System and method for identifying and preventing malicious API attacks
First Claim
1. A method for identifying and preventing malicious server-side application programming interface (API) attacks over a network in a client-server architecture, performed on a computer having a processor, a memory, and one or more code sets stored in the memory and executed by the processor, the method comprising:
- during a learning stage:
  - monitoring, by the processor, all requests sent to a server-side API over the network and all responses sent from the server-side API over the network;
  - identifying, by the processor, one or more first characteristic data points of each request and response sent during the learning stage; and
  - determining, by the processor, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and
- during a protection stage:
  - monitoring, by the processor, all requests sent to the server-side API and all responses sent from the server-side API;
  - identifying, by the processor, one or more second characteristic data points of each request and response sent during the protection stage;
  - one of validating and invalidating, by the processor, the identified one or more second characteristic data points against the one or more characteristic data models;
  - generating, by the processor, one or more attacker profiles based at least in part on the validating step;
  - determining, by the processor, one or more suspicion scores for each attacker profile; and
  - identifying, by the processor, one or more suspicious profiles based at least in part on respective suspicion scores, wherein all future requests and responses related to an identified suspicious profile are flagged with an alert irrespective of validity.
Abstract
A system and method for identifying and preventing malicious application programming interface attacks is configured to, during a learning stage: monitor all requests sent to and from the server API; identify one or more first characteristic data points of each request and response sent during the learning stage; and determine, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and during a protection stage: monitor all requests sent to and from the server API; identify one or more second characteristic data points of each request and response sent during the protection stage; and one of validate and invalidate the identified one or more second characteristic data points against the one or more characteristic data models.
20 Claims
- 1. A method for identifying and preventing malicious server-side application programming interface (API) attacks over a network in a client-server architecture, performed on a computer having a processor, a memory, and one or more code sets stored in the memory and executed by the processor, the method comprising:
  - during a learning stage:
    - monitoring, by the processor, all requests sent to a server-side API over the network and all responses sent from the server-side API over the network;
    - identifying, by the processor, one or more first characteristic data points of each request and response sent during the learning stage; and
    - determining, by the processor, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and
  - during a protection stage:
    - monitoring, by the processor, all requests sent to the server-side API and all responses sent from the server-side API;
    - identifying, by the processor, one or more second characteristic data points of each request and response sent during the protection stage;
    - one of validating and invalidating, by the processor, the identified one or more second characteristic data points against the one or more characteristic data models;
    - generating, by the processor, one or more attacker profiles based at least in part on the validating step;
    - determining, by the processor, one or more suspicion scores for each attacker profile; and
    - identifying, by the processor, one or more suspicious profiles based at least in part on respective suspicion scores, wherein all future requests and responses related to an identified suspicious profile are flagged with an alert irrespective of validity.
  - Dependent claims: 2, 3, 4, 5, 6, 7, 8
- 9. A system for identifying and preventing malicious server-side application programming interface (API) attacks over a network in a client-server architecture, comprising:
  - a computer having a processor and a memory; and
  - one or more code sets stored in the memory and executed by the processor, which configure the processor to:
  - during a learning stage:
    - monitor all requests sent to a server-side API over the network and all responses sent from the server-side API over the network;
    - identify one or more first characteristic data points of each request and response sent during the learning stage; and
    - determine, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and
  - during a protection stage:
    - monitor all requests sent to the server-side API and all responses sent from the server-side API;
    - identify one or more second characteristic data points of each request and response sent during the protection stage;
    - one of validate and invalidate the identified one or more second characteristic data points against the one or more characteristic data models;
    - generate one or more attacker profiles based at least in part on the validating step;
    - determine one or more suspicion scores for each attacker profile; and
    - identify one or more suspicious profiles based at least in part on respective suspicion scores, wherein all future requests and responses related to an identified suspicious profile are flagged with an alert irrespective of validity.
  - Dependent claims: 10, 11, 12, 13, 14, 15, 16
- 17. A method for identifying and preventing malicious server-side application programming interface (API) attacks over a network in a client-server architecture, performed on a computer having a processor, a memory, and one or more code sets stored in the memory and executed by the processor, the method comprising:
  - during a learning stage:
    - monitoring, by the processor, all requests sent to a server-side API over the network from a plurality of client devices and all responses sent from the server-side API over the network to each of the plurality of client devices;
    - identifying, by the processor, one or more first characteristic data points of each request sent by a given client device and each response sent to the given client device during the learning stage; and
    - determining, by the processor, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the server-side API and an expected output of the server-side API; and
  - during a protection stage:
    - monitoring, by the processor, all requests sent to the server-side API and all responses sent from the server-side API;
    - identifying, by the processor, one or more second characteristic data points of each request and response sent during the protection stage;
    - one of validating and invalidating, by the processor, the identified one or more second characteristic data points against the one or more characteristic data models;
    - passing to and from the server, by the processor, requests having no invalidated one or more second characteristic data points;
    - blocking to and from the server, by the processor, requests having invalidated one or more second characteristic data points;
    - generating, by the processor, one or more attacker profiles based at least in part on the validating step;
    - determining, by the processor, one or more suspicion scores for each attacker profile; and
    - identifying, by the processor, one or more suspicious profiles based at least in part on respective suspicion scores, wherein all future requests and responses related to an identified suspicious profile are flagged with an alert irrespective of validity.
  - Dependent claims: 18
- 19. A method for identifying and preventing malicious server-side application programming interface (API) attacks over a network in a client-server architecture, performed on a computer having a processor, a memory, and one or more code sets stored in the memory and executed by the processor, the method comprising:
  - during a learning stage:
    - monitoring, by the processor, all requests sent to a server-side API over the network and all responses sent from the server-side API over the network;
    - identifying, by the processor, one or more first characteristic data points of each request and response sent during the learning stage; and
    - determining, by the processor, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and
  - during a protection stage:
    - monitoring, by the processor, all requests sent to the server-side API and all responses sent from the server-side API;
    - identifying, by the processor, one or more second characteristic data points of each request and response sent during the protection stage;
    - one of validating and invalidating, by the processor, the identified one or more second characteristic data points against the one or more characteristic data models;
    - generating, by the processor, an alert for each request having invalidated one or more second characteristic data points;
    - generating, by the processor, an alert for each response having invalidated one or more second characteristic data points;
    - generating, by the processor, an alert timeline, wherein the alert timeline represents a selection of one or more aggregations of alerts, the alerts in each of the one or more aggregations having a predefined similarity, the one or more aggregations being organized in a predefined order; and
    - displaying, by the processor, the alert timeline on a visual display.
- 20. A system for identifying and preventing malicious server-side application programming interface (API) attacks over a network in a client-server architecture, comprising:
  - a computer having a processor and a memory; and
  - one or more code sets stored in the memory and executed by the processor, which configure the processor to:
  - during a learning stage:
    - monitor all requests sent to a server-side API over the network and all responses sent from the server-side API over the network;
    - identify one or more first characteristic data points of each request and response sent during the learning stage; and
    - determine, based at least in part on the identified one or more first characteristic data points, one or more characteristic data models, wherein a characteristic data model represents at least one of an expected input to the API and an expected output of the API; and
  - during a protection stage:
    - monitor all requests sent to the server-side API and all responses sent from the server-side API;
    - identify one or more second characteristic data points of each request and response sent during the protection stage;
    - one of validate and invalidate the identified one or more second characteristic data points against the one or more characteristic data models;
    - generate an alert for each request having invalidated one or more second characteristic data points;
    - generate an alert for each response having invalidated one or more second characteristic data points;
    - generate an alert timeline, wherein the alert timeline represents a selection of one or more aggregations of alerts, the alerts in each of the one or more aggregations having a predefined similarity, the one or more aggregations being organized in a predefined order; and
    - display the alert timeline on a visual display.
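The two-stage scheme of claims 1 and 17 (learn expected request and response shapes per endpoint, then validate, score per-client attacker profiles, and alert on every later request from a suspicious profile even when it validates), as an added illustrative implementation that is not the patent's own code. The choice of field name and value type as the "characteristic data points", the per-client profile key and the suspicion threshold of 2 are assumptions made for this example.

```python
# Illustrative two-stage API guard (added example; not the patent's code).
# Assumptions: a characteristic data point is (field name, value type); an
# attacker profile is keyed by client id; SUSPICION_THRESHOLD invalid
# observations make a profile suspicious.
from collections import defaultdict

SUSPICION_THRESHOLD = 2  # assumed threshold for this example


class ApiGuard:
    def __init__(self):
        # endpoint -> {"request": {field: type}, "response": {field: type}}
        self.models = defaultdict(lambda: {"request": {}, "response": {}})
        self.profiles = defaultdict(int)  # client id -> suspicion score
        self.suspicious = set()           # client ids flagged as suspicious

    @staticmethod
    def _points(payload):
        # Characteristic data points: each field's name and its value type
        return {k: type(v).__name__ for k, v in payload.items()}

    def learn(self, endpoint, request, response):
        # Learning stage: every field/type seen becomes expected input/output
        self.models[endpoint]["request"].update(self._points(request))
        self.models[endpoint]["response"].update(self._points(response))

    def _invalid(self, model, payload):
        # Fields never seen in learning, or seen with a different type
        return [k for k, t in self._points(payload).items() if model.get(k) != t]

    def protect(self, client, endpoint, request, response):
        # Protection stage: validate both directions, update the profile,
        # then decide pass/block (claim 17) and whether to alert (claim 1)
        model = self.models[endpoint]
        bad = (self._invalid(model["request"], request)
               + self._invalid(model["response"], response))
        if bad:
            self.profiles[client] += 1
            if self.profiles[client] >= SUSPICION_THRESHOLD:
                self.suspicious.add(client)
        # A suspicious profile is alerted on irrespective of validity
        return {
            "action": "block" if bad else "pass",
            "alert": bool(bad) or client in self.suspicious,
            "invalid_fields": bad,
        }
```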
Specification