APPLICATION PROGRAMMING INTERFACE WALL

US 20160057107A1
Filed: 08/22/2014
Published: 02/25/2016
Est. Priority Date: 08/22/2014
Status: Active Grant

First Claim

Patent Images

1. An application programming interface (API) call filtering system to filter API call requests received, via a network, from a device that is network-connected and configured to run endpoint application hardware and/or software, to secure an API service that accepts API call requests and provides API call responses thereto, the system comprising:

at least one computing device configured to implement one or more services, wherein the one or more services are configured to;

a) monitor, at an API filter, API call requests received from an endpoint application directed to a server configured to provide, at least in part, the API service;

b) monitor authentication methods of the API call requests;

c) compile authentication information related to the authentication methods;

d) compile performance indicators of the API call requests;

e) analyze the compiled performance indicatorsf) create at least one report based at least in part, on the analyzed performance indicators and compiled authentication information;

g) modify an authentication method of at least one API call request in response to a security team input following an output of the at least one report, to form a modified API call request that is processable by the server as the server is configured for the API call requests, wherein modifying an authentication method comprises, for at least some API call requests, creating a requirement that the at least one API call request satisfy an authentication test that the at least one API call request would not have otherwise had to satisfy; and

h) send the modified API call request to the server.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

116 Citations

30 Claims

1. An application programming interface (API) call filtering system to filter API call requests received, via a network, from a device that is network-connected and configured to run endpoint application hardware and/or software, to secure an API service that accepts API call requests and provides API call responses thereto, the system comprising:
- at least one computing device configured to implement one or more services, wherein the one or more services are configured to;
  
  a) monitor, at an API filter, API call requests received from an endpoint application directed to a server configured to provide, at least in part, the API service;
  
  b) monitor authentication methods of the API call requests;
  
  c) compile authentication information related to the authentication methods;
  
  d) compile performance indicators of the API call requests;
  
  e) analyze the compiled performance indicatorsf) create at least one report based at least in part, on the analyzed performance indicators and compiled authentication information;
  
  g) modify an authentication method of at least one API call request in response to a security team input following an output of the at least one report, to form a modified API call request that is processable by the server as the server is configured for the API call requests, wherein modifying an authentication method comprises, for at least some API call requests, creating a requirement that the at least one API call request satisfy an authentication test that the at least one API call request would not have otherwise had to satisfy; and
  
  h) send the modified API call request to the server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The API call filtering system of claim 1, wherein the device is a user device or a machine-to-machine device.
  - 3. The API call filtering system of claim 1, wherein the API filter initially includes no information of the API to which the API call requests are transmitted.
  - 4. The API call filtering system of claim 1, wherein the performance indicators include a frequency, a velocity, a time of day, a geo-location, or an authentication indicator related to the API call requests.
  - 5. The API call filtering system of claim 1, wherein the at least one report includes analysis of the performance indicators and at least one recommendation of an action or non-action to take in response to each of at least some of the API call requests.
  - 6. The API call filtering system of claim 1, wherein the one or more services are further configured to:
    - obtain the performance indicators;
      
      determine identification criteria based, at least in part, on the performance indicators; and
      
      identify, using the identification criteria, the API to which the API call requests are transmitted.
  - 7. The API call filtering system of claim 1, wherein the one or more services are further configured to:
    - create an access control list (ACL) for the API; and
      
      change access permissions in the ACL for the API, wherein the access permission changes include modifying access to the API, limiting access to the API, or blocking access to the API.
  - 8. The API call filtering system of claim 7, wherein limiting access to the API comprises at least throttling or reducing throughput.
  - 9. The API call filtering system of claim 7, wherein the one or more services are further configured to change the access permissions for the API from unauthenticated access permissions to authenticated access permissions.
  - 10. The API call filtering system of claim 1, wherein the API call request received from the endpoint application includes requests to authenticate the endpoint application with respect to a secure account maintained at, or for, the API service.

11. (canceled)

12. A non-transitory computer-readable storage medium having stored thereon executable instructions that, when executed by one or more processors of a computer system, wherein the computer system is an application programming interface (API) wall, cause the computer system to at least:
- identify, at an API wall, API call requests for a web service, the API call requests transmitted from an endpoint to a server, wherein the server is a component of an enterprise network;
  
  identify, at the API wall, API call responses transmitted from the server;
  
  collect business intelligence related to the API call requests and the API call responses, the business intelligence including statistics and properties of the endpoint;
  
  compile a report, the report including statistics, analysis, and/or recommendations related to the API call request;
  
  create, via the API wall, a dashboard including information related to API use across the enterprise network; and
  
  provide, via the API wall, control mechanisms for modifying access to an API, limiting access to the API, creating access control lists (ACLs), and enforcing ACLs, wherein control mechanisms operate in response to security team inputs following output of the report, wherein modifying access comprises modifying an authentication method of at least one API call request that, for at least some API call requests, creates a requirement that the at least one API call request satisfy an authentication test that the at least one API call request would not have otherwise had to satisfy.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to create, via the API wall, a list of APIs that are called across an enterprise network.
  - 14. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to record traffic over the network from an endpoint to a web server, the web server configured to provide web services in response to an API call request from the endpoint.
  - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions that cause the computer system to record traffic over the network further include instructions that cause the computer system to:
    - systematically browse web assets to identify traffic that originates from browser-driven website interaction; and
      
      remove identified browser-driven website interaction traffic from the traffic recorded over the network in order to improve identification of API calls.
  - 16. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to collect properties determined at the API wall, the properties including measured frequency, measured velocity, time of day, geo-location, or response times.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the instructions that cause the computer system to collect properties further include instructions that cause the computer system to determine if APIs are chained together with an API call request to one leading to API call requests to another.
  - 18. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to require access via the API wall, by an endpoint, over Transport Layer Security (TLS).
  - 19. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
    - identify libraries and/or middleware that include an API; and
      
      record commonly abused APIs in the identified libraries and/or middleware based, at least in part, on information collected at the API wall.
  - 20. The non-transitory computer-readable storage medium of claim 12, wherein the instructions further comprise instructions that, when executed by the one or more processors, cause the computer system to:
    - identify libraries and/or middleware that include an API; and
      
      record human-compiled data relating to commonly abused APIs.

21. A computer-implemented method for filtering application programming interface (API) calls in a secured network environment, the computer-implemented method, comprising:
- under control of one or more computer systems configured with executable instructions,a) receiving, at an API call filter, an API call request from an endpoint directed to a server in an enterprise network;
  
  b) determining, at the API call filter, whether a to-be-sent API call request will be the original API call request or a modified API call request, wherein the to-be-sent API call request is to be sent to a secured API supporting service, wherein the secured API supporting service provides at least one API to access a business unit of the enterprise network, and wherein determining is based on operator inputs;
  
  c) sending the to-be-sent API call request to the secured API supporting service; and
  
  d) transmitting, over the secured network environment, an API call response to the endpoint.
- View Dependent Claims (22, 23, 24)
- - 22. The computer-implemented method of claim 21, wherein the endpoint is a user device or an instance of an application.
  - 23. The computer-implemented method of claim 21, further comprising receiving the modified API call request via a transparent request proxy located adjacent to the server.
  - 24. The computer-implemented method of claim 23, wherein the modified API call request is modified in real-time.

25. A computer-implemented method for filtering application programming interface (API) calls in a secured network environment, the computer-implemented method, comprising:
- providing an API wall device at a logical perimeter of a secured network;
  
  monitoring, at the API wall device, API calls from a plurality of endpoint apps executing on user devices with the API calls directed to a secured server, wherein the secured server is within the logical perimeter of the secured network and the user devices are outside the logical perimeter of the secured network, and wherein monitoring can occur without requiring advance knowledge of endpoint apps of the plurality of endpoint apps, the API calls, or the secured server;
  
  aggregating statistics over the API calls to form a report relating to the statistics;
  
  outputting the report to a security team tasked with maintaining security for the secured network;
  
  receiving inputs from the security team; and
  
  processing a received API call based on the received inputs from the security team, wherein processing includes modifying an authentication method for at least some API call requests based on the received inputs.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The computer-implemented method of claim 25, wherein the statistics are statistics relating to the plurality of endpoint apps, the user devices on which plurality of endpoint apps are running, and API call usage statistics.
  - 27. The computer-implemented method of claim 25, further comprising:
    - enforcing transport layer security (TLS) between the plurality of endpoint apps and the API wall when the secured server is not configured to require transport layer security (TLS);
      
      forwarding selected API calls from the API wall to the secured server when the selected API calls are received using transport layer security (TLS), wherein the selected API calls are modified to be consistent with a secured server interface; and
      
      deleting API calls at the API wall that are received without transport layer security (TLS).
  - 28. The computer-implemented method of claim 25, further comprising:
    - determining a first authentication method used between an endpoint app of the plurality of endpoint apps and the API wall;
      
      determining a required authentication method security level for a received API call;
      
      if the first authentication method is a less secure authentication method relative to the required authentication method security level, modifying the received API call to form a modified API call that uses a second authentication method that is at least as secure as the required authentication method security level; and
      
      forwarding the received API call or the modified API call, to the secured server.
  - 29. The computer-implemented method of claim 28, wherein the first authentication method uses a user-created username and password pair and the second authentication method uses a digital certificate issued and verified by a public key infrastructure certificate authority.
  - 30. The computer-implemented method of claim 25, wherein monitoring API calls from a plurality of endpoint apps comprises:
    - identify web assets;
      
      determine which API calls comprise browser-driven website interaction; and
      
      omitting browser-driven website API calls from monitoring.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Call, Justin D., Peacock, Timothy D.

Granted Patent

US 9,729,506 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/547   Remote procedure calls [RPC...

H04L 43/045   for graphical visualisation...

H04L 43/062   related to network traffic

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

APPLICATION PROGRAMMING INTERFACE WALL

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

116 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION PROGRAMMING INTERFACE WALL

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

116 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links