METHODS AND SYSTEMS FOR API DECEPTION ENVIRONMENT AND API TRAFFIC CONTROL AND SECURITY

US 20180115523A1
Filed: 10/25/2017
Published: 04/26/2018
Est. Priority Date: 10/26/2016
Status: Active Grant

First Claim

Patent Images

1. A proxy configured for routing client messages to one or more target APIs, the proxy comprising:

a processor configured to identify or record at least one of;

parameter data corresponding to one or more client side parameters, wherein;

the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and

each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;

and,parameter data corresponding to one or more server side parameters, wherein;

the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and

each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients;

anda proxy router configured to;

receive a client message; and

discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that;

(i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter to exceed a predefined threshold value;

or(ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter to exceed a predefined threshold.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.

80 Citations

24 Claims

1. A proxy configured for routing client messages to one or more target APIs, the proxy comprising:
- a processor configured to identify or record at least one of;
  
  parameter data corresponding to one or more client side parameters, wherein;
  
  the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
  
  each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
  
  and,parameter data corresponding to one or more server side parameters, wherein;
  
  the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
  
  each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients;
  
  anda proxy router configured to;
  
  receive a client message; and
  
  discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that;
  
  (i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter to exceed a predefined threshold value;
  
  or(ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter to exceed a predefined threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The proxy as claimed in claim 1, wherein the processor is configured to identify or record both of:
    - parameter data corresponding to one or more client side parameters; and
      
      parameter data corresponding to one or more server side parameters.
  - 3. The proxy as claimed in claim 1, wherein the client side parameters include one or more of client spike, bytes-in-spike, TCP connection spike, message spike and wild card topic substitution.
  - 4. The proxy as claimed in claim 1, wherein the server side parameters include one or more of server spike, server connection, server connection queuing, bytes-out spike, and topic publisher and subscriber quota.
  - 5. The proxy as claimed in claim 1, wherein the processor is configured to maintain discrete sets of data records corresponding to client side parameters or server side parameters, for each API server within a server backend.
  - 6. The proxy as claimed in claim 1, wherein a determination at the proxy router whether to discard the received client message without onward transmission to an API server identified in the received client message, is based on one or more of device ID, IP address and oAuth2 token corresponding to a client.
  - 7. The proxy as claimed in claim 1, wherein the proxy router is configured to:
    - transmit the received client message to an API server identified in the received client message, in response to a determination that;
      
      (i) initiating a process for forwarding the received client message to the API server does not result in parameter data corresponding to a client side parameter or a server side parameter exceeding a predefined threshold value;
      
      or(ii) receiving a response to the received client message from the API server does not result in parameter data corresponding to a server side parameter exceeding a predefined threshold.

8. A system for securing one or more API servers, the system comprising:
- a proxy cluster configured for routing client messages to one or more target APIs implemented on the one or more API servers, the proxy cluster comprising a plurality of networked proxies, wherein each of the plurality of proxies are configured for routing client messages to the one or more target APIs, and each proxy comprising;
  
  a processor configured to identify or record at least one of;
  
  parameter data corresponding to one or more client side parameters,wherein;
  
  the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
  
  each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
  
  and,parameter data corresponding to one or more server side parameters,wherein;
  
  the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
  
  each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients;
  
  anda proxy router configured to;
  
  receive a client message; and
  
  discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that;
  
  (i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter to exceed a predefined threshold value;
  
  or(ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter to exceed a predefined threshold;
  
  wherein each of a plurality of proxies within the proxy cluster are configured to synchronize one or more data states of said proxy with corresponding one or more data states of at least one other proxy within the plurality of proxies, and wherein the data states under synchronization comprise client side parameter data states or server side parameter data states.
- View Dependent Claims (9)
- - 9. The system as claimed in claim 8, wherein the data states under synchronization comprise server side parameter data states and exclude client side parameter data states.

10. A system configured for routing client messages to one or more target APIs implemented on a secured server backend, the system comprising:
- a proxy comprising;
  
  a processor configured to detect indicators of compromise based on API layer data extracted from client messages received at the proxy, wherein indicators of comprise are detected responsive to any one of;
  
  determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy;
  
  ordetermining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages;
  
  a proxy router configured to respond to detection of an indicator of compromise by routing a client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from a client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend; and
  
  one or more processor implemented decoy APIs configured to respond to client messages received from the proxy router by;
  
  initiating network communication with a client that has generated the received client message; and
  
  recording information corresponding to said client and client messages generated by said client.
- View Dependent Claims (11)
- - 11. The system as claimed in claim 10, wherein said system is configured to respond to a determination that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages, by:
    - generating a processor implemented decoy API having an API name that matches the target API name, and routing the client message to the generated processor implemented decoy API, wherein;
      
      the generated processor implemented decoy API is communicably isolated from the secured server backend; and
      
      said generated processor implemented decoy API is configured to respond to client messages received from the proxy router by;
      
      initiating network communication with a client that has generated the received client message; and
      
      recording information corresponding to said client and client messages generated by said client.

12. A method for routing client messages to one or more target APIs, the method comprising:
- receiving a client message at a proxy interposed as a network communication gateway to a server backend configured to implement one or more APIs;
  
  discarding the received client message without onward transmission to an API server identified in the received client message, in response to a determination that;
  
  (i) initiating a process for forwarding the received client message to the server backend would result in parameter data corresponding to a client side parameter or a server side parameter to exceed a predefined threshold value;
  
  or(ii) receiving a response to the received client message from the server backend would result in parameter data corresponding to a server side parameter to exceed a predefined threshold;
  
  wherein;
  
  parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy;
  
  each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
  
  parameter data corresponding to the one or more server side parameters, is identified based on analysis of API layer data extracted from data messages received at the proxy; and
  
  each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method as claimed in claim 12, comprising identifying or recording both of:
    - parameter data corresponding to one or more client side parameters; and
      
      parameter data corresponding to one or more server side parameters.
  - 14. The method as claimed in claim 12, wherein the client side parameters include one or more of client spike, bytes-in-spike, TCP connection spike, message spike and wild card topic substitution.
  - 15. The method as claimed in claim 12, wherein the server side parameters include one or more of server spike, server connection, server connection queuing, bytes-out spike, and topic publisher and subscriber quota.
  - 16. The method as claimed in claim 12, wherein a determination whether to discard the received client message without onward transmission to an API server identified in the received client message, is based on one or more of device ID, IP address and OAuth2 token corresponding to a client.
  - 17. The method as claimed in claim 12, further comprising:
    - transmitting the received client message to an API server identified in the received client message and implemented within the server backend, in response to a determination that;
      
      (i) initiating a process for forwarding the received client message to the API server does not result in parameter data corresponding to a client side parameter or a server side parameter exceeding a predefined threshold value;
      
      or(ii) receiving a response to the received client message from the API server does not result in parameter data corresponding to a server side parameter exceeding a predefined threshold.
  - 18. The method as claimed in claim 12, wherein the proxy is configured to synchronize one or more data states of said proxy with corresponding one or more data states of at least one other proxy that is interposed as a network communication gateway to the server backend, and wherein the data states under synchronization comprise client side parameter data states or server side parameter data states.
  - 19. The method as claimed in claim 18, wherein the data states under synchronization comprise server side parameter data states and exclude client side parameter data states.

20. A method for routing client messages to one or more target APIs implemented on a secured server backend, the method comprising:
- detecting an indicator of compromise based on API layer data extracted from client messages received at the proxy, wherein the detected indicator of comprise is detected responsive to any one of;
  
  determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy;
  
  ordetermining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages;
  
  responding to detection of an indicator of compromise by routing a client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from a client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend;
  
  initiating at the decoy API, network communication with a client that has generated the received client message; and
  
  recording information corresponding to said client and client messages generated by said client.
- View Dependent Claims (21, 22)
- - 21. The method as claimed in claim 20, further comprising the step of responding to a determination that the client in network communication with said decoy API is a client in breach of one or more predefined security policies, by routing one or more communications from said client to an external honeypot server that is communicably isolated from the secured server backend.
  - 22. The method as claimed in claim 20, comprising responding to determining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages, by generating a processor implemented decoy API having an API name that matches the target API name, and routing the client message to the generated processor implemented decoy API, wherein:
    - the generated processor implemented decoy API is communicably isolated from the secured server backend; and
      
      said generated processor implemented decoy API is configured to respond to client messages received from the proxy router by;
      
      initiating network communication with a client that has generated the received client message; and
      
      recording information corresponding to said client and client messages generated by said client.

23. A computer program product for routing client messages to one or more target APIs, comprising a non-transitory computer readable medium having a computer readable program code embodiment therein, the computer readable program code comprising instructions for:
- receiving a client message at a proxy interposed as a network communication gateway to a server backend configured to implement one or more APIs;
  
  discarding the received client message without onward transmission to an API server identified in the received client message, in response to a determination that;
  
  (i) initiating a process for forwarding the received client message to the server backend would result in parameter data corresponding to a client side parameter or a server side parameter to exceed a predefined threshold value;
  
  or(ii) receiving a response to the received client message from the server backend would result in parameter data corresponding to a server side parameter to exceed a predefined threshold;
  
  wherein;
  
  parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy;
  
  each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
  
  parameter data corresponding to the one or more server side parameters, is identified based on analysis of API layer data extracted from data messages received at the proxy; and
  
  each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients.

24. A computer program product for routing client messages to one or more target APIs implemented on a secured server backend, comprising a non-transitory computer readable medium having a computer readable program code embodiment therein, the computer readable program code comprising instructions for:
- detecting an indicator of compromise based on API layer data extracted from client messages received at the proxy, wherein the detected indicator of comprise is detected responsive to any one of;
  
  determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy;
  
  ordetermining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages;
  
  responding to detection of an indicator of compromise by routing a client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from a client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend;
  
  initiating at the decoy API, network communication with a client that has generated the received client message; and
  
  recording information corresponding to said client and client messages generated by said client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ping Identity Corporation
Original Assignee
Elastic Beam, Inc. (Ping Identity Corporation)
Inventors
Subbarayan, Udayakumar, Harguindeguy, Bernard, Gopalakrishnan, Anoop Krishnan, Angadi, Nagabhushana, Kumar, Ashwani, Sahu, Santosh, Poonthiruthi, Abdu Raheem, Sahu, Avinash Kumar, Kundottil, Yasar

Granted Patent

US 10,587,580 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/554   involving event detection a...

G06F 21/6281   at program execution time, ...

G06N 20/00   Machine learning

H04L 63/02   for separating internal fro...

H04L 63/0281   Proxies

H04L 63/04   for providing a confidentia...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0876   based on the identity of th...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/1491   using deception as counterm...

METHODS AND SYSTEMS FOR API DECEPTION ENVIRONMENT AND API TRAFFIC CONTROL AND SECURITY

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

80 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR API DECEPTION ENVIRONMENT AND API TRAFFIC CONTROL AND SECURITY

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links