METHODS AND SYSTEMS FOR API DECEPTION ENVIRONMENT AND API TRAFFIC CONTROL AND SECURITY
Abstract
The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for Application Programming Interface (API) based flow control and API based security at the application layer of the networking protocol stack. The invention additionally provides an API deception environment to protect a server backend from threats, attacks and unauthorized access.
24 Claims
1. A proxy configured for routing client messages to one or more target APIs, the proxy comprising:
  a processor configured to identify or record at least one of:
    parameter data corresponding to one or more client side parameters, wherein:
      the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
      each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
    and parameter data corresponding to one or more server side parameters, wherein:
      the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
      each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients;
  and a proxy router configured to:
    receive a client message; and
    discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
      (i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a predefined threshold value; or
      (ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter exceeding a predefined threshold.
(Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A system for securing one or more API servers, the system comprising:
  a proxy cluster configured for routing client messages to one or more target APIs implemented on the one or more API servers, the proxy cluster comprising a plurality of networked proxies, wherein each of the plurality of proxies is configured for routing client messages to the one or more target APIs, and each proxy comprises:
    a processor configured to identify or record at least one of:
      parameter data corresponding to one or more client side parameters, wherein:
        the parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
        each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
      and parameter data corresponding to one or more server side parameters, wherein:
        the parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
        each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients;
    and a proxy router configured to:
      receive a client message; and
      discard the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
        (i) initiating a process for forwarding the received client message to the API server would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a predefined threshold value; or
        (ii) receiving a response to the received client message from the API server would result in parameter data corresponding to a server side parameter exceeding a predefined threshold;
  wherein each of the plurality of proxies within the proxy cluster is configured to synchronize one or more data states of said proxy with the corresponding one or more data states of at least one other proxy within the plurality of proxies, and wherein the data states under synchronization comprise client side parameter data states or server side parameter data states.
(Dependent claims: 9.)
10. A system configured for routing client messages to one or more target APIs implemented on a secured server backend, the system comprising:
  a proxy comprising:
    a processor configured to detect indicators of compromise based on API layer data extracted from client messages received at the proxy, wherein indicators of compromise are detected responsive to any one of:
      determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy; or
      determining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages;
    a proxy router configured to respond to detection of an indicator of compromise by routing a client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from the client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend; and
  one or more processor implemented decoy APIs configured to respond to client messages received from the proxy router by:
    initiating network communication with a client that has generated the received client message; and
    recording information corresponding to said client and client messages generated by said client.
(Dependent claims: 11.)
12. A method for routing client messages to one or more target APIs, the method comprising:
  receiving a client message at a proxy interposed as a network communication gateway to a server backend configured to implement one or more APIs;
  discarding the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
    (i) initiating a process for forwarding the received client message to the server backend would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a predefined threshold value; or
    (ii) receiving a response to the received client message from the server backend would result in parameter data corresponding to a server side parameter exceeding a predefined threshold;
  wherein:
    parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy;
    each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
    parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
    each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients.
(Dependent claims: 13, 14, 15, 16, 17, 18, 19.)
20. A method for routing client messages to one or more target APIs implemented on a secured server backend, the method comprising:
  detecting an indicator of compromise based on API layer data extracted from client messages received at the proxy, wherein the indicator of compromise is detected responsive to any one of:
    determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy; or
    determining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages;
  responding to detection of an indicator of compromise by routing a client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from the client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend;
  initiating, at the decoy API, network communication with a client that has generated the received client message; and
  recording information corresponding to said client and client messages generated by said client.
(Dependent claims: 21, 22.)
23. A computer program product for routing client messages to one or more target APIs, comprising a non-transitory computer readable medium having computer readable program code embodied therein, the computer readable program code comprising instructions for:
  receiving a client message at a proxy interposed as a network communication gateway to a server backend configured to implement one or more APIs;
  discarding the received client message without onward transmission to an API server identified in the received client message, in response to a determination that:
    (i) initiating a process for forwarding the received client message to the server backend would result in parameter data corresponding to a client side parameter or a server side parameter exceeding a predefined threshold value; or
    (ii) receiving a response to the received client message from the server backend would result in parameter data corresponding to a server side parameter exceeding a predefined threshold;
  wherein:
    parameter data corresponding to the one or more client side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy;
    each of the one or more client side parameters comprises a parameter descriptive of client side behavior detected at the proxy;
    parameter data corresponding to the one or more server side parameters is identified based on analysis of API layer data extracted from data messages received at the proxy; and
    each of the one or more server side parameters comprises a parameter descriptive of (i) requests for server side data received from one or more clients or (ii) server side responses to data messages received from one or more clients.
24. A computer program product for routing client messages to one or more target APIs implemented on a secured server backend, comprising a non-transitory computer readable medium having computer readable program code embodied therein, the computer readable program code comprising instructions for:
  detecting an indicator of compromise based on API layer data extracted from client messages received at the proxy, wherein the indicator of compromise is detected responsive to any one of:
    determining that a target API name extracted from a client message matches a decoy API name that is determinable by scanning of API data on the proxy; or
    determining that a target API name extracted from a client message does not match any API to which the proxy is configured to route client messages;
  responding to detection of an indicator of compromise by routing a client message corresponding to the detected indicator of compromise to a decoy API having an API name that matches the target API name extracted from the client message corresponding to the detected indicator of compromise, wherein said decoy API is communicably isolated from the secured server backend;
  initiating, at the decoy API, network communication with a client that has generated the received client message; and
  recording information corresponding to said client and client messages generated by said client.
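The two decision paths the claims describe, the threshold-based discard of claims 1 and 12 and the decoy routing of claims 10 and 20, worked through in one added Python example; this is illustrative code written for this page, not the patent's or any assignee's implementation, and the API names, thresholds, client identifiers and sample messages are assumed.

```python
from collections import Counter
from dataclasses import dataclass, field

FORWARD, DISCARD, DECOY = "forward", "discard", "decoy"


@dataclass
class ProxyRouter:
    real_apis: set            # APIs the proxy is configured to route to (assumed)
    decoy_apis: set           # decoy API names discoverable in the proxy's API data (assumed)
    max_requests_per_client: int = 5   # predefined client side threshold (assumed value)
    max_responses_per_api: int = 8     # predefined server side threshold (assumed value)
    # client side parameter data: messages forwarded per client (one window; reset omitted)
    client_requests: Counter = field(default_factory=Counter)
    # server side parameter data: backend responses produced per target API
    api_responses: Counter = field(default_factory=Counter)
    # what the isolated decoy records: client -> target API names it asked for
    decoy_log: dict = field(default_factory=dict)

    def route(self, client, target_api):
        # Deception path: a decoy name or an unknown API name is an indicator of
        # compromise; the message goes to the decoy, never to the backend, and is recorded.
        if target_api in self.decoy_apis or target_api not in self.real_apis:
            self.decoy_log.setdefault(client, []).append(target_api)
            return DECOY
        # Flow-control path: discard without onward transmission if forwarding would
        # push the client side parameter over its threshold ...
        if self.client_requests[client] + 1 > self.max_requests_per_client:
            return DISCARD
        # ... or if the backend's response would push the server side parameter over.
        if self.api_responses[target_api] + 1 > self.max_responses_per_api:
            return DISCARD
        self.client_requests[client] += 1
        self.api_responses[target_api] += 1
        return FORWARD


def run_sample():
    """Constructed batch of (client, target API) messages; returns decisions and router."""
    router = ProxyRouter(real_apis={"/v1/accounts", "/v1/orders"},
                         decoy_apis={"/v1/admin-backup"},
                         max_requests_per_client=3, max_responses_per_api=4)
    messages = ([("c1", "/v1/accounts")] * 4 + [("c2", "/v1/accounts")] * 2
                + [("c2", "/v1/orders")]
                + [("c3", "/v1/admin-backup"), ("c3", "/v1/internal-debug")])
    return [router.route(client, api) for client, api in messages], router
```

Client c1's fourth message is dropped by the client side threshold, c2's second /v1/accounts call by the server side one, and everything c3 sends lands on the decoy without touching the backend.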