Nothing Special   »   [go: up one dir, main page]

WO2023166336A1 - System and method to prevent an attack on an application programming interface - Google Patents

System and method to prevent an attack on an application programming interface Download PDF

Info

Publication number
WO2023166336A1
WO2023166336A1 PCT/IB2022/053903 IB2022053903W WO2023166336A1 WO 2023166336 A1 WO2023166336 A1 WO 2023166336A1 IB 2022053903 W IB2022053903 W IB 2022053903W WO 2023166336 A1 WO2023166336 A1 WO 2023166336A1
Authority
WO
WIPO (PCT)
Prior art keywords
programming interface
application programming
user
module
behaviour
Prior art date
Application number
PCT/IB2022/053903
Other languages
French (fr)
Inventor
Puneet TUTLIANI
Original Assignee
Tutliani Puneet
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tutliani Puneet filed Critical Tutliani Puneet
Publication of WO2023166336A1 publication Critical patent/WO2023166336A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/316User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/535Tracking the activity of the user

Definitions

  • Embodiments of the present disclosure relate to a cyber risk prevention system and more particularly to a system and a method to prevent an attack on an application programming interface.
  • APIs Application programming interfaces
  • the API use has seen explosive growth lately. According to Akamai, API communications now account for more than 83% of all internet traffic.
  • the API becomes an effective bridge for interconnection of enterprise resources, an enterprise packages own data or services into a standard API and provides the standard API to authorized users, namely, partners, so as to accelerate partner integration and customer growth, and derive an open and converged API ecosystem.
  • the API can include various business scenarios such as user information query and bank card payment.
  • the APIs often document information about their structure and methods of implementation.hackers can use this information to launch their cyberattacks.
  • There are other API security vulnerabilities like poor authentication, no encryption, information leakage, API abuse and other flaws which can give rise to these attacks. As a result, various systems are developed to prevent an attack on an application programming interface.
  • a system to prevent an attack on an application programming interface includes a processing subsystem hosted on a server and configured to execute on a network to control bidirectional communications among a plurality of modules.
  • the processing subsystem includes an application programming interface data collection module configured to collect a plurality of user’s application programming interface data.
  • the processing subsystem also includes a learning module operatively coupled to the application programming interface data collection module.
  • the learning module is configured to learn user’s behaviour and application’s behaviour based on the user’s application programming interface data collected.
  • the learning module is also configured to parse hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt.
  • the processing subsystem also includes a correlation table creation module operatively coupled to the learning module.
  • the correlation table creation module is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session upon parsing of the hypertext transfer protocol and payload.
  • the input and output parameters may be in hypertext transfer protocol, payload of hypertext transfer protocol.
  • the application programming interface (API) data is collected in JavaScript object notation (JSON) format, an extended markup language (XML) format, hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
  • the processing subsystem also includes a correlation determination module operatively coupled to the correlation table creation module.
  • the correlation determination module is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface.
  • the correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created.
  • the processing subsystem also includes an attack detection module operatively coupled to the correlation determination module.
  • the attack detection module is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
  • a method to prevent an attack on an application programming interface includes collecting, by an application programming interface data collection module of a processing subsystem, a plurality of user’s application programming interface data.
  • the method also includes learning, by a learning module of the processing subsystem, user’s behaviour and application’s behaviour based on the user’s application programming interface data collected.
  • the method also includes parsing, by the learning module of the processing subsystem, hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt.
  • the method also includes creating, by a correlation table creation module of a processing subsystem, a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ session upon parsing of the hypertext transfer protocol and payload.
  • the method also includes mapping, by a correlation determination module of the processing subsystem, one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface.
  • the method also includes determining, by the correlation determination module of the processing subsystem, a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created.
  • the method also includes detecting, by an attack detection module of the processing subsystem, a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
  • FIG. 1 is a block diagram of a system to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure
  • FIG. 2 is a schematic representation of an exemplary embodiment of a system to prevent an attack on an application programming interface of FIG. 1 in accordance with an embodiment of the present disclosure
  • FIG. 3 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure.
  • FIG. 4 is a flow chart representing the steps involved in a method to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure.
  • Embodiments of the present disclosure relate to a system and a method to prevent an attack on an application programming interface.
  • the system includes a processing subsystem hosted on a server and configured to execute on a network to control bidirectional communications among a plurality of modules.
  • the processing subsystem includes an application programming interface data collection module configured to collect a plurality of user’s application programming interface data.
  • the processing subsystem also includes a learning module operatively coupled to the application programming interface data collection module.
  • the learning module is configured to learn user’s behaviour and application’s behaviour based on the user’s application programming interface data collected.
  • the learning module is also configured to parse hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt.
  • the processing subsystem also includes a correlation table creation module operatively coupled to the learning module.
  • the correlation table creation module is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session upon parsing of the hypertext transfer protocol and payload.
  • the processing subsystem also includes a correlation determination module operatively coupled to the correlation table creation module.
  • the correlation determination module is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface.
  • the correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created.
  • the processing subsystem also includes an attack detection module operatively coupled to the correlation determination module.
  • the attack detection module is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
  • FIG. 1 is a block diagram of a system (100) to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure.
  • the system (100) includes a processing subsystem (105) hosted on a server (108) and configured to execute on a network to control bidirectional communications among a plurality of modules.
  • the server (108) may include a cloud server.
  • the server (108) may include a local server.
  • the processing subsystem (105) is configured to execute on a network (not shown in FIG. 1) to control bidirectional communications among a plurality of modules.
  • the network may include a wired network such as local area network (LAN).
  • the network may include a wireless network such as Wi-Fi, Bluetooth, Zigbee, near field communication (NFC), infra-red communication (RFID) or the like.
  • the processing subsystem (105) includes an application programming interface data collection module (110) configured to collect a plurality of user’s application programming interface data.
  • the application programming interface (API) data is collected in JavaScript object notation (JSON) format, an extended markup language (XML) format, hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
  • JSON JavaScript object notation
  • XML extended markup language
  • HTTP hypertext transfer protocol
  • Protobuf protocol buffer
  • GraphQL graph query language
  • the processing subsystem (105) also includes a learning module (120) operatively coupled to the application programming interface data collection module (110).
  • the learning module (120) is configured to leam user’s behaviour and application’s behaviour based on the user’s application programming interface data collected.
  • the user’s behaviour may include user’s usage behaviour associated with a web application or a mobile application.
  • the application’s behaviour may include a server data associated with serving of the application programming interface (API).
  • the learning module (120) is also configured to parse hypertext transfer protocol (HTTP) payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt.
  • the API associated components may include at least one of a uniform resource locator, a method, a request header, a response header, a response status, a request parameter, a response parameter or a combination thereof.
  • the processing subsystem (105) also includes a correlation table creation module (130) operatively coupled to the learning module (120).
  • the correlation table creation module (130) is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session upon parsing of the hypertext transfer protocol payload.
  • the one or more corresponding input and output parameters may include at least one of session identifier, name, value type, filters, tokens, cookies or a combination thereof.
  • the processing subsystem (105) also includes a correlation determination module (140) operatively coupled to the correlation table creation module (130).
  • the correlation determination module (140) is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface.
  • the correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created.
  • the correlation score varies from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values.
  • the term ‘one or more historical values’ are defined as one or more returned values with respect to previously called APIs.
  • the processing subsystem (105) also includes an attack detection module (150) operatively coupled to the correlation determination module (140).
  • the attack detection module (150) is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
  • the malicious action may include an insecure direct object reference (IDOR) attack on the application programming interface.
  • IDOR insecure direct object reference
  • the processing subsystem (105) further includes an attack prevention module (160) configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end.
  • 401 http response code is defined as unauthorized client error status response code indicating that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
  • the attack prevention module (160) is also configured to transmit any other customizable response code and message to the user based on the malicious action detected.
  • FIG. 2 is a schematic representation of an exemplary embodiment of a system (100) to prevent an attack on an application programming interface of FIG. 1 in accordance with an embodiment of the present disclosure.
  • a website application associated with payment process for any transaction saves credit card information to make recurring payment process easier for users.
  • any hacker or a malicious actor can fetch the information from the website application easily by using his or her computing device (104).
  • the system (100) prevents the vulnerabilities in the application and breaks specified usual behavior.
  • the system (100) learns the client and application behavior by collecting API data.
  • the system (100) includes a processing subsystem (105) hosted on a server (108) and further includes a plurality of modules.
  • the processing subsystem communicates with other modules through a wireless communication network (115).
  • the processing subsystem (105) includes an application programming interface data collection module (110) configured to collect a plurality of user’s application programming interface data.
  • the application programming interface (API) data is collected in JavaScript object notation (JSON) format or an extended markup language (XML) format an extended markup language (XML) format, hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
  • JSON JavaScript object notation
  • XML extended markup language
  • HTML hypertext transfer protocol
  • HTTP protocol buffer
  • Protobuf protocol buffer
  • GraphQL graph query language
  • a learning module (120) learns user’s behaviour and application’s behaviour based on the user’s application programming interface data collected.
  • the user’s behaviour may include user’s usage behaviour associated with a web application or a mobile application.
  • the application’s behaviour may include a server data associated with serving of the application programming interface (API).
  • the learning module (120) is also configured to parse hypertext transfer protocol (HTTP) and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour leamt.
  • the API associated components may include at least one of a uniform resource locator, a method, a request header, a response header, a response status, a request parameter, a response parameter or a combination thereof.
  • a correlation table creation module creates a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session.
  • the one or more corresponding input and output parameters may include at least one of session identifier, name, value type, tokens, filters, cookies or a combination thereof.
  • a correlation determination module (140) is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface using session identifier.
  • the correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created.
  • the correlation score varies from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values.
  • an attack detection module detects a malicious action on the application programming interface.
  • the malicious action may include an insecure direct object reference (IDOR) attack on the application programming interface.
  • IDOR insecure direct object reference
  • the user ID value is then manipulated to ‘ 12’ and the hacker gets the credit card information of the original user with ID value ‘ 12’.
  • the server fails to verify the user request, sending the response for any value.
  • the chances of IDOR attack arises.
  • the system (100) detects the possibility of the IDOR attack with comparison of every client to application behavior against correlation, and any deviation is flagged as unauthorized access.
  • an attack prevention module (160) is configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end.
  • 401 http response code refers to unauthorized client error status response code indicating that the client request has not been completed because it lacks valid authentication credentials for the requested resource.
  • the system (100) helps in detecting as well as preventing the type of attacks on the API by collecting and analyzing multiple user interaction with application.
  • FIG. 3 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure.
  • the server (200) includes processor(s) (230), and memory (210) operatively coupled to the bus (220).
  • the processor(s) (230), as used herein, means any type of computational circuit, such as, but not limited to, a microprocessor, a microcontroller, a complex instruction set computing microprocessor, a reduced instruction set computing microprocessor, a very long instruction word microprocessor, an explicitly parallel instruction computing microprocessor, a digital signal processor, or any other type of processing circuit, or a combination thereof.
  • the memory (210) includes several subsystems stored in the form of executable program which instructs the processor (230) to perform the method steps illustrated in FIG. 1.
  • the memory (210) includes a processing subsystem (105) of FIG.l.
  • the processing subsystem (105) further has following modules: an application programming interface data collection module (110), a learning module (120), a correlation table creation module (130), a correlation determination module (140), an attack detection module (150), and an attack prevention module (160).
  • the application programming interface data collection module (110) is configured to collect a plurality of user’s application programming interface data.
  • the learning module (120) is configured to leam user’s behaviour and application’s behaviour based on the user’s application programming interface data collected.
  • the learning module (120) is also configured to parse hypertext transfer protocol and pay load to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt.
  • the correlation table creation module (130) is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ session upon parsing of the hypertext transfer protocol and payload.
  • the correlation determination module (140) is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface.
  • the correlation determination module (140) is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface, syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created.
  • the attack detection module (150) is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
  • the attack prevention module (160) is configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end.
  • the bus (220) as used herein refers to be internal memory channels or computer network that is used to connect computer components and transfer data between them.
  • the bus (220) includes a serial bus or a parallel bus, wherein the serial bus transmits data in bit-serial format and the parallel bus transmits data across multiple wires.
  • the bus (220) as used herein may include but not limited to, a system bus, an internal bus, an external bus, an expansion bus, a frontside bus, a backside bus and the like.
  • FIG. 4 is a flow chart representing the steps involved in a method (300) to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure.
  • the method (300) includes collecting, by an application programming interface data collection module of a processing subsystem, a plurality of user’s application programming interface (API) data in step 310.
  • collecting the plurality of user’s application programming interface data may include collecting the API data collected in JavaScript object notation (JSON) format, an extended markup language (XML) format hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
  • JSON JavaScript object notation
  • XML extended markup language
  • HTTP hypertext transfer protocol
  • Protobuf protocol buffer
  • GraphQL graph query language
  • the method (300) also includes learning, by a learning module of the processing subsystem, user’s behaviour and application’s behaviour based on the user’s application programming interface data collected in step 320.
  • learning the user’s behaviour based on the user’s API data collected may include learning the user’s usage behaviour associated with a web application or a mobile application.
  • learning the application’s behaviour may include learning the application’s behaviour which may include a server data associated with serving of the application programming interface (API).
  • API application programming interface
  • the method (300) also includes parsing, by the learning module of the processing subsystem, hypertext transfer protocol payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt in step 330.
  • parsing the hypertext transfer protocol (HTTP) payload to extract the plurality of the API associated components may include extracting at least one of a uniform resource locator, a method, a request header, a response header, a response status, a request parameter, a response parameter or a combination thereof.
  • HTTP hypertext transfer protocol
  • the method (300) also includes creating, by a correlation table creation module of a processing subsystem, a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ s session upon parsing of the hypertext transfer protocol payload in step 340.
  • creating the correlation table for maintaining the API and the one or more corresponding input and the output parameters for each of the user’s session may include creating the correlation table for maintaining the one or more corresponding input and output parameters including at least one of session identifier, name, value type, filters, cookies, tokens or a combination thereof.
  • the method (300) also includes mapping, by a correlation determination module of the processing subsystem, one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface in step 350.
  • the method (300) also includes determining, by the correlation determination module of the processing subsystem, a correlation score between the one or more values and the one or more historical values of the application programming interface, syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created in step 360.
  • determining the correlation score between the one or more values and the one or more historical values of the API may include determining the correlation score varying from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values.
  • the method (300) also includes detecting, by an attack detection module of the processing subsystem, a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values in step 370.
  • detecting the malicious action on the API based on the correlation score determined may include detecting an insecure direct object reference (IDOR) attack on the application programming interface.
  • IDOR insecure direct object reference
  • Various embodiments of the present disclosure provide a system which detects and optionally prevents any attempt to insure direct access or unauthorized objects over REST API.
  • the present disclosed system for each request checks correlation in the correlation table, if the request API is present in the correlation table for each input parameters present in the correlation table, then the session cache is searched for matching correlated API and parameters. If the matching value is found in session cache, it is expected and correct behavior. If value is either not present in the session cache or not matching, this implies an anomaly input by the client.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Social Psychology (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system (100) to prevent an attack on an application programming interface is disclosed. An application programming interface data collection module (110) collects a plurality of user's application programming interface data. A learning module (120) to learn user's behaviour and application's behaviour, parse hypertext transfer protocol payload to extract a plurality of application programming interface associated components. A correlation table creation module (130) creates a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user's session. A correlation determination module (140) maps one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values, determines a correlation score between the one or values and historical values of the application programming interface and the one or more corresponding input and output parameters. An attack detection module (150) detects malicious action on the application programming interface.

Description

SYSTEM AND METHOD TO PREVENT AN ATTACK ON AN APPLICATION PROGRAMMING INTERFACE
EARLIEST PRIORITY DATE
This Application claims priority from a Complete patent application filed in India having Patent Application No. 202241011924, filed on March 04, 2022, and titled “SYSTEM AND METHOD TO PREVENT AN ATTACK ON AN APPLICATION PROGRAMMING INTERFACE”.
BACKGROUND
Embodiments of the present disclosure relate to a cyber risk prevention system and more particularly to a system and a method to prevent an attack on an application programming interface.
Application programming interfaces (APIs) allow for easy machine-to-machine communication. The API use has seen explosive growth lately. According to Akamai, API communications now account for more than 83% of all internet traffic. In recent years, the API becomes an effective bridge for interconnection of enterprise resources, an enterprise packages own data or services into a standard API and provides the standard API to authorized users, namely, partners, so as to accelerate partner integration and customer growth, and derive an open and converged API ecosystem. The API can include various business scenarios such as user information query and bank card payment. The APIs often document information about their structure and methods of implementation. Hackers can use this information to launch their cyberattacks. There are other API security vulnerabilities like poor authentication, no encryption, information leakage, API abuse and other flaws which can give rise to these attacks. As a result, various systems are developed to prevent an attack on an application programming interface.
Conventionally, there is a risk of any enterprise likely to get an unprecedented API attack, most are not aware of the possibility at all. This is mostly due to the unfamiliarity with the APIs, and how a poorly implemented one can cause damage to a business. More importantly, enterprises are not fully aware of how to prevent such an attack, and they end up losing critical user/client information. Also, such conventional systems are able to prevent some common types of attacks such as distributed denial of service (DDoS, or D-doss) attack, a man in the middle attack (MITM), API injection attack and the like.
Hence, there is a need for an improved system and a method to prevent an attack on an application programming interface in order to address the aforementioned issues.
BRIEF DESCRIPTION
In accordance with an embodiment of the present disclosure, a system to prevent an attack on an application programming interface is disclosed. The system includes a processing subsystem hosted on a server and configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem includes an application programming interface data collection module configured to collect a plurality of user’s application programming interface data. The processing subsystem also includes a learning module operatively coupled to the application programming interface data collection module. The learning module is configured to learn user’s behaviour and application’s behaviour based on the user’s application programming interface data collected. The learning module is also configured to parse hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt. The processing subsystem also includes a correlation table creation module operatively coupled to the learning module. The correlation table creation module is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session upon parsing of the hypertext transfer protocol and payload. In one embodiment, the input and output parameters may be in hypertext transfer protocol, payload of hypertext transfer protocol. In some embodiment, the application programming interface (API) data is collected in JavaScript object notation (JSON) format, an extended markup language (XML) format, hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like. The processing subsystem also includes a correlation determination module operatively coupled to the correlation table creation module. The correlation determination module is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface. The correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created. The processing subsystem also includes an attack detection module operatively coupled to the correlation determination module. The attack detection module is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
In accordance with another embodiment of the present disclosure, a method to prevent an attack on an application programming interface is disclosed. The method includes collecting, by an application programming interface data collection module of a processing subsystem, a plurality of user’s application programming interface data. The method also includes learning, by a learning module of the processing subsystem, user’s behaviour and application’s behaviour based on the user’s application programming interface data collected. The method also includes parsing, by the learning module of the processing subsystem, hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt. The method also includes creating, by a correlation table creation module of a processing subsystem, a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ session upon parsing of the hypertext transfer protocol and payload. The method also includes mapping, by a correlation determination module of the processing subsystem, one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface. The method also includes determining, by the correlation determination module of the processing subsystem, a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created. The method also includes detecting, by an attack detection module of the processing subsystem, a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
To further clarify the advantages and features of the present disclosure, a more particular description of the disclosure will follow by reference to specific embodiments thereof, which are illustrated in the appended figures. It is to be appreciated that these figures depict only typical embodiments of the disclosure and are therefore not to be considered limiting in scope. The disclosure will be described and explained with additional specificity and detail with the appended figures.
BRIEF DESCRIPTION OF THE DRAWINGS
The disclosure will be described and explained with additional specificity and detail with the accompanying figures in which:
FIG. 1 is a block diagram of a system to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure;
FIG. 2 is a schematic representation of an exemplary embodiment of a system to prevent an attack on an application programming interface of FIG. 1 in accordance with an embodiment of the present disclosure;
FIG. 3 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure; and
FIG. 4 is a flow chart representing the steps involved in a method to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure.
Further, those skilled in the art will appreciate that elements in the figures are illustrated for simplicity and may not have necessarily been drawn to scale. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the figures by conventional symbols, and the figures may show only those specific details that are pertinent to understanding the embodiments of the present disclosure so as not to obscure the figures with details that will be readily apparent to those skilled in the art having the benefit of the description herein.
DETAILED DESCRIPTION
For the purpose of promoting an understanding of the principles of the disclosure, reference will now be made to the embodiment illustrated in the figures and specific language will be used to describe them. It will nevertheless be understood that no limitation of the scope of the disclosure is thereby intended. Such alterations and further modifications in the illustrated system, and such further applications of the principles of the disclosure as would normally occur to those skilled in the art are to be construed as being within the scope of the present disclosure.
The terms "comprises", "comprising", or any other variations thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such a process or method. Similarly, one or more devices or sub-systems or elements or structures or components preceded by "comprises... a" does not, without more constraints, preclude the existence of other devices, sub-systems, elements, structures, components, additional devices, additional sub-systems, additional elements, additional structures or additional components. Appearances of the phrase "in an embodiment", "in another embodiment" and similar language throughout this specification may, but not necessarily do, all refer to the same embodiment.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the art to which this disclosure belongs. The system, methods, and examples provided herein are only illustrative and not intended to be limiting.
In the following specification and the claims, reference will be made to a number of terms, which shall be defined to have the following meanings. The singular forms “a”, “an”, and “the” include plural references unless the context clearly dictates otherwise. Embodiments of the present disclosure relate to a system and a method to prevent an attack on an application programming interface. The system includes a processing subsystem hosted on a server and configured to execute on a network to control bidirectional communications among a plurality of modules. The processing subsystem includes an application programming interface data collection module configured to collect a plurality of user’s application programming interface data. The processing subsystem also includes a learning module operatively coupled to the application programming interface data collection module. The learning module is configured to learn user’s behaviour and application’s behaviour based on the user’s application programming interface data collected. The learning module is also configured to parse hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt. The processing subsystem also includes a correlation table creation module operatively coupled to the learning module. The correlation table creation module is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session upon parsing of the hypertext transfer protocol and payload. The processing subsystem also includes a correlation determination module operatively coupled to the correlation table creation module. The correlation determination module is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface. The correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created. The processing subsystem also includes an attack detection module operatively coupled to the correlation determination module. The attack detection module is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
FIG. 1 is a block diagram of a system (100) to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure. The system (100) includes a processing subsystem (105) hosted on a server (108) and configured to execute on a network to control bidirectional communications among a plurality of modules. In one embodiment, the server (108) may include a cloud server. In another embodiment, the server (108) may include a local server. The processing subsystem (105) is configured to execute on a network (not shown in FIG. 1) to control bidirectional communications among a plurality of modules. In one embodiment, the network may include a wired network such as local area network (LAN). In another embodiment, the network may include a wireless network such as Wi-Fi, Bluetooth, Zigbee, near field communication (NFC), infra-red communication (RFID) or the like.
The processing subsystem (105) includes an application programming interface data collection module (110) configured to collect a plurality of user’s application programming interface data. In one embodiment, the application programming interface (API) data is collected in JavaScript object notation (JSON) format, an extended markup language (XML) format, hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
The processing subsystem (105) also includes a learning module (120) operatively coupled to the application programming interface data collection module (110). The learning module (120) is configured to leam user’s behaviour and application’s behaviour based on the user’s application programming interface data collected. In one embodiment, the user’s behaviour may include user’s usage behaviour associated with a web application or a mobile application. In another embodiment, the application’s behaviour may include a server data associated with serving of the application programming interface (API). The learning module (120) is also configured to parse hypertext transfer protocol (HTTP) payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt. In some embodiment, the API associated components may include at least one of a uniform resource locator, a method, a request header, a response header, a response status, a request parameter, a response parameter or a combination thereof.
The processing subsystem (105) also includes a correlation table creation module (130) operatively coupled to the learning module (120). The correlation table creation module (130) is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session upon parsing of the hypertext transfer protocol payload. In one embodiment, the one or more corresponding input and output parameters may include at least one of session identifier, name, value type, filters, tokens, cookies or a combination thereof.
The processing subsystem (105) also includes a correlation determination module (140) operatively coupled to the correlation table creation module (130). The correlation determination module (140) is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface. The correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created. In a specific embodiment, the correlation score varies from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values. As used herein, the term ‘one or more historical values’ are defined as one or more returned values with respect to previously called APIs.
The processing subsystem (105) also includes an attack detection module (150) operatively coupled to the correlation determination module (140). The attack detection module (150) is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values. In one embodiment, the malicious action may include an insecure direct object reference (IDOR) attack on the application programming interface.
In a particular embodiment, the processing subsystem (105) further includes an attack prevention module (160) configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end. As used herein, the term ‘401 http response code’ is defined as unauthorized client error status response code indicating that the client request has not been completed because it lacks valid authentication credentials for the requested resource. The attack prevention module (160) is also configured to transmit any other customizable response code and message to the user based on the malicious action detected.
FIG. 2 is a schematic representation of an exemplary embodiment of a system (100) to prevent an attack on an application programming interface of FIG. 1 in accordance with an embodiment of the present disclosure. Considering an example, where a website application associated with payment process for any transaction saves credit card information to make recurring payment process easier for users. In such a scenario, if the website application does not restrict easy access of the website application, then any hacker or a malicious actor can fetch the information from the website application easily by using his or her computing device (104). In order to overcome, such type of issues i.e. by stopping the hacker from obtaining the saved credit card information of users, the system (100) prevents the vulnerabilities in the application and breaks specified usual behavior.
For preventing the type of attacks on an application programming interface (API), the system (100) learns the client and application behavior by collecting API data. The system (100) includes a processing subsystem (105) hosted on a server (108) and further includes a plurality of modules. Here, the processing subsystem communicates with other modules through a wireless communication network (115). The processing subsystem (105) includes an application programming interface data collection module (110) configured to collect a plurality of user’s application programming interface data. For example, the application programming interface (API) data is collected in JavaScript object notation (JSON) format or an extended markup language (XML) format an extended markup language (XML) format, hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
Once, the API data is collected of the plurality of users, a learning module (120) learns user’s behaviour and application’s behaviour based on the user’s application programming interface data collected. For example, the user’s behaviour may include user’s usage behaviour associated with a web application or a mobile application. In another example, the application’s behaviour may include a server data associated with serving of the application programming interface (API). The learning module (120) is also configured to parse hypertext transfer protocol (HTTP) and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour leamt. Again, the API associated components may include at least one of a uniform resource locator, a method, a request header, a response header, a response status, a request parameter, a response parameter or a combination thereof.
Upon parsing of the HTTP protocol and payload, a correlation table creation module (130) creates a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’s session. For example, the one or more corresponding input and output parameters may include at least one of session identifier, name, value type, tokens, filters, cookies or a combination thereof.
Based on the creation of the correlation table, a correlation determination module (140) is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface using session identifier. The correlation determination module is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created. In the example used herein, the correlation score varies from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values.
Again, based on the correlation score determined upon mapping of the one or more values with the one or more historical values, an attack detection module (150), detects a malicious action on the application programming interface. For example, here the malicious action may include an insecure direct object reference (IDOR) attack on the application programming interface. In the example used herein, let’s say the hacker acquires information by requesting a server to retrieve credit card information by sending the user ID value ‘ 10’. The user ID value is then manipulated to ‘ 12’ and the hacker gets the credit card information of the original user with ID value ‘ 12’. The server fails to verify the user request, sending the response for any value. As a result, the chances of IDOR attack arises. However, the system (100) detects the possibility of the IDOR attack with comparison of every client to application behavior against correlation, and any deviation is flagged as unauthorized access.
Further, in order to prevent the type of attack, an attack prevention module (160) is configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end. Here, the term 401 http response code refers to unauthorized client error status response code indicating that the client request has not been completed because it lacks valid authentication credentials for the requested resource. Thus, the system (100) helps in detecting as well as preventing the type of attacks on the API by collecting and analyzing multiple user interaction with application.
FIG. 3 is a block diagram of a computer or a server in accordance with an embodiment of the present disclosure. The server (200) includes processor(s) (230), and memory (210) operatively coupled to the bus (220). The processor(s) (230), as used herein, means any type of computational circuit, such as, but not limited to, a microprocessor, a microcontroller, a complex instruction set computing microprocessor, a reduced instruction set computing microprocessor, a very long instruction word microprocessor, an explicitly parallel instruction computing microprocessor, a digital signal processor, or any other type of processing circuit, or a combination thereof.
The memory (210) includes several subsystems stored in the form of executable program which instructs the processor (230) to perform the method steps illustrated in FIG. 1. The memory (210) includes a processing subsystem (105) of FIG.l. The processing subsystem (105) further has following modules: an application programming interface data collection module (110), a learning module (120), a correlation table creation module (130), a correlation determination module (140), an attack detection module (150), and an attack prevention module (160).
The application programming interface data collection module (110) is configured to collect a plurality of user’s application programming interface data. The learning module (120) is configured to leam user’s behaviour and application’s behaviour based on the user’s application programming interface data collected. The learning module (120) is also configured to parse hypertext transfer protocol and pay load to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt. The correlation table creation module (130) is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ session upon parsing of the hypertext transfer protocol and payload. The correlation determination module (140) is configured to map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface. The correlation determination module (140) is also configured to determine a correlation score between the one or values and the one or more historical values of the application programming interface, syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created. The attack detection module (150) is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values. The attack prevention module (160) is configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end.
The bus (220) as used herein refers to be internal memory channels or computer network that is used to connect computer components and transfer data between them. The bus (220) includes a serial bus or a parallel bus, wherein the serial bus transmits data in bit-serial format and the parallel bus transmits data across multiple wires. The bus (220) as used herein, may include but not limited to, a system bus, an internal bus, an external bus, an expansion bus, a frontside bus, a backside bus and the like.
FIG. 4 is a flow chart representing the steps involved in a method (300) to prevent an attack on an application programming interface in accordance with an embodiment of the present disclosure. The method (300) includes collecting, by an application programming interface data collection module of a processing subsystem, a plurality of user’s application programming interface (API) data in step 310. In one embodiment, collecting the plurality of user’s application programming interface data may include collecting the API data collected in JavaScript object notation (JSON) format, an extended markup language (XML) format hypertext transfer protocol (HTTP) format, protocol buffer (Protobuf) format, graph query language (GraphQL) format and the like.
The method (300) also includes learning, by a learning module of the processing subsystem, user’s behaviour and application’s behaviour based on the user’s application programming interface data collected in step 320. In one embodiment, learning the user’s behaviour based on the user’s API data collected may include learning the user’s usage behaviour associated with a web application or a mobile application. In another embodiment, learning the application’s behaviour may include learning the application’s behaviour which may include a server data associated with serving of the application programming interface (API).
The method (300) also includes parsing, by the learning module of the processing subsystem, hypertext transfer protocol payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt in step 330. In some embodiment, parsing the hypertext transfer protocol (HTTP) payload to extract the plurality of the API associated components may include extracting at least one of a uniform resource locator, a method, a request header, a response header, a response status, a request parameter, a response parameter or a combination thereof.
The method (300) also includes creating, by a correlation table creation module of a processing subsystem, a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ s session upon parsing of the hypertext transfer protocol payload in step 340. In one embodiment, creating the correlation table for maintaining the API and the one or more corresponding input and the output parameters for each of the user’s session may include creating the correlation table for maintaining the one or more corresponding input and output parameters including at least one of session identifier, name, value type, filters, cookies, tokens or a combination thereof.
The method (300) also includes mapping, by a correlation determination module of the processing subsystem, one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface in step 350. The method (300) also includes determining, by the correlation determination module of the processing subsystem, a correlation score between the one or more values and the one or more historical values of the application programming interface, syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created in step 360. In some embodiment, determining the correlation score between the one or more values and the one or more historical values of the API may include determining the correlation score varying from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values.
The method (300) also includes detecting, by an attack detection module of the processing subsystem, a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values in step 370. In one embodiment, detecting the malicious action on the API based on the correlation score determined may include detecting an insecure direct object reference (IDOR) attack on the application programming interface.
Various embodiments of the present disclosure provide a system which detects and optionally prevents any attempt to insure direct access or unauthorized objects over REST API.
Moreover, the present disclosed system for each request checks correlation in the correlation table, if the request API is present in the correlation table for each input parameters present in the correlation table, then the session cache is searched for matching correlated API and parameters. If the matching value is found in session cache, it is expected and correct behavior. If value is either not present in the session cache or not matching, this implies an anomaly input by the client.
It will be understood by those skilled in the art that the foregoing general description and the following detailed description are exemplary and explanatory of the disclosure and are not intended to be restrictive thereof. While specific language has been used to describe the disclosure, any limitations arising on account of the same are not intended. As would be apparent to a person skilled in the art, various working modifications may be made to the method in order to implement the inventive concept as taught herein. The figures and the foregoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, the order of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts need to be necessarily performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of embodiments is by no means limited by these specific examples.

Claims

LAIM:
1. A system (100) to prevent an attack on an application programming interface comprising: a processing subsystem (105) hosted on a server (108) and configured to execute on a network to control bidirectional communications among a plurality of modules comprising: an application programming interface data collection module (110) configured to collect a plurality of user’s application programming interface data; a learning module (120) operatively coupled to the application programming interface data collection module (110), wherein the learning module (120) is configured to: leam user’s behaviour and application’s behaviour based on the user’s application programming interface data collected; and parse hypertext transfer protocol and payload to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt; a correlation table creation module (130) operatively coupled to the learning module (120), wherein the correlation table creation module (130) is configured to create a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ session upon parsing of the hypertext transfer protocol and payload; a correlation determination module (140) operatively coupled to the correlation table creation module (130), wherein the correlation determination module (140) is configured to: map one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface; and determine a correlation score between the one or values and the one or more historical values of the application programming interface, syntactical names of the one or more corresponding input and output parameters and the one or more corresponding input and output parameters from the correlation table created; and an attack detection module (150) operatively coupled to the correlation determination module (140), wherein the attack detection module (150) is configured to detect a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values.
2. The system (100) as claimed in claim 1, wherein the application programming interface data is collected in JavaScript object notation format, an extended markup language format hypertext transfer protocol format, protocol buffer format, graph query language format and the like.
3. The system (100) as claimed in claim 1, wherein the user’s behaviour comprises user’s usage behaviour associated with a web application or a mobile application.
4. The system (100) as claimed in claim 1, wherein the application’s behaviour comprises a server data associated with serving of the application programming interface.
5. The system (100) as claimed in claim 1, wherein the application programming interface associated components comprises at least one of a uniform resource locator, a method, a request header, a response header, a response status a request parameter, a response parameter or a combination thereof.
6. The system (100) as claimed in claim 1, wherein the one or more input and output parameters comprises at least one of session identifier, name, value type, filters, tokens, cookies or a combination thereof.
7. The system (100) as claimed in claim 1, wherein the correlation score varies from 0 to 1 based on analysis of the corelation between the one or more values of the application programming interface and the one or more historical values.
8. The system (100) as claimed in claim 1, wherein the malicious action comprises an insecure direct object reference attack on the application programming interface.
9. The system (100) as claimed in claim 1, wherein the processing subsystem (105) further comprising an attack prevention module (160) configured to transmit 401 hypertext transfer protocol response code to the user based on the malicious action detected from user end.
10. A method (300) comprising: collecting, by an application programming interface data collection module of a processing subsystem, a plurality of user’s application programming interface data (310); learning, by a learning module of the processing subsystem, user’s behaviour and application’s behaviour based on the user’s application programming interface data collected (320); parsing, by the learning module of the processing subsystem, hypertext transfer protocol pay load to extract a plurality of application programming interface associated components based on the user’s behaviour and the application’s behaviour learnt (330); creating, by a correlation table creation module of a processing subsystem, a correlation table for maintaining an application programming interface and one or more corresponding input and output parameters for each user’ session upon parsing of the hypertext transfer protocol payload (340); mapping, by a correlation determination module of the processing subsystem, one or more values of the application programming interface and the one or more corresponding input and output parameters with one or more historical values returned corresponding to the application programming interface (350); determining, by the correlation determination module of the processing subsystem, a correlation score between the one or values and the one or more historical values of the application programming interface and the one or more corresponding input and output parameters from the correlation table created (360); and detecting, by an attack detection module of the processing subsystem, a malicious action on the application programming interface based on the correlation score determined upon mapping of the one or more values with the one or more historical values (370).
PCT/IB2022/053903 2022-03-04 2022-04-27 System and method to prevent an attack on an application programming interface WO2023166336A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202241011924 2022-03-04
IN202241011924 2022-03-04

Publications (1)

Publication Number Publication Date
WO2023166336A1 true WO2023166336A1 (en) 2023-09-07

Family

ID=87883122

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2022/053903 WO2023166336A1 (en) 2022-03-04 2022-04-27 System and method to prevent an attack on an application programming interface

Country Status (1)

Country Link
WO (1) WO2023166336A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7934253B2 (en) * 2006-07-20 2011-04-26 Trustwave Holdings, Inc. System and method of securing web applications across an enterprise
CN104850780A (en) * 2015-04-27 2015-08-19 北京北信源软件股份有限公司 Discrimination method for advanced persistent threat attack

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7934253B2 (en) * 2006-07-20 2011-04-26 Trustwave Holdings, Inc. System and method of securing web applications across an enterprise
CN104850780A (en) * 2015-04-27 2015-08-19 北京北信源软件股份有限公司 Discrimination method for advanced persistent threat attack

Similar Documents

Publication Publication Date Title
US7870201B2 (en) Apparatus for executing an application function using a mail link and methods therefor
US7870202B2 (en) Apparatus for executing an application function using a smart card and methods therefor
US8533581B2 (en) Optimizing security seals on web pages
US8122251B2 (en) Method and apparatus for preventing phishing attacks
WO2020259389A1 (en) Csrf vulnerability detection method and apparatus
CN103384888A (en) Systems and methods for malware detection and scanning
US11611582B2 (en) Dynamic phishing detection
EP1955183A2 (en) Application access utilizing a client-generated authentication code
US11689528B2 (en) Transparently using origin isolation to protect access tokens
US20150067772A1 (en) Apparatus, method and computer-readable storage medium for providing notification of login from new device
US12069080B2 (en) Malware detection using document object model inspection
CN110177096B (en) Client authentication method, device, medium and computing equipment
US20240114038A1 (en) Web 3.0 object reputation
Wang et al. A framework for formal analysis of privacy on SSO protocols
CN114866247B (en) Communication method, device, system, terminal and server
CN113709136B (en) Access request verification method and device
JP5743822B2 (en) Information leakage prevention device and restriction information generation device
WO2023166336A1 (en) System and method to prevent an attack on an application programming interface
US11438375B2 (en) Method and system for preventing medium access control (MAC) spoofing attacks in a communication network
US20240195817A1 (en) Technical support scam protection
CN112751844B (en) Portal authentication method and device and electronic equipment
EP4351106A1 (en) Web 3.0 object reputation
EP4383647A1 (en) Technical support scam protection
Morag Container attacks: a blast radius analysis
CN117376027A (en) Message modification method, device, equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22929682

Country of ref document: EP

Kind code of ref document: A1