Patents Assigned to Traceable Inc.
  • Publication number: 20230224314
    Abstract: A system that intercepts and analyzes application program interface (API) traffic, identifies correlations between components of API traffic, and uses those correlations to detect anomalous behaviors. API traffic, including requests and responses, is intercepted and analyzed to identify correlations in the API traffic. The correlations may be based on API traffic and can include a sequence of APIs, parameters passed between earlier and subsequent APIs, user roles within a user session and APIs accessed by the user roles, and other correlations. Correlation data for user sessions is generated and stored, and later compared to subsequent user session traffic. If the subsequent user session traffic does not comply with the correlations detected in earlier user sessions, an anomaly may be triggered.
    Type: Application
    Filed: January 3, 2022
    Publication date: July 13, 2023
    Applicant: Traceable Inc.
    Inventors: Avinash Kolluru, Inon Shkedy, Ravindra Guntur, Shubham Jindal
  • Publication number: 20230224318
    Abstract: Live and legitimate user traffic is used with in-depth knowledge of the business logic for an API specification to perform security testing on a set of APIs. The present system intercepts and analyzes application program interface (API) traffic, identifies user session data, and identifies traffic suitable to duplicate. The identified traffic is duplicated and modified by addition of malicious code. The modified code is then sent to its intended API destination, where it is processed as normal. The resulting response and other traffic as well as the API system and optionally other systems, such as datastore systems, are analyzed to determine if the malicious code resulted in a valid attack. Results from the modified code attack attempts are reported to a user.
    Type: Application
    Filed: January 8, 2022
    Publication date: July 13, 2023
    Applicant: Traceable Inc.
    Inventors: Inon Shkedy, Roshan Piyush, Sanjay Nagaraj, Satish Kumar Mittal, Juan Pablo Tosso Alvarez
  • Publication number: 20220321587
    Abstract: A system identifies sessions of API behavior and uses the identified behavior to detect anomalous API requests. A session of API behavior is detected as two or more API requests that are typically received in a chronological order. The APIs in a session occur in a particular order, and have a particular API request or response that follows and/or precedes each other API request or response. Once APIs in a session are learned, incoming API requests typically associated with a session can be compared to the session to determine if they appear in an expected sequence based on the session. If an API request is not received in the sequence or chronological order according to an API session, the received request can be tagged as an anomaly. Similarly, if the received request does not include information from a previous response or request, the received API request may be an anomaly.
    Type: Application
    Filed: June 5, 2021
    Publication date: October 6, 2022
    Applicant: Traceable Inc.
    Inventors: Ravindra Guntar, Ranaji Krishna
  • Publication number: 20220318332
    Abstract: A system generates a number of uniform resource locators as application program interfaces in an intelligent way based on live traffic. Live traffic between a server and multiple users is monitored and intercepted and forwarded to a remote server that processes the traffic. Traffic URLs are processed to build a digital data structure that represents nodes or portions within each URL. For URLs having different nodes at the same hierarchical level that have the same type, the present system may replace those different nodes with a representative node. The representative node replaces the nodes at the same hierarchical level having the same type, but having different values.
    Type: Application
    Filed: June 5, 2021
    Publication date: October 6, 2022
    Applicant: Traceable Inc.
    Inventors: Shubham Jindal, Avinash Kolluru, Ravindra Guntar, Anuj Toyal
  • Publication number: 20220318081
    Abstract: A system analyzes APIs and automatically generates an API description for the system. The APIs each have an API behavior, which can include a request and a response. Each request and response can have different components. The present system automatically learns characteristics and patterns in the request and response components. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined. Once the API description is automatically generated by the system, the API description can be compared to incoming API requests to identify anomalies that can be associated with users without proper credentials.
    Type: Application
    Filed: June 5, 2021
    Publication date: October 6, 2022
    Applicant: Traceable Inc.
    Inventors: Shubham Jindal, Avinash Kolluru, Ravindra Guntar, Inon Shkedy
  • Publication number: 20220318378
    Abstract: Behaviors in the form of API strings for each of a plurality of users are determined for each user interacting with an API for a particular time. The behavior strings are converted to a numerical format, and clustering algorithms are applied to the numerical format data. The type of cluster is then determined for each cluster. Types of clusters can include an attacking user, bots, speed of access, and outlier type. The results of clustering and a statistical analysis can be reported to a user through a dashboard. The dashboard may provide graphical information, for example in the form of a Sankey diagram, as well as statistical analysis data for each cluster.
    Type: Application
    Filed: June 17, 2021
    Publication date: October 6, 2022
    Applicant: Traceable Inc.
    Inventors: Ravindra Guntar, Ranaji Krishna
  • Publication number: 20220318618
    Abstract: The present system models multiple application program interfaces (APIs) and determines anomaly behavior for the group of APIs. The system APIs are monitored and data is collected for the multiple APIs. Metrics are generated for the APIs and reported to an application. The metrics are a raw time series stream of metrics and are transformed to a different domain for processing. In some instances, the raw time series metric data is smoothed or averaged into an average domain. A model receives the smooth time series metric data, a pilot signal, and homogeneous signal inputs. The model may include an LSTM model or some other model. The LSTM model may output data to a neural network, which then provides output of a predicted value of the metrics, current value of the metric, and a regenerated pilot signal. A determination is made as to whether the neural network system predicts the pilot signal correctly, and if so the predicted metric is compared to the actual metric.
    Type: Application
    Filed: June 16, 2021
    Publication date: October 6, 2022
    Applicant: Traceable Inc.
    Inventors: Ravindra Guntar, Ranaji Krishna