Abstract: A system that intercepts and analyzes application program interface (API) traffic, identifies correlations between components of API traffic, and uses those correlations to detect anomalous behaviors. API traffic, including requests and responses, is intercepted and analyzed to identify correlations in the API traffic. The correlations may be based on API traffic and can include a sequence of APIs, parameters passed between earlier and subsequent APIs, user roles within a user session and APIs accessed by the user roles, and other correlations. Correlation data for user sessions is generated and stored, and later compared to subsequent user session traffic. If the subsequent user session traffic does not comply with the correlations detected in earlier user sessions, an anomaly may be triggered.

Abstract: Live and legitimate user traffic is used with in depth knowledge of the business logic for an API specification to perform security testing on a set of APIs. The present system intercepts and analyzes application program interface (API) traffic, identifies user session data, and identifies traffic suitable to duplicate. The identified traffic is duplicated and modified by addition of malicious code. The modified code is then sent to its intended API destination, where it is processed as normal. The resulting response and other traffic as well as the API system and optionally other systems, such as datastore systems, are analyzed to determine if the malicious code resulted in a valid attack. Results from the modified code attack attempts are reported to a user.

Abstract: A system analyzes APIs and automatically generates an API description for the system. The APIs each have an API behavior, which can include a request and a response. Each request and response can have different components. The present system automatically learns characteristics and patterns in the request and response components. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined. Once the API description is automatically generated by the system, the API description can be compared to incoming API requests to identify anomalies that can be associated with users without proper credentials.