Just like airport security, a system hosting a public API has to deal with heavy loads of incoming traffic every day. Most of that traffic, most of the time, is legitimate but sometimes some of it is not. David Andrzejek over at Helpnetsecurity explains to you how, by taking a leaf out of the airport security book, you can keep the bad apples out of your API while still serving millions of requests each day without latency.
Like a traveller passing thru airport security, an API client has his credentials validated at each request and gets checked for XML bombs, SQL injection, nested data forms and so on. But like terrorists at the airport, hackers often have valid credentials stolen from someone else and don’t wear their bad intent on their sleeve.
As US and Israeli airport security have found, the best way to weed out the bad apples without overburdening everyone else is to use behaviour evaluation to identify potential bad actors. API security can do the same thing. The idea is to have rules and algorithms in place to evaluate client sessions, asking questions like ‘How are clients behaving?’ ‘What are they doing?’, and ‘Are there unusual error rates or repeat behaviors in short timeframes?’.
David emphasizes that there are numerous machine-based approaches to answering these questions in order to identify and stop malicious API client practice. He warns, however, that the standard web security approaches won’t necessarily work with APIs. Hackers can be cunning. They know standard DoS attacks won’t work well. Attacks can be hidden by distributing hacking attempts across bots that get hidden in a sea of legitimate traffic.
To get really good at detecting the bad apples, you consequently need to put in place a machine learning-based system that understands API traffic really well. That means having a system with a good understanding of what an API key is, what an access token is and what the request context of any payload is.
David concludes by stressing that while there’s no proof that machine learning-based behavior detection algorithms are the answer to API security problems, you need to bolster your API security if you’re not to be caught wrong-footed by hackers.