Artificial Intelligence Based API Security with WSO2 and PingIntelligence for APIs
By Sanjeewa Malalgoda
- 9 Jun, 2019
APIs power digital transformation. They are invaluable for any organization’s employees, partners, customers, and other stakeholders to gain access to applications, data, and business functionality across the enterprise. As it’s a critical component in any large enterprise, many of them have built internal and external API strategies within their organizations. This includes ensuring security throughout the API ecosystem.
The success of APIs makes it an attractive target for hackers and malicious users. Most sophisticated security attacks today cannot be prevented by access control and rate limiting policies alone. Modern security teams need to detect and respond to dynamic attacks and the unique vulnerabilities of each API. Because of the gravity of recent attacks and security compromises related to APIs, a level of security apart from access control is needed.
Each API has its own access patterns and users, which makes it hard to detect a specific pattern by analyzing large volumes of data manually or by using static policies. Unsupervised machine learning and artificial intelligence (AI) can be used to augment API security and efficiently detect security threats.
AI-driven Security for API Management
WSO2 API Manager and Ping worked together to implement such an AI-based API security solution by combining the functionality of both products.
WSO2 API Manager is a unique open source approach to addressing full API lifecycle management, monetization, and policy enforcement. It allows extensibility and customization and ensures freedom from vendor lock-in. As part of the larger WSO2 Integration Agile Platform, it is a central component used to deploy and manage API-driven ecosystems. It’s hybrid integration capabilities further simplify projects that span traditional as well as microservice environments by allowing deployment on-premises, in the cloud, or in a combination of both.
It offers various static policy-based options for security and access control. These include:
- OAuth 2.0 authentication and authorization for API access.
- Request and response validation against the most common request based attacks such as SQL injection, parsing attacks, and schema poisoning.
- API policy creation and enforcement based on specific parser properties and regular expressions
- Support for many types of rate limiting capabilities including rate limits by request counts and network bandwidth usage
- The ability to assign quotas to users, applications, IP addresses, devices, and regions among other things
PingIntelligence for APIs represents one of the first solutions that help enterprises move away from static, policy-driven security models to continuous, proactive API threat monitoring and detection. As this trend picks up speed, companies will find that AI and machine learning nicely complement and extend security capabilities that they’re already investing in, such as authentication/authorization solutions and API management/gateway solutions.
Recently WSO2 and Ping partnered to achieve the common goal of augmenting current API security mechanisms. The WSO2 team developed an open source extension to communicate with the PingIntelligence API security enforcer (ASE), which can be deployed in WSO2 API Gateway.
Since Ping (through PingIntelligence) is a market leader in AI-powered API cybersecurity they were our natural choice when considering a partnership. This opportunity allows WSO2 API Manager users to apply AI-based security analysis for their APIs in addition to static rule-based security controls. Similarly, PingIntelligence users can now utilize AI-based analytics when they externally expose their services as APIs.
If you are considering an API-first strategy, WSO2 API Manager is a good choice as it provides all the necessary API management capabilities and can now easily integrate with PingIntelligence to provide intelligent API security. This partnership adds value to both WSO2 and Ping and makes its users’ lives easier.
How it Works
With this project, we intend to apply AI models to continuously inspect and report on all API activity. It helps to discover anomalous API traffic behavior automatically across the enterprise. Bad actors are well versed in circumventing static security policies. Our solution recognizes and responds to attacks which fly under the radar of foundational API security measures, and target API vulnerabilities without static policies, rules or code. Examples of API attacks reported and blocked include:
Authentication System Attacks
- Login system attacks: Bad actors use credential stuffing and other brute force attacks to test valid credentials from the dark web to determine the validity of these credentials. They then utilize the compromised credentials to access API services. Bots may execute aggressive attacks or run slower attacks designed to blend in with normal login failures.
- Account takeover with stolen credential attacks: Stolen credentials acquired via man-in-the-middle and other attacks are used to penetrate and take over accounts. These credentials include stolen tokens, cookies or API keys which may be used by the hacker to access data authorized to the compromised client.
Data and Application Attacks
- API takeover attacks: Hackers use a valid account to reverse engineer the API and access other accounts using the vulnerabilities they found. Theft of data and private info follows, as well as the takeover of other accounts. Meanwhile, the hacker looks like a normal user at all times since they are using a valid account.
- Data extraction or theft: Hackers use APIs to steal files, photos, credit card information and personal data from accounts available through an API. Since normal outbound activity on one API may be an attack on a different API, PingIntelligence uses its deep understanding of each API to block both normal and extended duration data exfiltration attacks.
- Data scraping: APIs are commonly abused by bots which extract (scrape) data for subsequent use (e.g. competitive pricing) which can negatively impact your business. Data scraping attacks can be executed on the API service directly and can run over extended time frames to avoid detection.
- Data deletion or manipulation: A disgruntled employee or hacker could delete information to sabotage systems or change data to compromise information.
- Data injected into an application service: A hacker can load large data files to overrun system memory or inject excessive data to overload an API service.
- Malicious code injection: A hacker may inject malicious code, such as key loggers, which could compromise other users accessing the service.
- Extreme application activity: A hacker can generate calls that require unusually high system resources which can overwhelm a backend and cause an application-level denial of service.
- Probing and fuzzing attacks: A hacker may look for coding flaws which can be exploited to expose unintended content. The hacker may also try to mask the activity by probing the API over long time periods. These attacks can be used to force API errors to uncover IP and system addresses that can then be used to access resources.
API DoS/DDoS Attacks
- Targeted API DDoS attacks: Hackers tune attacks to stay below rate limits and exploit API vulnerability with finely crafted API Distributed Denial of Service (DDoS) attacks to disable services.
- Extreme client activity: A bot or hacker may generate extreme levels of inbound activity on an API service.
The WSO2 API Gateway is the primary component that intercepts API requests and applies various types of policies. Each policy is executed using something we call an “API Handler”. The API gateway architecture allows users to add specific handlers to perform various tasks in different stages of the request flow. This implementation comes with a handler that allows users to perform sideband calls to the Ping ASE. With these sideband calls, it publishes API request metadata to Ping and checks the validity of the request. It does the same for the response as well. With the provided request metadata Ping ASE can detect abnormal access patterns. It also builds a knowledge base using API request data sent to it.
With this knowledge base, it can build models that make informed decisions. The AI engine looks at a range of information and determines that the API has been trained when a sufficient amount of data has been collected. All API traffic, normal and attack, is captured and analyzed during the training period. The AI engine also applies continuous learning after the initial API training is complete. Once training is completed ASE will update with the decisions made.
APIs are critical for any enterprise today. While these APIs are useful for both internal and external users, they often become a target for hackers and malicious users. Most sophisticated security attacks these days can’t be prevented with just rate limits and static policies. That’s why WSO2 and Ping have partnered up to build a next-gen API security solution that applies AI models to continuously inspect and report on all API activity.
Download the extension here.
- Sanjeewa Malalgoda
- Associate Director, Engineering | Architect at WSO2