A security team intending to enhance API security might start with a traditional tool set such as:

  • Software development lifecycle tools like source code analysis (SCA) and static- and dynamic application software testing (SAST and DAST)
  • Monitoring inbound activity and blocking potential threats, typically with signature-based detection tools deployed at or near the network perimeter. Some limitations of this approach are covered in a previous article.

Here are some additional potential problems with perimeter-security approaches:

  1. API traffic volume can be extremely high, so the threats that matter can get lost in the noise.
  2. API attacks and abuse may unfold over days or even weeks, so point-in-time analysis, lacking meaningful context, misses finding the needle in the haystack.
  3. API access tokens are refreshed frequently, making it difficult to see how your APIs are being probed or accessed – and by whom.

As a result, perimeter and similar signature-based security approaches may detect and stop obvious API threats, but they do little to protect against sophisticated malicious activity that may extend across different IP addresses, tokens, and time periods.

This is where API behavioral analytics helps.

What is API behavioral analytics?

Before diving into the API flavor of it, let’s define behavioral analytics. In my research I discovered my favorite definition, VMware’s: Behavioral analysis uses machine learning, artificial intelligence, big data, and analytics to identify malicious behavior by analyzing differences in normal, everyday activities.

Properly implemented, API behavioral analytics identifies and tracks API consumers, puts their actions in business context, and differentiates between normal business processes and potential attacks or abuse over long time periods.

Performing behavioral analytics requires the ability to move beyond the noise originating from indistinguishable IP addresses. As we rise above IP addresses, let’s clarify terms. The simplest term to use here is “user” but in the context of APIs, user can be an authenticated human, or an authenticated machine account entity. Let’s dial in for a moment on business-to-business APIs: the API provider has to grant its API consumers access to the API. For the purposes of this discussion, let’s refer to API consumers as users. Consider this illustration:


 From here, we can zero in on two distinct types of entities crucial to API security:

  • Actor entity: One facet of an API consumer (e.g., an API key, an authenticated user, an access token, an IP address).
  • Business entity: A collection of API resources that collectively represent a single business entity (e.g., an order, a reservation).

Connecting elements like user identifiers, access tokens, API keys, and sessions to create a complete picture of a user is the first step to determining if they are legitimate or malicious. In this case, a “user” may be an authenticated user or an API key that a partner is using to request access tokens.

The second piece of the equation is understanding how each and every actor entity is interacting with each and every of your business entities and APIs. For example, knowing that the user is interacting with a specific API endpoint is less revealing than knowing that they are accessing a specific invoice, placing an order, accessing a certain hotel reservation, etc. So, it’s important to understand how individual API services and endpoints come together to create business processes that have meaning to humans.

Using API behavioral analytics to spot anomalies

Once you can connect the dots between actor entities and business entities, you have a framework for baselining normal behavior and detecting meaningful anomalies.

Here’s a basic example. Suppose you built a baseline calculation of how many times a restaurant client application might interact with several API endpoints in a vendor payment system:

  • Every 10 minutes: charge API
  • Each day: charge summary(daily) API
  • Monthly: invoice API

A solid baseline across several API endpoints can then provide the foundation for a wide range of anomaly detection models. The observations are used as a training data set for various API attack use cases. The data is collected over a sufficient period to be used for predictive Machine Learning models. A few notable examples are:

  • Users with similar permissions are clustered, so that a model predicts whether a given access made by a user is a violation of its expected permissions which were learned.
  • The number of charge API calls by the user during a single 1-hour window exceeds the historical baseline, by, for example, an order of magnitude.
  • The same user credentials are observed calling the charge API from two countries on opposite sides of the world at the same time.
  • The same access tokens are observed being used from multiple IP addresses at the same time.

These types of activities become much more meaningful – and detectable – once you have profiled and baselined how actors and business entities interact using APIs. And this is just one of thousands of potential API behavioral analytics scenarios.

These approaches are not immune to false positives. To continue the above example, the client application might be deployed to a new location or the client user might be working at home over a VPN connection. Either of these use cases could look like one of the abnormal detections above.

That’s why smart API behavioral analytics requires the creation of models on top of other models to filter out false positives. This can include profiling users and endpoints  with different risk and sensitivity levels, as well as looking at attributes like device type and activity to infer context more accurately.

The cloud is required for API behavioral analytics 

The data storage and machine learning power required to perform API behavioral analytics at scale is only possible by tapping into the scalability of the cloud. That’s why next-generation API security platforms like Neosec have moved the industry from on-premises deployment models to the cloud. The cloud model also enables you to access advanced analytics from anywhere you want or need to work.

Try behavioral analytics for your API security

In addition to enabling more advanced API security threat detection and analysis capabilities, SaaS-based API security is also much faster and easier to deploy. In fact, you can have it deployed and analyzing your API activity quickly. Request a free trial of Neosec today to see for yourself.


API Security: Debunking the Myths

Learn the fundamentals of API security. Made for security leaders and practitioners to increase their foundational knowledge about API security and best practices.


Gartner provides a view into API trends. Learn More.