Search papers, labs, and topics across Lattice.
This paper introduces HTTP REST API Learning (HRAL), an unsupervised anomaly detection method that learns the structure and behavior of API endpoints directly from network traffic, circumventing the need for predefined rules or documentation. The approach demonstrates robust detection of malicious activities by identifying deviations from learned API behaviors, achieving an average recall of 82.07% and an F1-score of 87.24%, particularly excelling in environments with limited API documentation. When integrated with existing signature-based rules, HRAL achieves complete detection, underscoring its potential as a foundational component for enhancing API security in real-world applications.
HRAL can achieve 100% detection of malicious API activity, even in environments with minimal documentation, making it a game-changer for API security.
Application Programming Interfaces (APIs) are essential in software development, enabling web services, mobile apps, and microservices. However, their widespread use introduces significant security risks, highlighting the importance of API security. This paper presents HTTP REST API Learning (HRAL), a novel unsupervised anomaly detection approach that models the structure and behavior of API endpoints directly from network traffic, without relying on predefined rules or documentation. HRAL enables robust detection of malicious activity by understanding how APIs behave and flagging deviations as potential threats. We evaluate HRAL across varying levels of OpenAPI documentation detail and compare it with existing techniques. HRAL achieves strong performance, with an average recall of 82.07% and an F1-score of 87.24%, significantly outperforming alternatives when API documentation is limited. Moreover, our results approach the effectiveness of full API document definitions. When combined with signature-based rules such as the OWASP ModSecurity CRS, our system achieves 100% detection. These results highlight HRAL's effectiveness in real-world, partially documented API environments and its potential as a foundational layer for modern API security solutions.