PROTECT APIs FROM BOTS

Protect APIs from malicious data-mining bots using advanced behavioural machine learning in the hybrid cloud

AI for Bots: Visitor Management

API abuse protection at the edge

“The central problem of API protection is simple to define. As all traffic to APIs is by definition automated, simple fingerprinting, CAPTCHA and other JavaScript-based bot mitigations don't work. If your API is being systematically data-mined against your terms of service - VerifiedVisitors' behavioural ML can detect and prevent these abuse-of-service attacks - before they hit your APIs”

Validating Visitor Traffic at the Network Edge

VerifiedVisitors uses behavioural machine learning to analyse all the traffic to your APIs. This enables us to detect the typical patterns associated with the abuse of your API terms of service.


Let's take a typical example. You have an API that lets your customers calculate the correct shipping fees per product. For your paying customers, the acceptable use policy is that the ecom partner looks up a customer address, along with the relevant item, weight, postal address, and delivery service requested. On any given day, this could be hundreds of lookups, but, crucially, the ecom partner is only performing one lookup as part of the transaction and final pricing.


Abusive use of the API is when a distributed attack, using thousands of IPs and user agents, systematically crawls each postal district and extracts all your pricing data - which can then be used by your competitors, or even to power another service as part of a mash-up of API services.

Traditionally, this type of attack is almost impossible to detect. You have to just rate-limit the API, which sucks for your legitimate clients.

Strategies for API Abuse

What do we do today?

Our customers tell us it's not going to be immediately obvious that API abuse is in fact happening. API traffic tends to scale quite quickly and it's very hard to distinguish legitimate use from abuse. Often it will be a "gut-feel" - we just think abuse is occurring. We may have timeouts and poor performance due to the increased API calls.

The cloud architect charged with solving the API abuse issue will typically increase system resources, and ensure the API has enough elastic compute to auto-scale to cope with the additional resources consumed by the abusive API queries. Or they may go the opposite way, and simply rate-limit the entire service.

Either way - it's not going to solve the problem. You've either increased your monthly hosting bill for no reason, or restricted the service for all your legitimate users.

Another option is to carefully go through each API partner, force registration, add tracking on the API service, and manage the inbound IPs. Although technically possible, many APIs have thousands of end-users and this approach simply is not practical.

Specialist API firewalls can also be used to protect against API abuse. However, these don't work at the network edge, and the abusive traffic still hits the API.

Behavioural Edge Protection for APIs

How does VerifiedVisitors prevent API abuse?

VerifiedVisitors' unique architecture employs intelligent agents at the network edge, with approved integrations with Cloudflare and AWS CloudFront at that layer.

Our intelligent system tracks the behaviour of each client hitting your API using machine learning algorithms written with the express purpose of tracking abusive API calls. We build up a distribution pattern of "normal" behaviour, and look for distributions that differ from it by several orders of magnitude, or that simply break the existing terms of service.

We can then dynamically block the entire abusive traffic stream - preventing access to the API for just the abusive traffic. Your mileage may vary, but we typically see a small percentage of users (1-2%) who are systematically data mining.
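The baseline-and-outlier idea described above, applied to the shipping-fee API, as an added example that is not VerifiedVisitors' code or algorithm. It uses a population median in place of a learned model and assumes each request carries an API key; the record fields, function names and sample traffic are all constructed for illustration.

```python
import math
import random
from collections import defaultdict
from statistics import median

def build_profiles(records):
    """Per-client daily profile: distinct postal districts and source IPs seen."""
    districts, ips = defaultdict(set), defaultdict(set)
    for api_key, src_ip, district in records:  # hypothetical record layout
        districts[api_key].add(district)
        ips[api_key].add(src_ip)
    return {k: {"districts": len(districts[k]), "ips": len(ips[k])} for k in districts}

def flag_outliers(profiles, min_orders=2.0):
    """Map client -> {feature: orders of magnitude above the population median}."""
    flagged = {}
    for feature in ("districts", "ips"):
        # The median is a robust "normal" baseline: one heavy client barely moves it.
        baseline = max(median(p[feature] for p in profiles.values()), 1)
        for client, p in profiles.items():
            orders = math.log10(max(p[feature], 1) / baseline)
            if orders >= min_orders:
                flagged.setdefault(client, {})[feature] = round(orders, 1)
    return flagged

def constructed_day(seed=7):
    """Constructed sample traffic (not real logs): 40 partners and one crawler."""
    rng = random.Random(seed)
    records = []
    for n in range(40):
        key = f"partner-{n:02d}"
        home = [f"D{rng.randrange(3000):04d}" for _ in range(20)]
        addrs = [f"192.0.2.{n + 1}", f"198.51.100.{n + 1}"]
        for _ in range(300):  # hundreds of lookups, a few districts, two IPs
            records.append((key, rng.choice(addrs), rng.choice(home)))
    for i in range(3000):  # one key sweeping every district, a new IP each call
        records.append(("crawler", f"10.{i // 256}.{i % 256}.1", f"D{i:04d}"))
    return records

if __name__ == "__main__":
    for client, why in flag_outliers(build_profiles(constructed_day())).items():
        print(client, why)
```

Only the flagged key would be blocked; the partners, whose request volume is just as high but whose district and IP spread sits at the baseline, are untouched, which is the contrast with blanket rate limiting drawn earlier on the page.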

Machine Learning - Visual Display of API Behaviour