Is NLP-based security going to be the standard for securing APIs?

If you read our last article (which you can find here) you are now familiar with the common methods currently used to secure APIs, mainly firewalls and access management, static and dynamic security checks, quotas, and throttling measures. 

While these approaches have been proven for application security for many years now, the underlying technological layer they are protecting has shifted in recent years. In the second part of this series, we’ll discuss how this shift calls for new security methods, and the right approach to API security that we believe will become the next standard. 

One size doesn’t fit all

The various application security solutions mentioned above each have their distinct advantages that protect APIs from some attacks. However, there are also several key shortcomings when it comes to fully protecting APIs. Being rule-based solutions, they are (1) hard to scale, (2) hard to maintain, and (3) prone to a high volume of false positives.

Accordingly, a recent industry survey shows that for 50% or more of enterprise security leaders, these solutions aren’t even an option.

Chart: technology usage and plans for API security

Agnostic to the actual context of the application, these solutions provide the same types of protection to every application using known threat signatures and vulnerabilities. This means that they protect each API the same way, regardless of the unique business logic that governs the way an API functions. This isn’t enough. 

An application’s business logic is made up of workflows and business rules, governing how data is created, saved, and modified. It manages the relationships and communications between data objects and regulates the ways in which they are accessed and updated. 

But APIs expose functions that in the past were hidden inside an application. Therefore, APIs are more susceptible to functional attacks that attempt to manipulate the API business logic and abuse call flow. These attacks do not follow known signatures and are unique for every application, based on its unique logic. 

Functional attacks use legitimate API calls in an illegitimate way. This is why general-purpose security doesn’t work, and why analyzing the metadata isn’t enough. 

Detecting such zero-day attacks must start with deep context. Through a deep understanding of the API business logic, it becomes possible to detect anomalous behaviors that break the logic. By learning the application behavior patterns through full API data analysis, it becomes possible to detect and block breaches through anomaly detection.


Functional security is logic-based security

This is where full data analysis of API data comes in. Using AI-powered models to analyze the API traffic, it becomes possible to automatically uncover the way an application behaves — its business logic — en route to preventing complex attacks that might otherwise sneak their way past the more common measures.

Organizations adopting this proactive, automated security mechanism benefit from an ongoing security analysis that adapts itself in accordance with changes in API specifications. Risks are better managed by setting and enforcing security policies that are aligned with the API’s behavior and communication patterns. Readiness is maintained through automated alerts on security incidents and automated remediation.

It is important to recognize what functionality a specific API provides, so that the protection around it is automatically tailored: no matter how many APIs there are, how frequently they are updated, or how much traffic they pass, protection is maintained at all times with minimal false positives and optimal detection.

Is NLP the answer?

Natural Language Processing (NLP) is an AI technology that focuses on how computers understand the natural language that humans use to communicate. Its goal is to enable computers to fully understand human language in a manner that adds value. As API data transfer uses common English to structure requests and responses, automated NLP algorithms that analyze API dialogues are empowering a new, context-aware layer of protection. 

API data transfer can be seen as a conversation based on simple text messages that use information elements containing a key-value pair. These messages are comprised of a request and a response and are often part of a sequence in which each message triggers a corresponding message. The basic unit of these information elements can be regarded as words, messages as sentences, and procedures as paragraphs.  

Using NLP algorithms, it is possible to uncover interesting relations between data objects in various contexts, and to differentiate between properly structured requests/responses and anomalies that use the wrong hierarchy when requesting data objects, or that use different representations of the API data. NLP algorithms also help identify applications that are behaving unpredictably or are incorrectly describing API resources and fields.

In the case of APIs, these anomalies can be malicious attempts by hackers to access sensitive data without proper authorization.

Five reasons why NLP-based API security is the next big thing

  1. High accuracy. AI-based NLP technology automatically learns an API’s business logic, going beyond metadata analysis by reviewing the actual API calls in the specific context. This approach focuses on prioritizing ‘meaningful anomalies’ – unusual behaviors with the potential of significantly impacting the business logic and indicating intent to manipulate the API.
  2. Prepares you for the unexpected. While general-purpose application security solutions excel at detecting attacks that match known generic vulnerabilities, they fail when it comes to detecting zero-day, functional attacks. NLP-based security solutions learn each API’s unique logic and detect any anomalous behavior that could be a functional attack. 
  3. Captures different patterns in the API data. Finding patterns in API data can be used for verifying whether every related transaction includes the required fields, and for alerting when a transaction lacks one of these fields, treating it as an anomaly. Looking at API data as a dialogue enables users to look at the data from a sequential perspective, through user clustering, and more. These are key patterns that help users understand the functional context in order to keep false positives down.
    For example, NLP methods for representation learning map words or phrases to arrays of numbers; applied to categorical API data as input, they learn a representation for each data value.
  4. Scale your protection. Using statistical modelling to analyze the application behavior and spot deviations from baselines can be effective on a relatively small scale. But as the amount of traffic grows, it loses efficiency and false positives grow in proportion, thereby undermining scalability. Using NLP doesn’t require comprehensive and ongoing maintenance to make sure all sensitive data is recognized and protected. It allows users to maintain very high accuracy at any scale because it discards that noise and focuses on meaningful anomalies. 
  5. Knowing the right context. NLP enables security analysts to explain the meaning of specific anomalies given the objects on which they occurred, their characteristics, the relationship being manipulated, the users, and more. Essentially, this results in faster remediation and better collaboration.
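The following is an added toy example, not code from the original post or from Imvision, that makes the "words, sentences, paragraphs" framing above concrete and checks the patterns listed under reason 3: it learns, from constructed legitimate sessions, which fields every call carries, which field paths and types are ever seen, and which call orders occur, then flags a missing required field, a field at the wrong hierarchy level, a changed value representation and an unseen call sequence. Endpoint names, bodies and the learning rules are assumptions for illustration.

```python
# Added toy baseline learner (not Imvision's code). words() flattens a JSON-like body into
# path:type "words" (customer.id:int, items[].sku:str); a call is a sentence, a session a paragraph.
def words(obj, prefix=""):
    if isinstance(obj, dict):
        return {w for k, v in obj.items() for w in words(v, f"{prefix}{k}.")}
    if isinstance(obj, list):
        return {w for v in obj for w in words(v, f"{prefix[:-1]}[].")}
    return {f"{prefix[:-1]}:{type(obj).__name__}"}
class ApiBaseline:
    def __init__(self):
        self.seen, self.required, self.transitions = {}, {}, set()
    def learn(self, session):  # session: list of (endpoint, body) in call order
        prev = None
        for endpoint, body in session:
            ws = words(body)
            self.seen[endpoint] = self.seen.get(endpoint, set()) | ws       # seen at least once
            self.required[endpoint] = self.required.get(endpoint, ws) & ws  # seen in every call
            if prev:
                self.transitions.add((prev, endpoint))                      # legitimate call order
            prev = endpoint
    def anomalies(self, session):
        out, prev = [], None
        for endpoint, body in session:
            ws, seen = words(body), self.seen.get(endpoint, set())
            paths = {w.split(":")[0] for w in ws}
            out += [f"{endpoint}: missing required {w}"
                    for w in sorted(self.required.get(endpoint, set())) if w.split(":")[0] not in paths]
            for w in sorted(ws - seen):  # known path with a new type = representation change
                known = any(s.split(":")[0] == w.split(":")[0] for s in seen)
                out.append(f"{endpoint}: unexpected {'representation' if known else 'hierarchy'} {w}")
            if prev and (prev, endpoint) not in self.transitions:
                out.append(f"unseen call sequence {prev} -> {endpoint}")
            prev = endpoint
        return out

BASELINE_SESSIONS = [  # constructed legitimate traffic; email is optional, reason is always present
    [("POST /orders", {"customer": {"id": 7, "email": "a@x.io"}, "items": [{"sku": "A1", "qty": 2}]}),
     ("GET /orders/{id}", {"id": 101}),
     ("POST /orders/{id}/refund", {"id": 101, "reason": "damaged"})],
    [("POST /orders", {"customer": {"id": 9}, "items": [{"sku": "B2", "qty": 1}]}),
     ("GET /orders/{id}", {"id": 102})],
]
SUSPECT_SESSION = [  # constructed: email at the wrong level, refund out of order and without a reason, id as a string
    ("POST /orders", {"customer": {"id": 7}, "email": "a@x.io", "items": [{"sku": "A1", "qty": 1}]}),
    ("POST /orders/{id}/refund", {"id": 101}),
    ("GET /orders/{id}", {"id": "101"}),
]
BASELINE = ApiBaseline()
for _session in BASELINE_SESSIONS:
    BASELINE.learn(_session)
```

Calling `BASELINE.anomalies(SUSPECT_SESSION)` returns one line per deviation, while the baseline sessions themselves produce none; a real system would learn the same structures from much larger traffic and weight them statistically rather than as exact sets.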

Parting words

The proliferation of APIs is only going to intensify, meaning the attack surface will keep growing and at a higher pace. This evolution increasingly creates a situation where the approach outlined above becomes a key component in the security strategy of organizations. 

By applying NLP-based API security, security leaders can gain the visibility and insights needed for effective governance, controls, and collaboration with R&D. These enhance the ability to influence and reinforce security standards across the organization, resulting in better protection of the enterprise application layer.



*** This is a Security Bloggers Network syndicated blog from Imvision Blog authored by Omer Primor. Read the original post at: