PingIntelligence

Anomalous activity reporting

The Anomaly API provides detailed reporting on anomalous activity associated with a specified API. The types of anomalies detected include:

  • Anomalies for each ABS attack type – activity which has the characteristics of one of the attack types (for example, API Memory Attack) but does not meet the threshold of an attack.

  • Irregular URLs – suspicious URL traffic

  • Anomalous request activity including injection attacks, overflow attacks, and system commands

This report detects leading indicators of attacks on API services and is reviewed to observe trends.
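
As an added example (not part of the PingIntelligence documentation), the following Python groups a report's `ioc_anomalies` entries by anomaly type and counts accesses per cookie, which is one way to track these leading indicators across reports. It assumes only the field names and timestamp layout visible in the sample report on this page; the function name `summarize_ioc_anomalies` and the embedded report are constructed for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample, limited to fields that appear in this page's report snippet.
SAMPLE_REPORT = """
{
  "api_name": "shop",
  "anomalies_summary": {"api_url": "shopapi", "total_anomalies": 14,
                        "most_suspicious_ips": [],
                        "most_suspicious_anomalies_urls": []},
  "anomalies_details": {
    "url_anomalies": {"suspicious_sessions": [], "suspicious_requests": []},
    "ioc_anomalies": [
      {"anomaly_type": "API Memory Attack Type 2",
       "cookies": [
         {"cookie": "AMAT_2_H", "access_time": ["Mon Jan 13 01:01:33:589 2018"]},
         {"cookie": "AMAT_2_H", "access_time": ["Mon Jan 13 01:01:33:589 2018"]}
       ]}
    ]
  }
}
"""

# Timestamp layout inferred from the sample ("Mon Jan 13 01:01:33:589 2018").
TIME_FORMAT = "%a %b %d %H:%M:%S:%f %Y"

def summarize_ioc_anomalies(report):
    """Map each anomaly type to per-cookie access counts and first/last access."""
    summary = {}
    details = report.get("anomalies_details", {})
    for anomaly in details.get("ioc_anomalies", []):
        name = anomaly.get("anomaly_type", "unknown")
        entry = summary.setdefault(
            name, {"cookies": Counter(), "first_seen": None, "last_seen": None})
        # Only the "cookies" identifier list shown on the page is handled here.
        for item in anomaly.get("cookies", []):
            for stamp in item.get("access_time", []):
                seen = datetime.strptime(stamp, TIME_FORMAT)
                entry["cookies"][item.get("cookie", "unknown")] += 1
                if entry["first_seen"] is None or seen < entry["first_seen"]:
                    entry["first_seen"] = seen
                if entry["last_seen"] is None or seen > entry["last_seen"]:
                    entry["last_seen"] = seen
    return summary

if __name__ == "__main__":
    for name, entry in summarize_ioc_anomalies(json.loads(SAMPLE_REPORT)).items():
        print(name, dict(entry["cookies"]), entry["first_seen"], entry["last_seen"])
```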

Here is a snippet from an Anomaly API JSON report for a cookie-based API:

{
  "company": "ping identity",
  "name": "api_anomalies",
  "description": " This report contains information on anomalous activity on the specified API",
  "later_date": "Tue Jan 14 18:00:00:000 2018",
  "earlier_date": "Sun Jan 12 18:00:00:000 2018",
  "api_name": "shop",
  "anomalies_summary": {
    "api_url": "shopapi",
    "total_anomalies": 14,
    "most_suspicious_ips": [],
    "most_suspicious_anomalies_urls": []
  },
  "anomalies_details": {
    "url_anomalies": {
      "suspicious_sessions": [],
      "suspicious_requests": []
    },
    "ioc_anomalies": [
      {
        "anomaly_type": "API Memory Attack Type 2",
        "cookies": [
          {
            "cookie": "AMAT_2_H",
            "access_time": [
              "Mon Jan 13 01:01:33:589 2018"
            ]
          },
          {
            "cookie": "AMAT_2_H",
            "access_time": [
              "Mon Jan 13 01:01:33:589 2018"
            ]
          }
        ]
      },