PingIntelligence

Anomalous activity reporting

The Anomaly application programming interface (API) provides detailed reporting on anomalous activity associated with a specified API.

The types of anomalies detected include:

  • Anomalies for each API Behavioral Security (ABS) attack type – activity that has the characteristics of one of the attack types (for example, API Memory Attack), but does not meet the threshold of an attack.

  • Irregular Uniform Resource Locator (URL) – suspicious URL traffic.

  • Anomalous request activity including injection attacks, overflow attacks, and system commands.

This report detects leading indicators of attacks on API services and is reviewed to observe trends.
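For trend review, the cookie-based `ioc_anomalies` entries of a report can be grouped by anomaly type and cookie. The following is an added example, not PingIntelligence code: the function names, the `SESSION_X` cookie and the sample values are constructed, and it assumes entries repeated verbatim count as one access.

```python
import json
from collections import defaultdict
from datetime import datetime

# Timestamp layout used in the report, e.g. "Mon Jan 13 01:01:33:589 2018".
TS_FORMAT = "%a %b %d %H:%M:%S:%f %Y"

# Constructed sample modelled on the snippet's fields; SESSION_X is invented.
SAMPLE_REPORT = """
{
  "api_name": "shop",
  "anomalies_details": {
    "ioc_anomalies": [
      {"anomaly_type": "API Memory Attack Type 2",
       "cookies": [
         {"cookie": "AMAT_2_H", "access_time": ["Mon Jan 13 01:01:33:589 2018"]},
         {"cookie": "AMAT_2_H", "access_time": ["Mon Jan 13 01:01:33:589 2018"]},
         {"cookie": "SESSION_X", "access_time": ["Mon Jan 13 02:10:00:000 2018",
                                                  "Mon Jan 13 02:10:05:250 2018"]}
       ]}
    ]
  }
}
"""

def summarize_ioc_anomalies(report):
    """Return {anomaly_type: {cookie: sorted unique access datetimes}}."""
    summary = defaultdict(lambda: defaultdict(set))
    details = report.get("anomalies_details", {})
    for entry in details.get("ioc_anomalies", []):
        for item in entry.get("cookies", []):
            for ts in item.get("access_time", []):
                # Assumption: entries repeated verbatim count as one access.
                summary[entry["anomaly_type"]][item["cookie"]].add(
                    datetime.strptime(ts, TS_FORMAT))
    return {t: {c: sorted(v) for c, v in cookies.items()}
            for t, cookies in summary.items()}

def busiest_cookies(summary, anomaly_type):
    """Cookies seen for one anomaly type, most distinct accesses first."""
    cookies = summary.get(anomaly_type, {})
    return sorted(cookies, key=lambda c: (-len(cookies[c]), c))

if __name__ == "__main__":
    result = summarize_ioc_anomalies(json.loads(SAMPLE_REPORT))
    for atype, cookies in result.items():
        for cookie in busiest_cookies(result, atype):
            times = cookies[cookie]
            print(atype, cookie, len(times), times[0], times[-1])
```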

Here is a snippet from an Anomaly API JavaScript Object Notation (JSON) report for a cookie-based API:

{
  "company": "ping identity",
  "name": "api_anomalies",
  "description": " This report contains information on anomalous activity on the specified API",
  "later_date": "Tue Jan 14 18:00:00:000 2018",
  "earlier_date": "Sun Jan 12 18:00:00:000 2018",
  "api_name": "shop",
  "anomalies_summary": {
    "api_url": "shopapi",
    "total_anomalies": 14,
    "most_suspicious_ips": [],
    "most_suspicious_anomalies_urls": []
  },
  "anomalies_details": {
    "url_anomalies": {
      "suspicious_sessions": [],
      "suspicious_requests": []
    },
    "ioc_anomalies": [
      {
        "anomaly_type": "API Memory Attack Type 2",
        "cookies": [
          {
            "cookie": "AMAT_2_H",
            "access_time": [
              "Mon Jan 13 01:01:33:589 2018"
            ]
          },
          {
            "cookie": "AMAT_2_H",
            "access_time": [
              "Mon Jan 13 01:01:33:589 2018"
            ]
          }
        ]
      },