Page created: 6 Nov 2020 | Page updated: 12 May 2021
The ABS AI engine detects attacks based on the behavior of the username accessing API services.
PingIntelligence captures the username information in the following three ways:
- If the incoming request has a JSON Web Token (JWT), the user information is captured from it. For more information, see Extract user information from JWT in inline mode and Extract user information from JWT in sideband mode.
- Similarly, if the incoming request has a custom header with user information, the username is extracted from that header. For more information, see Extract username from custom header in sideband mode and Extract username from custom header in inline mode.
- PingIntelligence is deployed in sideband mode with an API gateway that supports capturing username information. Following is a list of PingIntelligence and API gateway integrations that support capturing username information:
Note the following points for the ABS AI engine to detect username-based attacks:
- The OAuth token parameter, oauth2_access_token, must be configured in the API JSON in ASE. For more information on the API JSON definition, see Defining an API – API JSON configuration file.
- The incoming request must have an OAuth token in it for the ABS AI engine to detect username-based attacks.
Important: The ABS AI engine does not detect username attacks for requests where the server responds with an HTTP 401 Unauthorized error code. This prevents a valid user from being blocked if an attacker tries to impersonate that user.
Detected attacks based on username
Attack Type | Description | id | Single or Across APIs |
API Probing Replay Attack Type 1 | Probing or breach attempts on an API service – also called fuzzing - Username | 34 | Across APIs |
API Probing Replay Attack Type 2 | Probing an API service over an extended time period - Username | 35 | Across APIs |
Sequence Attack | Abnormal sequence of API transactions | 36 | Across APIs |
Abnormal API Access | Abnormal user behavior when accessing API services | 38 | Across APIs |
User Data Exfiltration Type 2 | A User is extracting excessive data via an API service | 39 | Single API |
User Data Injection | A User is injecting excessive data into an API service | 40 | Single API |
Important: When reporting an abnormal sequence, ABS reports the username if it is available in the API ecosystem; otherwise, it reports the OAuth token.
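The conditions above (token parameter configured, OAuth token present, response not 401) and the username-or-token reporting rule can be modelled as a small eligibility check for reviewing sample traffic. This is an added example, not PingIntelligence code. Only the `oauth2_access_token` key comes from this page. The Bearer header placement, the `username` JWT claim, the `X-Username` header, a boolean value for the parameter, and the order in which the JWT and header are tried are assumptions.

```python
import base64
import json

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_sample_jwt(claims):
    """Constructed, unsigned sample token used only as demo input."""
    return f"{_b64url({'alg': 'RS256'})}.{_b64url(claims)}.constructed-sig"

def bearer_token(headers):
    """Assumption: the OAuth token travels as 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return (token.strip() or None) if scheme.lower() == "bearer" else None

def resolve_username(headers, token, claim="username", header="x-username"):
    """Try the JWT claim, then the custom header; both names are assumptions."""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
            payload = json.loads(base64.urlsafe_b64decode(seg))
            if isinstance(payload, dict) and payload.get(claim):
                return str(payload[claim])
        except ValueError:  # bad base64 or bad JSON: treat as an opaque token
            pass
    return headers.get(header) or None

def username_detection_status(api_json, headers, status_code):
    """Return (eligible, identity_or_reason) for one request/response pair."""
    headers = {k.lower(): v for k, v in headers.items()}
    if not api_json.get("oauth2_access_token"):  # assumed to be a boolean
        return (False, "oauth2_access_token not enabled in API JSON")
    token = bearer_token(headers)
    if token is None:
        return (False, "no OAuth token in request")
    if status_code == 401:
        return (False, "401 Unauthorized response is excluded")
    # Reporting rule from the page: username if available, else the token.
    return (True, resolve_username(headers, token) or token)

if __name__ == "__main__":
    api = {"oauth2_access_token": True}  # constructed API JSON fragment
    jwt = make_sample_jwt({"username": "alice"})
    samples = [({"Authorization": f"Bearer {jwt}"}, 200),
               ({"Authorization": f"Bearer {jwt}"}, 401),
               ({"Authorization": "Bearer opaque123", "X-Username": "bob"}, 200),
               ({"Authorization": "Bearer opaque123"}, 200),
               ({}, 200)]
    for hdrs, status in samples:
        print(status, username_detection_status(api, hdrs, status))
```

The JWT payload is decoded without signature verification because the check only labels traffic; it must not be used to make authentication decisions.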