The ABS (API Behavioral Security) AI Engine is a Java-based distributed system that analyzes API traffic to provide API traffic insight, visibility, and security.
API traffic information is received from ASE nodes in log files containing:
- Client details such as device, browser, IP address, and operating system
- Session information including HTTP or WebSocket connections and methods
These logs are forwarded to ABS nodes periodically (every 10 minutes) for processing. Using machine learning algorithms, ABS generates API traffic insight, anomaly data, and attack insight that identifies the clients responsible for attacks. To prevent future attacks, ABS can automatically program inline devices, such as the ASE (API Security Enforcer), to block clients based on attack lists.
The ABS AI engine provides the following functionality:
- Collection and consolidation of access logs from ASE nodes
- Machine learning algorithms to identify anomalies and attacks
- Detection of attacks from HTTP(s) and WebSocket(s) traffic
- Optional sending of blacklists to ASE, which blocks client access
- Centralized database for storing AI data
- Stateless cluster for scalability and resiliency
- REST APIs for fetching traffic metrics, anomalies, and attack information
- Email alerts
Configuring ABS consists of setting up two entities:
- Database system
  - ABS uses a MongoDB database to store metadata and all Machine Learning (ML) analytics. The MongoDB database system is configured as a replica set for production deployments. MongoDB is installed separately before starting ABS.
- ABS AI engine
  - One or more ABS instances are configured to receive and process logs and to store results in MongoDB. You should install ABS in a cluster for high availability deployments.