The ABS AI Engine reports REST API attacks in two groups: per API attacks, where a client's attack targeted a single API, and across API attacks, where a client's attack targeted multiple APIs.
Per API attacks: These attacks are reported on a specific API and are based on activity from a client using an OAuth token, cookie, or IP address. Each attack type is assigned a type ID and can be accessed using the attack REST API of ABS. Entering type ID 0 reports on all attacks on the specified API except for attack types which are analyzed across APIs.
Use the following ABS REST API to access different attack types (the first date parameter is the later end of the window, the second the earlier end):
https://<ABS_IP:port>/v4/abs/attack?later_date=yyyy-mm-ddThh:mm&earlier_date=yyyy-mm-ddThh:mm&api=<api_name>&type=<type_id>
For example:
https://192.168.11.166:8080/v4/abs/attack?later_date=2019-12-31T18:00&earlier_date=2019-10-25T13:30&api=shop&type=1
| Attack Type | Type ID |
|---|---|
| Data Exfiltration Attack Type 1 | 1 |
| Single Client Login Attack Type 1 | 2 |
| Multi-Client Login Attack | 3 |
| Stolen Token Attack Type 1 (Token) | 4 |
| Stolen Cookie Attack Type 1 (Cookie) | 4 |
| API Memory Attack Type 1 | 5 |
| API Memory Attack Type 2 | 6 |
| Cookie DoS Attack | 7 |
| API Probing Replay Attack Type 1 | 8 |
| API DDoS Attack Type 1 | 9 |
| Extreme Client Activity Attack | 10 |
| Extreme App Activity Attack | 11 |
| API DoS Attack | 12 |
| API DDoS Attack Type 2 | 13 |
| Data Deletion Attack | 14 |
| Data Poisoning Attack | 15 |
| Data Exfiltration Attack Type 2 | 21 |
| Content Scraping Type 2 | 28 |
| Unauthorized Client Attack | 29 |
| Header Manipulation Attack | 37 |
| User Data Exfiltration Type 2 | 39 |
| User Data Injection | 40 |
| Query Manipulation Attack | 41 |
Across API attacks: These attacks are detected across APIs and are based on activity from a client username or a client using an OAuth token, cookie, or IP address. For example, a hacker with a token may execute attacks which span multiple APIs.
Use the following ABS REST API to access different attack types (no api parameter, since these types are analyzed across APIs):
https://<ABS_IP:port>/v4/abs/attack?later_date=yyyy-mm-ddThh:mm&earlier_date=yyyy-mm-ddThh:mm&type=<type_id>
For example:
https://192.168.11.166:8080/v4/abs/attack?later_date=2019-12-31T18:00&earlier_date=2019-10-25T13:30&type=18
| Attack Type | Type ID |
|---|---|
| Stolen Token Attack Type 2 | 16 |
| Stolen Cookie Attack Type 2 | 17 |
| API Probing Replay Attack Type 2 (Cookie) | 18 |
| API Probing Replay Attack Type 2 (Token) | 19 |
| API Probing Replay Attack Type 2 (IP) | 20 |
| Excessive Client Connections (Cookie). Note: Applicable only for Inline ASE deployment. For more information, see the Excessive Client Connections section below. | 22 |
| Excessive Client Connections (Token). Note: Applicable only for Inline ASE deployment. For more information, see the Excessive Client Connections section below. | 23 |
| Excessive Client Connections (IP). Note: Applicable only for Inline ASE deployment. For more information, see the Excessive Client Connections section below. | 24 |
| Content Scraping Type 1 (Cookie) | 25 |
| Content Scraping Type 1 (Token) | 26 |
| Content Scraping Type 1 (IP) | 27 |
| Single Client Login Attack Type 2 | 30 |
| Stolen API Key Attack | 31 |
| API Probing Replay Attack Type 1 | 32 |
| API Probing Replay Attack Type 2 | 33 |
| API Probing Replay Attack Type 1 | 34 |
| API Probing Replay Attack Type 2 | 35 |
| Sequence Attack | 36 |
| Abnormal API Access | 38 |
Excessive Client Connections
The Excessive Client Connections attack has three attack IDs, 22, 23, and 24, for cookie, token, and IP respectively. These three attack IDs are disabled by default when you install PingIntelligence. However, you can enable these attacks for a PingIntelligence inline deployment by using the attackstatus REST API in ABS or through the PingIntelligence for APIs Dashboard. For more information, see Enable or disable attacks in ABS and Enable or disable attacks through PingIntelligence Dashboard. Attack IDs 22, 23, and 24 are not available for a PingIntelligence sideband deployment, since in that mode ASE does not receive the API traffic directly from the client and therefore cannot observe client connection counts.
For more information on Inline and Sideband ASE deployment modes, see ASE deployment modes.
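The following is an added example (not PingIntelligence code) that builds attack-report URLs for both the per API and across API forms described above and rejects the combinations this page rules out: a per API type without an api name, an across API type with one, and the inline-only IDs 22 to 24 in a sideband deployment. It assumes the endpoint and the later_date/earlier_date parameter names as given on this page; the type ID sets are transcribed from the two tables.

```python
from datetime import datetime
from urllib.parse import urlencode

# Type IDs transcribed from the two tables on this page.
PER_API_TYPES = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
                 21, 28, 29, 37, 39, 40, 41}
ACROSS_API_TYPES = {16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 27,
                    30, 31, 32, 33, 34, 35, 36, 38}
INLINE_ONLY_TYPES = {22, 23, 24}   # Excessive Client Connections (cookie/token/IP)
DATE_FMT = "%Y-%m-%dT%H:%M"        # yyyy-mm-ddThh:mm, as the page specifies


def request_problem(type_id, api=None, inline_deployment=True):
    """Return a description of why this query is invalid, or None if it is fine."""
    if type_id == 0 or type_id in PER_API_TYPES:
        if not api:
            return f"type {type_id} is reported per API; the 'api' parameter is required"
        return None
    if type_id in ACROSS_API_TYPES:
        if api:
            return f"type {type_id} is analysed across APIs; drop the 'api' parameter"
        if type_id in INLINE_ONLY_TYPES and not inline_deployment:
            return f"type {type_id} is only available for inline ASE deployment"
        return None
    return f"unknown attack type ID {type_id}"


def attack_report_url(abs_host, later_date, earlier_date, type_id, api=None,
                      inline_deployment=True):
    """Build the /v4/abs/attack URL, rejecting malformed or inconsistent input."""
    later = datetime.strptime(later_date, DATE_FMT)      # raises on a bad format
    earlier = datetime.strptime(earlier_date, DATE_FMT)
    if earlier > later:
        raise ValueError("earlier_date must not be after later_date")
    problem = request_problem(type_id, api, inline_deployment)
    if problem:
        raise ValueError(problem)
    params = [("later_date", later_date), ("earlier_date", earlier_date)]
    if api:
        params.append(("api", api))
    params.append(("type", type_id))
    # safe=":" keeps the time separator unencoded, matching the page's examples.
    return f"https://{abs_host}/v4/abs/attack?" + urlencode(params, safe=":")


if __name__ == "__main__":
    # Reproduces the per API example from this page (assumed ABS host).
    print(attack_report_url("192.168.11.166:8080", "2019-12-31T18:00",
                            "2019-10-25T13:30", 1, api="shop"))
```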