The ABS AI Engine reports REST API attacks in two categories: per API attacks, where a client attack targets a single API, and across API attacks, where a client attack targets multiple APIs.

Per API attacks: These attacks are reported on a specific API and are based on activity from a client using an OAuth token, cookie, or IP address. Each attack type is assigned a type ID and can be accessed using the attack REST API of ABS. Entering type ID 0 reports on all attacks on the specified API, except for attack types that are analyzed across APIs.

Use the following ABS REST API to access different attack types: https://<ABS_IP:port>/v4/abs/attack?later_date=yyyy-mm-ddThh:mm&earlier_date=yyyy-mm-ddThh:mm&api=<api_name>&type=<type_id>

For example, https://192.168.11.166:8080/v4/abs/attack?later_date=2019-12-31T18:00&earlier_date=2019-10-25T13:30&api=shop&type=1

The following table lists the attack types for individual APIs:
Per API attacks

| Attack Type | Type ID |
|---|---|
| Data Exfiltration Attack Type 1 | 1 |
| Single Client Login Attack Type 1 | 2 |
| Multi-Client Login Attack | 3 |
| Stolen Token Attack Type 1 (Token) | 4 |
| Stolen Cookie Attack Type 1 (Cookie) | 4 |
| API Memory Attack Type 1 | 5 |
| API Memory Attack Type 2 | 6 |
| Cookie DoS Attack | 7 |
| API Probing Replay Attack Type 1 | 8 |
| API DDoS Attack Type 1 | 9 |
| Extreme Client Activity Attack | 10 |
| Extreme App Activity Attack | 11 |
| API DoS Attack | 12 |
| API DDoS Attack Type 2 | 13 |
| Data Deletion Attack | 14 |
| Data Poisoning Attack | 15 |
| Data Exfiltration Attack Type 2 | 21 |
| Content Scraping Type 2 | 28 |
| Unauthorized Client Attack | 29 |
| Header Manipulation Attack | 37 |
| User Data Exfiltration Type 2 | 39 |
| User Data Injection | 40 |
| Query Manipulation Attack | 41 |

Across API attacks:

These attacks are detected across APIs and are based on activity from a client username, or from a client using an OAuth token, cookie, or IP address. For example, a hacker with a token may execute attacks that span multiple APIs.

Use the following ABS REST API to access different attack types: https://<ABS_IP:port>/v4/abs/attack?later_date=yyyy-mm-ddThh:mm&earlier_date=yyyy-mm-ddThh:mm&type=<type_id>

For example, https://192.168.11.166:8080/v4/abs/attack?later_date=2019-12-31T18:00&earlier_date=2019-10-25T13:30&type=18

The following table lists the attack types detected across APIs:
Across API attacks

| Attack Type | Type ID |
|---|---|
| Stolen Token Attack Type 2 | 16 |
| Stolen Cookie Attack Type 2 | 17 |
| API Probing Replay Attack Type 2 (Cookie) | 18 |
| API Probing Replay Attack Type 2 (Token) | 19 |
| API Probing Replay Attack Type 2 (IP) | 20 |
| Excessive Client Connections (Cookie). Note: Applicable only for Inline ASE deployment. For more information, see Excessive Client Connections section below. | 22 |
| Excessive Client Connections (Token). Note: Applicable only for Inline ASE deployment. For more information, see Excessive Client Connections section below. | 23 |
| Excessive Client Connections (IP). Note: Applicable only for Inline ASE deployment. For more information, see Excessive Client Connections section below. | 24 |
| Content Scraping Type 1 (Cookie) | 25 |
| Content Scraping Type 1 (Token) | 26 |
| Content Scraping Type 1 (IP) | 27 |
| Single Client Login Attack Type 2 | 30 |
| Stolen API Key Attack | 31 |
| API Probing Replay Attack Type 1 | 32 |
| API Probing Replay Attack Type 2 | 33 |
| API Probing Replay Attack Type 1 | 34 |
| API Probing Replay Attack Type 2 | 35 |
| Sequence Attack | 36 |
| Abnormal API Access | 38 |

Excessive Client Connections

The Excessive Client Connections attack has three attack IDs: 22 (cookie), 23 (token), and 24 (IP). These three attack IDs are disabled by default when you install PingIntelligence. However, you can enable these attacks for PingIntelligence inline deployment by using the attackstatus REST API in ABS or through the PingIntelligence for APIs Dashboard. For more information, see Enable or disable attacks in ABS and Enable or disable attacks through PingIntelligence Dashboard. Attack IDs 22, 23, and 24 are not available for PingIntelligence sideband deployment because ASE does not receive the API traffic directly from the client.

For more information on Inline and Sideband ASE deployment modes, see ASE deployment modes.
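Because type ID 0 leaves out the across-API attack types, a complete report pull needs one type 0 query per API plus one query per across-API type ID. The following Python helper is an added example, not PingIntelligence code: it builds those URLs from the two tables above and rejects a type ID used with the wrong URL shape. The function names and the `inline_ase` flag are hypothetical, the name `earlier_date` for the second date parameter is an assumption, and authentication is out of scope.

```python
from datetime import datetime
from urllib.parse import urlencode

# Type IDs transcribed from the two tables on this page.
PER_API = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
           21, 28, 29, 37, 39, 40, 41}
ACROSS_API = {16, 17, 18, 19, 20, 22, 23, 24, 25, 26, 27,
              30, 31, 32, 33, 34, 35, 36, 38}
INLINE_ONLY = {22, 23, 24}    # Excessive Client Connections
DATE_FMT = "%Y-%m-%dT%H:%M"   # yyyy-mm-ddThh:mm


def attack_query_url(host, type_id, earlier, later, api=None, inline_ase=True):
    """Build the attack-report URL for one type ID, or raise ValueError."""
    # strptime also rejects dates that are not in yyyy-mm-ddThh:mm form.
    if datetime.strptime(earlier, DATE_FMT) >= datetime.strptime(later, DATE_FMT):
        raise ValueError("earlier date must precede later date")
    params = {"later_date": later, "earlier_date": earlier}  # name assumed
    if type_id == 0 or type_id in PER_API:
        if not api:
            raise ValueError(f"type {type_id} is reported per API; api is required")
        params["api"] = api
    elif type_id in ACROSS_API:
        # The across-API URL on this page carries no api parameter.
        if api:
            raise ValueError(f"type {type_id} is reported across APIs; omit api")
        if type_id in INLINE_ONLY and not inline_ase:
            raise ValueError(f"type {type_id} is unavailable in sideband deployment")
    else:
        raise ValueError(f"unknown attack type ID {type_id}")
    params["type"] = type_id
    return f"https://{host}/v4/abs/attack?" + urlencode(params, safe=":")


def full_sweep(host, apis, earlier, later, inline_ase=True):
    """URLs covering every attack type: type 0 per API, then each across-API ID."""
    urls = [attack_query_url(host, 0, earlier, later, api=a) for a in apis]
    for tid in sorted(ACROSS_API):
        if tid in INLINE_ONLY and not inline_ase:
            continue  # IDs 22-24 do not exist for sideband ASE
        urls.append(attack_query_url(host, tid, earlier, later, inline_ase=inline_ase))
    return urls
```

On an inline deployment, IDs 22, 23, and 24 return nothing until they are enabled, since they are disabled by default.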