Artificial Intelligence and Machine Learning: A New Approach to API Security

July 3, 2018
Bernard Harguindeguy
SVP Intelligence, Ping Identity

The world is changing. Business is rapidly expanding beyond traditional enterprise boundaries. Executives are exploring and embracing new business models. Partner ecosystems, collaboration and integrations have become competitive advantages.

The enabler of many of these changes is the increasingly widespread use of APIs. ProgrammableWeb, the Web's de facto journal of the public API economy, has documented a steep API growth trend since the late 2000s that shows no sign of stopping.

[Chart: growth in the number of public APIs since the late 2000s. Source: ProgrammableWeb]

APIs Enable Critical Business Initiatives

This steep growth trajectory comes as no surprise. According to the State of API Integration 2018 Report, over 60% of companies agree that API integration is critical to their business strategy.


APIs enable interoperability and the sharing of data both within and beyond enterprise boundaries for more engaging experiences and smarter services. They allow for assets to be more easily consumed and reused, so companies can unlock new value from old resources and bring new solutions to market faster. And as companies increasingly open their APIs to third party developers, they’re able to broaden their reach, deliver innovative new services and generate new revenue streams.


While some industries are leading the way in API adoption and innovation, it’s a trend you’ll see no matter what kind of work you do:


  • Banking institutions are increasingly adopting an open API model to give their customers better experiences, more ways to understand and control their finances and more choice in how they interact.
  • For healthcare providers and payers, integrated healthcare delivery is on the rise. Silos of data are slowly giving way to aggregation and interoperability as APIs allow organizations to share critical health information across the organization, with other providers, payers and with their patients and members to improve quality of care.
  • Retailers, always looking for new ways to innovate in a competitive environment, are using APIs to enable mobile payments, partner with e-commerce platforms and connect their systems together to deliver omnichannel experiences.


The growing popularity of APIs also coincides with another hot trend, the Internet of Things (IoT). It's no coincidence that these two technologies are both on the rise. APIs are the interface through which things are connected to the internet, to the other things in the network and to the apps and devices that people use to interact with them. Whether they're consumer devices like fitness trackers and smart thermostats or enterprise/industrial IoT applications like maintenance sensors on manufacturing equipment or location trackers on fleet vehicles, APIs form the essential connective tissue that enables these use cases.


The foundational nature of APIs to many top strategic initiatives heightens the need to make sure that they can’t be disrupted or used inappropriately for theft, fraud and invasions of privacy.


The Gaps in Traditional API Security

With new APIs popping up every day and businesses using them to expose some of their most sensitive data and applications, you’d think there would be foolproof security measures to make sure no one was misusing them. You’d be wrong. ProgrammableWeb has said, “To put perspective on how difficult API security is, pretty much every major Internet company has had API security problems.”


APIs greatly expand the attack surface of the enterprise, yet they often aren't adequately protected by traditional security defenses. The typical approach to API security focuses on securing access to APIs, including authentication and authorization, rate limiting and network privacy, often through the use of identity security solutions and/or API gateways.


This kind of access control is powerful, but it leaves security gaps in your API deployment: it decides who may call an API, not whether what an authenticated caller then does is legitimate. It requires a complementary set of security capabilities to address threats such as:


  • API-specific DDoS attacks - attacks that send large amounts of traffic, often from multiple sources, to overload critical API services like login or session management and disrupt access to the service.
  • Login attacks - including the use of stolen credentials or tokens, credential stuffing (testing lists of previously breached credentials against a target API to try to gain access) or fuzzing (sending large volumes of malformed or random input to an endpoint to provoke errors and discover vulnerabilities).
  • Application & data attacks - data deletion or manipulation, data theft, code injection, or application disruption executed post-login by attackers who gained access or by insiders with legitimate access.


Kin Lane, the API Evangelist, explains in his white paper on the evolving API security landscape that “we must build on the established base of healthy API management and security practices by expanding our toolbox according to the unique needs of APIs.”


Applying Artificial Intelligence and Machine Learning to API Security

Identifying suspicious activity amidst a sea of API traffic is a big data problem. Trying to identify a single malicious transaction among tens of thousands can seem futile, especially because many organizations lack the skills to solve these kinds of problems on their own.


And aside from the sheer volume of traffic, security and IT ops teams have to contend with many different kinds of APIs being used in different ways, including mobile and voice applications. Because of the variety of API use cases, it's often difficult to separate an attack from legitimate activity, and it's next to impossible to write policies that work for all APIs. Normal transactions for one API might be malicious for another: a request rate that is routine for a bulk export API is an attack against a login endpoint. The threats to the API environment are also evolving rapidly as the landscape changes and attackers grow more sophisticated.


Kin Lane argues that the next evolution of API security must focus on making intelligent API security an integral part of API operations. Artificial intelligence and machine learning are well suited to both the challenge of finding malicious intent in vast amounts of transaction data and the need to evolve security practices as threats evolve.


Artificial intelligence can be used to identify and block API cyberattacks by learning the range of normal patterns of behavior in each API and across your API environment over time, taking into account multiple levels of context such as the API, the client and the session. Then it can flag behavior that deviates from that learned baseline, even without written policies or prior knowledge of common attack patterns. Add continuous learning capabilities, and you have a solution that gets better over time, with one caveat a practitioner should keep in mind: a baseline is only as good as the traffic it was learned from, so activity that is already under way during the learning period will be treated as normal. AI and machine learning can take API security beyond access control to close those security gaps.
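The following is an added example, not code from Ping Identity or the PingIntelligence product, showing the simplest form of what this section and the threat list above describe: a behavioral baseline learned per API from past traffic, then used to flag clients whose activity deviates from it, with no hand-written policy per API. The log records, the two API names ("banking" and "reports"), the client names and the threshold are all constructed for illustration. It deliberately includes one API where a thousand calls per window is ordinary and one where it is not, so that the same request volume is an alert on one and normal on the other.

```python
"""Per-API behavioral baseline with robust z-score anomaly detection.

Added illustration; not vendor code. All traffic below is constructed.
"""
from collections import defaultdict
from statistics import median

# --- Constructed sample traffic (api, client, path, status) ----------------
# "banking" clients make a handful of calls per window; "reports" batch
# clients legitimately pull around a thousand records per window. A fixed
# rule such as "more than 200 calls is an attack" would be wrong for one.
def baseline_traffic():
    records = []
    for c in range(30):
        client = f"bank-user-{c:02d}"
        records.append(("banking", client, "/login", 200))
        if c % 3 == 0:                                   # occasional mistyped password
            records.append(("banking", client, "/login", 401))
        for _ in range(5 + (c * 7) % 21):                # 5..19 account reads
            records.append(("banking", client, "/accounts", 200))
    for c in range(10):
        client = f"batch-job-{c}"
        for _ in range(850 + c * 30):                    # 850..1120 export calls
            records.append(("reports", client, "/export", 200))
    return records

# One suspicious client per threat class, plus one ordinary batch client.
def attack_traffic():
    records = []
    # Credential stuffing: hundreds of failed logins from one client.
    records += [("banking", "stuffer", "/login", 401)] * 400
    # API-specific DDoS on the login endpoint: very high rate of "successes".
    records += [("banking", "flooder", "/login", 200)] * 3000
    # Post-login data theft: a valid session enumerates /accounts/<id>.
    records += [("banking", "scraper", f"/accounts/{i}", 200) for i in range(300)]
    # Same volume a batch client always has: must NOT be flagged on "reports".
    records += [("reports", "batch-job-3", "/export", 200)] * 950
    return records

FEATURES = ("requests", "failed_logins", "distinct_paths")

def features(records):
    """Per-(api, client) feature vector: {api: {client: {feature: value}}}."""
    raw = defaultdict(lambda: defaultdict(lambda: {"requests": 0,
                                                   "failed_logins": 0,
                                                   "paths": set()}))
    for api, client, path, status in records:
        f = raw[api][client]
        f["requests"] += 1
        f["paths"].add(path)
        if path == "/login" and status in (401, 403):
            f["failed_logins"] += 1
    return {api: {c: {"requests": f["requests"],
                      "failed_logins": f["failed_logins"],
                      "distinct_paths": len(f["paths"])}
                  for c, f in clients.items()}
            for api, clients in raw.items()}

def learn_baseline(records):
    """Learn median and MAD of each feature across clients, separately per API."""
    base = {}
    for api, clients in features(records).items():
        base[api] = {}
        for name in FEATURES:
            vals = [f[name] for f in clients.values()]
            med = median(vals)
            mad = median(abs(v - med) for v in vals)
            # 1.4826*MAD estimates sigma for normal data; a floor of 1 keeps a
            # zero-variance count feature (most clients: 0 failed logins) from
            # flagging a single honest typo as a 'divide by zero' outlier.
            base[api][name] = (med, max(1.4826 * mad, 1.0))
    return base

def score(baseline, records, threshold=6.0):
    """Return {(api, client): [(feature, value, z)]} for clients exceeding threshold."""
    alerts = {}
    for api, clients in features(records).items():
        if api not in baseline:
            continue  # no baseline for an unseen API: nothing to compare against
        for client, f in clients.items():
            reasons = []
            for name in FEATURES:
                med, scale = baseline[api][name]
                z = (f[name] - med) / scale       # one-sided: only excess is suspicious
                if z > threshold:
                    reasons.append((name, f[name], round(z, 1)))
            if reasons:
                alerts[(api, client)] = reasons
    return alerts

if __name__ == "__main__":
    model = learn_baseline(baseline_traffic())
    for key, reasons in score(model, attack_traffic()).items():
        print(key, reasons)
```

Run as written, the three banking attackers are flagged (the stuffer on request count and failed logins, the flooder on request count, the scraper on request count and distinct paths) while batch-job-3, which is louder than any of them, is not, because its volume is normal for the reports API. The design choice worth noting is the median/MAD scale rather than mean/standard deviation: a few abusive clients in the learning window would otherwise inflate the standard deviation and hide themselves, which is the baseline-poisoning caveat from the paragraph above in concrete form.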


AI Complements and Extends Foundational Security Solutions

We’re only just beginning to see AI and machine learning applied to API security. PingIntelligence for APIs represents one of the first solutions helping enterprises move away from static, policy-driven security models to continuous, proactive API threat monitoring and detection. As this trend picks up speed, companies will find that AI and machine learning nicely complement and extend security capabilities that they’re already investing in, such as authentication/authorization solutions and API management/gateway solutions.


Enhanced protection for the data, application and systems that can be accessed via APIs will only spark more innovation, collaboration and business growth for the enterprises that are embracing the API economy.