USING INDIVIDUALIZED APIs TO BLOCK AUTOMATED ATTACKS ON NATIVE APPS AND/OR PURPOSELY EXPOSED APIs
Abstract
An API call filtering system filters responses to API call requests received, via a network, from user devices. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique endpoint identifier (“UEID”) of the user device making the request. Using the UEID, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue user devices while allowing for ordinary volumes of requests of requests the user devices, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . An API call filtering system that filters API calls received, via a network, from user devices that are network-connected and running endpoint app software and/or hardware, to secure an API service that accepts API call requests and provides API call responses thereto, wherein the API service is secured against excessive request iterations from a set of rogue user devices while allowing for ordinary volumes of requests of the user devices, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria, the API call filtering system comprising:
a request handler, coupled to a network interface, for handling requests from user devices; an end-point identifier, coupled to the request handler, for determining an identity of a requesting user device based on a personalized application programming interface (“API”) processing of a received request; storage for a plurality of references to user devices, references to their corresponding unique endpoint identifiers (“UEIDs”); a verifier for verifying with the requesting user device that it is the user device associated with the UEID included in the request from the requesting user device; and a filter controller for dropping, filtering and/or forwarding requests for ordinary volumes of requests, wherein the filter controller operates, at least in part, by recognizing the UEIDs of the requests, thereby allowing filter controller to filter out excessive requests from unrecognized user devices and user devices that are issuing what is deemed to be excessive request iterations.
2 . The API call filtering system of claim 1 , wherein requests from user devices include requests to authenticate the user device with respect to a secured account maintained at or for the API service.
3 . The API call filtering system of claim 1 , wherein the verifier for verifying includes a public key module that can encrypt a challenge message using a public key of a public key pair associated with one or more UEIDs and check signing of challenge reply messages.
4 . The API call filtering system of claim 3 , wherein the challenge message includes a random, semi-random, or pseudorandom number.
5 . The API call filtering system of claim 1 , wherein one or more of the request handler, the end-point identifier, the storage for a plurality of references to user devices, the verifier, and/or the filter controller are integrated into the secured API service.
6 . A user device that executes at least one endpoint app that sends API requests via a network to an API service that has been secured against excessive request iterations from a set of rogue user devices while allowing for ordinary volumes of requests from the user devices, the user device comprising:
an app initiator that processes data about, by, or for one or more endpoint apps that execute on a user device; storage for one or more UEIDs, wherein at least one UEID is associated with the one or more endpoint apps; and a request generator, that generates requests to be sent over the network to an API call filtering system and/or an API service while identifying the endpoint app in the requests.
7 . The user device of claim 6 , wherein UEIDs are associated with a limited address space to reduce an ability of an unauthorized device to use multiple UEIDs in order to hide a source of excessive request iterations.
8 . The user device of claim 7 , wherein the limited address space is provided by association of UEID requests with telephone numbers.
9 . The user device of claim 6 , further comprising storage for a private key of a public key infrastructure (“PKI”) key pair, wherein the private key used at least to encrypt challenge responses thereby signaling that the user device has access to the private key.
10 . The user device of claim 6 , wherein the requests generated by the request generator are requests directed to be sent over the network to the API call filtering system.
11 . The user device of claim 6 , wherein the requests generated by the request generator are requests directed to be sent over the network to the API service.
12 . In a secured network environment, wherein a computing system that services application programming interface (“API”) calls is connected to a network that allows for authorized user devices to initiate such API calls and also allows for unauthorized user devices to initiate such API calls, a method of detecting at least some unauthorized API calls, the method comprising:
receiving, over the network, an API call from a user device;
identifying an end-point identifier supplied by the user device based on data provided with the API call;
checking that end-point identifier against a stored plurality of references to user devices' corresponding unique endpoint identifiers (“UEIDs”);
verifying that the requesting user device is the user device associated with the UEID included in the request from the requesting user device; and
filtering out API call requests, based on the UEID and its determined validity.
13 . The method of claim 12 , wherein filtering out requests comprises
securing the API call requests against excessive request iterations from a set of user devices while allowing for ordinary volumes of requests of from the set of user devices, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.
14 . The method of claim 13 , wherein securing the API call requests against excessive request iterations comprises dropping requests using invalid UEIDs, dropping requests for a given UEID that are deemed excessive requests, and forwarding requests for ordinary volumes of requests from valid UEIDs.
15 . The method of claim 12 , wherein at least one of the API calls authenticates user devices with respect to a secured account maintained by the API service.
16 . The method of claim 12 , wherein verifying comprises:
encrypting a challenge message using a public key of a public key pair associated with one or more UEIDs; and checking digital signatures of challenge reply messages.
17 . The method of claim 16 , wherein the challenge message includes a random, semi-random, or pseudorandom number.Join the waitlist — get patent alerts
Track US2016191464A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.