This page applies to Apigee and Apigee hybrid.
View
Apigee Edge documentation.
Advanced API Security uses detection rules to detect unusual patterns in API traffic that could represent malicious activity. These rules include both machine learning models, trained on real API data, and descriptive rules, based on known types of API threats.
The following table lists the detection rules and their descriptions.
| Detection rule | Description |
|---|---|
| A machine learning model for detecting anomalies—unusual patterns of events—in API traffic. See About Advanced Anomaly Detection. | |
| Brute Guessor | High proportion of response errors during previous 24 hours |
| Flooder | High proportion of traffic from an IP address in a 5-minute window |
| OAuth Abuser | Large number of OAuth sessions with small number of user agents during the previous 24 hours |
| Robot Abuser | Large number of 403 rejection errors in the past 24 hours |
| Static Content Scraper | High proportion of response payload size from an IP address in a 5-minute window |
| TorListRule | Tor exit nodes IP list. A Tor exit node is the last Tor node that traffic passes through in the Tor network before exiting onto the internet. Detecting Tor exit nodes indicates that an agent has sent traffic to your APIs from the Tor network, possibly for malicious purposes. |
About Advanced Anomaly Detection
The Advanced Anomaly Detection algorithm learns from your API traffic, taking into account factors like error rates, traffic volume, request size, latency, geolocation, and other traffic metadata at the environment level. If there are significant shifts in traffic patterns (for example, a surge in traffic, error rates, or latency), the model flags the IP address that contributed to the anomaly in Detected Traffic.
You can also combine anomaly detection with security actions to automatically flag or deny traffic that is detected as anomalous by the model. See the "Using Apigee Advanced API Security's Security Actions to Flag and Block Suspicious Traffic" community post for additional information.
Model behavior
To reduce the risk that bad actors can exploit the model, we do not expose specific details about how the model works or how incidents are detected. However, this additional information can help you make the best use of anomaly detection:
- Accounting for seasonal variance:Because the model is trained on your traffic data, it can recognize and account for seasonal traffic variances (such as holiday traffic), if your traffic data includes previous data for that pattern, such as the same holiday in a previous year.
- Surfacing anomalies:
- For existing Apigee and hybrid customers: Apigee recommends that you have at least 2 weeks of historical API traffic data and, for more accurate results 12 weeks of historical data is preferable. Advanced Anomaly Detection starts surfacing anomalies within six hours of opting in to model training.
- New Apigee users: The model starts surfacing anomalies 6 hours after opt-in, if you have a minimum of 2 weeks of historical data. However, we recommend using caution when acting on detected anomalies until the model has at least 12 weeks of data for training. The model is continuously trained on your historical traffic data so that it becomes more accurate over time.
Limitations
For Abuse Detection Advanced Anomaly Detection:
- Anomalies are detected at the environment level. Anomaly detection at an individual proxy level is not supported at this time.
- Anomaly detection is not supported for VPC-SC customers at this time.
Machine learning and detection rules
Advanced API Security uses models built with Google's machine learning algorithms to detect security threats to your APIs. These models are pre-trained on real API traffic data sets (including your current traffic data, if enabled) that contain known security threats. As a result, the models learn to recognize unusual API traffic patterns, such as API scraping and anomalies, and cluster events together based on similar patterns.
Two of the detection rules are based on machine learning models:
- Advanced API Scraper
- Advanced Anomaly Detection