How Can AI Help Improve API Security?

Posted in Security by Kristopher Sandoval, August 20, 2020

Artificial Intelligence (AI) is a promising technology. AI, alongside Machine Learning (ML), promises to leverage the wide world of data to deliver better security and more complete offerings. Today, we’re going to dive into AI, and define what AI specifically is. We’ll then look at how AI can help improve security in the API space, and what types of offerings are commonly available to the API ecosystem.

What Is AI?

AI is perhaps one of the most misunderstood concepts in computing, mainly because of how the media portrays it. The classic image of artificial intelligence presented in a film like 2001: A Space Odyssey only shows a fantastically advanced variant of what it is. So, let’s define what artificial intelligence actually is in practice.

AI is a type of processing in which a computer applies logic to a specific set of requirements or activities. This logic, referred to as “intelligence,” is the application of the learned processing to solve a problem in a similar way to how a human might implement it. A computer learning from experience is known commonly as “machine learning,” while the actual knowledgebase formed from these collective learnings is colloquially termed “Artificial Intelligence.”

AI can be both simple and complex. A simple AI might be a collection of IFs and THENs, mirroring the thought pattern a human user might apply to a set of circumstances. For instance, in some applications, a smart thermostat may be considered artificially intelligent, assuming the thermostat “learns” from the user’s previous settings and adapts schedules intelligently using both this learned behavior and external data such as weather reports and exterior temperature sensors. This type of learning may seem to be nothing more than mimicry.
Still, over time, the collective behaviors learned by the system amount to something between simple imitation and real intelligence, thus earning it the title of “Artificial Intelligence.”

More advanced AI combines additional learned behavior with logic circuits and external data. Shopping assistants are an excellent example of this type of AI. The shopper’s interests and past habits are tied into object-oriented data streams in which the objects are given categories, qualities, and natures. In this type of system, a shopper who typically buys dog food may find that, during the holiday season, their assistant recommends a toy for their pet.

How Can AI Help Secure APIs?

With all of this said, what can AI do for web APIs? This is somewhat difficult to answer, as the field of AI is continuously evolving. Perhaps a better question is, “what is AI best suited for?” AI learns from data and acts upon those learnings. Therefore, AI does best when there is a narrow set of expectations and an adequate data stream.

Luckily, there are many options on offer from vendors for the modern API developer to integrate into their code flow. As it was when “the cloud” became an in-vogue term, almost any functionality has been ported in some way to leverage AI. Let’s look at some general AI implementation approaches. Below we cover three ways AI can be utilized to help secure APIs: heuristic security, pathing intelligence, and trend analysis.

Heuristic Security

In the AI space, a heuristic system offers generalized protection. Applied to APIs, a heuristics AI would consider baseline behaviors and flag requests that seem suspicious. A heuristics system is a type of self-evolving stop-gap, carrying out orders to the best of its ability today but developing for a better implementation tomorrow. Thus, it is an imperfect solution, but also a platform that allows you to create a better one.

Let’s look at a hypothetical implementation.
Imagine a security system for API and resource intrusion powered by a heuristics-based AI. This AI has a baseline of “normal behaviors” built-in. Accessing the API, testing the resource load, etc. may all fall within this accepted boundary, and might be classed as a “normal interaction.”

However, where a system such as this fails is in the “allowed but abnormal” spectrum of interactions. What happens when a developer wants to test out a new load balancing implementation, and thus requests the output in a new format? What happens when unstable data connections result in cached queries being sent more than once for entirely valid reasons?

In such a case, the heuristics-based AI might be able to look at this functionality, and say “this is not normal behavior, but based upon what I know, that this is a developer IP and that the credentials are correct, I am going to allow this.” Such a heuristics AI is thus not a perfect implementation but provides the desired result rather effectively.

The AI side of this “AI-powered heuristic” allows for a learning process to occur on the data set of deviations, which can then be integrated into the AI, allowing for more accurate API security processing. Over time, the heuristics employed by an AI can be seasoned, changed, augmented, and expanded, with new data sets acting as problems with unique solutions, thereby increasing the accuracy and effectiveness of the security solution.

Pathing Intelligence

Another example of AI-driven security is security based upon pathing intelligence. A pathing solution is concerned with providing and securing the best path for a given data type, and detecting deviations from this core pathing paradigm. This strategy goes by different names, typically based around optimizing or load balancing. Pathing intelligence is also related to concepts such as Backend for Frontend (BFF) or shim APIs.

When a user makes a request, that request has a best-suited path for the scenario.
The type of data, the purpose, and format could all impact the pathing process. An identity request needs to hit an authorization server; a media request has to hit a media server, and so on. The problem is that these paths, even if they are the proper paths for handling data, may come with caveats.

For instance, how does a server handle a request from an outdated client requesting a resource that no longer exists today? Such a request may still be justified in being served (especially in critical situations such as IoT medical devices); however, the overhead of coding a multitude of correct paths for the same resource may be too significant for a given implementation.

An AI-driven solution may be to watch for such pathing errors, reroute the request to the proper path, and notify the client of the outdated client version. The AI may also step in at that time to determine if the request is legitimate – for instance, if a known exploit uses out-of-date software to request information that should not be accessed, the AI should be able to tell the difference between a malicious request and a malformed request.

This pathing AI would function not just from external sources into the API, but from the API to external destinations as well. An AI within our API can look at the paths that exist and can be pinged, and then detect issues that deviate from known configurations. If the AI detects that the server logging system is suddenly insecure or intruded upon, the AI can cease request service or even write the information to an alternative, secure location. If the AI realizes that a server has failed and that requests are being written to a public server with no access control, the AI can terminate this function, or even add temporary credentials to lock down the public system.

Ultimately, pathing AI is about knowing what the current state of information flow is, and then terminating or controlling deviations.
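
The heuristic and pathing decisions described in the two sections above can be expressed as a single request gate. This is an added example, not code from the article or from any vendor; the routes, the developer network range, the threshold, and the z-score standing in for a learned model are all assumptions.

```python
import ipaddress
import statistics

# Constructed values: networks, routes and thresholds are assumptions for this example.
DEV_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
CURRENT_ROUTES = {"/v2/prices", "/v2/stores"}
DEPRECATED_ROUTES = {"/v1/prices": "/v2/prices"}  # old path -> current path


class Baseline:
    """Per-client history of requests per minute, plus deviations kept for review."""

    def __init__(self, samples=()):
        self.samples = list(samples)
        self.deviations = []

    def zscore(self, rate):
        if len(self.samples) < 5:  # too little history to call anything abnormal
            return 0.0
        mean = statistics.fmean(self.samples)
        stdev = statistics.pstdev(self.samples) or 1.0  # avoid division by zero
        return (rate - mean) / stdev


def evaluate(path, rate, src_ip, creds_valid, baseline, threshold=3.0):
    """Return (decision, served_path, note) for one API request."""
    if not creds_valid:
        return ("deny", None, "invalid credentials")
    # Pathing: serve current paths, reroute deprecated ones, reject unknown ones.
    if path in CURRENT_ROUTES:
        served, note = path, ""
    elif path in DEPRECATED_ROUTES:
        served, note = DEPRECATED_ROUTES[path], "outdated client: rerouted from " + path
    else:
        return ("deny", None, "path is not a known route")
    # Heuristics: compare this client's rate with its learned baseline.
    z = baseline.zscore(rate)
    if abs(z) <= threshold:
        baseline.samples.append(rate)  # normal traffic extends the baseline
        return ("allow", served, note)
    # Abnormal traffic is never learned automatically; it is queued for review
    # so that a burst cannot quietly shift what counts as normal.
    baseline.deviations.append((src_ip, path, rate, round(z, 1)))
    if any(ipaddress.ip_address(src_ip) in net for net in DEV_NETWORKS):
        return ("allow-abnormal", served, note or "abnormal rate, developer network")
    return ("flag", None, "abnormal rate, untrusted source")
```
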

Trend Analysis and Historic Processing

Trend analysis and historic processing go by many different names, but simply put, it’s the process of utilizing multiple data sources to give an overall impression of the current user state and the utilization trend that is most likely. By looking at previous use cases and current general traffic trends, you can more clearly estimate what is appropriate and what is not in terms of the user flow. Note that this is different from heuristics – while heuristics often uses such data to provide “good enough” generalized solutions, trend analysis and historic processing allows you to craft unique responses to a specific use pattern.

For instance, let’s assume that it is currently Halloween. If your API is used widely to generate historical pricing trends for shoppers comparing prices at multiple stores, the pattern of increased costume shopping (and thus increased interest in your API) might increase the use of specific endpoints. Therefore, an AI might look at these trends and decide to increase rate-limiting for high-rate user groups that still display human-like search practices. For scenarios that lack a rule or role-based policy system, an AI system may be well-suited to making these on-the-fly decisions for what is and isn’t allowed.

The problem with this sort of AI approach is that these decisions are only ever going to be as good as the data you feed into it. What happens if a product is posted on a major social media platform? How would a company be able to note that a celebrity has mentioned its service? All of these situations would be hard enough for a human to know and understand, but for the current generation of AI, these situations can be quite tricky to parse.

Practical Example

Let’s look at a specific example to see how AI and ML can be used in the modern API space.
Edgewise is an implementation of ML and AI centered around the idea of “zero trust segmentation.” Simply put, zero trust segmentation (by Edgewise’s definition) is the idea that the network can be segmented into distinct parts, none of which trust the other. Each environment is created where everything is inspected, nothing is trusted, and thus, everything is protected.

Edgewise works through micro-segmentation. Without changing the way the applications are built or requiring network overhauls, the platform is segmented into discrete elements, all of which are accompanied by a standard use case and defined boundary. As defined by Edgewise, these interdependencies allow for applications to continue regular operations while still forcing each entity to verify and validate itself between boundaries.

Most importantly, these defined boundaries and processes allow elements to be added to each segment, maintaining security while allowing for ease of distribution. The machine learning element further allows the actual boundaries and policies to change dynamically for the current platform distribution and paradigm, allowing for more accurate and secure handling of traffic.

Conclusion

AI can be a powerful tool, but like the cloud, it has become a buzzword in the industry. Not everything is machine learning, and not everything needs AI. That said, AI can deliver excellent results for a wide variety of implementations and systems. As such, it should be considered a solution to secure a widely available and accessible API.