Blocking automated attacks with forced user interaction

US10397187B2 · US · B2

Patent metadata
Publication number: US-10397187-B2
Application number: US-201816102716-A
Country: US
Kind code: B2
Filing date: Aug 13, 2018
Priority date: Jul 9, 2014
Publication date: Aug 27, 2019
Grant date: Aug 27, 2019

Abstract

Official abstract text for this publication.

An API call filtering system filters responses to API call requests received, via a network, from UEs. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique UE identifier ("UEIN") of the UE making the request. Using the UEIN, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue UEs while allowing for ordinary volumes of requests from the UEs, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: obtaining an API function associated with a service provided by a supporting server computer system; generating a modified API function corresponding to the API function that also requires a unique end-point identifier (UEIN) argument; managing UEIN data for a plurality of UEINs, each UEIN of the plurality of UEINs associated with a specific computing device of a plurality of authorized computing devices; receiving, from a first computing device, a first modified API call corresponding to the modified API function, the first modified API call comprising a first UEIN associated with a first authorized computing device of the plurality of authorized computing devices; verifying that the first computing device corresponding to the first modified API call is the first authorized computing device associated with the first UEIN; in response to verifying that the first computing device is the first verified computing device, forwarding the first modified API call to the supporting server computer system by making a first API call corresponding to the API function to the supporting server computer system; wherein the method is performed by one or more computing devices.

2. The method of claim 1, further comprising: receiving, from a second computing device, a second modified API call corresponding to the modified API function, the second modified API call comprising a second UEIN potentially associated with a second authorized computing device of the plurality of authorized computing devices; verifying that the second computing device corresponding to the second modified API call is not associated with the second UEIN; in response to verifying that the second computing device is not associated with the second UEIN, blocking the second modified API call, wherein blocking the second modified API call comprises not forwarding the second modified API call to the supporting server computer system.

3. The method of claim 1, wherein verifying that the first computing device corresponding to the first modified API call is the first computing device associated with the first UEIN comprises: issuing a challenge to the first computing device; and determining if a challenge response received from the first computing device is valid.

4. The method of claim 3, wherein the challenge is an encryption challenge that requires the first computing device to perform an encryption operation based on the first UEIN.

5. The method of claim 3, further comprising: maintaining data comprising a plurality of unauthorized UEINs; in response to determining that the challenge response received from the first computing device is not valid, adding the first UEIN to the plurality of unauthorized UEINs.

6. The method of claim 1, further comprising: receiving, from a third computing device, a third modified API call corresponding to the modified API function, the third modified API call comprising a third UEIN; determining that the third UEIN belongs to a plurality of unauthorized UEINs; in response to determining that the third UEIN belongs to the plurality of unauthorized UEINs, blocking the third modified API call, wherein blocking the third modified API call comprises not forwarding the third modified API call to the supporting server computer system.

7. The method of claim 1, wherein the first UEIN is initially generated by the first authorized computing device.

8. The method of claim 1, further comprising: prior to receiving the first modified API call from the first computing device, receiving a set of data from the first authorized computing device indicating successful performance of a non-automatable step at the first authorized computing device; in response to the set of data indicating the successful performance of the non-automatable step, associating the first UEIN with the first authorized computing device.

9. The method of claim 1, further comprising: monitoring a volume of modified API calls of the modified API function that are associated with the first UEIN; based on the volume of modified API calls associated with the first UEIN, determining that the first authorized computing device associated with the first UEIN is no longer authorized; in response to determining that the first computing device associated with the first UEIN is no longer authorized, blocking additional modified API calls comprising the first UEIN, wherein blocking the additional modified API calls comprises not forwarding the additional modified API calls to the supporting server computer system.

10. The method of claim 1, wherein each UEIN of the plurality of UEINs uniquely identifies a particular instance of an application running on the corresponding computing device of the plurality of authorized computing devices.

11. A system comprising: one or more hardware processors; at least one memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to: obtain an API function associated with a service provided by a supporting server computer system; generate a modified API function corresponding to the API function that also requires a unique end-point identifier (UEIN) argument; manage UEIN data for a plurality of UEINs, each UEIN of the plurality of UEINs associated with a specific computing device of a plurality of authorized computing devices; receive, from a first computing device, a first modified API call corresponding to the modified API function, the first modified API call comprising a first UEIN associated with a first authorized computing device of the plurality of authorized computing devices; verify that the first computing device corresponding to the first modified API call is the first authorized computing device associated with the first UEIN; in response to verifying that the first computing device is the first verified computing device, forward the first modified API call to the supporting server computer system by making a first API call corresponding to the API function to the supporting server computer system.

12. The system of claim 11, wherein the one or more instructions, when executed by the one or more hardware processors, cause the one or more processors to: receive, from a second computing device, a second modified API call corresponding to the modified API function, the second modified API call comprising a second UEIN potentially associated with a second authorized computing device of the plurality of authorized computing devices; verify that the second computing device corresponding to the second modified API call is not associated with the second UEIN; in response to verifying that the second computing device is not associated with the second UEIN, block the second modified API call, wherein blocking the second modified API call comprises not forwarding the second modified API call to the supporting server computer system.

13. The system of claim 11, wherein verifying that the first computing device corresponding to the first modified API call is the first computing device associated with the first UEIN comprises: issuing a challenge to the first computing device; and determining if a challenge response received from the first computing device is valid.

14. The system of claim 13, wherein the challenge is an encryption challenge that requires the first computing device to perform an encryption operation based on the first UEIN.

15. The method of claim 13, wherein the one or more instructions, when executed
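To make the flow of claims 1 through 9 concrete, the following is an added example and not code from the patent or from Shape Security. It wraps an upstream API function in a filter that demands a UEIN argument, binds each UEIN to a per-endpoint secret at enrollment only after a non-automatable step (claim 8), verifies the caller with a fresh challenge (claims 3 and 4; an HMAC over the UEIN and a nonce stands in for the patent's "encryption operation based on the UEIN", which is an assumption), moves UEINs that fail the challenge onto an unauthorized list (claims 5 and 6), and revokes a UEIN whose call volume crosses a threshold (claim 9). Class names, the `lookup_balance` upstream function, the threshold value and the sample accounts are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class EndpointRecord:
    """UEIN data kept by the filter: the per-endpoint secret and a call counter."""
    key: bytes
    calls: int = 0


class ApiCallFilter:
    """Wraps an upstream API function so that every call must carry a UEIN (claim 1).
    Example code; the structure is an assumption, not the patent's implementation."""

    def __init__(self, upstream, max_calls_per_uein=100):
        self.upstream = upstream              # original API function of the supporting server
        self.max_calls = max_calls_per_uein   # volume threshold (claim 9); the value is an assumption
        self.endpoints = {}                   # UEIN -> EndpointRecord ("managing UEIN data")
        self.unauthorized = set()             # plurality of unauthorized UEINs (claims 5, 6)
        self.pending = {}                     # UEIN -> outstanding challenge nonce (claim 3)

    def enroll(self, uein, key, passed_non_automatable_step):
        """Associate a UEIN with a device only after it completed a non-automatable step (claim 8)."""
        if not passed_non_automatable_step:
            raise PermissionError("non-automatable step not completed")
        self.endpoints[uein] = EndpointRecord(key)

    def issue_challenge(self, uein):
        """Claim 3: hand the endpoint a fresh nonce it must answer with its UEIN-bound key.
        A fresh nonce per call is what stops a captured response from being replayed."""
        nonce = os.urandom(16)
        self.pending[uein] = nonce
        return nonce

    @staticmethod
    def answer_challenge(key, uein, nonce):
        """Client side. HMAC over UEIN||nonce stands in for the 'encryption operation
        based on the UEIN' of claim 4; the exact construction is an assumption."""
        return hmac.new(key, uein.encode() + nonce, hashlib.sha256).digest()

    def modified_api_call(self, uein, response, *args):
        """The modified API function: the UEIN and its challenge response are mandatory arguments."""
        if uein in self.unauthorized:                      # claim 6: listed UEIN, do not forward
            return ("blocked", "unauthorized UEIN")
        record = self.endpoints.get(uein)
        nonce = self.pending.pop(uein, None)
        if record is None or nonce is None:                # claim 2: no authorized device for this UEIN
            return ("blocked", "no authorized device for UEIN")
        expected = self.answer_challenge(record.key, uein, nonce)
        if not hmac.compare_digest(expected, response):    # claim 5: failed challenge -> unauthorized list
            self.unauthorized.add(uein)
            return ("blocked", "challenge failed")
        record.calls += 1
        if record.calls > self.max_calls:                  # claim 9: excessive volume -> revoke
            self.unauthorized.add(uein)
            return ("blocked", "volume exceeded")
        return ("forwarded", self.upstream(*args))         # claim 1: plain API call to the supporting server


def lookup_balance(account):
    """Stand-in for the supporting server's original API function (constructed)."""
    return {"acct-1": 42}.get(account, 0)


def call_as(filter_, uein, key, account):
    """One complete exchange for a single call: challenge, answer, modified call."""
    nonce = filter_.issue_challenge(uein)
    return filter_.modified_api_call(uein, ApiCallFilter.answer_challenge(key, uein, nonce), account)


def run_scenario():
    """Walk through the cases the claims distinguish; returns the outcomes for inspection."""
    f = ApiCallFilter(lookup_balance, max_calls_per_uein=3)
    good_key = os.urandom(32)
    f.enroll("ue-1", good_key, passed_non_automatable_step=True)
    out = {}
    out["legit"] = call_as(f, "ue-1", good_key, "acct-1")            # forwarded, returns 42
    out["unknown"] = call_as(f, "ue-9", good_key, "acct-1")          # UEIN never enrolled
    f.enroll("ue-2", os.urandom(32), passed_non_automatable_step=True)
    out["wrong_key"] = call_as(f, "ue-2", os.urandom(32), "acct-1")  # challenge fails, ue-2 listed
    out["after_fail"] = call_as(f, "ue-2", good_key, "acct-1")       # blocked by the unauthorized list
    for _ in range(2):                                               # calls 2 and 3 for ue-1 still pass
        call_as(f, "ue-1", good_key, "acct-1")
    out["excess"] = call_as(f, "ue-1", good_key, "acct-1")           # 4th call crosses the threshold
    return out


if __name__ == "__main__":
    for case, result in run_scenario().items():
        print(f"{case:>10}: {result}")
```

Two practical points the claims leave to the implementer: a UEIN on its own is only a label, so the binding to a device has to rest on a secret the challenge exercises (here the per-endpoint key), and the volume boundary of claim 9 needs a window or decay in a real deployment, since the monotonically increasing counter above would eventually revoke every honest endpoint.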

Assignees

Shape Security Inc

Classifications

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms, H04L9/002)

  • Sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption (cryptographic mechanisms or arrangements for public-key encryption, H04L9/30)

  • Managing network security; network security policies in general (filtering policies, H04L63/0227; primary classification)

  • Controlling access to devices or network resources

  • Detection or prevention of fraud

Frequently asked questions

What does patent US10397187B2 cover?
An API call filtering system that requires each API call to carry a unique identifier (UEIN) of the requesting device. Because every request is tied to a UEIN, the protected service can block excessive request iterations from rogue devices while still serving ordinary request volumes; the full text is in the Abstract above.
Who is the assignee on this patent?
Shape Security Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0227. Mapped technology areas include Electricity.
When was this patent published?
Publication date Aug 27, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).