System and method for partition migration in a multitenant application server environment
US-2015372938-A1 · Dec 24, 2015 · US
US11855968B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11855968-B2 |
| Application number | US-202217817577-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 4, 2022 |
| Priority date | Oct 26, 2016 |
| Publication date | Dec 26, 2023 |
| Grant date | Dec 26, 2023 |
Official abstract text for this publication.
The present invention relates to the field of networking and API/application security. In particular, the invention is directed towards methods, systems and computer program products for deep learning based API traffic analysis and network security. The invention provides an automated approach to threat and/or attack detection by machine learning based accumulation and/or interpretation of various API/application traffic patterns, identifying and mapping characteristics of normal traffic for each API, and thereafter identifying any deviations from the normal traffic parameter baselines, which deviations may be classified as anomalies or attacks.
Opening claim text (preview).
We claim:

1. A non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the instructions comprising code to cause the processor to: receive an event trigger to analyze traffic parameter data associated with network traffic of an Application Programming Interface (API); identify the API as associated with an API class from a plurality of API classes; identify, in response to the event trigger, an anomaly detection model from a plurality of anomaly detection models and associated with the API class, each anomaly detection model from the plurality of anomaly detection models being associated with a different API class from the plurality of API classes; analyze, using the anomaly detection model and in response to the event trigger, the traffic parameter data to identify deviations between the traffic parameter data and a traffic parameter baseline value associated with the API; and restrict network traffic associated with the API when the deviations meet a criterion.

2. The non-transitory processor-readable medium of claim 1, wherein the event trigger is based on at least one of receiving a data request, receiving a data message, a periodic time event trigger or an instruction for initiating analysis.

3. The non-transitory processor-readable medium of claim 1, wherein the traffic parameter baseline value is based on a current time.

4. The non-transitory processor-readable medium of claim 1, wherein the traffic parameter baseline value is based on at least one of geolocation of a source of the network traffic, a datacenter associated with the network traffic, a device type associated with the network traffic, an application associated with the network traffic, an amount of the network traffic, or a payload type of the network traffic.

5. The non-transitory processor-readable medium of claim 1, wherein the traffic parameter baseline value is based on network traffic received from a plurality of sources.

6. The non-transitory processor-readable medium of claim 1, wherein the API is from a plurality of APIs, each API from the plurality of APIs associated with an anomaly detection model from the plurality of anomaly detection models.

7. The non-transitory processor-readable medium of claim 1, wherein the API is from a plurality of APIs and the receiving is at an API gateway configured to receive network traffic addressed to the plurality of APIs.

8. A method, comprising: receiving a data packet addressed to an Application Programming Interface (API); identifying the API as associated with an API class from a plurality of API classes; identifying, in response to receiving the data packet, an anomaly detection model from a plurality of anomaly detection models and associated with the API class, each anomaly detection model from the plurality of anomaly detection models being associated with a different API class from the plurality of API classes; analyzing, using the anomaly detection model, traffic parameter data associated with the data packet to identify deviations between the traffic parameter data and a traffic parameter baseline associated with the API; and classifying the data packet as an anomaly when the deviations meet a criterion.

9. The method of claim 8, wherein the API is from a plurality of APIs and the receiving is at an API gateway configured to receive network traffic addressed to the plurality of APIs.

10. The method of claim 8, further comprising: discarding the data packet based on classifying the data packet as an anomaly.

11. The method of claim 8, further comprising: restricting network traffic associated with the API based on classifying the data packet as an anomaly.

12. The method of claim 8, wherein the API is from a plurality of APIs associated with an API class, the identifying the anomaly detection model including identifying the anomaly detection model based on the API class.

13. The method of claim 8, wherein the receiving the data packet is at a time, the traffic parameter baseline is based on the time.

14. The method of claim 8, wherein the traffic parameter baseline is based on at least one of geolocation of a source of the data packet, a datacenter associated with the data packet, a device type associated with the data packet, an application associated with the data packet, an amount of network traffic addressed to the API, or a payload type of the data packet.

15. An apparatus, comprising: a memory; and a processor of a network gateway associated with a plurality of Application Programming Interfaces (APIs), the processor operatively coupled to the memory, the processor configured to: receive an event trigger to analyze traffic parameter data associated with network traffic of an API from the plurality of APIs; identify the API as associated with an API class from a plurality of API classes; identify, in response to the event trigger, an anomaly detection model from a plurality of anomaly detection models and associated with the API class, each anomaly detection model from the plurality of anomaly detection models being associated with a different API class from the plurality of API classes; analyze, using the anomaly detection model associated with the API class and in response to the event trigger, the traffic parameter data to identify deviations between the traffic parameter data and a traffic parameter baseline value associated with the API; and restrict network traffic associated with the API when the deviations meet a criterion.

16. The apparatus of claim 15, wherein the event trigger is based on at least one of receiving a data request, receiving a data message, a periodic time event trigger or an instruction for initiating analysis.

17. The apparatus of claim 15, wherein the traffic parameter baseline value is based on a time associated with the network traffic.

18. The apparatus of claim 15, wherein the traffic parameter baseline value is based on at least one of geolocation of a source of the network traffic, a datacenter associated with the network traffic, a device type associated with the network traffic, an application associated with the network traffic, an amount of the network traffic, or a payload type of the network traffic.
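As an added illustration of the flow recited in claims 1, 3 and 8 (not code from the patent or its assignee): a gateway looks up the API's class, selects that class's model, and compares one traffic parameter with a per-hour baseline. The class names, paths, thresholds and the mean/standard-deviation test are assumptions standing in for the learned models the abstract describes.

```python
import math
from collections import defaultdict

class Baseline:
    """Running mean and variance of one traffic parameter (Welford's method)."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
    def update(self, x):
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)
    def deviation(self, x):
        """Distance from the baseline in standard deviations; 0 until trained."""
        if self.n < 2:
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        if std == 0:
            return 0.0 if x == self.mean else math.inf
        return abs(x - self.mean) / std

# Assumed API classes: each class has its own model (parameter watched, criterion).
MODELS = {"auth": ("requests_per_min", 3.0), "export": ("payload_bytes", 4.0)}
API_CLASS = {"/login": "auth", "/reports/export": "export"}

class Gateway:
    def __init__(self):
        self.baselines = defaultdict(Baseline)  # keyed by (api, hour of day)
        self.restricted = set()                 # APIs whose traffic was restricted
    def learn(self, api, hour, params):
        param, _ = MODELS[API_CLASS[api]]
        self.baselines[(api, hour)].update(params[param])
    def on_request(self, api, hour, params):
        """Event trigger: select the model for the API's class, then decide."""
        param, criterion = MODELS[API_CLASS[api]]
        dev = self.baselines[(api, hour)].deviation(params[param])
        if dev >= criterion:
            self.restricted.add(api)
            return "restrict"
        return "allow"

def demo():
    gw = Gateway()
    # Constructed training traffic: /login is busy at 09:00 and quiet at 03:00.
    training = {9: (40, 42, 38, 41, 39, 43, 40, 37), 3: (2, 3, 1, 2, 3, 2, 1, 2)}
    for hour, rpms in training.items():
        for rpm in rpms:
            gw.learn("/login", hour, {"requests_per_min": rpm})
    probe = {"requests_per_min": 40}
    return gw.on_request("/login", 9, probe), gw.on_request("/login", 3, probe)
```

The same 40 requests per minute is allowed at 09:00 and restricted at 03:00, which is the effect of tying the baseline to time. An untrained baseline allows everything in this sketch, so a deployment would need a separate policy for APIs with no history.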
Proxies · CPC title
Detecting local intrusion or implementing counter-measures · CPC title
involving event detection and direct action · CPC title
at program execution time, where the protection is within the operating system · CPC title
Machine learning · CPC title