To address the scarcity of realistic composite API request traffic and the failure of conventional methods in detecting Business Logic Access Control (BAC) violations—where individual requests appear legitimate but their sequential composition violates access policies—this paper proposes a generative data construction and learning-driven detection framework. We introduce the first composite traffic generator that jointly leverages API specification mining and context-aware sequence modeling to synthesize realistic, semantically valid multi-step request sequences, thereby overcoming the dual challenges of BAC behavior stealthiness and severe label scarcity. Crucially, we pioneer end-to-end BAC anomaly modeling using synthetic traffic, integrating a graph neural network with temporal attention to detect privilege escalation arising from legitimate-but-malicious request compositions. Experiments demonstrate significant improvements: +21.2% in F₁-score and +24.1% in Matthews Correlation Coefficient (MCC) over state-of-the-art invariant- and learning-based approaches.

Broken Access Control (BAC) violations, which consistently rank among the top five security risks in the OWASP API Security Top 10, refer to unauthorized access attempts arising from BAC vulnerabilities, whose successful exploitation can impose significant risks on exposed application programming interfaces (APIs). In recent years, learning-based methods have demonstrated promising prospects in detecting various types of malicious activities. However, in real-network operation and maintenance scenarios, leveraging learning-based methods for BAC detection faces two critical challenges. Firstly, under the RESTful API design principles, most systems omit recording composite traffic for performance, and together with ethical and legal bans on directly testing real-world systems, this leads to a critical shortage of training data for detecting BAC violations. Secondly, common malicious behaviors such as SQL injection typically generate individual access traffic that is inherently anomalous. In contrast, BAC is usually composed of multiple correlated access requests that appear normal when examined in isolation. To tackle these problems, we introduce BAC, an approach for establishing a BAC violation detection model by generating and utilizing API traffic data. The BAC consists of an API Traffic Generator and a BAC Detector. Experimental results show that BAC outperforms current state-of-the-art invariant-based and learning-based methods with the $ ext{F}_1$ and MCC improving by 21.2% and 24.1%.