🤖 AI Summary
This study addresses the challenge of effectively detecting anomalies and malicious activities in HTTP REST APIs when comprehensive documentation is unavailable. To this end, the authors propose HRAL, a novel method that, for the first time, automatically learns API structure and normal behavioral patterns directly from network traffic in a fully unsupervised manner—without relying on predefined rules or API specifications. HRAL integrates unsupervised anomaly detection, traffic analysis, and API behavior modeling, and can be synergistically combined with the OWASP ModSecurity Core Rule Set (CRS) engine to achieve comprehensive coverage. Experimental results demonstrate that HRAL achieves an average recall of 82.07% and an F1-score of 87.24%; its performance in documentation-scarce scenarios closely matches that of methods leveraging complete API definitions, and when fused with rule-based detection, it attains a 100% attack detection rate.
📝 Abstract
Application Programming Interfaces (APIs) are essential in software development, enabling web services, mobile apps, and microservices. However, their widespread use introduces significant security risks, highlighting the importance of API security. This paper presents HTTP REST API Learning (HRAL), a novel unsupervised anomaly detection approach that models the structure and behavior of API endpoints directly from network traffic, without relying on predefined rules or documentation. HRAL enables robust detection of malicious activity by understanding how APIs behave and flagging deviations as potential threats. We evaluate HRAL across varying levels of OpenAPI documentation detail and compare it with existing techniques. HRAL achieves strong performance, with an average recall of 82.07% and an F1-score of 87.24%, significantly outperforming alternatives when API documentation is limited. Moreover, our results approach the effectiveness of full API document definitions. When combined with signature-based rules such as the OWASP ModSecurity CRS, our system achieves 100% detection. These results highlight HRAL's effectiveness in real-world, partially documented API environments and its potential as a foundational layer for modern API security solutions.