=Paper=
{{Paper
|id=Vol-3125/paper4
|storemode=property
|title=A Novel Anomaly Detection Approach to Secure
APIs from Cyberattacks
|pdfUrl=https://ceur-ws.org/Vol-3125/paper9.pdf
|volume=Vol-3125
|authors=Arshardh Ifthikar,Nipun Thennakoon,Sanjeewa Malalgoda,Harsha Moraliyage,Thamindu Jayawickrama,Tiroshan Madushanka,Saman Hettiarachchi
|dblpUrl=https://dblp.org/rec/conf/sgai/IfthikarTMMJMH21
}}
==A Novel Anomaly Detection Approach to Secure
APIs from Cyberattacks==
Artificial Intelligence and Cyber Security (AI-CyberSec) A Novel Anomaly Detection Approach to Secure APIs from Cyberattacks Arshardh Ifthikar1 , Nipun Thennakoon2 , Sanjeewa Malalgoda3 , Harsha Moraliyage 4 , Thamindu Jayawickrama3 , Tiroshan Madushanka2 and Saman Hettiarachchi1 1 Informatics Institute of Technology, Sri Lanka 2 University of Kelaniya, Sri Lanka 3 WSO2, Sri Lanka 4 Centre for Data Analytics and Cognition, LaTrobe University, Australia Abstract Digital transformation driven rapid movement towards the digital economy resulted in an elevated amount of cyber risks and cyber threats for nations. In this feat, RESTful Application Programming Interfaces (APIs) are identified as the core building block of the backbone network which connects billions of people, businesses, devices, data, and processes. With almost every nation moving towards digital transformation, organizations adopt strategies such as anything as a service (XaaS) model and APIs are becoming a vital aspect for any business functionality. The rising popularity of APIs makes them an attractive target for hackers and malicious users. The risk and complexity of cyberattacks are increasing exponentially as attackers continuously evolve with the technology and use novel Artificial Intelligence(AI) techniques to launch more sophisticated attacks. Cyberattacks on APIs are often subtle by nature, and the uniqueness of API access patterns makes it even harder to effectively detect them using traditional methods. Organizations are moving towards adopting AI techniques to defend against cyberattacks which enable the possibility to create systems that could learn the unique access patterns of APIs, by monitoring its API traffic and using the gained knowledge to identify the cyberattacks on APIs. Those systems could even dynamically adapt to the changes in API access patterns due to external factors like time. In this study, we propose a novel hybrid approach of anomaly detection and classification ensuring that the API services can be consumed as needed, but passively analyzing the flow to identify anomalies and potential cyberattacks to the APIs and alerting the network administrators of any anomalies detected and ensuring cybersecurity. Experiments have shown that our system is effective in detecting attacks on APIs with a high level of accuracy and reliability. Keywords API security, anomaly detection, machine learning, K-Means, random forests, Artificial immune systems, Autoencoders, AI driven cybersecurity, AI-CyberSec 2021: Workshop on Artificial Intelligence and Cyber Security, December 14, 2021, Cambridge, UK £ arshardhifthikar@gmail.com (A. Ifthikar); nipunsampath@gmail.com (N. Thennakoon); sanjeewa190@gmail.com (S. Malalgoda); h.moraliyage@latrobe.edu.au (H. M. ); thamindudj.16@cse.mrt.ac.lk (T. Jayawickrama); tiroshanm@kln.ac.lk (T. Madushanka); saman.h@iit.ac.lk (S. Hettiarachchi) ç https://arshardh.com/ (A. Ifthikar); https://www.linkedin.com/in/sanjeewa-malalgoda/ (S. Malalgoda); https://medium.com/@harsz89/ (H. M. ); http://www.iit.ac.lk/mr-saman-hettiarachchi (S. Hettiarachchi) ȉ 0000-0002-1764-8079 (A. Ifthikar); 0000-0002-9568-3101 (N. Thennakoon); 0000−0001−6627−1477 (T. Madushanka) © 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings http://ceur-ws.org ISSN 1613-0073 CEUR Workshop Proceedings (CEUR-WS.org) 1. Introduction An Application Programming Interface (API) is a software-to-software interface that defines the contract for applications to communicate with each other over a network without human interaction. It simplifies programming by exposing only the objects or actions and abstracting the underlying implementation.Web API or RESTful service is an API over the web which can be accessed for message transmission and URIs for resource identification and interaction . They have grown rapidly due to the ubiquity of digital devices and the network infrastructure.The growing popularity of APIs makes it an attractive target for hackers and malicious users which draws our attention to ensure cybersecurity for these APIs. Injection attacks, Application-level Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks, broken authentica- tion, and sensitive data exposure are prime examples of the threats directed at APIs. Even the big corporations like Venmo[1], T-Mobile [2], and Facebook [3] have recently experienced API security breaches. In general, every API has an access pattern unique to it. These access pat- terns may sometimes be unique to the API or sometimes to the user or sometimes both. This uniqueness makes it difficult to detect threats to API using traditional methods like static poli- cies in an accurate and efficient manner. However, by using machine learning techniques, it would be possible to create systems that could learn the unique access patterns of an API by monitoring the API traffic and use that knowledge to identify the malicious API calls. Further- more, these systems will be able to dynamically adapt to each API, as well as to the changes in its access patterns with external factors like time. 2. Related Work Anomaly-based intrusion detection systems operate by defining the normal behavior of the sys- tem and detecting intrusions by observing patterns that deviate from established norms. The main benefit of this approach is the ability to detect zero-day attacks [4]. Anomaly-based IDS generally use unsupervised learning techniques for modeling normal behavior. Several prior studies have been conducted using different unsupervised learning techniques to implement anomaly-based intrusion detection systems. Sipola et al. [5] proposed using diffusion maps and spectral clustering to detect anomalies on network logs. Their best accuracy and precision figures were 99.9% and 99.8% respectively. Fan [6] introduced a method based on hidden Markov models for anomaly detection of web- based attacks. They claimed that the detection of SQL injection attacks as anomalies is very effective, with a detection rate as high as 98%. Jin Wang et al. [7] proposed a novel anomaly- based HTTP-flooding detection scheme (HTTPsCAN), which can eliminate the influence of the web-crawling traces with the clustering algorithm. They had an average false positive rate of 2.5% and an average true positive rate of 100%. Zolotukhin et al. [4] has considered the analysis of HTTP logs for intrusion detection. Ac- cording to their experimental results, the Support Vector Data Description (SVDD) model had the highest detection rate (99.2%) for detecting anomalies using web resource while K-Means had the highest detection rate (100%) for detecting anomalies using query attributes and the DB- SCAN had the highest detection rate (97.5%) for detecting anomalies using user agent. Juvonen et al. [8] introduced an anomaly detection approach that uses dimensionality reduction tech- niques. They concluded that random projection works well when analyzing bigger datasets, and diffusion maps can be used for more accurate analysis on smaller sets of data. Peng et al. [9] proposed a clustering approach based on Mini Batch K-Means and PCA (PMBKM) for intru- sion detection. From the experimental results, they have concluded that PMBKM is effective, efficient, and can be used for intrusion detection in big data environments. The anomaly-based IDS also has some limitations when compared with signature-based IDS. The false alarm is generally higher in anomaly-based IDS [4] since it is possible that the detected anomaly may have been a legitimate outlier instead of an intrusion. Apart from that, they also cannot classify the intrusion types [10] like in the signature-based IDS. Next, lets shift focus to the paper authored by Tong Lanxuan, Cao Jian, Qi Qing and Qian Shiyou bearing the title AIMS: A predictive web API invocation behavior monitoring system[11]. The problem they are looking into solving is the need to analyze personalized web API invoca- tion behaviors. The main hurdle they are trying to overcome is to build a unified framework that is able to predict web API invocations by a user and using this model, to detect any anoma- lies in the web API invocation pattern. They have attempted to tackle this problem by using the K-Nearest-Neighbor classifier. They first convert the user’s invocation data to a time se- ries based on invocations and then uses permutation entropy to determine the randomness of this series and fed to the next steps. This information is first used to build an adaptive pre- diction model according to the active period of the users time series. They have tested this model with both fabricated and actual user invocation data. In conclusion, the authors state that their system; AIMS functioned efficiently, but they mention they wish to improve AIMS using non-linear models like neural networks. An anomaly detection method to detect web attacks using Stacked Auto-Encoder [12] was published in the 2018 6th Iranian Joint Congress on Fuzzy and Intelligent Systems (CFIS). Here the researchers use the n-gram model to extract data from the HTTP requests and then use a Stacked Auto Encoder for dimensionality reduction. Then once this is done, they use the Isolation forest algorithm to detect anomalies. They have made it a point to test accuracies measured in the number of true positives and false negatives with different n-gram numbers (unigram/bigram) and different activation functions for neurons. This is a good step, as this will allow getting the best possible accuracy possible for the model. Subsequent to this analysis, these researchers have reached an accuracy of 88.32%, which is an adequate number for this use case. The paper titled Streamlined anomaly detection in web requests using recurrent neural net- works [13] publisher in the 2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) takes a rather different approach to tackle the anomaly detection prob- lem, but using Recurrent Neural Networks (RNN). Here, they use the LSTM (Long Short Term Memory) algorithm to analyze each character of the set of headers of a given HTTP request which in turn gives a set of ratings for the characters. Then they use a binary classifier to look for anomalies in this data. The CSIC 2010 HTTP dataset has been used to evaluate the algorithm and they have come up with a 62% detection rate, which is a decent accuracy figure. They point out the importance of low false-positive rates over the detection rate which does make sense as the high number of false positives can break a system’s reliability and can be an inconvenience for administrators which makes the system impractical. According to the related work in this domain, it can be observed that even though anomaly- based intrusion detection systems were introduced to address the limitations in the signature- based systems, they also have their limitations. A hybrid approach will be beneficial for intru- sion detection if it could retain the advantages and address the limitations in anomaly-based IDS. Furthermore, most researches have been focused on detecting intrusions at the transport and network layers in the OSI model and not at the application layer where the APIs reside. Detecting intrusions at lower layers in the OSI models may not be able to detect application layer attacks directed towards APIs. Therefore, we will be focusing on detecting intrusions at the application layer. 3. Methodology 3.1. Design When designing a system for this use case, we need to make sure that we can meet the non- functional requirements such as having a low latency and hence, not having an adverse effect on the performance, while still maintaining a good accuracy. In order to ensure this, the design of the proposed solution is based on three different layers. These layers are shown in the diagram given below. Figure 1: Layered architecture diagram 3.1.1. Trend Change Detection Layer The responsibility of the trend change detection layer is to analyze the trend of API invocations and determine if there is any behavior that deviates from the normal. A deep learning model is proposed to achieve this task. The algorithm used for the deep learning model is a Stacked Autoencoder. The reason to go with a stacked autoencoder is because it is well recognized as a tool for outlier detection in recent papers. These stacked autoencoders work as a good medium to reduce the dimensionality of an input and represent it in a latent space which can then be used to determine outliers. In the process of training this deep learning model, we normally see use cases where we input raw information and expect the deep learning model to identify all patterns. This might work sometimes if we can input a very large dataset. But our focus should be to pre-process the data so that it is easier for the deep learning model to learn. In order to learn the trend of the API invocations, the dataset is arranged into buckets based on their timestamp. The ideal time that matched our dataset was ten seconds per bucket. These buckets are then processed to extract summary information that will be inserted to the deep learning model training process. The request count field contains the number of requests within the number of seconds of the bucket. The unique IP address count field contains the number of unique IP addresses within the request bucket. The unique access token count includes the unique number of access tokens used during the request bucket. The summary data also has broken down the HTTP method column to separate columns: GET request count within the bucket, the POST request count within the bucket, the DELETE request count within the bucket and the PUT request count within the bucket, in a one-hot encoded[14] manner. The summarized dataset also includes the unique invocation path count, the number of unique invocation paths that were invoked within the time duration, the longest invocation path that a resource was accessed within the time duration, the number of unique user agent values within the time duration, mean value of all response codes within the time duration and the total number of bytes communicated within the bucket. Once the model is trained and a latent space is obtained, this latent space is stored as a dimen- sionally reduced representation of the normal behavior of the API invocations in the gateway. The new requests that the gateway receives are aggregated into buckets of ten seconds and then compared with the latent representation, to obtain a score. This score represents the de- viation of the bucket in concern, from the normal behavior. We know the maximum deviation of normal requests from the latent space, which will help us to determine a threshold where we can set to consider incoming buckets as anomalies. In our effort, we set this threshold subsequent to adding a ten-point buffer to the normal maximum deviation score which was twenty-two, resulting in a threshold of thirty-two. This means that any request bucket that surpasses a deviation score of thirty-two, will be escalated to the in-depth classification layer for processing. These values such as the buffer value were obtained subsequent to many testing iterations involving attack datasets. 3.1.2. In-depth Classification Layer In the in-depth classification layer, the buckets containing the anomalous requests and their neighbouring buckets are analyzed at a more granular level to narrow down the actual anoma- Table 1 Summary - Anomaly detection models Model Description Features Anomaly detection based on the geoloca- - Geolocation Geolocation tion of the API request origin. The geoloca- - Geo velocity tion is obtained using request IP address User No.of user agent encounters in the agent-based Anomaly detection based on the behavior past 24 hours, past hour and the past access of the user agent on the API request. 5 minutes frequency HTTP No.of HTTP method encounters method-based Anomaly detection based on the behavior within the past 24 hours, past hour access of the HTTP method on the API request and the past 5 minutes frequency Request No.of request path encounters within path-based Anomaly detection based on the behavior the past 24 hours, past hour and the access of the request path on the API request. past 5 minutes. frequency lous requests. This request-by-request analysis is performed via a hybrid approach of both supervised and unsupervised learning techniques. The process consists of two phases. The unsupervised phase addresses the absence of labeled data in a production environment, and the supervised phase addresses the classification problem. The anomaly detection phase learns the normal behavior of a user by using the HTTP header data from the API requests as input parameters. Instead of training a single model from all data, a collection of machine learning models is trained, where each model focuses on a specific area of the API request. This approach reduces the dimensionality of the training data and allows the models to learn the nuance details since they are more focused. There are four such anomaly detection models per user in the proposed approach. K-Means and Local Outlier Factor algorithms were evaluated as the possible candidate algo- rithms for anomaly detection. K-Means was selected as the best performing algorithm due to its lower false-positive rate. Both algorithms were roughly equal in other aspects. It should also be worth noting that the anomaly detection models should be trained using the entire dataset rather than using the requests filtered out from the trend change detection layer to model the normal behavior as closely as possible. The prediction results from the anomaly detection models are used as inputs for a random forest classifier in the classification phase. Since this model only learns how the predictions of each anomaly detection model affect the final request classification, it does not depend on the behavior of a particular API. In other words, the behavior of this classification model is not unique to a certain API. Therefore, the classification model can be pre-trained using the outputs of the anomaly detection models to “normal”, “token hijacking” and “abnormal token usage” API requests and embedded in a production-ready system. The system will still train on the API specific data for anomaly detection and as a result, the whole system will still be able to adapt to the unique access patterns in the APIs for detecting attacks. This approach is able to address both the lack of labelled data in a production environ- ment and the classification problem while being able to learn from the data instead of relying on the domain knowledge and the experience of the humans. Features of the supervised classifier, • Prediction of the geolocation model. • Prediction of the user-agent based access frequency model. • Prediction of the HTTP method based access frequency model. • Prediction of the request path based access frequency model. • Whether the user IP is previously encountered for the particular user. • Whether the user agent is previously encountered for the particular user. Figure 2: Decision making process with classification model 3.1.3. The Background Layer - Per Request Analysis In the main three-layer mechanism we have designed, the main focus is given to the trends of the requests received by the gateway. And if the trend seems to deviate from the identi- fied normal, the trend change detection layer identifies this and sends the set of suspicious requests to the in-depth classification layer to classify them. However, during our experiment, we identified that there could be some anomalies that do not make a significant impact on the overall trend of the gateway. The background layer is used to identify these anomalies that get through the trend change detection layer. The background layer is a replica of the in-depth classification layer. It uses the same models trained from the same data using the same algorithms. However, while the in-depth classifi- cation layer only receives the filtered requests from the trend detection layer, the background layer receives and analyzes every request that is received by the gateway. This layer operates as a background process and yields more accurate results. But it can take some time since each request that the gateway receives needs to be analyzed individually. The anomalies detected in the background layer are sent to the human verification layer along with the anomalies detected in the trend change detection layer for further analysis. 3.1.4. Human Verification Layer This layer is important until the system is fully tuned. Once the system gains a considerable amount of data, we can move towards setting a criteria to enforce policies based on the results of the previous layers. 3.2. The Dataset 3.2.1. Normal Dataset The datasets for the experiment were collected using a traffic simulator which can be con- figured against the WSO2 API Manager. The simulator will first set up the data generation environment by creating a set of APIs and applications with necessary subscriptions according to the provided configurations. Also a configured number of users will be created in the system to consume these applications. These users will be randomly distributed among applications assuming a normal distribution in the user count vs number of applications and the user count vs request frequency for each application. The datasets will be collected while consuming these APIs using the created user accounts according to a normalized real world scenario. 3.2.2. Attack Dataset The above-mentioned traffic simulator is capable of simulating DOS, DDOS, token hijacking (stolen token attack), abnormal token behavior, and extreme delete API attack scenarios by altering the appropriate request parameters. The simulated attack dataset has been used to test and evaluate the experiment. Token Hijacking/ Stolen Token We define token hijacking as a malicious activity per- formed by a bad actor where they would steal the API access token from a legitimate API user and use it for malicious purposes. The device from which the API request originates will be different than the usual, and the access pattern of the attacker will also deviate from the usual user behavior. Abnormal Token Usage We define abnormal token usage as an instance where even though the device from which the API request originates will match the usual pattern, the access pat- tern still deviates from the usual user behavior. A person accessing an API from a stolen device could be a good example of this. But it should be noted that these type of anomalies are not al- ways an attack, but could merely be an abnormal behaviour that might be worth investigating. Extreme Delete Attack These attacks focus on deleting large amounts of API data in place, instead of extracting them. These can be detected by a sudden surge in the amount of DELETE and PUT requests coming into the system. Therefore it is paramount that the API call HTTP method information to be fed into our classification system as a feature. 3.2.3. Dataset Fields Field Description Timestamp in which the request was sent. Includes all time values until the Timestamp number of milliseconds IP Address The origin IP address from where the request originated The access token that the request was sent with. This token is used by the Access Token gateway to verify if the request was sent by a verified user who has enough permissions to access the resource. HTTP Method The HTTP method relevant to the request. The invoke path field gives the path which the request is trying to invoke. This Invoke Path value also includes the path parameters. Cookie The cookie value relevant to the request Accept The mime type preferred by the client Content-Type The mime type of the request payload X-Forwarded- The x-forwarded-for header which normally includes the path in which a re- For quest follows to reach the gateway (Ex: proxies and load balancers) User Agent The user agent value for the request Response Code The final response code of the response pertaining to the request Body Total amount of bytes that was associated with the request payload Size Label The classification label for the request. Table 2: Dataset description 4. Results 4.1. The Trend Change Detection Layer The trend change detection layer was tested by orchestrating a set of attacks on the gateway. We selected a mixture DDoS attacks, stolen token attacks, data deletion attacks and data ex- traction attacks for this task. This experiment gave us an accuracy of 97%. The attacks that were misclassified here were low impact isolated attacks that we orchestrated to experiment with the thresholds. The following diagram represents a confusion matrix of such an attack dataset. Very few normal requests were used in this effort as we are testing the attack detection capabilities of this layer. Figure 3: Classification results for the trend change detection layer 4.2. The In-depth Classification Layer The performance of the in-depth classification layer in conjunction of the trend change de- tection layer has been evaluated next. The table 3 depicts the performance of each anomaly detection model against the filtered request buckets sent from the trend change detection layer. Table 3 Anomaly detection results - In-depth classification layer TP FN FP TN Model Category N % N % N % N % Geolocation 1495 50 1495 50 0 0 138 100 User Agent 2180 72.91 810 27.09 43 31.16 95 68.84 HTTP Method 2665 89.13 335 10.87 91 73.19 37 26.81 Request Path 2499 83.58 491 16.42 102 73.91 36 26.09 In this context, the true positives (TP) are the actual anomalies that the models were able to identify correctly. The true negatives (TN) are the actual normal requests that the models were able to identify correctly as normal requests. The false negatives (FN) are the anoma- lies that the models have misclassified as normal requests, and the false positives(FP) are the normal requests that the models have misclassified as anomalies. The TP and FN percentages are calculated with respect to the total anomalies in the filtered dataset while the FP and TN percentages are calculated with respect to the total number of normal requests in the filtered dataset. One interesting observation is that the geolocation model has only identified 50% of the total anomalies. A deeper analysis reveals that the geolocation model has not been able to identify any of the abnormal token usage requests. This is to be expected since by definition abnormal token usage anomalies have the same IP address as the normal users and therefore roughly the same geolocation. Also, one can observe that the false positive rate is rather high, and the true negative rate is rather low for the HTTP method and request path models. This happens due to two reasons. The first reason is that the request buckets received by the in-depth classification layer contain only a small number of normal requests (138 compared to the 2990 anomalies) since most of the normal requests are filtered in the trend detection layer. Therefore, misclassifying a single normal request could significantly raise the false positive rate. The next reason is because of the nature of the normal requests in the requests buckets. If a normal request passes through the filtration process of the trend change detection layer, it means the request is closer to abnormal behavior than the normal behavior. Therefore, we could expect more false positives in the filtered request buckets. It is important to understand that the values represented in the table 3 are only an interme- diate result. Since each model focuses on a particular area of the request these models have a narrower point of view than the final classification model. This means that while one model may consider a particular request an anomaly, another may consider the same request as a normal request based on its viewpoint. The classification model which predicts the final result considers the big picture and more accurate since it considered the outputs from every model for its output. The confusion matrix and the classification reports for the request buckets after the requests are classified is as follows. Figure 4: Classification results for the request buckets Table 4 Classification report for the request buckets Precision Recall F1-score Support Normal 0.25 0.25 0.25 138 Stolen token 1.00 1.00 1.0 1495 Abnormal token 0.93 0.93 0.93 1495 Accuracy 0.93 3128 Macro average 0.73 0.73 0.73 3128 Weighted average 0.93 0.93 0.93 3128 4.3. The Background Layer In this section we have evaluated the performance of the background layer. The table 5 depicts the performance of each anomaly detection model against the every request received by the gateway at the testing phase. Table 5 Anomaly detection results - Background layer TP FN FP TN Model Category N % N % N % N % Geolocation 2500 50 2500 50 0 0 4613 100 User Agent 3921 78.42 1079 21.58 385 8.35 4228 91.65 HTTP Method 4156 83.12 844 16.88 683 14.81 3930 85.19 Request Path 3955 79.10 1045 20.90 717 15.54 3896 84.46 Here, the true positive(TP) and false negative (FN) percentages are calculated with respect to the total anomalies in the requests received by the gateway while the false positive (FP) and true negative (TN) percentages are calculated with respect to the total number of normal requests in the same dataset. When comparing table 5 with table 3, it is evident that the false positive rate and the true negative rate of the intermediate result has been improved significantly due to the availability of the total dataset for the background layer. Furthermore, it should be noted that the true positive and false negative rates of the user agent model have been slightly improved while deteriorating slightly in the HTTP method and request path models. The confusion matrix and the classification report for the total test dataset is shown in figure ?? and table 6. Precision, recall and F1 score values for normal requests in the background layer denoted in table 6 are considerably higher than the values for in-depth classification layer denoted in table 4. As explained earlier, this is because of the request filtering done by the trend change detection layer. As the trend change detection layer filters out most of the normal requests, most of the normal requests that reach the in-depth classification layer borders on the abnormal behavior. As a result, there is a higher chance of those normal requests be classified as abnormal requests. Figure 5: Classification results for the total dataset Table 6 Classification report for the total dataset Precision Recall F1-score Support Normal 0.91 0.85 0.88 4613 Stolen token 1.00 1.00 1.00 2500 Abnormal token 0.75 0.85 0.80 2500 Accuracy 0.89 9613 Macro average 0.89 0.90 0.89 9613 Weighted average 0.89 0.89 0.89 9613 5. Conclusion and Future Work The layered approach proposed in this paper was able to successfully overcome the problems and shortcomings of our previous approaches. According to the results of the experiments con- ducted throughout this effort, a good performance is shown in the department of identifying anomalies in the request stream with great efficiency. Further development is needed for the classification part of things so that this solution can move towards a completely automated defence system that requires negligible amounts of human intervention. The in-depth classi- fication layer needs to be expanded further to identify more attacks so that a criteria can be written to automate the response to an attack and also help administrators to get a clear idea without too much analysis. Another future development eyed is to get rid of the third layer completely. Utilizing the classification done in the third layer with human input, to retrain the model will help with this task. Hope this research will be a major step taken towards a secure API ecosystem that is a testament to pure creativity without the worry of cyberattacks. References [1] Z. Whittaker, Millions of venmo transactions scraped in warning over privacy settings, 2019. URL: https://techcrunch.com/2019/06/16/millions-venmo-transactions-scraped/. [2] M. Kumar, T-mobile hacked — 2 million customers’ personal data stolen, 2018. URL: https: //thehackernews.com/2018/08/t-mobile-hack-breach.html. [3] M. Isaac, S. Frenkel, Facebook security breach exposes accounts of 50 million users, 2018. URL: https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach. html. [4] M. Zolotukhin, T. Hamalainen, T. Kokkonen, J. Siltanen, Analysis of http requests for anomaly detection of web attacks, 2014, pp. 406–411. doi:10.1109/DASC.2014.79 . [5] T. Sipola, A. Juvonen, J. Lehtonen, Anomaly detection from network logs using diffusion maps, volume 363, 2011, pp. 172–181. doi:10.1007/978- 3- 642- 23957- 1_20 . [6] W. Fan, An adaptive anomaly detection of web-based attacks, 2012, pp. 690–694. doi:10. 1109/ICCSE.2012.6295168 . [7] J. Wang, M. Zhang, X. Yang, K. Long, Z. Chimin, Http-scan: Detecting http-flooding attack by modeling multi-features of web browsing behavior from noisy dataset, volume 12, 2013, pp. 677–682. doi:10.1109/APCC.2013.6766035 . [8] A. Juvonen, T. Sipola, T. Hämäläinen, Online anomaly detection using dimensionality reduction techniques for http log analysis, Computer Networks 91 (2015) 46–56. doi:10. 1016/j.comnet.2015.07.019 . [9] K. Peng, Q. Huang, Clustering approach based on mini batch kmeans for intrusion de- tection system over big data, IEEE Access PP (2018) 1–1. doi:10.1109/ACCESS.2018. 2810267 . [10] Z. Li, A. Das, J. Zhou, Usaid: Unifying signature-based and anomaly-based intrusion detection, 2005, pp. 702–712. doi:10.1007/11430919_81 . [11] L. Tong, J. Cao, Q. Qi, S. Qian, Aims: A predictive web api invocation behavior monitoring system, 2019, pp. 373–382. doi:10.1109/ICWS.2019.00067 . [12] A. Moradi Vartouni, S. Sedighian Kashi, M. Teshnehlab, An anomaly detection method to detect web attacks using stacked auto-encoder, 2018, pp. 131–134. doi:10.1109/CFIS. 2018.8336654 . [13] A. Bochem, H. Zhang, D. Hogrefe, Poster abstract: Streamlined anomaly detection in web requests using recurrent neural networks, 2017, pp. 1016–1017. doi:10.1109/INFCOMW. 2017.8116538 . [14] J. Brownlee, Why one-hot encode data in machine learning?, 2020. URL: https:// machinelearningmastery.com/why-one-hot-encode-data-in-machine-learning.html.