Evaluation of Unsupervised Anomaly Detection in Structured API Logs : A Comparative Evaluation with a Focus on API Endpoints

Hult, Gabriel

January 2024

With large quantities of API logs being stored, it becomes difficult to manually inspect them and determine whether the requests are benign or anomalies, indicating incorrect access to an application or perhaps actions with malicious intent. Today, companies can rely on third-party penetration testers who occasionally attempt various techniques to find vulnerabilities in software applications. However, to be a self-sustainable company, implementing a system capable of detecting abnormal traffic which could be malicious would be beneficial. By doing so, attacks can be proactively prevented, mitigating risks faster than waiting for third parties to detect these issues. A potential solution is applying machine learning, specifically anomaly detection, which detects patterns that do not conform to normal standards. This thesis covers the process of having structured log data to find anomalies in the log data. Various unsupervised anomaly detection models were evaluated on their capabilities of detecting anomalies in API logs. These models were K-means, Gaussian Mixture Model, Isolation Forest and One-Class Support Vector Machine. The findings from the evaluation show that the Gaussian Mixture Model was the best baseline model, reaching a precision of 63%, a recall of 72%, resulting in an F1-score of 0.67, an AUC score of 0.76 and an accuracy of 0.71. By tuning the models, Isolation Forest performed the best with a precision of 67% and a recall of 80%, resulting in an F1-score of 0.73, an AUC score of 0.83 and an accuracy of 0.75. The pros and cons of each model are presented and discussed along with insights related to anomaly detection and its applicability in API log analysis and API security.

machine learning

api security

security

unsupervised learning

Computer Sciences

Datavetenskap (datalogi)

Webbsystem säkerhet : Ur ett API och webbapplikations perspektiv

Månsson, Anton

January 2017

Web applications and APIs have become more popular every year, and security risks haveincreased. Along with more security risks and the large amount of sensitive informationshared on web applications today, the problem grows. I therefore wanted to explore morein security deficiencies to increase my own knowledge and others in the field. To do that,a web application was developed and a survey was made of what security threats existtoday and what solutions they have. Some of the solutions encountered during theinvestigation were then implemented and tested in the web application. The result showedsome general solutions such as validation, which was a solution to a number of threats.The investigation also showed that security is not black and white and that it is possibleto implement actions but attackers can still find ways to attack systems.

Web Security

Web Applications

API

API Security

Injection

XSS

Access Control

Web Development

Web API

Computer Systems

Datorsystem