Application Programming Interface (API) attacks refer to the unauthorized or malicious use of APIs, which are often exploited to gain access to sensitive data or to manipulate online systems for illicit purposes. Identifying actors who misuse an API is a demanding problem. Although there have been notable advancements and contributions in the field of API security, a significant challenge remains with attackers who use novel approaches that do not match the well-known payloads commonly seen in attacks. Attackers may also abuse legitimate functionality in unconventional ways and for purposes beyond its intended scope. This means API security needs to be more sophisticated and dynamic than ever, with advanced computational intelligence methods, such as machine learning models, that can quickly identify and respond to anomalous behavior. In response to these challenges, we propose a novel few-shot anomaly detection framework, named FT-ANN. The framework is composed of two parts: first, we train a dedicated, generic language model for APIs based on FastText embeddings; second, we use Approximate Nearest Neighbor (ANN) search in a classification-by-retrieval approach. The framework enables a lightweight model that can be trained with only a few examples per class, and that can also be extended to classify multiple classes. The results show that the framework improves API attack detection accuracy compared to various baselines.
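The two-stage pipeline the abstract sketches, embedding each API request and then classifying it by retrieving the nearest labelled exemplars, can be shown end to end on a handful of request lines. The Python below is an added example written for this page, not the FT-ANN authors' code: a hashed bag of character n-grams stands in for the trained FastText model, an exact brute-force cosine scan stands in for the ANN index, and the class names, the similarity threshold and every request line are constructed for illustration.

```python
"""Few-shot API-request classification by retrieval (added illustration).

Assumptions, none of them from the FT-ANN paper: a hashed bag of character
n-grams replaces the trained FastText model, an exact cosine scan replaces the
approximate-nearest-neighbour index, and every request line below is constructed.
"""
import hashlib
import math
import re
from collections import defaultdict
from dataclasses import dataclass

BUCKETS = 1 << 20        # n-grams are hashed into a fixed number of buckets, fastText-style
MIN_N, MAX_N = 3, 5      # character n-gram lengths


def normalize(request: str) -> str:
    """Lower-case and map every digit to 0 so ids and counters share one vocabulary."""
    return re.sub(r"\d", "0", request.lower())


def embed(request: str) -> dict:
    """Sparse, L2-normalised bag of hashed character n-grams over the whole request line."""
    text = f"<{normalize(request)}>"            # boundary markers, as fastText does for subwords
    vec = defaultdict(float)
    for n in range(MIN_N, MAX_N + 1):
        for i in range(len(text) - n + 1):
            digest = hashlib.blake2b(text[i:i + n].encode(), digest_size=8).digest()
            vec[int.from_bytes(digest, "big") % BUCKETS] += 1.0
    norm = math.sqrt(sum(v * v for v in vec.values()))
    return {k: v / norm for k, v in vec.items()}


def cosine(a: dict, b: dict) -> float:
    """Dot product of two unit-length sparse vectors."""
    if len(a) > len(b):
        a, b = b, a
    return sum(v * b.get(k, 0.0) for k, v in a.items())


@dataclass
class Verdict:
    label: str              # similarity-weighted vote of the k neighbours, or "anomaly"
    top_similarity: float   # cosine to the single nearest exemplar
    neighbors: list         # (label, similarity) of the k nearest exemplars, best first


class RetrievalClassifier:
    """Classification by retrieval: the index holds labelled exemplar vectors only."""

    def __init__(self, k: int = 3, min_similarity: float = 0.4):
        self.k, self.min_similarity = k, min_similarity
        self.exemplars = []  # (label, vector)

    def add(self, label: str, *requests: str) -> None:
        for request in requests:
            self.exemplars.append((label, embed(request)))

    def classify(self, request: str) -> Verdict:
        query = embed(request)
        ranked = sorted(((cosine(query, vec), label) for label, vec in self.exemplars), reverse=True)
        top = ranked[: self.k]
        votes = defaultdict(float)
        for sim, label in top:
            votes[label] += sim
        top_sim = top[0][0]
        # A request that resembles nothing in the index is the "novel approach" case:
        # report it as an anomaly instead of forcing it into the closest known class.
        label = max(votes, key=votes.get) if top_sim >= self.min_similarity else "anomaly"
        return Verdict(label, round(top_sim, 3), [(lbl, round(sim, 3)) for sim, lbl in top])


def build_demo_index() -> RetrievalClassifier:
    """Few-shot index: two or three constructed request lines per class."""
    clf = RetrievalClassifier(k=3, min_similarity=0.4)
    clf.add("benign", "GET /api/v1/users/42/profile", "GET /api/v1/orders/1007", "POST /api/v1/login")
    clf.add("sqli", "GET /api/v1/users?id=1 OR 1=1",
            "GET /api/v1/orders?id=5' UNION SELECT password FROM users--")
    clf.add("traversal", "GET /api/v1/files?name=../../../etc/passwd",
            "GET /api/v1/download?path=..%2F..%2F..%2Fetc%2Fshadow")
    return clf


if __name__ == "__main__":
    clf = build_demo_index()
    for line in ("GET /api/v1/users/77/profile",                  # benign
                 "GET /api/v1/orders?id=9 OR 1=1--",              # sqli: new endpoint and payload
                 "GET /api/v1/files?name=..%2F..%2Fetc%2Fhosts",  # traversal: URL-encoded variant
                 "OPTIONS /admin/debug?cmd=cat%20/etc/passwd"):   # unlike any exemplar -> anomaly
        print(f"{line!r}\n  -> {clf.classify(line)}")
```

Two design points carry over to a real deployment. Adding a class is just adding exemplar vectors to the index, which is what makes the approach few-shot and multi-class at the same time; nothing is retrained. The similarity floor is what separates "nearest known class" from "unlike anything seen", and it is also where an untrained n-gram embedding like this one is weakest: requests to the same endpoint share a long path prefix, so a trained embedding that weights payload tokens over boilerplate is what keeps the benign and attack neighbourhoods apart.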