Advanced API Security uses detection rules to detect unusual patterns in
API traffic that could represent malicious activity. These rules include both
machine learning models, trained on real API data, and descriptive rules,
based on known types of API threats.
The following table lists the detection rules and their descriptions.
Detection rule
Description
A machine learning model for detecting anomalies—unusual patterns of events—in
API traffic. See About Advanced Anomaly Detection.
Brute Guessor
High proportion of response errors during previous 24 hours
Flooder
High proportion of traffic from an IP address in a 5-minute window
OAuth Abuser
Large number of OAuth sessions with small number of user agents during the previous
24 hours
Robot Abuser
Large number of 403 rejection errors in the past 24 hours
Static Content Scraper
High proportion of response payload size from an IP address in a 5-minute window
TorListRule
Tor exit nodes IP list. A Tor exit node is the last Tor node that traffic passes through
in the Tor network
before exiting onto the internet. Detecting Tor exit nodes indicates that
an agent has sent traffic to your APIs from the Tor network, possibly for
malicious purposes.
About Advanced Anomaly Detection
The Advanced Anomaly Detection algorithm learns from your API traffic, taking into account
factors like error rates, traffic volume, request size, latency, geolocation, and other traffic
metadata at the environment level. If there are significant shifts in traffic patterns (for
example, a surge in traffic, error rates, or latency), the model flags the IP address that
contributed to the anomaly in Detected Traffic.
To reduce the risk that bad actors can exploit the model, we do not expose specific details
about how the model works or how incidents are detected. However, this additional
information can help you make the best use of anomaly detection:
Accounting for seasonal variance:Because the model is trained on your traffic data,
it can recognize and account for
seasonal traffic variances (such as holiday traffic), if your traffic data includes
previous data for that pattern, such as the same holiday in a previous year.
Surfacing anomalies:
For existing Apigee and hybrid customers: Apigee
recommends that you have at least 2 weeks of historical API traffic data and, for more
accurate results 12 weeks of historical data is preferable. Advanced Anomaly Detection
starts surfacing anomalies within six hours of opting in to model training.
New Apigee users: The model starts surfacing anomalies 6 hours after
opt-in, if you have a minimum of 2 weeks of historical data.
However, we recommend using caution when acting on detected anomalies until the
model has at least 12 weeks of data for training. The model is continuously trained on
your historical traffic data so that it becomes more accurate over time.
Limitations
For Abuse Detection Advanced Anomaly Detection:
Anomalies are detected at the environment
level. Anomaly detection at an individual proxy level is not supported at this time.
Anomaly detection is not supported for VPC-SC
customers at this time.
Machine learning and detection rules
Advanced API Security uses models built with Google's machine learning algorithms to
detect security threats to your APIs. These models are pre-trained on real
API traffic data sets (including your current traffic data, if enabled) that contain known
security threats. As a result,
the models learn to recognize unusual API traffic patterns, such as API scraping and anomalies,
and cluster events together based on similar patterns.
Two of the detection rules are based on machine learning models:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis page provides information about Advanced API Security features in Apigee and Apigee hybrid.\u003c/p\u003e\n"],["\u003cp\u003eAdvanced API Security uses detection rules, including machine learning models and descriptive rules, to identify unusual patterns in API traffic that might indicate malicious activity.\u003c/p\u003e\n"],["\u003cp\u003eThe detection rules include machine learning models like "Advanced API Scraper" and "Advanced Anomaly Detection," which are trained on real API traffic data to identify patterns indicative of security threats.\u003c/p\u003e\n"],["\u003cp\u003eOther detection rules include "Brute Guessor," "Flooder," "OAuth Abuser," "Robot Abuser," "Static Content Scraper," and "TorListRule", each targeting specific types of potential API abuse.\u003c/p\u003e\n"],["\u003cp\u003eSecurity incidents, which are groups of similar events representing security threats, can be triggered by one or multiple detection rules.\u003c/p\u003e\n"]]],[],null,["# Detection rules\n\n*This page\napplies to **Apigee** and **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nAdvanced API Security uses *detection rules* to detect unusual patterns in\nAPI traffic that could represent malicious activity. These rules include both\nmachine learning models, trained on real API data, and descriptive rules,\nbased on known types of API threats.\n| **Note:** The Advanced API Security [Abuse detection](/apigee/docs/api-security/abuse-detection) page uses detection rules to detect security incidents. A security incident is a group of events with similar patterns that could represent a security threat. Note that one incident might be triggered by multiple detection rules, in which case all of the rules that triggered the incident are listed in the Abuse detection [Environment details](/apigee/docs/api-security/abuse-detection#environment-details) view.\n\nThe following table lists the detection rules and their descriptions.\n\nAbout Advanced Anomaly Detection\n--------------------------------\n\nThe Advanced Anomaly Detection algorithm learns from your API traffic, taking into account\nfactors like error rates, traffic volume, request size, latency, geolocation, and other traffic\nmetadata at the environment level. If there are significant shifts in traffic patterns (for\nexample, a surge in traffic, error rates, or latency), the model flags the IP address that\ncontributed to the anomaly in Detected Traffic.\n| **Note:** Use of Advanced Anomaly Detection requires opting in to training the model on your API traffic data. For more information, see [Opt in for machine learning models for Abuse Detection](/apigee/docs/api-security/abuse-detection#opt-in-for-machine-learning-models-for-machine-learning).\n\nYou can also combine anomaly detection with\n[security actions](/apigee/docs/api-security/security-actions) to automatically flag\nor deny traffic that is detected as anomalous by the model. See the\n[\"Using Apigee Advanced API Security's Security Actions to Flag and Block Suspicious Traffic\"\ncommunity post](https://www.googlecloudcommunity.com/gc/Cloud-Product-Articles/Using-Apigee-Advanced-API-Security-s-Security-Actions-to-Flag/ta-p/842645) for additional information.\n\n### Model behavior\n\nTo reduce the risk that bad actors can exploit the model, we do not expose specific details\nabout how the model works or how incidents are detected. However, this additional\ninformation can help you make the best use of anomaly detection:\n\n- **Accounting for seasonal variance:**Because the model is trained on your traffic data, it can recognize and account for seasonal traffic variances (such as holiday traffic), if your traffic data includes previous data for that pattern, such as the same holiday in a previous year.\n- **Surfacing anomalies:**\n - **For existing Apigee and hybrid customers:** Apigee recommends that you have at least 2 weeks of historical API traffic data and, for more accurate results 12 weeks of historical data is preferable. Advanced Anomaly Detection starts surfacing anomalies within six hours of opting in to model training.\n - **New Apigee users:** The model starts surfacing anomalies 6 hours after opt-in, if you have a minimum of 2 weeks of historical data. However, we recommend using caution when acting on detected anomalies until the model has at least 12 weeks of data for training. The model is continuously trained on your historical traffic data so that it becomes more accurate over time.\n\n### Limitations\n\nFor Abuse Detection Advanced Anomaly Detection:\n\n- Anomalies are detected at the environment level. Anomaly detection at an individual proxy level is not supported at this time.\n- Anomaly detection is not supported for VPC-SC customers at this time.\n\nMachine learning and detection rules\n------------------------------------\n\nAdvanced API Security uses models built with Google's machine learning algorithms to\ndetect security threats to your APIs. These models are pre-trained on real\nAPI traffic data sets (including your current traffic data, if enabled) that contain known\nsecurity threats. As a result,\nthe models learn to recognize unusual API traffic patterns, such as API scraping and anomalies,\nand cluster events together based on similar patterns.\n\nTwo of the detection rules are based on machine learning models:\n\n- Advanced API Scraper\n- Advanced Anomaly Detection\n\n| **Note:** The data used to train the machine learning models for the rules Advanced API Scraper and Advanced Anomaly Detection contain metadata, including source IP address, source geography, and the values of some HTTP request headers. However, the detection data received by the models do not include the actual values of this metadata. The model makes detections based on the statistical properties of the data, not on the values of the metadata."]]
