Detection rules

This page applies to Apigee and Apigee hybrid.

View Apigee Edge documentation.

Advanced API Security uses detection rules to detect unusual patterns in API traffic that could represent malicious activity. These rules include both machine learning models, trained on real API data, and descriptive rules, based on known types of API threats.

The following table lists the detection rules and their descriptions

Detection rule Description

A machine learning model that detects API scraping, which is the process of extracting targeted information from APIs for malicious purposes.

A machine learning model for detecting anomalies—unusual patterns of events—in API traffic.
Brute Guessor High proportion of response errors during previous 24 hours
Flooder High proportion of traffic from an IP in a 5-minute window
OAuth Abuser Large number of OAuth sessions with small number of user agents during the previous 24 hours
Robot Abuser Large number of 403 rejection errors in the past 24 hours
Static Content Scraper High proportion of response payload size from an IP in a 5-minute window
TorListRule Tor exit nodes IP list. A Tor exit node is the last Tor node that traffic passes through in the Tor network before exiting onto the internet. Detecting Tor exit nodes indicates that an agent has sent traffic to your APIs from the Tor network, possibly for malicious purposes.

Machine learning and detection rules

Advanced API Security uses models built with Google's machine learning algorithms to detect security threats to your APIs. These models are pre-trained on real API traffic data sets (not your current traffic data) that contain known security threats. As a result, the models learn to recognize unusual API traffic patterns, such as API scraping and anomalies, and cluster events together based on similar patterns.

Two of the detection rules listed above are based on machine learning models:

  • Advanced API Scraper
  • Advanced Anomaly Detection