Hi Frank, > OK - an attacker is characterized by being an anonymus. I would say NO ... instead, a attacker is characterized by accessing/using an "unknown API". He wanders into the honeypot.
> What if somebody registers regularly, then turns into an attacker? No alowed user/token will use this type of APIs. best regards Manfred Am Mo., 13. Mai 2019 um 11:38 Uhr schrieb Frank Leymann <fr...@wso2.com>: > OK - an attacker is characterized by being an anonymus. What if somebody > registers regularly, then turns into an attacker? This happens quite > often, e.g. if an employee is fired or feels treated badly, and he wants to > damage his employer. Then, the attacker is not anonymus - we might be able > to use some machine learning algorithms to finde that out - e.g. > classification. > > Best regards, > Frank > > > > > Am Mo., 13. Mai 2019 um 08:44 Uhr schrieb Nadee Poornima <nad...@wso2.com > >: > >> Hi Frank, >> >> Sure, you get information *about* the attacker from such headers. But >>> how do we *detect* (!) an attack - also from headers? Or do you have a >>> catalogue of IP addresses that are allowed to use the API (then, detection >>> would be simple)... >>> >>> >> In here we have deployed an API in GW but that doesn't see in Publisher >> or Store UI. Then once arrived a hacker, they could able to see this API >> also (as a service) and they will try to invoke that API also. Then that >> invocation will detect by us an anonymous invocation and provide an alert >> to system admins. That's how to detect anonymous users arrived in APIM. >> >> Thank you & regards, >> Nadee >> >> On Sat, May 11, 2019 at 5:35 PM Frank Leymann <fr...@wso2.com> wrote: >> >>> Sure, you get information *about* the attacker from such headers. But >>> how do we *detect* (!) an attack - also from headers? Or do you have a >>> catalogue of IP addresses that are allowed to use the API (then, detection >>> would be simple)... >>> >>> >>> Best regards, >>> Frank >>> >>> >>> >>> >>> Am Fr., 10. Mai 2019 um 07:37 Uhr schrieb Nadee Poornima < >>> nad...@wso2.com>: >>> >>>> Hi Frank, >>>> >>>> In deed: very nice idea, valuable feature! Which attributes should be >>>>> used to detect an attack? >>>>> >>>> >>>> Thank you very much for the feedback. >>>> >>>> In here, if anyone invokes this Honeypot API, it will detect as an >>>> anonymous attack. We are getting the headers (IP, if have access tokens) in >>>> order to identify the attacker. Currently, we are implementing to detect >>>> and alert this to the system admin. We hope to implement the blocking part >>>> also in future time. >>>> >>>> Thank you & regards, >>>> Nadee >>>> >>>> >>>> On Thu, May 9, 2019 at 10:47 PM Frank Leymann <fr...@wso2.com> wrote: >>>> >>>>> In deed: very nice idea, valuable feature! Which attributes should be >>>>> used to detect an attack? >>>>> >>>>> Best regards, >>>>> Frank >>>>> >>>>> >>>>> >>>>> >>>>> Am Do., 9. Mai 2019 um 11:09 Uhr schrieb Sanjeewa Malalgoda < >>>>> sanje...@wso2.com>: >>>>> >>>>>> Tracing and logging problematic API calls definitely add value to >>>>>> product. This is kind of alerting mechanism. But we should not stop from >>>>>> there. We can go one step ahead and block calls with similar attributes. >>>>>> We >>>>>> can block API calls temporary based on the API context, application id, >>>>>> user and IP address. Then users who accessed honeypot APIs will not be >>>>>> able >>>>>> to use other APIs. >>>>>> >>>>>> Blocking condition related updates we can put into topic from traffic >>>>>> manager. So we can use same mechanism here as well. >>>>>> >>>>>> Thanks, >>>>>> sanjeewa. >>>>>> >>>>>> On Thu, May 9, 2019 at 12:18 PM Nadee Poornima <nad...@wso2.com> >>>>>> wrote: >>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> If published APIs in the store, they could invoke by the Hackers by >>>>>>> scanning the open ports of a system. Therefore in order to prevent such >>>>>>> attacks, the user needs to use different tools or mechanism. The >>>>>>> Honeypots[1] is such a system, user can use in their environment to >>>>>>> detect >>>>>>> such anonymous attacks. >>>>>>> >>>>>>> Instead of using such out of box tools or mechanism, we are trying >>>>>>> to implement a mechanism to detect such anonymous invocation of APIs >>>>>>> within >>>>>>> the APIM product. >>>>>>> >>>>>>> *The suggested Approach:* >>>>>>> There is a deployed API in the gateway(not showing the API in >>>>>>> publisher or store), once invoked that API by an anonymous user, it will >>>>>>> identify it as anonymous invocation and trigger an Alert (send an >>>>>>> email) to >>>>>>> admin user of the system. Request Data will publish to the Trafic >>>>>>> Manager >>>>>>> and they will persist to DB as well. >>>>>>> Those invocations will appear as a list in the Admin portal and >>>>>>> admin user could remove or persist them through the UI after reviewing >>>>>>> them. Further, we will implement an Admin UI part to configure that >>>>>>> Alert(like configuring email). >>>>>>> >>>>>>> [image: HoneyPotAPIAlertApproach.png] >>>>>>> >>>>>>> [1]. https://blog.rapid7.com/2016/12/06/introduction-to-honeypots/ >>>>>>> >>>>>>> Thank you and regards, >>>>>>> *Nadee Poornima* >>>>>>> Software Engineer - Support Team | WSO2 >>>>>>> >>>>>>> Email : nad...@wso2.com >>>>>>> Mobile : +94713441341 >>>>>>> MyBlog: https://medium.com/nadees-tech-stories >>>>>>> >>>>>>> <https://wso2.com/signature> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> *Sanjeewa Malalgoda* >>>>>> Software Architect | Associate Director, Engineering - WSO2 Inc. >>>>>> (m) +94 712933253 | (e) sanje...@wso2.com | (b) Blogger >>>>>> <http://sanjeewamalalgoda.blogspot.com>, Medium >>>>>> <https://medium.com/@sanjeewa190> >>>>>> >>>>>> GET INTEGRATION AGILE <https://wso2.com/signature> >>>>>> Integration Agility for Digitally Driven Business >>>>>> _______________________________________________ >>>>>> Architecture mailing list >>>>>> Architecture@wso2.org >>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >>>>>> >>>>> >>>> >>>> -- >>>> *Nadee Poornima* >>>> Software Engineer - Support Team | WSO2 >>>> >>>> Email : nad...@wso2.com >>>> Mobile : +94713441341 >>>> MyBlog: https://medium.com/nadees-tech-stories >>>> >>>> <https://wso2.com/signature> >>>> >>> >> >> -- >> *Nadee Poornima* >> Software Engineer - Support Team | WSO2 >> >> Email : nad...@wso2.com >> Mobile : +94713441341 >> MyBlog: https://medium.com/nadees-tech-stories >> >> <https://wso2.com/signature> >> > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture