BacAlarm: Mining and Simulating Composite API Traffic to Prevent Broken Access Control Violations

TL;DR

This paper introduces BACAlarm, a method that generates synthetic API traffic data to detect broken access control violations, overcoming data scarcity and complex attack patterns in real-world scenarios.

Contribution

The paper presents BACAlarm, a novel approach combining traffic generation and detection to improve BAC violation identification in APIs.

Findings

BACAlarm outperforms existing methods in detection accuracy.

F1 score and MCC improved by over 21% and 24%.

Effective in real-network scenarios with limited data.

Abstract

Broken Access Control (BAC) violations, which consistently rank among the top five security risks in the OWASP API Security Top 10, refer to unauthorized access attempts arising from BAC vulnerabilities, whose successful exploitation can impose significant risks on exposed application programming interfaces (APIs). In recent years, learning-based methods have demonstrated promising prospects in detecting various types of malicious activities. However, in real-network operation and maintenance scenarios, leveraging learning-based methods for BAC detection faces two critical challenges. Firstly, under the RESTful API design principles, most systems omit recording composite traffic for performance, and together with ethical and legal bans on directly testing real-world systems, this leads to a critical shortage of training data for detecting BAC violations. Secondly, common malicious behaviors such as SQL injection typically generate individual access traffic that is inherently anomalous. In contrast, BAC is usually composed of multiple correlated access requests that appear normal when examined in isolation. To tackle these problems, we introduce \BAC, an approach for establishing a BAC violation detection model by generating and utilizing API traffic data. The \BAC consists of an API Traffic Generator and a BAC Detector. Experimental results show that \BAC outperforms current state-of-the-art invariant-based and learning-based methods with the $\text{F}_1$ and MCC improving by 21.2\% and 24.1\%.