Computer Weekly News

Patent Application Titled "Disrupting Automated Attacks on Client-Server Interactions Using Polymorphic Application Programming Interfaces" Published Online (USPTO 20160011732)

By a News Reporter-Staff News Editor at Computer Weekly News -- According to news reporting originating from Washington, D.C., by VerticalNews journalists, a patent application by the inventor Yang, Siying (Cupertino, CA), filed on , was made available online on .

No assignee has been recorded for this patent application.

Reporters obtained the following quote from the background information supplied by the inventors: "The Internet (and related networks) can be used to send e-mails, conduct business, automate machinery and be used for data processing. Connected users can use the Internet to interact with other connected users and/or connected computer systems. Some of the Internet traffic is wanted by the parties involved, but other traffic is unwanted by at least one party. For example, by some estimates, more than three quarters of daily e-mail volume over the Internet is unwanted by its targeted recipient (sometimes referred to as 'spam'). More than just e-mail traffic is unwanted by its targeted recipient. For example, banks, bank customers, and bank network operators and managers do not want traffic that is attempting to break into a bank's online banking system. Of course, in today's world, there is some traffic that is wanted and/or necessary, so one task that online systems operators have to deal with is separating the wanted traffic from the unwanted traffic, letting the wanted traffic through and blocking the unwanted traffic.

"For example, the typical e-mail recipient does not want to receive all unsolicited commercial offers. The online network operator that limits access to resources to authorized users does not want to receive traffic from unauthorized users. Unfortunately, the initiators of such unwanted traffic really want to send it, and will attempt to do so even if it requires getting around limits and controls placed by the online network operator. This creates an 'arms race' between the initiators of unwanted traffic and the online network/systems operator.

"There are many reasons a sender of unwanted traffic might want to initiate the traffic. Often, those are financial reasons. For example, if a scammer can send out one million e-mails with a total expenditure of less than ten dollars and a half hour of time, and reap a few dollars in profits from just 0.01% of the e-mail recipients, it is cost-effective for the scammer to do so. If a criminal organization can apply 100,000 username-password pairs to an e-commerce website to find the 0.01% that are vulnerable, they would do so if the monetary returns from hacking ten user accounts is greater than the cost to the criminal organization of obtaining the username-password pairs plus the cost of executing 100,000 attempted logins.

"These unwanted attacks could be thwarted using guaranteed secure methods to filter out unwanted/unauthorized traffic from wanted/authorized traffic. However, as illustrated from the examples above, even a 99.99% success rate at blocking attacks would still allow enough traffic through to be a cost-effective attack. Some of this economics comes about because automation lowers the cost of transactions. Ironically, the very automation that makes it economically feasible for a bank, retailer, music distributor, online storage vendor, etc. to provide a low-cost service to millions of its customers also makes it economically feasible for a criminal or criminal organization to make millions of attempts to get at network resources in an unauthorized way.

"If the effort required to mount an attack on a network resource can be raised so that it is uneconomical to attack (but still easy enough for authorized users to access), the attacks might be reduced. Therefore, it would be desirable to increase the efforts/costs of access to the network resource in a way that makes it uneconomical for an organization to mount an attack on network resources, while allowing authorized uses.

"The typical web client-server interaction involves a user having a device that runs a web client (such as an Internet browser) communicating with a web server using the Hypertext Transport Protocol ('HTTP'). For example, the web client might make a specific request of a web server by sending that web server a structured HTTP request and the web server might respond with an HTTP response comprising a Hypertext Markup Language ('HTML') document, which the web client then 'renders' to form a displayable form of the HTML document (e.g., a web page) viewable by the user of the web client (or the device executing a software web client). Other applicable protocols might include API calls that use HTTPS, JavaScript, CSS, XML, JSON, or other forms of web traffic or web content.

"While this approach is efficient and allows for one HTML document to be viewable over a wide variety of web clients, devices executing the web clients, displays, interfaces, etc., the structured nature of HTML documents provides an opportunity for automated attacks. The structured nature of the communication provides, in effect, an application programming interface ('API') that programs (legitimate or otherwise) can use to automate HTTP interactions so that those programs can stand in the place of a human user of a device that executes a human-interface web browser.

"When any eavesdropper can easily discern, in an automated fashion, how to falsify an apparently valid HTTP request that appears to be coming from a legitimate web client, how to automate the equivalent of a human user interaction (but much faster and for longer), and how to extract valuable information from the HTML pages sent in reply to HTTP requests, this can be a problem as some attacks that are too costly to mount are done using computers instead of human actors.

"Various methods (e.g., reference polymorphism) can be used to block automated attacks on HTTP/HTML traffic, or at least to raise the effort needed beyond an attacker's breakeven point. Some of these methods will reduce the availability of the 'unintentional API' that HTTP/HTML provides.

"Consider intentional APIs, i.e., an API that the server operator, by design, intends to interact with computer-based clients making server requests (as opposed to only human users initiating such server requests). In such cases of intentional APIs, modifying interactions so that only human users can interact with the server and computer processes cannot easily interact with the server would tend to frustrate the purpose of the intentional API.

"One scenario where intentional APIs are common is in the use of web 'apps', which are specific purpose programs that have a communication component. For example, an interactive game on a mobile device might be an app. An app might communicate with a corresponding server using HTTP using a defined intentional API. While this might provide more user experience features than would be available with a browser interface, it means that the app will often be making structured API calls. Thus, an attacker that is blocked from automating an attack on web client to web server interactions involving HTTP/HTML in the clear may turn to automated attacks on APIs. It would be desirable to allow legitimate API traffic while blocking illegitimate API traffic."

In addition to obtaining background information on this patent application, VerticalNews editors also obtained the inventor's summary information for this patent application: "A server services responses to requests received, via a network, from clients executed by user devices. The user device requests are in the form of application programming interface calls ('API calls'). In a typical operation, the app is interacting with a human user of the user device that is executing the app while the app is also interacting over a network connection to a server, an API server, by making API calls to the API server and using the responses. An intermediary is provided between the API server and user devices/clients that modifies application programming interface interactions to disrupt automated attacks on those client-server interactions.

"In some embodiments, the API comprises a set of possible API calls wherein some of the possible API calls are designated as 'human-interaction' API calls and others are designated as 'computer-interaction' API calls. A human-interaction API call is a type of API call where the initiation of the call can be presumed to be the result of a human interaction with the app, whereas a computer-interaction API call is a type of API call where the initiation of the call is more typically the result of some processing that is happening in the app. The human-interaction API calls are modified to thwart automated attacks using those API calls through disassociation. Disassociating can be done by separating labels from their meaning, such as by assigning random values to the labels and maintaining a separate mapping to determine labels from those random values, or other methods of obfuscating relations and structure.

"In specific embodiments, the disassociation is provided through the use of user interface builder packages ('UIBPs'). A UIBP provides the necessary details for the app to construct a particular user interface to get the human input, output, etc. that the app requires for a given set of one or more human-interaction API calls. The UIBPs can be generated at the app server and sent to the app as needed, via the intermediary. The app is configured to make or process calls to a local user interface builder and provide a UIBP at the appropriate time so that the app can generate and operate the needed human user interface. In this manner, an app can run, provide a user interface for human interaction, and interface to an API server, while making it difficult for an attacker to automate the human interaction needed to operate the app.

"The following detailed description together with the accompanying drawings will provide a better understanding of the nature and advantages of the present invention.


"FIG. 1 is a block diagram of an app-API server system illustrating an example new app interaction process and various elements.

"FIG. 2 is a flow diagram of an HI-API (human-interaction API) initialization process.

"FIG. 3 is a swim diagram illustrating interactions of an app, an intermediary, and an API server.

"FIG. 4 illustrates an example of a reference for a human-interaction API.

"FIG. 5 illustrates an example of a user interface builder package ('UIBP'), in pseudo code form, as might be sent from an API server.

"FIG. 6 illustrates an example of a user interface builder package ('UIBP'), transformed by an intermediary for use by an app to generate user interface elements.

"FIG. 7 is a block diagram of a larger system comprising a plurality of clients and a plurality of servers.

"In the figures, like reference symbols in the various drawings indicate like elements, and multiple instances of objects might be denoted parenthetically (e.g., 101(1), 101(2), . . . , 101(n)). Where numbered objects in figures are shown with parenthetical sub-numbers ranging from 0 or 1 up to some letter designation (e.g., '1, 2, . . . , k' or '1, 2, . . . , n'), it should be understood that the letter designation represents some finite number the value of which is not essential for the understanding of the invention, unless otherwise indicated."
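To make the label-disassociation idea in the summary concrete (random labels standing in for call and field names, a server-side mapping back to their meaning, and a UIBP that still lets the app build the same user interface), here is a toy Python intermediary. It is example code written for this article, not code from the patent application or its figures; the `Intermediary` class, `app_build_request`, the request shape and the sample login call are all assumptions made for the illustration.

```python
import secrets

# Constructed sample: the server's canonical description of one
# human-interaction API call (not taken from the patent's figures).
CANONICAL_LOGIN = {
    "call": "login",
    "fields": [
        {"name": "username", "prompt": "User name"},
        {"name": "password", "prompt": "Password", "secret": True},
    ],
}


class Intermediary:
    """Hypothetical intermediary between the app and the API server.

    For every session it replaces the call name and field names with fresh
    random labels, hands the app a UIBP that still carries the human-facing
    prompts, and keeps the random->canonical mapping so the app's request can
    be translated back before it is forwarded to the API server.
    """

    def __init__(self):
        self._sessions = {}  # session id -> {random label: canonical label}

    def issue_uibp(self, canonical):
        session_id = secrets.token_hex(8)
        mapping = {}

        def fresh_label():
            while True:  # regenerate on the (tiny) chance of a collision
                label = "x" + secrets.token_hex(6)
                if label not in mapping:
                    return label

        call_label = fresh_label()
        mapping[call_label] = canonical["call"]
        fields = []
        for f in canonical["fields"]:
            label = fresh_label()
            mapping[label] = f["name"]
            # prompt/secret flags survive so the app can build the same UI
            fields.append({**f, "name": label})
        self._sessions[session_id] = mapping
        return {"session": session_id, "call": call_label, "fields": fields}

    def translate(self, request):
        """Map an app request back to canonical names, or reject it.

        The mapping is one-shot: it is consumed on first use, so a captured
        request cannot be replayed and stale labels never validate.
        """
        mapping = self._sessions.pop(request.get("session"), None)
        if mapping is None:
            raise PermissionError("unknown, expired or already used session")
        if request.get("call") not in mapping:
            raise PermissionError("call label not issued for this session")
        args = {}
        for label, value in request.get("args", {}).items():
            if label not in mapping:
                raise PermissionError("field label not issued for this session")
            args[mapping[label]] = value
        return {"call": mapping[request["call"]], "args": args}


def app_build_request(uibp, human_input):
    """What the app's local UI builder does once the user has typed values.

    The app never hard-codes field names; it keys the user's answers by
    whatever labels the UIBP carried for this session.
    """
    return {
        "session": uibp["session"],
        "call": uibp["call"],
        "args": {f["name"]: human_input[f["prompt"]] for f in uibp["fields"]},
    }


def demo():
    """Legitimate flow succeeds; a script reusing stale labels does not."""
    mid = Intermediary()
    uibp1 = mid.issue_uibp(CANONICAL_LOGIN)
    req1 = app_build_request(uibp1, {"User name": "alice", "Password": "hunter2"})
    legit = mid.translate(req1)

    # Scripted attacker: reuses a request template scraped from session 1
    # against a freshly issued session, as a credential-stuffing bot with a
    # cached template would.
    uibp2 = mid.issue_uibp(CANONICAL_LOGIN)
    stale = dict(req1, session=uibp2["session"])
    try:
        mid.translate(stale)
        stale_blocked = False
    except PermissionError:
        stale_blocked = True

    # Replaying the complete session-1 request also fails: its mapping was consumed.
    try:
        mid.translate(req1)
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return legit, stale_blocked, replay_blocked


if __name__ == "__main__":
    print(demo())
```

The point of the example is the cost shift the background argues for: a bot that hard-codes `username`/`password` and posts to `login` stops working, and a bot that instead fetches and parses a fresh UIBP on every attempt has to do per-request work that scales with the number of attempts. It is not a guarantee; an attacker that drives the real app, or that re-implements the UI builder, still gets through, so this belongs beside rate limiting, credential-stuffing detection and TLS rather than in place of them.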

For more information, see this patent application: Yang, Siying. Disrupting Automated Attacks on Client-Server Interactions Using Polymorphic Application Programming Interfaces. Filed and posted . Patent URL:

Keywords for this news article include: Patents, Software, Computers, Web Server.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2016, NewsRx LLC
