API Security: Detecting Anomaly Usage Patterns in Microservices

Discover how AI and Machine Learning transform API security by detecting Shadow APIs, BOLA attacks, and anomalous usage patterns in modern microservices.

Updated on
5 min read
API Security: Detecting Anomaly Usage Patterns in Microservices
Photo of William Blondel

William Blondel

Part 5 of seriesSecure Coding in the Age of AI

Introduction: The Connective Tissue Under Attack

In modern software architecture, the monolithic application is dead. It has been replaced by sprawling webs of microservices, all communicating via Application Programming Interfaces (APIs). APIs are the lifeblood of mobile apps, cloud infrastructure, and B2B integrations. Unsurprisingly, they have also become the primary attack vector for cybercriminals.

Securing APIs is fundamentally different from securing a traditional web application. An attacker doesn’t necessarily need to inject malicious SQL code; in a zero-trust architecture, they often just use the API exactly as it was designed, but in ways the developer never anticipated. Traditional security controls are blind to this abuse. To protect the microservice ecosystem, DevSecOps teams are turning to Machine Learning to analyze behavioral patterns and detect anomalies that static rules miss.

1. The Failure of Static Rate Limiting

Historically, the first line of defense for an API was the API Gateway, configured with static rate limits (e.g., “Allow a maximum of 100 requests per IP address per minute”).

Today’s attackers easily bypass this logic. Using AI-driven botnets and massive residential proxy networks, an attacker can distribute an attack across 50,000 different IP addresses. If each IP makes just one malicious request per hour, the static rate limiter sees absolutely nothing wrong. The traffic flies completely under the radar. Furthermore, static rules cannot understand business logic. If an endpoint is designed to transfer money, an attacker scraping data slowly, one record at a time, won’t trigger a volumetric alarm.

2. Machine Learning for API Baselining

To catch “low and slow” attacks and distributed abuse, security tools must shift from volumetric thresholds to behavioral baselining.

Unsupervised Machine Learning models ingest API traffic logs to learn the “normal” rhythm of every single endpoint. The AI builds a mathematical profile for each API route based on dozens of parameters:

  • Sequence of Calls: A normal user logs in, queries their profile, and then requests their transaction history. An attacker might skip the profile query and directly brute-force the transaction history endpoint.
  • Payload Characteristics: The AI learns the typical size and structure of the JSON payload. If an endpoint usually receives a 2KB payload with five specific keys, and suddenly receives a 50KB payload containing nested arrays, the AI flags the anomaly, even if the JSON is perfectly valid.
  • Time and Velocity: The AI learns the daily and weekly cadence of machine-to-machine (M2M) API communication. If a microservice that usually pulls batch data at 2:00 AM suddenly starts streaming data continuously at 3:00 PM, the system intervenes.

3. Detecting BOLA (Broken Object Level Authorization)

According to the OWASP API Security Top 10, the most critical vulnerability is Broken Object Level Authorization (BOLA), formerly known as IDOR (Insecure Direct Object Reference).

BOLA occurs when an API endpoint does not properly validate if the authenticated user has permission to access the specific requested object. For example, User A (ID: 100) modifies the API request from api/v1/receipts/100 to api/v1/receipts/101 and successfully downloads User B’s data.

Legacy Web Application Firewalls (WAFs) cannot detect BOLA because the request itself contains no malicious payload; it is perfectly formatted HTTP traffic with a valid authentication token. Machine Learning models, however, excel at correlating identity with data access patterns. If the AI observes a single authentication token systematically iterating through sequential object IDs (101, 102, 103…), it recognizes the behavioral signature of a BOLA enumeration attack and cuts the connection.

4. Uncovering Shadow and Zombie APIs

You cannot secure an API you do not know exists. In rapid CI/CD environments, developers frequently spin up new API endpoints for testing or internal routing.

  • Shadow APIs: These are undocumented, unmanaged endpoints that bypass the official API Gateway entirely, meaning they lack authentication and rate limiting.
  • Zombie APIs: These are deprecated, legacy versions of an API (e.g., v1 when the current version is v3) that were never properly decommissioned. Attackers love Zombie APIs because they often lack the security patches applied to newer versions.

AI-driven API security tools solve this visibility crisis through passive network traffic analysis. By inspecting the actual traffic flowing across the network (e.g., via eBPF in Kubernetes clusters), the AI automatically discovers and catalogs every API endpoint in use, comparing the observed traffic against the developer’s Swagger/OpenAPI documentation. If the AI detects traffic flowing to an undocumented /api/v1/debug_users endpoint, it immediately alerts the DevSecOps team to the Shadow API.

Conclusion

As microservices continue to scale, APIs become the ultimate target for data exfiltration and business logic abuse. Relying on static gateways and manual documentation is a losing battle. By embedding AI into the API security lifecycle, organizations can automatically discover their true attack surface, baseline normal behavior, and shut down logic-based attacks before data leaves the perimeter.

# API Security# Microservices# DevSecOps# Machine Learning# BOLA# Shadow APIs

William Blondel

55 posts published

Senior full-stack web developer and amateur genealogist. Born geek with an Amstrad CPC 6128. PHP & Laravel Expert 🐘

Twitter / X GitHub LinkedIn williamblondel.fr