Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the "add to cart" and "complete purchase" functions in less than one second)
I am agree when the behavior detection is for website access via browser
On the other hand, it can happen when user's beta program accessing an API server during development the crawler program.
I feel that "deviation from business flow with excessive access" is the clue to a solution.
Currently, each of "deviation from business flow" and "excessive access" alone is likely to pick up a lot of noise.
The number of behaviors that are small (or appear to be small) are often stealthy and difficult to find.
Unlike malware C2 URLs, there are no IOCs that are difficult to FP, so this is based on anomaly detection.
Unlike normal browser access to the Web, access to API servers does not have much information that can be taken from the header as fingerprinting, so it is more difficult to detect anomalies.
I'm considering source information, access volume and the deviation from the normal access flow bound by source IP, API Token, JWT, etc.
I am agree when the behavior detection is for website access via browser On the other hand, it can happen when user's beta program accessing an API server during development the crawler program.
I feel that "deviation from business flow with excessive access" is the clue to a solution. Currently, each of "deviation from business flow" and "excessive access" alone is likely to pick up a lot of noise. The number of behaviors that are small (or appear to be small) are often stealthy and difficult to find. Unlike malware C2 URLs, there are no IOCs that are difficult to FP, so this is based on anomaly detection. Unlike normal browser access to the Web, access to API servers does not have much information that can be taken from the header as fingerprinting, so it is more difficult to detect anomalies. I'm considering source information, access volume and the deviation from the normal access flow bound by source IP, API Token, JWT, etc.
I hope this will be of help to you. Thank you. :)