Leveraging Capsule Networks to Defend APIs from Ransomware Attacks

Written by
Tommy Perniciaro
Published on
March 6, 2023

In the first post of this series, Capsule Networks vs CNN’s for Ransomware Detection, we discussed the basics of why Capsule Networks (CapsNets) are more effective at detecting ransomware attack campaigns, and how they can be leveraged to overcome some of the challenges involved in detecting novel ransomware variants.

In the second article, Capsule Network Detections vs Ransomware, we took a deep dive into how CapsNets can prevent a Ransomware-as-a-Service (RaaS) campaign like LockBit 2.0, and how they can amplify indicators of bad behavior and enhance XDR/EDR detections.

In this article, we examine issues we see with some of the high-profile API attacks of recent years, and how CapsNets could have been effective in detecting these attacks and preventing them from succeeding.

First, here are a few use cases for applying CapsNets to defend against API attacks:

  • API Traffic Analysis: CapsNets can be used to analyze API traffic and detect anomalies or suspicious patterns that may indicate a security breach or a potential attack. CapsNets can be trained to detect patterns of traffic that are characteristic of specific types of attacks such as SQL injection or cross-site scripting. They can also be used to classify API traffic into distinct categories based on the type of API, the payload, or other features.
  • Bot Detection: CapsNets can be used to detect and block malicious bots that are attempting to access APIs. CapsNets can be trained on data that represents normal API traffic and used to identify patterns of traffic that are characteristic of bots or automated scripts. This can prevent bot attacks that are designed to steal data or overload the API with requests.
  • Behavioral Biometrics: CapsNets can be used to develop behavioral biometric models for API users. CapsNets can be trained to analyze the usage patterns of API users and to identify patterns that are characteristic of normal behavior. This can detect anomalies in user behavior that may indicate a security breach or a compromised account.
  • Image-Based Security: CapsNets can be used to develop image-based security features for APIs. CapsNets can be used to generate unique images that are associated with API users or accounts. These images can be used as a form of two-factor authentication to prevent unauthorized access to APIs.

Past API Security Breaches

In 2020, there was a security breach at Twitter that allowed hackers to take over the accounts of high-profile individuals and post fraudulent messages. The attackers used a combination of social engineering and technical exploits to gain access to Twitter's internal tools and systems.

One of the technical exploits used by the attackers involved a vulnerability in Twitter's API. The attackers were able to use the API to access user account information and post tweets on behalf of the compromised accounts. CapsNets could have detected this attack by analyzing the API traffic and identifying patterns of behavior that were characteristic of the attack.

For example, the CapsNet could have detected a high volume of API traffic from unusual IP addresses or devices, or traffic that contained suspicious keywords or payloads. The CapsNet could have also detected abnormal usage patterns of the API, such as an unusually high number of requests or requests that were being made at odd times of the day.

Detecting Hierarchical Relationships Between Features

In the Twitter example, a Convolutional Neural Network (CNN) will not be as effective as a CapsNet at detecting the attack because of the hierarchical relationships between features in the API traffic. As noted above, the attackers combined social engineering with technical exploits, including a vulnerability in Twitter's API, to reach Twitter's internal tools and systems.

A CNN might be able to detect some features of the attack, such as a high volume of traffic or traffic from unusual IP addresses or devices. However, a CNN might not be as effective at capturing the hierarchical relationships between features in the API traffic, such as the relationship between specific API requests and the payload of those requests.

A CapsNet, on the other hand, is designed to capture hierarchical relationships between features and could potentially be more effective at detecting the attack. A CapsNet could analyze the API traffic and identify patterns of behavior that were characteristic of the attack, such as a sequence of requests that were used to exploit the vulnerability in the API. The CapsNet could also detect abnormal usage patterns of the API, such as requests that were being made at odd times of the day or from unusual locations.
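To make the signals above concrete, here is an added example (not the page's or Halcyon's code, and not a CapsNet) that builds a per-account baseline from constructed API log lines and then flags the three things the text names: traffic from an IP the account never used, requests at an hour the account is never active, and the relationship signal of an account-info read followed quickly by a post, both from the new IP. The log format, endpoints and accounts are all constructed for the example; a learned model would replace the hand-written rules, but it would need to capture the same feature relationships.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample API log lines (not real traffic): "timestamp client_ip account method path"
BASELINE_LOG = """\
2020-07-13T14:02:11Z 10.0.0.5 acct-1 GET /api/account/info
2020-07-13T14:05:40Z 10.0.0.5 acct-1 POST /api/tweet
2020-07-14T15:10:02Z 10.0.0.5 acct-1 GET /api/account/info
2020-07-14T14:30:45Z 10.0.0.7 acct-2 GET /api/account/info
"""
EVENT_LOG = """\
2020-07-15T03:12:05Z 203.0.113.9 acct-1 GET /api/account/info
2020-07-15T03:12:07Z 203.0.113.9 acct-1 POST /api/tweet
2020-07-15T14:20:00Z 10.0.0.7 acct-2 GET /api/account/info
"""
LINE = re.compile(r"(\S+) (\S+) (\S+) (GET|POST) (\S+)")

def parse(log):
    """Yield (time, ip, account, method, path) for each constructed log line."""
    for m in LINE.finditer(log):
        ts, ip, acct, method, path = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, acct, method, path

def build_baseline(log):
    """Per account: the client IPs and hours of day seen during normal use."""
    ips, hours = defaultdict(set), defaultdict(set)
    for ts, ip, acct, _, _ in parse(log):
        ips[acct].add(ip)
        hours[acct].add(ts.hour)
    return ips, hours

def score(event_log, baseline_log, window=timedelta(seconds=30)):
    """Return {account: set of signal names} for accounts that trip any signal."""
    ips, hours = build_baseline(baseline_log)
    signals = defaultdict(set)
    last_read = {}  # account -> time of the latest account-info read from a new IP
    for ts, ip, acct, method, path in parse(event_log):
        new_ip = ip not in ips[acct]
        if new_ip:
            signals[acct].add("unusual_ip")
        if ts.hour not in hours[acct]:
            signals[acct].add("odd_hour")
        # Relationship signal: info read, then a post within `window`, both from a new IP.
        if new_ip and path == "/api/account/info":
            last_read[acct] = ts
        elif new_ip and method == "POST" and path == "/api/tweet":
            if acct in last_read and ts - last_read[acct] <= window:
                signals[acct].add("read_then_post_from_new_ip")
    return dict(signals)
```

Running `score(EVENT_LOG, BASELINE_LOG)` flags only acct-1, with all three signals, while acct-2's request from its usual IP at its usual hour produces nothing.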

Takeaway

Overall, while CNNs are a powerful technology for image and pattern recognition tasks, they are not as effective as CapsNets for certain types of API security applications. CapsNets are specifically designed to capture hierarchical relationships between features and can be more effective at detecting complex patterns of behavior in API traffic.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. And check out the Recent Ransomware Attacks resource site to get near real-time tracking of ransomware attacks, threat actor groups, and their victims.
