BacAlarm: Mining and Simulating Composite API Traffic to Prevent Broken Access Control Violations

Broken Access Control (BAC) violations, which consistently rank among the top five security risks in the OWASP API Security Top 10, refer to unauthorized access attempts arising from BAC vulnerabilities, whose successful exploitation can impose significant risks on exposed application programming interfaces (APIs). In recent years, learning-based methods have demonstrated promising prospects in detecting various types of malicious activities. However, in real-network operation and maintenance scenarios, leveraging learning-based methods for BAC detection faces two critical challenges. Firstly, under the RESTful API design principles, most systems omit recording composite traffic for performance, and together with ethical and legal bans on directly testing real-world systems, this leads to a critical shortage of training data for detecting BAC violations. Secondly, common malicious behaviors such as SQL injection typically generate individual access traffic that is inherently anomalous. In contrast, BAC is usually composed of multiple correlated access requests that appear normal when examined in isolation. To tackle these problems, we introduce \BAC, an approach for establishing a BAC violation detection model by generating and utilizing API traffic data. The \BAC consists of an API Traffic Generator and a BAC Detector. Experimental results show that \BAC outperforms current state-of-the-art invariant-based and learning-based methods with the $\text{F}_1$ and MCC improving by 21.2\% and 24.1\%.