Attackers continue to adapt and Wallarm continues to innovate API protection. We’ve introduced improvements to API Abuse Prevention in order to improve detection of Account Takeover (ATO) attacks. Wallarm now supports two additional machine learning detectors. 

IP Rotation

The IP rotation detector identifies account takeover attacks where attackers utilize a pool of IP addresses to perform an attack. In these types of attacks, the session remains stable, with cookies, headers, and other key fields unchanged, but each request or a small set of requests is made from a different IP address, often using each IP only once. This results in a single long session involving multiple IPs.

The detector analyzes this IP diversity within a consistent session to flag sophisticated automated attacks that evade traditional security measures.

Session Rotation

The Session rotation detector identifies account takeover attacks where attackers rotate session identification to avoid detection. In these types of attacks, a unique session (e.g., a cookie-based ID) is assigned to each client, but an attacker intentionally modifies or removes the session identifier. This results in one attacker using a single IP address with multiple sessions.

The detector analyzes this unusual behavior of high session diversity from the same IP to detect sophisticated automated attacks.

Both of these new detectors were created to better identify anomalies in API traffic that indicates an account takeover attack. You can read more about API Abuse Prevention in the documentation.