Reputation: 1241
I am currently implementing a REST API for a project. It will be a kind of social network. To secure it, only authenticated users can make requests. So basically a user sends a username and password. If they are correct, I generate a token with JWT and the user can make requests to my API. For sign-up I am using reCAPTCHA to validate that the user is not a bot who wants to create thousands of accounts.
To avoid brute force I wanted to use fail2ban and HAProxy with rate limiting.
However, I have another problem. If an authenticated malicious user sends, for example, every second or every 5 seconds the same request, such as a random friend request, how can I detect this?
Are there any good practices, like storing the daily activity of the user in a DB or in a cache so I can run a process which analyzes this and blocks him?
My code is in Java and I am using JAX-RS.
Upvotes: 0
Views: 714
Reputation: 564
As you mentioned, you will need to implement diagnostic logging. Usually that is how you can determine such suspicious activity performed over a longer period of time. For every API request that comes in, you would want to store information like "who triggered the transaction", "what API was called", "start time", "end time" and more relevant data as per your application. You'll also need a reporting and analysis system running where you can configure required rules which trigger alerts to you/support or automatically ban users as required. If storage is constrained, you can store aggregate data like who invoked the API, what API was invoked and the count. Partition your table into daily partitions so that you can analyze data for the day and apply rules on it.
Upvotes: 1
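A concrete shape for the per-request audit record and one repeat-detection rule from the answer, written as an added JAX-RS example (it is not code from the question or the answer). It assumes an earlier filter has already validated the JWT and set the principal name to the user id, that the javax.ws.rs 2.x API is in use, and that the thresholds and the in-memory store are placeholders for the cache or daily-partitioned table the answer describes.

```java
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Audits every request and flags a user who repeats the same call too often. */
@Provider
public class ActivityAuditFilter implements ContainerRequestFilter {
    // Rule: more than MAX_REPEATS calls with the same (user, method, path) within WINDOW_SECONDS.
    private static final int MAX_REPEATS = 20;          // placeholder threshold
    private static final long WINDOW_SECONDS = 60;      // placeholder window
    // In-memory store of recent call times per key, for this example only; across several
    // API instances use a shared cache or the daily-partitioned table from the answer.
    private final Map<String, Deque<Instant>> recent = new ConcurrentHashMap<>();

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Assumes the JWT-checking filter already set the principal name to the user id.
        String user = ctx.getSecurityContext().getPrincipal() == null
                ? "anonymous" : ctx.getSecurityContext().getPrincipal().getName();
        String path = ctx.getUriInfo().getPath();
        Instant now = Instant.now();
        // Audit record (who, what, when); replace System.out with your log/DB sink.
        System.out.printf("audit user=%s method=%s path=%s at=%s%n", user, ctx.getMethod(), path, now);
        if (isAbusive(user + " " + ctx.getMethod() + " " + path, now)) {
            // Alert for the analysis/ban process; here the request is simply refused.
            System.out.printf("alert user=%s exceeded %d repeats of %s %s in %ds%n",
                    user, MAX_REPEATS, ctx.getMethod(), path, WINDOW_SECONDS);
            ctx.abortWith(Response.status(429).entity("too many identical requests").build());
        }
    }

    /** Records one call under key and returns true when the sliding-window rule is violated. */
    boolean isAbusive(String key, Instant now) {
        Deque<Instant> times = recent.computeIfAbsent(key, k -> new ArrayDeque<>());
        synchronized (times) {
            Instant cutoff = now.minusSeconds(WINDOW_SECONDS);
            while (!times.isEmpty() && times.peekFirst().isBefore(cutoff)) times.pollFirst();
            times.addLast(now);
            return times.size() > MAX_REPEATS;
        }
    }
}
```

The same audit line, written to a daily-partitioned table instead of stdout, is what the offline analysis process in the answer would aggregate by user and endpoint.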