☠ ARIA

API Risk Intelligence & Automation

Zombie API Discovery & Defence Platform for Indian Banking Cybersecurity

Union Bank of India — Cyber Security Hackathon | Problem Statement 9

---

📌 Overview

ARIA is a full-lifecycle API security platform that finds every API a bank has — including the forgotten ones — classifies their lifecycle status, tests their security posture, generates AI-powered remediation reports for three audiences, and safely removes confirmed zombie APIs through a dependency-safe decommission workflow. It runs entirely on the bank's own infrastructure at zero licensing cost.

What is a Zombie API? A Zombie API is an endpoint that is still live and accessible on a bank's servers but is no longer actively maintained, monitored, or owned by any team. It was built for a feature that was removed, a system that was replaced, or a project that was abandoned — but nobody turned off the server.

---

🎯 The Problem

A mid-sized Indian bank operates 300–800 APIs across core banking (Finacle/Temenos), payments (SWIFT/RTGS/NEFT/UPI), mobile banking, internet banking, and internal microservices. With teams changing every 1–2 years, APIs accumulate silently.

API Type	Definition	Danger Level
Active	Live traffic, documented, owned	🟢 LOW
Deprecated	Officially marked for retirement, still running	🟡 MEDIUM
Orphaned	No owner, no documentation	🟠 HIGH
Shadow	Live traffic but NOT in any gateway or docs	🔴 CRITICAL
Zombie	No traffic 90+ days, no owner, still accessible	🔴 CRITICAL

Why existing tools fail: Every major security tool — Nessus, Burp Suite, OWASP ZAP, Salt Security, Akamai — requires knowing what to test or relies on traffic to discover APIs. A zombie API has zero traffic by definition. The moment an API stops receiving requests, every traffic-based tool goes blind.

ARIA finds what nobody knows about.

---

🏗️ Architecture

graph TB
    subgraph Frontend["🖥️ React Dashboard — Vite + React 18"]
        CC["Command Center"]
        INV["API Inventory"]
        GY["Zombie Graveyard"]
        HM["Security Heatmap"]
        DP["Decommission Pipeline"]
    end

    subgraph Gateway["⚡ Unified API Gateway — FastAPI :8000"]
        GW["Route Handler + CORS + Scan Engine"]
    end

    subgraph Services["🔧 Backend Services"]
        DS["Discovery Engine\n5 Crawlers"]
        CL["Risk Classifier\n6-Signal Scoring"]
        PR["Security Probes\n6 Non-Destructive Tests"]
        RP["Report Generator\n3 Audiences"]
        CM["Compliance Mapper\nRBI / PCI-DSS / DPDP"]
        DC["Decommission Manager\n5-Stage State Machine"]
        AG["Attack Graph\nMITRE ATT&CK TTPs"]
    end

    subgraph Data["💾 Data Layer"]
        REPO["In-Memory Repository\n(PostgreSQL in Production)"]
        SEED["12 Seed APIs\nRealistic Banking Endpoints"]
    end

    Frontend -->|HTTP| GW
    GW --> DS & CL & PR & RP & CM & DC & AG
    DS & CL & PR & RP & DC --> REPO
    REPO --> SEED

    style Frontend fill:#0d1b2a,stroke:#00e5ff,color:#e8edf3
    style Gateway fill:#1b2838,stroke:#00e5ff,color:#e8edf3
    style Services fill:#1b2838,stroke:#00e5ff,color:#e8edf3
    style Data fill:#1b2838,stroke:#00e5ff,color:#e8edf3

Loading

Data Flow

sequenceDiagram
    participant D as Dashboard
    participant G as Gateway
    participant Disc as Discovery (5 Crawlers)
    participant Risk as Risk Classifier
    participant Probe as Security Probes
    participant Rep as Report Generator
    participant Decomm as Decommission Manager

    D->>G: POST /scan (trigger)
    G->>Disc: Run 5 parallel crawlers
    Disc-->>G: 12 APIs discovered & merged
    
    loop For each API
        G->>Risk: Score with 6 signals
        Risk-->>G: Status + Score (0-100)
        G->>Probe: Run 6 security probes
        Probe-->>G: Findings with evidence
        G->>Rep: Generate 3 reports
        Rep-->>G: CISO + Dev + Auditor reports
    end
    
    G-->>D: Full inventory with scores, findings, reports
    
    D->>G: POST /decommission/start
    G->>Decomm: Begin 5-stage workflow
    Decomm-->>G: Identified → Notify → Watch → Block → Archive

Loading

---

⚡ Quick Start

Prerequisites

• Python 3.11+ and Node.js 18+

Backend

# Clone and setup
cd ARIA1
python -m venv .venv

# Windows
.\.venv\Scripts\Activate.ps1

# Install dependencies
pip install -r backend/requirements.txt

# Start API server
uvicorn backend.main:app --reload --host 127.0.0.1 --port 8000

Frontend

cd frontend
npm install
npm run dev

Open Dashboard

http://127.0.0.1:5173/

---

🔍 Five-Source Discovery Engine

Five independent crawlers run in parallel, each targeting a different infrastructure layer. Together they find every API — including ones no human has thought about in years.

#	Crawler	Target	What It Finds	Tool
1	API Gateway Scout	Kong Admin API	Registered routes (baseline for cross-reference)	httpx
2	Git Repository Miner	GitHub/GitLab repos	Routes in code history — even deleted ones, with author + date	GitPython, tree-sitter
3	Network Subnet Scanner	Internal IP ranges	Rogue servers on non-standard ports nobody registered	python-nmap
4	Kubernetes Watcher	K8s Ingress/Service events	Containers deployed directly, bypassing gateway	kubernetes client
5	OpenAPI Spec Harvester	/swagger.json paths	Self-documenting but unregistered APIs	httpx, pyyaml

Shadow API Detection: An API found by the network scanner that is NOT in the Kong gateway AND NOT documented AND has traffic = Shadow API. Immediately escalated to CRITICAL.

---

📊 6-Signal Zombie Classification Engine

Every discovered API runs through a deterministic weighted scoring function. No black-box ML — every classification is explainable and auditable.

Signal	Weight	Max Score Condition	Data Source
Last Traffic	35%	No requests in 90+ days	Kong access logs
Gateway Registration	20%	Not registered in any gateway	Kong Admin API
Documentation	15%	No valid OpenAPI spec found	Spec Harvester
Owner Assignment	15%	No accountable team owner	Git blame + LDAP
Code Reference	10%	Route absent from all main branches	Git Miner
Environment Consistency	5%	Exists in prod only, absent from lower envs	K8s Watcher

Score Range	Label	Risk Level	Action
85–100	ZOMBIE	🔴 CRITICAL	Immediate decommission
65–84	ORPHANED	🟠 HIGH	Find owner or decommission
40–64	SHADOW	🔴 CRITICAL	Emergency security review
20–39	DEPRECATED	🟡 MEDIUM	Accelerate planned retirement
0–19	ACTIVE	🟢 LOW	Monitor regularly

---

🛡️ 6 Non-Destructive Security Probes

Safe to run inside a bank's network — no attack payloads, no fuzzing. Will never trigger the bank's WAF or IDS.

Probe	Test Method	Fail = Risk Level
Authentication	Zero-credential GET request	🔴 CRITICAL
TLS/Encryption	SSL protocol + certificate check	🟠 HIGH
Rate Limiting	100 concurrent requests burst	🟠 HIGH
PII Exposure	Indian PII detection (Aadhaar, PAN, IFSC, Phone)	🔴 CRITICAL
CORS Policy	Malicious Origin header injection	🟡 MEDIUM
HTTP Methods	OPTIONS/DELETE/PUT on GET-only endpoints	🟠 HIGH

---

📋 AI Reports — Three Audiences, One Finding

Report	Audience	Purpose	Format
Executive Summary	CISO	30-second risk decision	3 sentences, plain English
Engineering Runbook	Developer	Step-by-step fix guide	Numbered CLI commands
Compliance Statement	Auditor	Regulatory evidence pack	RBI/PCI-DSS/DPDP clauses

Production path: Mistral 7B via Ollama + LangChain RAG over OWASP API Top 10 + MITRE ATT&CK. No fine-tuning needed — prompt engineering + RAG achieves 90% of quality.

---

🔄 5-Stage Dependency-Safe Decommission

stateDiagram-v2
    [*] --> Identified: Zombie confirmed
    Identified --> OwnerNotify: Auto email + Slack
    OwnerNotify --> SilentWatch: 30-day grace period
    SilentWatch --> GatewayBlock: Zero traffic confirmed
    SilentWatch --> OwnerNotify: Traffic detected! Pause.
    GatewayBlock --> Archived: Zero complaints (7d)
    GatewayBlock --> Identified: Unblock (reversible)
    Archived --> [*]: Spec archived forever

Loading

Stage	Duration	What Happens	Reversible?
Identified	Instant	Metadata snapshot, Jira ticket created	N/A
Owner Notify	0–3 days	Git blame → LDAP → Email + Slack notification	✅
Silent Watch	30 days	Kong logger injected, ANY request = PAUSE	✅
Gateway Block	7 days	Kong route enabled:false, returns HTTP 410	✅
Archived	Final	Route deleted, DNS removed, cert revoked, spec archived	❌

One-click block: Security team can immediately block any API from the dashboard in under 3 seconds. Fully reversible — one click re-enables.

---

📜 Indian Regulatory Compliance Mapping

Every security finding is automatically mapped to specific regulatory clauses:

Finding	RBI IT Framework	PCI-DSS v4.0	DPDP Act 2023
No authentication	§7.3 Access Control	Req 8.2 User Auth	§8 Data Protection by Design
PII exposed	§8.1 Data Confidentiality	Req 3.5 Protect Data	§4(1)(c) Data Minimisation
No rate limiting	§11.2 Availability Controls	Req 6.4 Web App Security	—
Shadow API	§5.4 Asset Management	Req 12.3 Asset Inventory	§8 Technical Measures
Zombie API (90d+)	§7.1 Access Lifecycle	Req 8.3 Inactive Accounts	§4(1)(e) Storage Limitation
Weak TLS	§8.2 Encryption Standards	Req 4.2 Strong Crypto	§8 Technical Measures

---

🖥️ Dashboard Views

View	Purpose	Key Features
Command Center	CISO morning briefing	Metric cards, trend charts, risk distribution, critical alerts
API Inventory	Full endpoint catalog	Filterable table, detail panel, score breakdown, probe results, AI reports
Zombie Graveyard	Visual risk communication	Tombstone cards with dormancy days, pulsing glow, attack paths
Security Heatmap	Posture gap analysis	API × Probe matrix, pass/fail cells, coverage percentage
Decommission Pipeline	Safe removal workflow	5-stage pipeline, audit trail, block/unblock actions

---

🛠️ Technology Stack

Backend

Component	Technology	Purpose
Language	Python 3.12	Async support, ML/security ecosystem
Framework	FastAPI 0.115	Auto OpenAPI docs, native async, WebSocket
Validation	Pydantic v2	Type-safe request/response schemas
HTTP Client	httpx 0.28	Async probing and gateway API calls

Frontend

Component	Technology	Purpose
Framework	React 18	Component-based SPA
Build Tool	Vite 6	Instant HMR, 10x faster builds
Charts	Recharts 2	Trend, bar, pie charts
State	Zustand 5	Lightweight global state
Icons	Lucide React	Consistent icon set
Routing	React Router 6	Multi-view navigation
Fonts	IBM Plex Mono + Inter	Technical monospace + clean sans-serif

Production Path (Phase 2)

Component	Technology	Purpose
LLM	Ollama + Mistral 7B	Local report generation
Embeddings	all-MiniLM-L6-v2	RAG vector similarity
Vector Store	FAISS	OWASP + MITRE knowledge base
PII Detection	Microsoft Presidio	Aadhaar, PAN, IFSC recognizers
Graph DB	Neo4j 5	Attack path computation
Task Queue	Celery + Redis	Scheduled scans, async LLM
Database	PostgreSQL 15	ACID-compliant primary store
Orchestration	Docker Compose / K8s	One-command deployment

---

📂 Project Structure

ARIA1/
├── backend/
│   ├── main.py                    # Unified FastAPI gateway
│   ├── requirements.txt           # Python dependencies
│   ├── shared/
│   │   ├── schemas.py             # Pydantic domain models
│   │   ├── config.py              # Environment configuration
│   │   ├── seed.py                # 12 realistic banking APIs
│   │   └── repository.py          # In-memory data store
│   └── services/
│       ├── discovery.py           # 5-source crawler engine
│       ├── classifier.py          # 6-signal scoring engine
│       ├── probes.py              # 6 security probes
│       ├── reports.py             # 3-audience report generator
│       ├── compliance.py          # RBI/PCI-DSS/DPDP mapper
│       ├── decommission.py        # 5-stage state machine
│       └── attack_graph.py        # Lateral movement risk
├── frontend/
│   ├── index.html                 # Entry point
│   ├── package.json               # NPM dependencies
│   ├── vite.config.js             # Vite configuration
│   └── src/
│       ├── main.jsx               # React app with routing
│       ├── styles.css             # Dark cybersecurity design system
│       ├── api.js                 # Backend API client
│       ├── store.js               # Zustand global state
│       └── pages/
│           ├── CommandCenter.jsx  # Dashboard overview
│           ├── Inventory.jsx      # API table + detail panel
│           ├── Graveyard.jsx      # Tombstone visualization
│           ├── Heatmap.jsx        # Probe results matrix
│           └── Decommission.jsx   # Pipeline + audit trail
├── .env.example                   # Environment template
├── .gitignore
└── README.md

---

🏆 Why ARIA Wins

Gap	Industry Status	ARIA Solution
Zero-Traffic Discovery	Every tool goes blind when traffic stops	5-source discovery finds APIs that never sent a byte in years
Managed Decommission	Every tool stops at "here is the risk"	5-stage dependency-safe removal with audit trail
Indian Compliance	Tools map to GDPR/SOC2, not Indian regulations	Built-in RBI IT Framework, PCI-DSS, DPDP Act mapping
Cost	Enterprise tools cost ₹50L–2Cr/year	100% open source, zero licensing cost
Data Sovereignty	SaaS tools violate RBI data localisation	Runs entirely on-premise, zero external API calls

---

📄 License

MIT License — Built for Union Bank of India Cyber Security Hackathon

---

☠ ARIA — Find Every Forgotten Door. Close It Before They Walk In.