Configuration of Airlock Anomaly Shield applications

To detect anomalies, the Anomaly Shield must be configured and initially baseline-trained for each application separately. After training, the Anomaly Shield analyzes the request traffic patterns of web sessions and generates anomaly information continuously as new requests arrive. The Airlock Anomaly Shield enforcement logic matches the configured patterns against this anomaly information to determine the appropriate action for each session.

Note that an Airlock Anomaly Shield application is a synonym for an Anomaly Shield setup for one back-end application. In most cases you will want to set up multiple Anomaly Shield applications to shield your back-end services.

Procedure-related prerequisites

  • See chapter-related prerequisites.

Instruction part 1 – Enable Anomaly Shield and create a new application

The following settings can be configured under Submenu - Anomaly Shield Applications.

[Screenshot: Section – Applications]

  1. Enable Anomaly Shield by ticking the ON radio button.
  2. Click the + button to set up a new application. The section Application will open up.

[Screenshot: Section – Application]

  3. Add a unique, self-explanatory name into the Application Name field. The application name is checked automatically, i.e. names containing blanks are marked as invalid.
  4. Add a tenant to the Tenant field, if required/applicable.
  5. Change to Reverse Proxy to configure the mapping for the new application. Choose a mapping and click the editing button.
  6. In the tab Basic of the mapping, select the new application from the Anomaly Shield application list.

[Screenshot: Section – Anomaly Shield (Tab Basic)]

  7. Change back to the Application detail page. The Mappings field now shows the configured mapping.

[Screenshot: Section – Application]

Instruction part 2 – Configure the collection of training data

The machine learning service requires training data to effectively protect an application. The following settings can be configured on the Application detail page under Section – Training Data Collection.

Filter configuration is based on regular expressions. For more information, see Configure filter rules using regular expression patterns.

[Screenshot: Section – Training Data Collection]

The Configuration Center features the following settings (field name, description and usage, example):

Header Name
  Filters requests by HTTP header names. This field accepts regular expressions. If the field is left empty, no filtering happens.
  Example:
    • Any HTTP-conformant header name

Header Value
  Filters by header values. This field accepts regular expressions.
  Example:
    • As required

Path
  Filters by the path of a session/request. This field accepts regular expressions.
  Example:
    • Diverse

HTTP Method
  Filters by the HTTP methods used by requests. This field accepts regular expressions.
  Example:
    • GET
    • POST
    • ...

Content Type
  Filters by the content type of a request. This field accepts regular expressions.
  Example:
    • text/html; charset=UTF-8
    • Any other content type

IP Exclusions
  Click the + button to select and add a new entry from the IP Address Lists. See also Submenu – IP Address Lists.
  Example:
    • 172.16.33.0/24
    • 127.0.0.1
Instruction part 3 – Configure the anomaly detection and response

The following settings can be configured on the Application detail page under Section – Anomaly Detection and Response.

Airlock Anomaly Shield can be configured either to execute an action or only to log an event when the Minimal Bit Count threshold configured for the application is reached.

[Screenshot: Section – Anomaly Detection and Response]

The Configuration Center features the following settings (field name, description and usage, example):

Threat Handling
  Sets the Airlock Anomaly Shield action for live data.
  Choose between:
    • Execute actions
    • Log only

Log session anomaly details
  Sets the log level for ML-related session information. See also Log messages and actions of Airlock Anomaly Shield.
  Choose between:
    • Never
    • When session anomaly pattern changes
    • When raw session anomaly values change
    • For every request

Response Rules
  Click the + button to select and add a new response rule from the list of Anomaly Shield Triggers & Rules. See also Trigger, pattern and rule configuration.
  Example:
    • As required

Header Name
  Filters requests by HTTP header names. This field accepts regular expressions. If the field is left empty, no filtering happens.
  Example:
    • Any HTTP-conformant header name

Header Value
  Filters by header values. This field accepts regular expressions.
  Example:
    • As required

Path
  Filters by the path of a session/request. This field accepts regular expressions.
  Example:
    • Diverse

HTTP Method
  Filters by the HTTP methods used by requests. This field accepts regular expressions.
  Example:
    • GET
    • POST
    • ...

Content Type
  Filters by the content type of a request. This field accepts regular expressions.
  Example:
    • text/html; charset=UTF-8
    • Any other content type

IP Exclusions
  Click the + button to select and add a new entry from the IP Address Lists. See also Submenu – IP Address Lists.
  Example:
    • 172.16.33.0/24
    • 127.0.0.1
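The regular-expression filter fields listed in parts 2 and 3, together with the Threat Handling choice in part 3, can be exercised against sample traffic before they are entered in the Configuration Center. The following Python is an added example written for this page, not code from Airlock or its documentation. The `Request` and `TrafficFilter` classes, the `decide` function, the filter semantics (an empty field imposes no restriction, every non-empty field must match, an excluded IP range always wins), the sample requests and the rule action name are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Request:
    """Constructed stand-in for one request as seen by the reverse proxy."""
    method: str
    path: str
    headers: Dict[str, str]
    client_ip: str

    @property
    def content_type(self) -> str:
        # HTTP header names are case-insensitive, so look the header up that way.
        for name, value in self.headers.items():
            if name.lower() == "content-type":
                return value
        return ""


@dataclass
class TrafficFilter:
    """Hypothetical model of the six filter fields of an Anomaly Shield application
    (Header Name, Header Value, Path, HTTP Method, Content Type, IP Exclusions).
    Assumed semantics: an empty regex field imposes no restriction, a request is
    selected only when every non-empty field matches, and a client address inside
    any IP Exclusions entry is never selected."""
    header_name: str = ""
    header_value: str = ""
    path: str = ""
    http_method: str = ""
    content_type: str = ""
    ip_exclusions: Tuple[str, ...] = ()

    @staticmethod
    def _matches(pattern: str, value: str, flags: int = 0) -> bool:
        # Empty field: no filtering happens (as documented for the Header Name field).
        return not pattern or re.search(pattern, value, flags) is not None

    def _header_ok(self, headers: Dict[str, str]) -> bool:
        if not self.header_name and not self.header_value:
            return True
        # At least one header must satisfy both the name and the value pattern.
        return any(
            self._matches(self.header_name, name, re.IGNORECASE)
            and self._matches(self.header_value, value)
            for name, value in headers.items()
        )

    def _excluded(self, client_ip: str) -> bool:
        addr = ipaddress.ip_address(client_ip)
        # strict=False lets a bare address such as 127.0.0.1 act as a /32 network.
        return any(addr in ipaddress.ip_network(entry, strict=False)
                   for entry in self.ip_exclusions)

    def selects(self, req: Request) -> bool:
        if self._excluded(req.client_ip):
            return False
        return (self._matches(self.http_method, req.method)
                and self._matches(self.path, req.path)
                and self._matches(self.content_type, req.content_type, re.IGNORECASE)
                and self._header_ok(req.headers))


def decide(bit_count: int, minimal_bit_count: int,
           threat_handling: str, rule_action: str) -> str:
    """Assumed enforcement decision for one session: below the Minimal Bit Count
    threshold nothing happens; at or above it, 'Log only' records an event while
    'Execute actions' returns the action of the matching response rule."""
    if bit_count < minimal_bit_count:
        return "none"
    if threat_handling == "Log only":
        return "log"
    if threat_handling == "Execute actions":
        return rule_action
    raise ValueError(f"unknown Threat Handling mode: {threat_handling!r}")


# Constructed filter: collect only JSON API calls, never from the monitoring range.
TRAINING_FILTER = TrafficFilter(
    path=r"^/api/",
    http_method=r"^(GET|POST)$",
    content_type=r"^application/json",
    ip_exclusions=("172.16.33.0/24", "127.0.0.1"),
)

# Constructed sample requests.
API_CALL = Request("POST", "/api/orders",
                   {"Content-Type": "application/json; charset=UTF-8"}, "10.0.0.5")
MONITORING_CALL = Request("GET", "/api/health",
                          {"Content-Type": "application/json"}, "172.16.33.17")
STATIC_CALL = Request("GET", "/static/app.js", {}, "10.0.0.5")

if __name__ == "__main__":
    for req in (API_CALL, MONITORING_CALL, STATIC_CALL):
        print(req.method, req.path, req.client_ip, "->", TRAINING_FILTER.selects(req))
    print(decide(4, 3, "Log only", "terminate_session"))
```

Running the module shows that only the order request from 10.0.0.5 is selected: the health check is dropped by the IP exclusion even though every regex matches, and the static file fails the path and content-type filters. Keeping monitoring and load-test ranges out of the training data matters because whatever is collected defines the baseline that later traffic is judged against.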

To complete the configuration of this Anomaly Shield application, proceed with Trigger, pattern and rule configuration.