To detect anomalies, the Anomaly Shield must be configured and initially baseline-trained for each application separately. After training, the Anomaly Shield can analyze the request traffic patterns of web sessions and generate anomaly information continuously as new requests arrive. The Airlock Anomaly Shield enforcement logic applies the configured patterns to this anomaly information to determine the appropriate action for each session.
Note that an Airlock Anomaly Shield application is a synonym for an Anomaly Shield setup for a back-end application. In most cases, you will want to set up multiple Anomaly Shield applications to shield your back-end services.
Procedure-related prerequisites
- See chapter-related prerequisites.
Instruction part 1 – Enable Anomaly Shield and create a new application
The following settings can be configured under Submenu - Anomaly Shield Applications.
Section – Applications
1. Enable Anomaly Shield by ticking the ON radio button.
2. Click the + button to set up a new application. The section Application will open up.

Section – Application
3. Enter a unique, self-explanatory name into the Application Name field. The application name is checked automatically, i.e. names containing blanks are marked as invalid.
4. Enter a tenant into the Tenant field, if required/applicable.
5. Switch to Reverse Proxy to configure the mapping for the new application. Choose a mapping and click the editing button.
6. In the Basic tab of the mapping, select the new application from the Anomaly Shield application list.
7. Switch back to the Application detail page. The Mappings field now shows the configured mapping.
Instruction part 2 – Configure the collection of training data
The machine learning service requires training data to effectively protect an application. The following settings can be configured on the Application detail page under Section – Training Data Collection.
Filter configuration is based upon regular expressions. For more information, see Configure filter rules using regular expression patterns.
The Configuration Center features the following settings:
| Field name | Description and usage | Example |
|---|---|---|
| Header Name | Filters requests by HTTP header names. This field accepts regular expressions. | |
| Header Value | Filters by header values. This field accepts regular expressions. | |
| Path | Filters by the path of a session/request. This field accepts regular expressions. | |
| HTTP Method | Filters by the HTTP methods used by requests. This field accepts regular expressions. | |
| Content Type | Filters by the content type of a request. This field accepts regular expressions. | |
| IP Exclusions | Click the + button to select and add a new entry from the IP Address Lists. See also Submenu – IP Address Lists. | |
Instruction part 3 – Configure the anomaly detection and response
The following settings can be configured on the Application detail page under Section – Anomaly Detection and Response.
Airlock Anomaly Shield can be configured to execute an action or to log an event in case the Minimal Bit Count threshold for the application is reached.
The Configuration Center features the following settings:
| Field name | Description and usage | Example |
|---|---|---|
| Threat Handling | Sets the Airlock Anomaly Shield action for live data. | |
| Log session anomaly details | Sets the log level for ML-related session information. | |
| Response Rules | Click the + button to select and add a new response rule from the list of Anomaly Shield Triggers & Rules. | |
| Header Name | Filters requests by HTTP header names. This field accepts regular expressions. | |
| Header Value | Filters by header values. This field accepts regular expressions. | |
| Path | Filters by the path of a session/request. This field accepts regular expressions. | |
| HTTP Method | Filters by the HTTP methods used by requests. This field accepts regular expressions. | |
| Content Type | Filters by the content type of a request. This field accepts regular expressions. | |
| IP Exclusions | Click the + button to select and add a new entry from the IP Address Lists. See also Submenu – IP Address Lists. | |
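The following Python is an added illustration, not Airlock code, of how the regular-expression filter fields shared by the Training Data Collection and the Anomaly Detection and Response sections select requests, and of why a Path pattern such as `/api/` should be anchored as `^/api/`. It assumes that every non-empty field must match and that IP Exclusions always take precedence; the product's exact matching semantics are not specified on this page.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class RequestFilter:
    # One regex per filter field of the page; an empty string means "no restriction".
    header_name: str = ""
    header_value: str = ""
    path: str = ""
    http_method: str = ""
    content_type: str = ""
    ip_exclusions: tuple = ()   # CIDR strings standing in for an IP Address List

def _hit(pattern: str, value: str, flags: int = 0) -> bool:
    """Empty pattern matches everything; otherwise an unanchored regex search."""
    return not pattern or re.search(pattern, value, flags) is not None

def request_selected(flt: RequestFilter, method: str, path: str,
                     headers: dict, client_ip: str) -> bool:
    """True if the request passes the filter (assumed semantics: every
    non-empty field must match, IP Exclusions always take precedence)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in flt.ip_exclusions):
        return False
    if not _hit(flt.http_method, method) or not _hit(flt.path, path):
        return False
    # HTTP header names are case-insensitive, so compare them lower-cased
    hdrs = {name.lower(): value for name, value in headers.items()}
    if not _hit(flt.content_type, hdrs.get("content-type", "")):
        return False
    if flt.header_name or flt.header_value:
        # at least one header must satisfy both the name and the value pattern
        if not any(_hit(flt.header_name, n, re.IGNORECASE) and _hit(flt.header_value, v)
                   for n, v in hdrs.items()):
            return False
    return True

# Constructed sample configuration: only anchored /api/ GET/POST traffic from
# outside the internal 10.0.0.0/8 range is selected.
TRAINING_FILTER = RequestFilter(path=r"^/api/", http_method=r"^(GET|POST)$",
                                ip_exclusions=("10.0.0.0/8",))
# The same Path pattern without the ^ anchor also matches /admin/api/...
LOOSE_FILTER = RequestFilter(path=r"/api/")

if __name__ == "__main__":
    print(request_selected(TRAINING_FILTER, "GET", "/api/users", {}, "203.0.113.5"))        # True
    print(request_selected(TRAINING_FILTER, "GET", "/admin/api/users", {}, "203.0.113.5"))  # False
    print(request_selected(LOOSE_FILTER, "GET", "/admin/api/users", {}, "203.0.113.5"))     # True
```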
To complete the configuration of this Anomaly Shield application, proceed with Setting up Anomaly Shield triggers and rules.
Further information and links
- For a brief example of setup, usage and operation, see: Training, tuning and advanced configuration of Airlock Anomaly Shield