Configuration of Airlock Anomaly Shield applications

To detect anomalies, the Anomaly Shield must be configured and initially trained on a baseline for each application separately. After training, the Anomaly Shield analyzes the request traffic patterns of web sessions and generates anomaly information continuously as new requests arrive. The Airlock Anomaly Shield enforcement logic matches the configured trigger patterns against this anomaly information to determine the appropriate action for each session.

Note that an Airlock Anomaly Shield application is the Anomaly Shield setup for one back-end application. In most cases you will set up several Anomaly Shield applications, one for each back-end service you want to shield.

Procedure-related prerequisites

  • See chapter-related prerequisites.

Instruction part 1 – Enable Anomaly Shield and create a new application

The following settings can be configured under Submenu - Anomaly Shield Applications.

  • Section – Applications
  • 1.
    Enable the Anomaly Shield by selecting the ON radio button.
  • 2.
    Click the + button to set up a new application. The section Application opens.
  • Section – Application
  • 3.
    Enter a unique, self-explanatory name into the Application Name field. The name is validated automatically, e.g. names containing blanks are marked as invalid.
  • 4.
    Enter a tenant into the Tenant field, if required/applicable.
  • 5.
    Switch to Reverse Proxy to assign a mapping to the new application: choose the mapping and click the edit button.
  • 6.
    In the Basic tab of the mapping, select the new application from the Anomaly Shield application list.
  • 7.
    Switch back to the Application detail page. The Mappings field now shows the mapping configured in step 6.

Instruction part 2 – Configure the collection of training data

The machine learning service requires training data to protect an application effectively. The following settings can be configured on the Application detail page under Section – Training Data Collection. Only requests that pass the filter configured here are collected as training data, so the filter decides what the Anomaly Shield will learn as "normal" traffic for this application.

Filter configuration is based upon regular expressions. For more information, see Configure filter rules using regular expression patterns.

Section - Training Data Collection

The Configuration Center features the following settings. Each regular-expression field that is left empty applies no filtering on that attribute.

  • Header Name
    Filters requests by HTTP header name. This field accepts regular expressions. If the field is left empty, no filtering happens.
    Example: any HTTP-conformant header name.
  • Header Value
    Filters requests by header value. This field accepts regular expressions.
    Example: as required.
  • Path
    Filters by the path of a session/request. This field accepts regular expressions.
    Example: varies by application.
  • HTTP Method
    Filters by the HTTP method used by the request. This field accepts regular expressions.
    Example: GET, POST, ...
  • Content Type
    Filters by the content type of a request. This field accepts regular expressions.
    Example: text/html; charset=UTF-8, or any other content type.
  • IP Exclusions
    Click the + button to select and add a new entry from the IP Address Lists. Requests from these addresses are not collected.
    Example: 172.16.33.0/24, 127.0.0.1

Instruction part 3 – Configure the anomaly detection and response

The following settings can be configured on the Application detail page under Section – Anomaly Detection and Response.

Airlock Anomaly Shield can be configured either to execute an action or only to log an event when the Minimal Bit Count threshold for the application is reached.

Section - Anomaly Detection and Response

The Configuration Center features the following settings:

  • Threat Handling
    Sets the Airlock Anomaly Shield action for live data.
    Choose between: Execute actions, Log only.
  • Log session anomaly details
    Sets the log level for ML-related session information.
    Choose between: Never, When session anomaly pattern changes, When raw session anomaly values change, For every request.
  • Response Rules
    Click the + button to select and add a new response rule from the list of Anomaly Shield Triggers & Rules.
    Example: as required.
  • Header Name, Header Value, Path, HTTP Method, Content Type, IP Exclusions
    Filter which requests are evaluated by anomaly detection. These fields accept regular expressions (IP Exclusions is selected from the IP Address Lists) and work exactly as described for Section – Training Data Collection above, with the same examples.

To complete the configuration of this Anomaly Shield application proceed with Setting up Anomaly Shield triggers and rules.

Further information and links