Mappings and ML applications
Assigning Mappings to ML applications

How Mappings are combined into ML applications strongly influences how well the Anomaly Shield can recognize anomalous behavior.

Guidelines for assigning Mappings to ML applications

Client behavior

When multiple different clients use the same backend application, the question is whether the clients behave differently:

  • Use different ML applications if the clients are different.
    Example: One client is a mobile app and uses a REST interface. The other client is browser-based and uses server-side rendering.
  • Use the same ML application if the clients are similar.
    Example: The same client is deployed on mobile phones and to desktop browsers.

Multiple backends

When using multiple backends, the way the backend is implemented may lead to distinctly different behavior of the client.

  • Use different ML applications if the backend servers behave differently.
    Example: One backend requires constant polling and provides very small data snippets that need to be aggregated in the client. The other backend server provides all data to render one page in one single request.
  • Use the same ML application if the backend servers differ on the business layer only, but behave very similarly on the technical layer.
    Example: E-banking and trading run on different backends, but the software is provided by the same vendor, they use the identical technology stack, and the APIs behave very similarly.

Segregating authentication

Authentication or other self-services that relate to identity and access management should typically have their own ML application.

Background information - working with characteristics of applications

Anomaly detection works best if most of the data shows similar characteristics.
The picture shows a cluster of data (light blue) and two outliers (dark blue).
Superimposing data from different applications may increase the variance of the data and make training and detection more difficult.
The picture shows that outliers from the red data-set match the grouping of the blue data-set and vice versa.
Segregating mappings with different behavior and combining mappings with similar behavior is ideal.
The picture shows the data-sets segregated and the outliers are clearly detectable.
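
The effect described in the three pictures can be reproduced with a small added example (not Airlock code and not the Anomaly Shield's algorithm). It assumes a simple z-score detector as a stand-in model, and the Mapping names, the requests-per-minute feature and all values are constructed, following the polling versus single-request backend example above.

```python
from statistics import mean, stdev

# Constructed training data: requests per minute per session for two
# hypothetical Mappings (a polling backend and a single-request backend).
TRAIN = {
    "polling_backend": [58, 61, 60, 63, 59, 62, 60, 57, 61, 59],
    "single_request_backend": [4, 6, 5, 7, 5, 4, 6, 5, 6, 5],
}
# Constructed sessions to score. The last value in each list is the outlier:
# it is abnormal for its own Mapping but looks normal for the other one.
OBSERVED = {
    "polling_backend": [60, 62, 5],
    "single_request_backend": [5, 6, 60],
}
THRESHOLD = 3.0  # assumed cut-off: flag sessions more than 3 std devs from the mean


def fit(values):
    """Stand-in 'training': learn mean and standard deviation of the feature."""
    return mean(values), stdev(values)


def flag(model, values, threshold=THRESHOLD):
    """Return the values whose z-score against the model exceeds the threshold."""
    mu, sigma = model
    return [v for v in values if abs(v - mu) / sigma > threshold]


def detect_combined():
    """Both Mappings in one ML application: a single model over pooled data."""
    model = fit([v for vals in TRAIN.values() for v in vals])
    return {name: flag(model, vals) for name, vals in OBSERVED.items()}


def detect_segregated():
    """One ML application per Mapping: each model sees only its own data."""
    return {name: flag(fit(TRAIN[name]), vals) for name, vals in OBSERVED.items()}


if __name__ == "__main__":
    print("combined:  ", detect_combined())
    print("segregated:", detect_segregated())
```

In the pooled model the standard deviation grows to roughly 28 requests per minute, so both outliers score a z-value near 1 and stay hidden. With one model per Mapping the same sessions score above 30.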