Terms and definitions related to Airlock Anomaly Shield
Airlock Anomaly Shield
Starting with release 7.6, Airlock Gateway includes Airlock Anomaly Shield, an unsupervised machine learning-based anomaly detection mechanism. Airlock Anomaly Shield can be licensed to detect anomalies in the web traffic of the applications protected by Airlock Gateway.
airlock-ml-analytics tool
The airlock-ml-analytics tool is a CLI dry-run application that allows administrators to run trained machine learning models against collected session metrics data from the ColdDB. This allows Airlock Anomaly Shield session data to be evaluated repeatedly with different model parameters. The indicator values that result from this analysis can be used to adjust the enforcement configuration of the Airlock Anomaly Shield engine.
airlock-ml-colddb-tool
The airlock-ml-colddb-tool is a CLI application that allows administrators to perform a set of actions on ColdDB machine learning data collections. This includes data check, merge, move, copy and delete actions. It can also be used to shrink the ColdDB itself.
anomaly indicator values
When several requests during a session are processed by Airlock Anomaly Shield, the request evaluation results in anomaly indicator values. These values are cached in the HotDB and used by the security gate process to supplement and increase the security level.
ColdDB
The ColdDB is a persistent database where aggregated session information of the security gate process is stored for later use by Airlock Anomaly Shield. Its main purpose is to hold the training data for the machine learning algorithm, but it may also be used for other analytics purposes.
HotDB
The HotDB is a fast in-memory database used to cache session request data in the Airlock Gateway. It works as a communication channel between the Security Gate and the Anomaly Shield service. Cached session request data is mined by the Anomaly Shield machine learning algorithm and the resulting anomaly indicator values are returned to the HotDB.
machine learning service (ML service)
The Airlock Anomaly Shield machine learning service runs on the Airlock Gateway appliance as a separate daemon process. It consumes the request data produced by the Security Gate and aggregates it for each session and application. This aggregated data is either persisted in the ColdDB as training data or evaluated by already trained machine learning models. The evaluation results, the session anomaly indicator values, are written back to the HotDB, from where they are consumed by the Security Gate.
machine learning (ML), unsupervised
Airlock Anomaly Shield features unsupervised machine learning algorithms that refine its anomaly detection automatically (unsupervised) by processing request and session data.
model trainer
The Airlock Anomaly Shield model trainer is a CLI application that allows an administrator to train machine learning models with session metrics from collected ColdDB data. The trained models are then used by the Anomaly Shield service to evaluate future sessions.
The model trainer allows the selected data to be optionally constrained by defining an application or time range.
security gate process
The security gate process is the request-processing component and policy enforcement point of the Airlock Gateway.
In combination with Airlock Anomaly Shield, the security gate process evaluates the anomaly information and may apply actions based on the evaluation result.