Tuning the false-positive handling of Airlock Anomaly Shield

Anomaly Shield threshold tuning can be done in the analytics_indicator_thresholds.json file. The thresholds can be configured as default settings and as individual settings per application.

You can read out the current threshold values in JSON format using the export_thresholds command of the CLI analytics tool.

The JSON file is located under /opt/airlock/ml-service/conf/analytics_indicator_thresholds.json.
Security Gate Expert Settings can be set over the graphical UI in Section - Security Gate.

Note that any changes in the analytics_indicator_thresholds.json file require restarting the ml-service:

systemctl restart airlock-ml-service

Procedure-related prerequisites

See chapter-related prerequisites.

False-positives may be handled by:
Traffic exclusion
Enforcement rule exceptions
By changing indicator threshold values

Traffic exclusion

Exclude traffic that should not be considered to be used during Airlock Anomaly Shield ML model training. See also Optional configuration of Traffic Matchers.

Enforcement rule exceptions

The enforcement logic configuration of Airlock Anomaly Shield is part of the Security Gate configuration as described under Enforcement logic of the Security Gate.

Exceptions for Anomaly Shield applications can be configured in the Configuration Center under Response Rule Exception in Section – Anomaly Response.

Changing indicator threshold values

Anomaly indicator values are processed by a set of thresholds in the analytics_indicator_thresholds.json file to result in an anomaly indicator pattern. This anomaly indicator pattern is the value that is matched in the enforcement rules.

These thresholds have a big impact on what behavior may result in what action. Airlock Anomaly Shield delivers a set of thresholds that are the result of extensive research.

Changing them may be a way to reduce false positives but may also be very challenging to lead to good results.

The default indicator thresholds may be changed in the "default": {} section :

{ 
    "default": { 
        "ConnectionMetrics":    0.99, 
        "GraphMetricsCluster":  0.99, 
        "IsolationForest"       0.99, 
        "MultipleCountries":    0.99, 
        "StatusCodeMeta":       0.99, 
        "TimingCluster":        0.97, 
    }, 
    "ml-apps": {} 
}

To change indicator thresholds for individual ml-apps add a new indicator set to the "ml-apps": {} section:

{ 
    .... 
    "ml-apps": { 
        "myApp": { 
            "ConnectionMetrics":     0.85, 
            "GraphMetricsCluster":   0.95, 
            "IsolationForest":       0.92, 
            "MultipleCountries":     0.95, 
            "StatusCodeMeta":        0.98, 
            "TimingCluster":         0.96, 
        } 
    } 
}

Use the analytics tool to simulate how a change in thresholds would affect the evaluation of your sessions.
If an indicator leads to too many false positives start by increasing the threshold slightly.