Terms and definitions related to Airlock Anomaly Shield

Starting with release 7.6, Airlock Gateway includes Airlock Anomaly Shield, an unsupervised machine learning-based anomaly detection mechanism. Airlock Anomaly Shield can be licensed to detect anomalies in the web traffic of the applications protected by Airlock Gateway.

The airlock-ml-analytics tool is a CLI dry-run application that allows administrators to run trained machine learning models against collected session metrics data from the ColdDB. This allows Airlock Anomaly Shield session data evaluation to be repeatedly analyzed with different model parameters. Indicator values are the result of this analysis can be used to adjust the enforcement configuration of the Airlock Anomaly Shield engine.

The airlock-ml-colddb-tool is a CLI application that allows administrators to perform a set of actions on ColdDB machine learning data collections. This includes data check, merge, move, copy and delete actions. It can also be used to shrink the ColdDB itself.

When several requests during a session are processed by Airlock Anomaly Shield, the request evaluation results in anomaly indicator values. These values are cached in the HotDB and used by the security gate process to supplement and increase the security level.

The ColdDB is a persistent database where aggregated session information of the security gate process is stored for later usage by Airlock Anomaly Shield. The main purpose is, to hold training data to train the machine learning algorithm, but it may also be used for other analytics purposes.

The HotDB is a fast in-memory database used to cache session request data in the Airlock Gateway. It works as a communication channel between the Security Gate and the Anomaly Shield service. Cached session request data is mined by the Anomaly Shield machine learning algorithm and the resulting anomaly indicator values are returned to the HotDB.

The Airlock Anomaly Shield machine learning service runs on the Airlock Gateway appliance as a separate daemon process. It consumes the request data produced by the Security Gate and aggregates it for each session and application. This aggregated data is either persisted in the ColdDB as training data or used to be evaluated by already trained machine learning models. The evaluation result, the session anomaly indicator values, are written back to the HotDB, from where it is consumed by the Security Gate.

Airlock Anomaly Shield features unsupervised machine learning algorithms that refine its anomaly detection automatically (unsupervised) by processing request and session data.

The security gate process is the Airlock Gateway's request-processing component and policy enforcement point.

In combination with Airlock Anomaly Shield, the security gate process evaluates the anomaly information and may apply actions based on the evaluation result.

Airlock Anomaly Shield can aggregate sessions from the same IP address to a virtual session.

This allows for identifying suspicious IP addresses (e.g., from a bot node or automated tools) and detecting fragmented attacks that may span multiple regular sessions. Suspicious IPs can then be temporarily blocked.

IP aggregation enables the creation of a virtual session from (multiple) regular sessions that originate from the same (client) IP address.