Part 1 – Preconfigure an Airlock Anomaly Shield application

To shield back-end groups and applications with Airlock Anomaly Shield, one or more Anomaly Shield applications must be configured. Airlock Anomaly Shield's machine learning algorithms must be trained with production data to detect anomalous or suspicious traffic. Different applications have different traffic behavior, so multiple Anomaly Shield applications must be configured and trained individually to detect anomalies effectively.

The following guidelines may help to determine whether mappings should use different Anomaly Shield applications:

  • Airlock IAM is a separate back-end system that has unique characteristics in how it interacts with both REST and browser clients. Airlock IAM mappings should almost always be in a separate Anomaly Shield application.
  • If there is no good reason to assign a single Anomaly Shield application to multiple mappings, it is recommended to configure and train separate Anomaly Shield applications per mapping.
  • If multiple mappings are connected to a single back-end application (e.g. WordPress), then only one Anomaly Shield application should be assigned to all corresponding mappings.
  • If a back-end or back-end group provides services to multiple different applications (e.g. separate e-banking and trading apps) through a single mapping, this mapping should be split up into one mapping per back-end application. For each mapping, a separate Anomaly Shield application should be configured and assigned.

Preconfigure an Anomaly Shield application and assign it to a mapping

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
  2. Select the ON radio button to activate Airlock Anomaly Shield.
  3. Click the + button to add a new Anomaly Shield Application.
  4. The Anomaly Shield Application page opens up.
  5. Set an Application Name.
  6. The new Anomaly Shield application must be assigned to a mapping so that traffic on the mapping is processed by the Anomaly Shield application.
    Go to:
    Application Firewall >> Reverse Proxy
  7. Assign the Anomaly Shield application to each mapping that should be included in the same Anomaly Shield application. Select the corresponding Anomaly Shield application on the Basic tab of the mapping detail page.
  8. Proceed with enabling training data collection.

Enable training data collection

Collecting realistic training data is required as input for the Anomaly Shield machine learning models. As a rule of thumb, at least several thousand sessions, including atypical or suspicious sessions, would provide a good basis for training the machine learning model.

Note the following when collecting training data:

  • Collect realistic production data. If required, filter out internal vulnerability scans using Traffic Matchers as Training Data Collection Exclusion.
  • Collect session data for at least 1 (preferably 2) full weeks to cover weekdays with working times, weekends, and day/night traffic. It is important to collect the full range of different sessions and traffic behavior that may occur in a typical calendar week or two.
  • Continue collecting session data until at least several thousand sessions have been saved.
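
The coverage criteria above can be checked mechanically before moving on to training. The following is an added example, not part of the Airlock documentation or product: it assumes you have a list of session start times from some export of your own, and the thresholds (3000 sessions as a reading of "several thousand", the night-hour definition) and all function names are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
NIGHT_HOURS = set(range(0, 6)) | {22, 23}   # assumed definition of "night"

def training_data_gaps(session_starts, min_sessions=3000, min_days=7):
    """List the reasons a set of session start times is not yet a
    representative training sample. Thresholds are assumptions."""
    gaps = []
    if len(session_starts) < min_sessions:
        gaps.append(f"only {len(session_starts)} sessions (want {min_sessions})")
    days = {t.date() for t in session_starts}
    if len(days) < min_days:
        gaps.append(f"only {len(days)} calendar days (want {min_days})")
    seen = {t.weekday() for t in session_starts}
    missing = [DAY_NAMES[d] for d in range(7) if d not in seen]
    if missing:
        gaps.append("no sessions on: " + ", ".join(missing))
    hours = {t.hour for t in session_starts}
    if not hours & NIGHT_HOURS:
        gaps.append("no night-time sessions")
    if not hours - NIGHT_HOURS:
        gaps.append("no daytime sessions")
    return gaps

def constructed_sample(first_day, days, hours, step_minutes):
    """Constructed test data: one session every step_minutes during the
    given hours of each day. Real input would be exported session starts."""
    out = []
    for d in range(days):
        for h in hours:
            for m in range(0, 60, step_minutes):
                out.append(first_day + timedelta(days=d, hours=h, minutes=m))
    return out

MONDAY = datetime(2024, 1, 1)  # a Monday
full_fortnight = constructed_sample(MONDAY, 14, range(24), 5)   # 24/7 traffic
office_week = constructed_sample(MONDAY, 5, range(9, 17), 1)    # Mon-Fri, 9-17

if __name__ == "__main__":
    for name, sample in [("full_fortnight", full_fortnight),
                         ("office_week", office_week)]:
        print(name, training_data_gaps(sample) or "ok")
```

Pass `min_days=14` to check against the preferred two-week collection period instead of the one-week minimum.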

The training data are linked to the application name. Changing the Anomaly Shield application name therefore requires collecting new training data!

  1. Go to:
    Application Firewall >> Anomaly Shield
  2. Enable Training Data Collection with a mouse click.
  3. Machine learning models must subsequently be trained and finally enforced. Proceed with Part 2 – Training and model enforcement after a few weeks of collecting session training data.