Recommendations for assigning mappings to Anomaly Shield applications

Every Anomaly Shield application can combine one or more data collection, training, and protection mappings – but how can you decide whether two mappings should be combined into the same AS application or kept separate? The information in this article should help answer this question.

  • General considerations:
      • Mappings that behave similarly should be combined into a single AS application. Combining multiple mappings into a single AS application allows for faster training data collection and improves model training to determine normal (non-anomalous) traffic.
      • Mappings that protect back-end applications with different technology or different business logic should be assigned to separate AS applications.
  • Separate AS applications for mappings with differences in business logic:
      • Mappings belong to different business functions.
      • Mappings cover different user groups, e.g. normal users and professional users.
      • Different business functions and user groups generate inhomogeneous traffic – an AS application works best with homogeneous traffic.
  • Separate AS applications for mappings with differences in used technologies:
      • Mappings distinguish between a desktop and mobile application.
      • Mappings belong to different technical components.
      • Mappings belong to different software versions, and there may be significant changes between versions.
      • Different back-end technologies and functions can generate non-comparable traffic – an AS application works best with comparable traffic.

Examples

The following examples demonstrate how the above rules can be applied:

| Use case | Mappings | Reason |
|---|---|---|
| An e-banking application uses Airlock IAM to authenticate its users. | separate | The e-banking application and Airlock IAM use different technology and provide different business logic. |
| The same users use an e-banking application and a trading platform application. | separate | If the applications are from different vendors, the technology and business logic difference is sufficient to keep them separate. |
| The same users use an e-banking application and a trading platform application. | combined | If the applications are from the same vendor and use the same technology, you should keep them combined. |
| A large WordPress site that hosts portals for multiple customers. | combined | The technology is the same and the business logic is still very similar. These sites should be kept combined. |