False positives are created whenever Airlock Anomaly Shield flags legitimate sessions as anomalous. The causes of false positives can be very different – thus we have to choose the correct measures to successfully reduce the number of false positives.
- Keep training data clean:
- Create traffic exclusions to exclude non-legitimate traffic before gathering training data and ML model training.
See also Optional configuration of Traffic Matchers.
Training data should be based solely on legitimate traffic.
- Configure response rule exceptions and anomaly detection exclusions for Anomaly Shield applications:
- Configure response rule exceptions for Anomaly Shield applications if applicable.
See also Section – Anomaly Detection. - Configure anomaly detection exclusions for Anomaly Shield applications if applicable.
See also Traffic Matchers detail page.
Adding new response rule exceptions to Anomaly Shield applications can effectively reduce the number of blocks. However, creating exceptions will not influence the anomaly detection itself – logs will still be written whenever an anomaly has been detected.
Anomaly detection exclusions allow bypassing certain traffic from being analyzed, which can be an appropriate measure to reduce false positives. Detection exclusions can also reduce the system load.
- Fine-tune the thresholds for anomaly detection to reduce the false positive rate:
- Ensure the ML models have been trained with clean traffic data and that exceptions have been configured before testing/attempting any fine-tuning measures.
- The default Anomaly Shield model thresholds can be tuned globally and for individual applications. See the table below.
- Airlock Anomaly Shield evaluates sessions after the first 15 requests by default. This threshold can be increased so that the session evaluation happens at a later point of a session. See the table below.
Tuning anomaly detection thresholds greatly impact what behavior may result in what action. Keep in mind that the default threshold set is the result based on extensive research and is suitable for a wide variety of use cases.