Airlock Anomaly Shield

Starting with release 7.6, Airlock Gateway includes Airlock Anomaly Shield, an unsupervised machine learning-based anomaly detection mechanism. Airlock Anomaly Shield can be licensed to detect anomalies in the web traffic of the applications protected by Airlock Gateway.

Airlock Anomaly Shield must be configured and baseline-trained separately for each application before it can detect anomalies. After training, the Anomaly Shield analyzes the request traffic patterns of each web session and generates anomaly information continuously as new requests arrive. The Anomaly Shield enforcement logic matches configured patterns against this anomaly information to determine the appropriate action for each session.

Airlock Anomaly Shield operates on the behavior of a web session as a whole and thereby complements the conventional security features of the Security Gate core service, which act directly on the properties of every single request.

Unsupervised machine learning

Airlock Anomaly Shield is based on unsupervised machine learning (ML) models. This has the advantage that no data labeling is required.

However, initial ML training is still required:

  • To train the ML models for a new application, Airlock Gateway can be configured to collect traffic as training data during normal operation. This cold data collection is used to establish the baseline training for the ML models.
  • After training, Airlock Anomaly Shield can be used to evaluate traffic, detect anomalous sessions and take action on them.

Asynchronous Design

Airlock Anomaly Shield requires analyzing multiple requests of a web session, not just the properties of a single request. The evaluation of multiple requests is used to obtain anomaly indicator values. Anomaly detection can be further improved if back-end application responses are also processed.

By design, there is a short delay during detection between the start of a web session and the availability of anomaly indicator values, because anomalous behavior can only be detected once a sufficient number of requests have been processed. Since anomaly evaluation focuses on the web session as a whole, this detection time shift has little impact in practice.

Running anomaly evaluation and request processing asynchronously ensures that the Security Gate process never has to wait for anomaly evaluation values, so it continues to perform at peak efficiency even under high load.

Anomaly detection can consume a lot of system resources, so an evaluation run in Airlock Anomaly Shield may still be in progress while new requests arrive. The data from such requests is automatically included in the next evaluation run.
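The following toy model is an added illustration of the two ideas described above, an unsupervised baseline learned from collected sessions and an evaluator that runs asynchronously from request handling. It is not Airlock code: the session features, the z-score indicator, the `MIN_REQUESTS` delay, the enforcement threshold and all sample traffic are constructed for this example and say nothing about the product's actual models.

```python
"""Toy session-level anomaly baseline illustrating the concepts on this page.
Added example, not Airlock code: features, indicator, threshold and the
sample traffic are all constructed here."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# A session only gets an indicator once this many requests have been seen;
# this models the inherent "short delay" of a session-based detector (assumed value).
MIN_REQUESTS = 5

@dataclass
class Request:
    session: str
    path: str
    status: int

def session_features(reqs: List[Request]) -> Dict[str, float]:
    """Behaviour features of one session (constructed feature set)."""
    n = len(reqs)
    return {
        "requests": float(n),
        "path_diversity": len({r.path for r in reqs}) / n,  # 1.0 = no URL repeated
        "error_ratio": sum(r.status >= 400 for r in reqs) / n,
    }

def train_baseline(sessions: Dict[str, List[Request]]) -> Dict[str, Tuple[float, float]]:
    """Unsupervised baseline from collected traffic: per-feature mean and stddev.
    No labels are needed; the collected sessions are assumed to be normal."""
    columns: Dict[str, List[float]] = defaultdict(list)
    for reqs in sessions.values():
        for name, value in session_features(reqs).items():
            columns[name].append(value)
    return {k: (mean(v), pstdev(v) or 1e-9) for k, v in columns.items()}

def anomaly_indicator(baseline, reqs: List[Request]) -> Optional[float]:
    """Largest absolute z-score over all features, or None if too few requests."""
    if len(reqs) < MIN_REQUESTS:
        return None
    feats = session_features(reqs)
    return max(abs(feats[k] - mu) / sd for k, (mu, sd) in baseline.items())

def enforcement_action(indicator: Optional[float], threshold: float = 3.0) -> str:
    """Toy enforcement pattern: terminate the session above the threshold."""
    if indicator is None or indicator <= threshold:
        return "allow"
    return "terminate_session"

class AsyncEvaluator:
    """Request handling never waits for ML evaluation. Requests are queued and
    evaluate() works on a snapshot, so requests arriving while a run is in
    progress are picked up by the next run."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.pending: List[Request] = []
        self.sessions: Dict[str, List[Request]] = defaultdict(list)
        self.indicators: Dict[str, Optional[float]] = {}

    def on_request(self, req: Request) -> str:
        self.pending.append(req)
        # Act on whatever indicator the previous evaluation run produced.
        return enforcement_action(self.indicators.get(req.session))

    def evaluate(self) -> Dict[str, Optional[float]]:
        batch, self.pending = self.pending, []  # snapshot; later arrivals queue up
        for r in batch:
            self.sessions[r.session].append(r)
        for sid in {r.session for r in batch}:
            self.indicators[sid] = anomaly_indicator(self.baseline, self.sessions[sid])
        return dict(self.indicators)

def build_training_traffic() -> Dict[str, List[Request]]:
    """Constructed 'cold data collection': four ordinary browsing sessions."""
    pages = ["/", "/login", "/account", "/account/orders", "/logout"]
    sessions = {}
    for i in range(4):
        sid = f"train{i}"
        sessions[sid] = [Request(sid, p, 200) for p in pages[: 3 + i % 3] + ["/account"]]
    sessions["train0"].append(Request("train0", "/old-page", 404))  # one stale link
    return sessions

def run_demo():
    """Two constructed live sessions: normal browsing, and one that walks
    many non-existent URLs. Returns the data worth checking."""
    ev = AsyncEvaluator(train_baseline(build_training_traffic()))
    normal = [Request("s1", p, 200) for p in ["/", "/login", "/account", "/account", "/logout"]]
    noisy = [Request("s2", f"/unknown-{i}", 404) for i in range(12)]
    first_actions = [ev.on_request(r) for r in normal + noisy[:6]]
    ev.evaluate()                                   # run 1: s1 has 5, s2 has 6 requests
    s2_seen_after_run1 = len(ev.sessions["s2"])
    late_actions = [ev.on_request(r) for r in noisy[6:]]  # arrive after the snapshot
    ev.evaluate()                                   # run 2 picks the rest up
    return ev, first_actions, late_actions, s2_seen_after_run1

if __name__ == "__main__":
    ev, _, _, _ = run_demo()
    for sid, ind in ev.indicators.items():
        print(f"{sid}: indicator={ind:.2f} action={enforcement_action(ind)}")
```

Two points the run makes visible: every request before the first evaluation is answered with `allow` because no indicator exists yet (the delay described above), and the six `s2` requests that arrive after the first snapshot are only folded into the session in the second run, while the request path already acts on the indicator the first run produced.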