Airlock Anomaly Shield | Starting with release 7.6, Airlock Gateway includes Airlock Anomaly Shield, an unsupervised machine learning-based anomaly detection mechanism. Airlock Anomaly Shield can be licensed to detect anomalies in the web traffic of the applications protected by Airlock Gateway. |
airlock-ml-analytics | The |
airlock-ml-colddb-tool | The |
anomaly indicator values | When several requests during a session are processed by Airlock Anomaly Shield, the request evaluation results in anomaly indicator values. These values are cached in the HotDB and used by the security gate process to supplement and increase the security level. |
client behavior analysis | Client Behavior Analysis is a feature of Airlock Anomaly Shield that detects and analyzes user interactions with the application using a custom JavaScript injected into the application website. The feature collects information about keyboard, mouse and touchscreen interactions to calculate how likely they are to be human interaction. It can reliably distinguish human behavior from scripted bots and automation frameworks. |
ColdDB | The ColdDB is a persistent database where aggregated session information of the security gate process is stored for later use by Airlock Anomaly Shield. Its main purpose is to hold the data used to train the machine learning algorithm, but it may also be used for other analytics purposes. |
HotDB | The HotDB is a fast in-memory database used to cache session request data in the Airlock Gateway. It works as a communication channel between the Security Gate and the Anomaly Shield service. Cached session request data is mined by the Anomaly Shield machine learning algorithm and the resulting anomaly indicator values are returned to the HotDB. |
machine learning service (ML service) | The Airlock Anomaly Shield machine learning service runs on the Airlock Gateway appliance as a separate daemon process. It consumes the request data produced by the Security Gate and aggregates it for each session and application. This aggregated data is either persisted in the ColdDB as training data or evaluated by already trained machine learning models. The evaluation results, the session anomaly indicator values, are written back to the HotDB, from where they are consumed by the Security Gate. |
machine learning (ML), unsupervised | Airlock Anomaly Shield features unsupervised machine learning algorithms that refine its anomaly detection automatically (unsupervised) by processing request and session data. |
security gate process | The security gate process is the Airlock Gateway's request-processing component and policy enforcement point. In combination with Airlock Anomaly Shield, the security gate process evaluates the anomaly information and may apply actions based on the evaluation result. |
IP Aggregates | Airlock Anomaly Shield can aggregate sessions from the same IP address into a virtual session. This allows for identifying suspicious IP addresses (e.g., from a bot node or automated tools) and detecting fragmented attacks that may span multiple regular sessions. Suspicious IPs can then be temporarily blocked. |
virtual session | IP aggregation enables the creation of a virtual session from (multiple) regular sessions that originate from the same (client) IP address. |