Airlock Anomaly Shield is preconfigured with a set of (default) trigger patterns and rules that are known to work well for most security requirements.
Custom triggers and rules may be configured to analyze traffic proactively.
For an example configuration of an additional custom trigger and rule, see article Part 2 – Training and model enforcement.
The following screenshot shows a random example of a pattern configuration:
| Grey dot – neutral, will match any behavior of this indicator. |
| Red dot – matches if this indicator shows anomalous behavior. |
| Green dot – matches if this indicator shows normal behavior. |
A best practice configuration example is described in the article trigger, pattern and rule configuration of our Airlock Anomaly Shield configuration guide.
Airlock Anomaly Shield currently implements the following indicators:
Name of the indicator bit | Short description |
|---|---|
GraphMetricsCluster | This indicator is based on various metrics on the request path sequence, e.g., how often the same path is repeated or the following path is a child, etc. It evaluates the client's surfing behavior. |
IsolationForest | This indicator can detect suspicious requests. A generic anomaly detection algorithm is applied to session metrics from various categories. |
StatusCodeMeta | This indicator detects high rates and unusual distribution of (unwanted) responses using a majority vote on three different status code indicators. |
Timing Cluster | This indicator detects unusual time sequences of page views. The clustering is based on the distribution of the request timing deltas. |
Query Parameters | The query parameter model (QPM) indicator can detect parameter probing, tampering and polluting.
|
Client Behavior | This indicator tracks the client's keyboard, mouse, and touchscreen usage through a custom JavaScript injected on the target website. It is optimized to detect bots. |
