Trigger and Pattern detail page

Airlock Anomaly Shield is preconfigured with a set of default trigger patterns and rules that are known to work well for most security requirements. This configuration is known to reliably detect anomalous traffic created by unwanted bots and malicious sessions. The triggers are subsequently assigned to a set of rules.

Custom triggers and rules may be configured to analyze traffic proactively.

For an example configuration of an additional custom trigger and rule, see the article Part 2 – Training and model enforcement.

Section – Trigger

Add an AAS Trigger
  • Name – assign a unique name for the entry.
  • Tenant – add tenants to allow tenancy access. See also Multitenancy feature.

Section – Patterns

The following screenshot shows an example of a pattern configuration:

Add AAS Patterns
  • Use the + button to add one or more patterns.
  • A pattern is formed from the set of anomaly indicators. Each indicator in the pattern is set to one of three states:
      • Grey dot – neutral; matches any behavior of this indicator.
      • Red dot – matches only if this indicator shows anomalous behavior.
      • Green dot – matches only if this indicator shows normal behavior.

A best-practice configuration example is described in the article Trigger, pattern and rule configuration of the Airlock Anomaly Shield configuration guide.

Airlock Anomaly Shield currently implements the following indicators (name of the indicator bit – short description):

  • GraphMetricsCluster – This indicator is based on various metrics of the request path sequence, e.g., how often the same path is repeated or whether the next path is a child of the current one. It evaluates the client's browsing behavior.
  • IsolationForest – This indicator can detect suspicious requests. A generic anomaly detection algorithm is applied to session metrics from various categories.
  • StatusCodeMeta – This indicator detects high rates and an unusual distribution of (unwanted) responses, using a majority vote over three different status code indicators.
  • Timing Cluster – This indicator detects unusual time sequences of page views. The clustering is based on the distribution of the deltas between request timestamps.
  • Query Parameters – The query parameter model (QPM) indicator can detect parameter probing, tampering and pollution. It monitors:
      • HTTP status codes
      • frequency of parameter use
      • rarely used parameter names and values
  • Client Behavior – This indicator tracks the client's keyboard, mouse and touchscreen usage through a custom JavaScript injected into the target website. It is optimized to detect bots.
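The tri-state pattern semantics from the Patterns section (grey, red, green dot) applied to the indicator bits listed above, as an added example that is not Airlock's own code. It assumes that a trigger holding several patterns fires when at least one pattern matches, and that an indicator which produced no bit for a session cannot satisfy a red or green setting; the session bits are constructed.

```python
"""Tri-state pattern matching over anomaly indicator bits (added example,
not Airlock's own code). Assumption: a trigger with several patterns fires
when at least one of its patterns matches."""
from enum import Enum

class State(Enum):
    GREY = "neutral"    # grey dot: matches any behavior of this indicator
    RED = "anomalous"   # red dot: matches only if the indicator is anomalous
    GREEN = "normal"    # green dot: matches only if the indicator is normal

# Indicator names as listed on this page (spaces removed).
INDICATORS = ("GraphMetricsCluster", "IsolationForest", "StatusCodeMeta",
              "TimingCluster", "QueryParameters", "ClientBehavior")

def pattern_matches(pattern, session_bits):
    """pattern: {indicator: State}; session_bits: {indicator: bool}, where
    True means the indicator flagged the session as anomalous. Indicators
    absent from the pattern are treated as GREY."""
    for name in INDICATORS:
        state = pattern.get(name, State.GREY)
        if state is State.GREY:
            continue
        if name not in session_bits:
            # Assumption: an indicator that produced no bit (e.g. Client
            # Behavior without the injected JavaScript) satisfies neither
            # RED nor GREEN, so the pattern cannot match.
            return False
        anomalous = session_bits[name]
        if state is State.RED and not anomalous:
            return False
        if state is State.GREEN and anomalous:
            return False
    return True

def trigger_fires(patterns, session_bits):
    """A trigger holds one or more patterns (the + button); assumed OR."""
    return any(pattern_matches(p, session_bits) for p in patterns)

# Constructed sample bits: a script that probes query parameters and produces
# no keyboard/mouse events, but keeps an unremarkable request timing.
PROBING_BOT = {"GraphMetricsCluster": True, "IsolationForest": False,
               "StatusCodeMeta": True, "TimingCluster": False,
               "QueryParameters": True, "ClientBehavior": True}
HUMAN_SESSION = {name: False for name in INDICATORS}

BOT_TRIGGER = [  # two patterns; only the first matches PROBING_BOT
    {"ClientBehavior": State.RED, "QueryParameters": State.RED},
    {"GraphMetricsCluster": State.RED, "TimingCluster": State.RED},
]
```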