Submenu – Anomaly Shield

This entry page provides direct access to enable, configure, train and apply Airlock Anomaly Shield protection to applications. Anomaly Shield Applications are configured using resources from the Triggers & Rules and Traffic Matchers tabs.

  • Note that enabling the Airlock Anomaly Shield service requires a valid license.
  • In order to shield an application, Airlock Anomaly Shield machine learning models must be trained based on a sufficient amount of relevant training data. See Part 2 – Training and model enforcement.

Tab – Applications

[Screenshot: Anomaly Shield Applications submenu]

  • ON/OFF radio buttons: The complete Airlock Anomaly Shield service can be enabled or disabled with the ON/OFF radio buttons. By default, the service is disabled.

In the Applications table, applications that should be protected by Airlock Anomaly Shield can be managed:

| Column | Description |
|---|---|
| Anomaly Shield Application | List of configured applications. |
| Data Collection | Indicates the state of data collection: enabled (green) or disabled (gray). |
| Detection and Response | Indicates the state of detection and response handling: enabled (green) or disabled (gray). |
| Enforced Model | Information about the enforced machine learning model. An enforced model is required to enable Detection and Response. Enforced models can be overwritten by enforcing a prepared model in Section – Prepared Model or by importing prepared models. The retrain icon indicates that the option Retrain and enforce is enabled on the Anomaly Shield model management page. |
| Prepared Model | Preparation status and information about the prepared machine learning model. Prepared models can be generated with training data in Section – Training Task. A pointing-hand icon indicates that a new prepared model is ready to be enforced; in that case an additional note informing that a new model can be enforced is displayed on login to the Configuration Center. |
| Models | Clicking the button opens the Anomaly Shield model management page. |
| (Delete / Add buttons) | Entries can be added to or deleted from the list of configured applications using the corresponding button. |

Clicking on an existing entry or adding a new entry to the list will open the Application detail page.

Tab – Triggers & Rules

[Screenshot: Triggers & Rules tab]

Airlock Anomaly Shield provides a set of default triggers and rules for general security that cannot be changed. Custom triggers and rules can be added if required and can be selected as resources for individual applications.

Traffic to Anomaly Shield Applications is analyzed, and depending on the Triggers, the configured Rules are enforced.

Rules are processed in top-down order. Sorting can be done by drag and drop, except for default rules. The first matching rule will be applied!

Tab – Traffic Matcher

[Screenshot: Traffic Matcher tab]

Traffic Matchers are configured as sets of regex filters and IP lists that can be applied to incoming traffic.

Traffic Matchers are resources for the Anomaly Shield Applications detail page and can be referenced under:
  • Training Data Collection, e.g., to exclude vulnerability scanning sessions from being analyzed and collected as training data by Airlock Anomaly Shield.
  • Anomaly Detection Exclusions, to route potentially non-threatening sessions (e.g., internal network traffic) around Airlock Anomaly Shield.
  • Response Rule Exceptions, to prevent false positives: matching requests bypass Airlock Anomaly Shield, while other requests of the same session are not affected by the exception and are processed by Airlock Anomaly Shield as usual.

For configuration, the Traffic Matchers detail page can be opened either by clicking on an existing entry or by adding a new entry to the list.
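To make the processing order of the Triggers & Rules tab and the three Traffic Matcher uses concrete, the following Python model is an added example written for this page, not Airlock code. It assumes that a Traffic Matcher hits when any of its regex filters (applied to the request path) or IP list entries matches, that a trigger is a predicate over a session's anomaly indicators, that an Anomaly Detection Exclusion is sticky for the whole session while a Response Rule Exception applies to a single request only, and that the application, actions and scores are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable
@dataclass(frozen=True)
class TrafficMatcher:
    """Set of regex filters (matched against the request path) plus an IP list (CIDRs)."""
    regex_filters: tuple = ()
    ip_list: tuple = ()
    def matches(self, client_ip: str, path: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        ip_hit = any(ip in ipaddress.ip_network(n) for n in self.ip_list)
        re_hit = any(re.search(r, path) for r in self.regex_filters)
        return ip_hit or re_hit  # assumption: any filter in the set suffices
@dataclass(frozen=True)
class Rule:
    name: str
    trigger: Callable[[dict], bool]  # evaluated on the session's anomaly indicators
    action: str
def first_matching_rule(rules, indicators):
    """Rules are processed top-down; the first rule whose trigger fires is applied."""
    for rule in rules:
        if rule.trigger(indicators):
            return rule
    return None

def handle_request(app, session, request):
    """Return (action, reason) for one request of a session of the application `app`."""
    ip, path = session["client_ip"], request["path"]
    # Anomaly Detection Exclusion: once it matches, the whole session bypasses the shield.
    if session.get("excluded") or app["detection_exclusion"].matches(ip, path):
        session["excluded"] = True
        return "allow", "session excluded from detection"
    rule = first_matching_rule(app["rules"], session["indicators"])
    if rule is None:
        return "allow", "no trigger fired"
    # Response Rule Exception: only this request bypasses; the session stays under analysis.
    if app["response_exception"].matches(ip, path):
        return "allow", f"request exempted from rule {rule.name}"
    return rule.action, f"rule {rule.name}"

# Constructed sample application (illustrative values, not a real Airlock configuration)
SAMPLE_APP = {
    "detection_exclusion": TrafficMatcher(ip_list=("10.0.0.0/8",)),
    "response_exception": TrafficMatcher(regex_filters=(r"^/health$",)),
    "rules": (
        Rule("default-critical", lambda i: i["score"] >= 0.9, "terminate session"),
        Rule("custom-suspicious", lambda i: i["score"] >= 0.5, "block request"),
    ),
}
```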