Part 1 – Preconfigure an Airlock Anomaly Shield application

One or more Anomaly Shield applications must be configured to shield back-end groups and applications with Airlock Anomaly Shield. Subsequently, Airlock Anomaly Shield's machine learning algorithms must be trained with production data to detect anomalous or suspicious traffic effectively.
In general, different back-end applications, as well as similar back-end applications serving different business cases, show different traffic behavior. In such cases, configure an individual Anomaly Shield application for each mapping instead of sharing one across different mappings.

Best practice for initial Anomaly Shield application setups is to start by configuring individual Anomaly Shield applications per mapping and observing the traffic:

  • When several thousand sessions occur weekly, stick with the multi Anomaly Shield application setup (one application per mapping).
  • When only a few hundred sessions occur per day/week, consider sharing one Anomaly Shield application for similar back-end applications so that a sufficient amount of similar traffic is accumulated.

See also the supplementary article Recommendations for assigning mappings to Anomaly Shield applications.

Preconfigure an Anomaly Shield application and assign it to a mapping

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
  2. Select the ON radio button to activate Airlock Anomaly Shield.
  3. Click the + button to add a new Anomaly Shield Application. The Anomaly Shield Application page opens up.
  4. Set an Application Name.
  5. The new Anomaly Shield application must be assigned to a mapping so that the Anomaly Shield application processes traffic on the mapping.
    Go to:
    Application Firewall >> Reverse Proxy
  6. Assign the Anomaly Shield application to each mapping that should be included in the same Anomaly Shield application. Select the corresponding Anomaly Shield application on the Basic tab of the mapping detail page.
  7. Proceed with enabling training data collection.

Enable training data collection

Collecting realistic training data is required as input for the Anomaly Shield machine learning models. As a rule of thumb, at least several thousand sessions, including atypical or suspicious sessions, provide a reasonable basis for training the machine learning model. This is best achieved by using the automatic retrain and enforce feature and permanently enabling training data collection.

Note the following when collecting training data:

  • Collect realistic production data. If required, filter out internal vulnerability scans using Traffic Matchers as Training Data Collection Exclusion.
  • Collecting the full range of sessions and traffic behavior that may occur in typical calendar months is essential. We recommend using the automatic retrain and enforce option that collects 5–6 weeks of continuous session data, covering weekdays with working times, weekends, and day/night traffic in between training and model enforcement runs.
  • Anomaly Shield works with session data but does not require authenticated sessions. Continue collecting session data until at least several thousand sessions have been saved.

Automatic retraining options:

  • For continuous model improvement, we recommend choosing the option Retrain and enforce. This will automatically choose a period of typical training data within the last 3 months (see scheduled Next training date). This option is configured in the steps below.
  • The Retrain only option can be used in critical environments when model enforcement should not be performed automatically. In this case, the Next training date can be used to schedule the next manual enforcement date.
  • We do not recommend turning off Automatic retraining. You may turn off the option if you need complete control over which training data is used for the Anomaly Shield model or if continuous improvement is undesirable.

The training data are linked to the application name. Changing the Anomaly Shield application name therefore requires collecting new training data!

  1. Go to:
    Application Firewall >> Anomaly Shield
  2. In the application list, click the Manage models (gears) button to manage the machine learning model of the application. The Anomaly Shield Model Management page opens up.
  3. In section Training Task, enable Retrain and enforce.
  4. Go back to the Applications page. The Retrain icon appears in the column Enforced Model, indicating that automatic retraining and enforcement is activated.
  5. Enable Training Data Collection with a mouse click.
  6. Proceed with Part 2 – Training and model enforcement to see when the next automatic retraining is scheduled.