Part 2 – Training and model enforcement

After collecting several thousands of sessions as training data, the machine learning model can be prepared and enforced as described in this article.

Automatic retraining (scheduled)

Automatic retraining is the recommended option for training and already configured in Part 1 – Preconfigure an Airlock Anomaly Shield application. With this configuration, the data collected quarterly is analyzed as scheduled.

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
    2. AAS (no dropshadow) applications in Data Collection mode
  2. In the application list, click the Button - Manage models (gears button) button to manage the machine learning model of the application. The Anomaly Shield Model Management page opens up.
  3. Optional: In the section ColdDB Cluster Sync click Merge remote data, if the Gateway is operated in a cluster setup,
  4. Make sure that Automatic retraining is enabled, as recommended and wait until the next scheduled, quarterly automatic retraining date.

    5. Proceed with Part 3 – Trigger, pattern and rule configuration.

Optional (initial) manual training

    If you don't want to wait for the scheduled automatic retraining date, proceed as follows:

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
    2. AAS (no dropshadow) applications in Data Collection mode
  2. In the application list, click the Button - Manage models (gears button) button to manage the machine learning model of the application. The Anomaly Shield Model Management page opens up.
  3. Optional: In the section ColdDB Cluster Sync click Merge remote data, if the Gateway is operated in a cluster setup,
  4. Make sure that Automatic retraining is enabled, as recommended.
  5. Select a period of training data with the following in mind:
    • Collect at least several thousand sessions of realistic production data, i.e. a period of typical, little to non-anomalous session data.
    • Select session data for a period of 5 weeks/35 days or more. It is essential to train the machine learning model with the full range of different sessions and traffic behaviors that may occur in a typical calendar month.
    AAS Training Task
  6. Click the Train button to create a prepared model. Note that training may take some time, depending on the number of selected sessions and the available system resources.
  7. In the section Prepared Model status OK appears. If the status is Incomplete or Empty, consider using a larger data set for training.
    8. AAS Prepared Model
  8. In the section Prepared Model click the Enforce model button to enforce the prepared model for the Anomaly Shield application.
  9. The machine learning model is enforced with status OK.
    10. AAS Enforced Model

    Proceed with Part 3 – Trigger, pattern and rule configuration.