Airlock Anomaly Shield cookies

Cookie name

Description

Example values (values are urldecoded)

AL_ENV_ML_ANOMALY

The cookie carries the same session identifier that is used in the corresponding log message, ensuring traceability.

  • normal – no anomaly found
  • anomalous – incoming traffic matched a configured anomaly detection trigger
  • exception – a traffic matcher has intervened and no action is executed
  • redeemed – the session was initially classified as anomalous but has been reclassified as normal

AL_ENV_ML_ANOMALY:normal

AL_ENV_ML_DATA

The payload is in JSON format and %‑encoded.

Pretty printed example:

 
Example
{
  "val": {
    "grm": 0.1,
    "ifo": 0.2,
    "scm": 0.3,
    "tcs": 0.4,
    "qpm": 0.5,
    "cba": 0.6
  },
  "thr": {
    "grm": 0.11,
    "ifo": 0.22,
    "scm": 0.33,
    "tcs": 0.44,
    "qpm": 0.55,
    "cba": 0.66
  }
}

There are two different JSON top-keys: “val” (= values) and “thr” (= thresholds).

For every top-key, the full set of machine learning models with their current raw values is included:

  • “grm” – graph metrics cluster
  • “ifo” – isolation forest
  • “scm” – status code meta
  • “tcs” – timing cluster
  • “qpm” – query parameters
  • “cba” – client behavior

AL_ENV_ML_DATA:
%7B%22val%22%3A%7B%22grm%22%3A0.996%2C%22ifo%22%3A0.991%2C%22scm%22%3A0%2C%22tcs%22%3A0.976%2C%22qpm%22%3A0%2C%22cba%22%3A0%7D%2C%22thr%22%3A%7B%22grm%22%3A0.99%2C%22ifo%22%3A0.99%2C%22scm%22%3A0.99%2C%22tcs%22%3A0.99%2C%22qpm%22%3A0.85%2C%22cba%22%3A0.85%7D%7D

Further information and links

Internal links: