Part 1 – Preconfiguring an Anomaly Shield application

To protect back-end groups and applications using Airlock Anomaly Shield, one or more Anomaly Shield applications must be configured and training data collection must be enabled.

Preconfigure an Anomaly Shield application and assign it to a mapping

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
  2. Select the ON radio button to activate Airlock Anomaly Shield.
  3. Click the + button to add a new Anomaly Shield Application.
  4. The Anomaly Shield Application page opens up.
  5. Set an Application Name.
  7. The new Anomaly Shield application can be assigned to one or more mappings, enabling it to process traffic handled by those mappings.
  8. Go to:
    Application Firewall >> Reverse Proxy
  9. Assign the Anomaly Shield application to each mapping that should be included in the same Anomaly Shield application. Select the corresponding Anomaly Shield application on the Basic tab of the mapping detail page.
  11.  
    Info

    Best practice is to configure one Anomaly Shield application per mapping and to observe the production traffic patterns. This approach helps to isolate anomalous behaviors and ensures better model accuracy.

    • If a mapping handles several thousand sessions per week, continue using one Anomaly Shield application per mapping.
    • If a mapping handles a few hundred sessions per day or week, consider combining similar mappings into a shared Anomaly Shield application to accumulate sufficient data.

    See also Assigning mappings to Anomaly Shield applications.

  12. Proceed with enabling training data collection.

Enable training data collection

Collecting realistic training data is required as input for the Anomaly Shield machine learning model. As a rule, a minimum of 3000 sessions—including atypical and suspicious ones—provides a solid foundation for training the machine learning models. The most effective way to achieve this is by enabling data collection and using the automatic retrain and enforce feature.

Note the following when collecting training data:

  • Model training requires production data.
  • If required, filter out internal vulnerability scans using Traffic Matchers as Training Data Collection Exclusion.
  • 35 days of training data are ideal for model training. This time period contains an equal amount of weekdays and weekends and it covers all the monthly fluctuations (e.g. salary payment day).
  • Anomaly Shield works with session data but does not require authenticated sessions. Continue collecting session data until at least 3000 sessions have been saved.
 
Functional limitation

The training data is stored under the ML application name in the database. Changing the ML application name requires collecting new training data!

  1. Go to:
    Application Firewall >> Anomaly Shield >> Tab Applications >> {{ML Application}}
  3. Set Training Data Collectionto On.
  4. If the option Client Behavior is enabled, Anomaly Shield will inject JavaScript code to collect data about mouse, keyboard and touchscreen usage. Disable this option if client behavior is not desired or JS injection causes problems.
  5. Proceed with Part 2 – Training and model enforcement to configure the model training strategy.

Further information and links

Internal links: