Part 2 – Training and model enforcement

After initial setup, the machine learning models need to be trained with production traffic data to effectively detect anomalies and suspicious behavior. To identify the training strategy that best aligns with your requirements, see Section – Training Task of the Anomaly Shield model management page.

Automatic retraining (scheduled)

Best Sessions and Retrain and Enforce are the recommended options for Training Strategy and Automatic retraining, respectively. In this configuration, Anomaly Shield performs a daily evaluation to determine if model retraining is required. When retraining is recommended, the system automatically retrains the models and enforces them.

  1. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
  3. In the application list, click the button to manage the machine learning model of the application. The Anomaly Shield Model Management page opens.
  4. In section Training Task, enable Best sessions and Retrain and enforce.
  6. Go back to the Applications page. The icon appears in the column Enforced Model, indicating that automatic retraining and enforcement is activated.
  7. Proceed with Part 3 – Trigger, pattern and rule configuration.

Optional (initial) manual training

  1. As of Gateway 8.4, Anomaly Shield no longer requires manual model training when the Training Task is set to Best Sessions with Retrain and enforce enabled.

  2. To retrain immediately rather than waiting for the scheduled retraining, proceed as follows:

  3. Go to:
    Application Firewall >> Anomaly Shield >> tab Applications
  5. In the application list, click the button to manage the machine learning model of the application. The Anomaly Shield Model Management page opens up.
  6. Optional: in the section ColdDB Cluster Sync, click Merge remote data if the Gateway is operated in a cluster setup.
  7. Select a period of training data with the following in mind:
    • Collect at least several thousand sessions of realistic production data—i.e., a period of typical, little to non-anomalous session data.
    • Select session data for a period of 5 weeks / 35 days or more. It is essential to train the machine learning model with the full range of different sessions and traffic behaviors that may occur in a typical calendar month.
  10. Click the Train button to create a prepared model. Note that training may take some time, depending on the number of selected sessions and the available system resources.
  11. In the section Prepared Model status OK appears. If the status is Incomplete or Empty, consider using a larger data set for training.
  13. In the section Prepared Model click the Enforce model button to enforce the prepared model for the Anomaly Shield application.
  14. The machine learning model is enforced with status OK.
  16. Proceed with Part 3 – Trigger, pattern and rule configuration.

Further information and links

Internal links: