IP Reputation

IP Reputation is a mechanism that provides per-client IP context to Airlock Anomaly Shield (AAS) models. Shared across AAS-enabled applications, IP Reputation uses prior AAS evaluations to compute scores that help AAS react faster and be stricter with suspicious clients.

How it works

AAS maintains two scores for each client IP address:

  • Short-term score (STS)
    Tracks the severity profile of a client IP over approximately one day to highlight active attackers and immediate threats.
  • Long-term score (LTS)
    Tracks behavior over a 30‑day horizon to surface recurring attackers more quickly.

Both scores increase with suspicious activity and decay during benign periods. The scores are computed from AAS model outcomes across all AAS‑enabled applications. The resulting per‑client IP scores are shared for use in each application’s decision logic.

Activation and configuration

IP Reputation is automatically active when Detection Mode is enabled for at least one application. There is no separate UI control.

Exceptions and exclusions

IP Reputation integrates with existing Traffic Matchers. Your current IP allowlists in Traffic Matchers continue to apply — no additional configuration is required.

Deactivation

IP Reputation cannot be disabled independently. To prevent score computation, disable AAS detection.

Logging

When a score changes for a client IP, AAS emits the following log events:

  • ML-SVC-IPRP-200 — STS update
  • ML-SVC-IPRP-201 — LTS update

Use these events to monitor score evolution and correlate reputation changes with request/decision logs to understand behavior changes and investigate spikes.
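
As an added example (not part of the Airlock documentation or product), the following Python script counts ML-SVC-IPRP-200 and ML-SVC-IPRP-201 events per client IP, so the addresses whose scores change most often can be looked up first in the request/decision logs. Only the two event IDs come from this page; the sample lines, their layout, the `OTHER-EVENT-000` ID and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Event IDs documented above; the rest of each log line is treated as opaque.
EVENT_KIND = {"ML-SVC-IPRP-200": "STS", "ML-SVC-IPRP-201": "LTS"}
EVENT_RE = re.compile(r"\b(ML-SVC-IPRP-20[01])\b")
TOKEN_SPLIT = re.compile(r"[\s=,;\"'\[\]()]+")

def first_ip(line):
    """Return the first token that parses as an IPv4/IPv6 address, else None."""
    for token in TOKEN_SPLIT.split(line):
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None

def count_updates(lines):
    """Map client IP -> Counter of STS/LTS score-update events."""
    per_ip = defaultdict(Counter)
    for line in lines:
        m = EVENT_RE.search(line)
        ip = first_ip(line) if m else None
        if ip:
            per_ip[ip][EVENT_KIND[m.group(1)]] += 1
    return per_ip

def busiest(per_ip, min_sts_updates=2):
    """IPs with at least min_sts_updates STS changes, most active first."""
    # An event marks a score change in either direction (increase or decay),
    # so the count measures churn and says nothing about the score's value.
    hits = [(ip, c["STS"], c["LTS"]) for ip, c in per_ip.items()
            if c["STS"] >= min_sts_updates]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))

# Constructed sample lines; the layout around the event ID is an assumption.
SAMPLE = """\
2025-01-10T09:00:01Z ML-SVC-IPRP-200 client_ip=203.0.113.7
2025-01-10T09:00:09Z ML-SVC-IPRP-200 client_ip=203.0.113.7
2025-01-10T09:01:30Z ML-SVC-IPRP-200 client_ip=2001:db8::5
2025-01-10T09:02:00Z ML-SVC-IPRP-201 client_ip=203.0.113.7
2025-01-10T09:02:10Z ML-SVC-IPRP-200 client_ip=198.51.100.20
2025-01-10T09:03:00Z OTHER-EVENT-000 client_ip=192.0.2.99
2025-01-10T09:04:00Z ML-SVC-IPRP-200 client_ip=203.0.113.7
2025-01-10T09:05:00Z ML-SVC-IPRP-200 client_ip=2001:db8::5
""".splitlines()

if __name__ == "__main__":
    for ip, sts, lts in busiest(count_updates(SAMPLE)):
        print(f"{ip}: STS updates={sts}, LTS updates={lts}")
```

Because scores are shared across all AAS-enabled applications, an IP surfaced this way should be checked against the request logs of every such application, not only the one under investigation.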

Operational notes

  • LTS data is persisted in the SQLite database iprp.db. Use the airlock-ml-iprpdb-tool to inspect or delete LTS entries if required.
  • The scores are shared across all AAS‑enabled applications; activity observed in one application can influence decisions in others. AAS models use the scores to adjust thresholds and improve decisions, but IP Reputation itself does not block traffic.