KB: 1002
Enabling Learning for application
Problem Statement
Enabling Machine Learning based 0-day protection for web applications
Solution
Haltdos WAF solution uses a combination of built-in signatures, user defined policies and machine learning for detecting and blocking attacks on web apps. This module also defends against 0-day attacks by assigning suspicion score to every request based on anomaly based machine learning techniques.
Steps to Solve:-
- Enable Learning mode in WAF by going into Listener -> Learning and configuring the mode as Learning Only. For first time learning, configure the sample rate high based (30% or higher). You may restrict learning to be computed from selected IP pools for accurate learning.
NOTE: For accurate learning, keep the trigger threshold high enough for creating a good baseline for machine learning in WAF
- Keep the WAF in Learning Only mode for a few days. You can check the learning by visiting Discovery section for discovered URLs and allotted suspicion scores.
- Once more than 70% URLs are visible in auto-profiling section, configure Learning mode to Learn & Mitigate to enable WAF to continue learning as well as mitigating 0-day attacks based on existing learning.
NOTE: Reduce the sampling rate once in Learn & Mitigate mode to between 10-30% for effective improvement in baseline learning.