Version: v6

Learning

Enable Machine Learning in WAF

Overview

Haltdos’s security is adaptive through automated learning: by learning application behavior it can make policy recommendations, which makes it easier for security teams to manage policies. Administrators retain full control over the activation and deactivation of each ruleset, with the opportunity to screen for false positives before committing to production.

This module also defends against 0-day attacks by assigning a suspicion score to every request using anomaly-based machine learning techniques. The learning requires the creation of a baseline during normal operations to understand user and application behavior for every URL. Once the baseline has been set, the WAF starts to look for anomalous patterns and blocks malicious 0-day attacks. As an adaptive solution, the learning continues at the configured sampling rate to improve the baseline for dynamic web applications.


How to Use:

  1. Go to WAF > Listeners > Learning

  2. Configure your settings.

  3. Click Save Changes

Parameter            Accepted Values   Default
Learning Mode        Drop-down         Learning Disabled
Sampling Rate        Integer           10
Trigger Threshold    Integer           100000
Error Rate           Integer           5
Drop Rate            Integer           5
IP Prefixes          Integer           Blank

Description:

  1. Learning Mode

This option specifies the learning mode, i.e. whether Machine Learning is enabled or disabled. When enabled, the WAF starts learning from requests, stores all the required information, and takes action on requests detected as malicious.

  2. Sampling Rate

Specify the rate at which requests are sampled for learning. This allows the anomaly-based machine learning to generate its baseline at the specified sampling rate.

  3. Trigger Threshold

Specify the minimum number of HTTP requests required per URL before learning mitigations are enabled. Once the threshold is breached, mitigation is turned on for the learnt URLs.

  4. Error Rate

Specify the maximum allowed error rate from a source IP, beyond which the IP is temporarily blacklisted.

  5. Drop Rate

Specify the maximum allowed drop rate from a source IP, beyond which the IP is temporarily blacklisted.

  6. IP Prefixes

Users can specify a list of IPs.
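The six parameters above work together: requests are sampled into a per-URL baseline, mitigation for a URL only switches on once its request count crosses the Trigger Threshold, and a source IP whose error or drop rate exceeds the configured limit is temporarily blacklisted. The following Python model is an added illustration of how those pieces fit, not Haltdos code; the page does not describe the real feature set, scoring or time windows, so the features used (total query-value length and character classes), the "1 in N" reading of Sampling Rate, the suspicion cut-off, the minimum per-IP request count before rates are judged, the blacklist TTL and the CIDR interpretation of IP Prefixes are all assumptions.

```python
# Added toy model of the Learning parameters documented above (constructed, not Haltdos code).
# Feature set, suspicion cut-off, per-IP rate window, blacklist TTL and the reading of
# "Sampling Rate" as 1-in-N and "IP Prefixes" as CIDRs are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import math
import string

SUSPICION_CUTOFF = 6.0   # assumption: score above which a learnt URL blocks the request
RATE_WINDOW_MIN = 20     # assumption: requests an IP must send before its rates are judged
BLACKLIST_TTL = 60.0     # assumption: seconds a blacklisted IP stays blocked


@dataclass
class LearningConfig:
    learning_enabled: bool = True    # "Learning Mode"
    sampling_rate: int = 10          # assumption: learn from 1 in N requests (10 = 10%)
    trigger_threshold: int = 100000  # requests per URL before mitigation switches on
    error_rate: int = 5              # max percent of an IP's requests that may error
    drop_rate: int = 5               # max percent of an IP's requests that may be dropped
    ip_prefixes: list = field(default_factory=list)  # assumption: CIDRs to learn from (empty = all)


@dataclass
class UrlBaseline:
    seen: int = 0        # every request to this URL, sampled or not
    n: int = 0           # sampled requests folded into the statistics
    mean: float = 0.0    # running mean of total query-value length (Welford's method)
    m2: float = 0.0      # running sum of squared deviations
    classes: set = field(default_factory=set)  # character classes observed so far

    def update(self, length, classes):
        self.n += 1
        delta = length - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (length - self.mean)
        self.classes |= classes

    @property
    def stdev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


def features(params):
    """Total value length and the set of character classes across all query values."""
    classes = set()
    for value in params.values():
        for ch in value:
            if ch in string.ascii_letters:
                classes.add("alpha")
            elif ch in string.digits:
                classes.add("digit")
            else:
                classes.add("space" if ch.isspace() else "punct")
    return sum(len(v) for v in params.values()), classes


class LearningWaf:
    def __init__(self, cfg):
        self.cfg = cfg
        self.networks = [ipaddress.ip_network(p) for p in cfg.ip_prefixes]
        self.baselines = defaultdict(UrlBaseline)
        self.ip_stats = defaultdict(lambda: {"total": 0, "errors": 0, "drops": 0})
        self.blacklist = {}  # ip -> time at which the temporary blacklisting expires

    def _in_scope(self, ip):
        addr = ipaddress.ip_address(ip)
        return not self.networks or any(addr in net for net in self.networks)

    def suspicion(self, url, params):
        """Z-score of value length (spread floored at 1 char) plus 3 per unseen character class."""
        b = self.baselines[url]
        if b.n < 2:
            return 0.0  # no usable baseline yet
        length, classes = features(params)
        z = abs(length - b.mean) / max(b.stdev, 1.0)
        return z + 3.0 * len(classes - b.classes)

    def handle(self, ip, url, params, status=200, now=0.0):
        """Return 'allow', 'block' (anomaly on a learnt URL) or 'blacklisted' (per-IP rate)."""
        if self.blacklist.get(ip, -1.0) > now:
            return "blacklisted"
        stats = self.ip_stats[ip]
        stats["total"] += 1
        b = self.baselines[url]
        b.seen += 1
        verdict = "allow"
        # Mitigation applies only once the URL has crossed the trigger threshold.
        if b.seen > self.cfg.trigger_threshold and self.suspicion(url, params) > SUSPICION_CUTOFF:
            verdict = "block"
            stats["drops"] += 1
        elif status >= 400:
            stats["errors"] += 1
        # Learn only from allowed, in-scope requests, at the configured sampling rate,
        # so that blocked anomalies never poison the baseline.
        if (verdict == "allow" and self.cfg.learning_enabled and self._in_scope(ip)
                and b.seen % self.cfg.sampling_rate == 0):
            b.update(*features(params))
        # Temporarily blacklist an IP whose error or drop rate exceeds the configured limit.
        if stats["total"] >= RATE_WINDOW_MIN:
            pct = lambda k: 100.0 * stats[k] / stats["total"]
            if pct("errors") > self.cfg.error_rate or pct("drops") > self.cfg.drop_rate:
                self.blacklist[ip] = now + BLACKLIST_TTL
                self.ip_stats[ip] = {"total": 0, "errors": 0, "drops": 0}
        return verdict


def run_demo():
    """Drive the model with constructed traffic; returns the verdicts for inspection."""
    cfg = LearningConfig(sampling_rate=1, trigger_threshold=50, ip_prefixes=["10.0.0.0/24"])
    waf = LearningWaf(cfg)
    for i in range(50):  # constructed baseline: short alphanumeric search terms, five clients
        waf.handle("10.0.0.%d" % (i % 5 + 1), "/search", {"q": "item%d" % i})
    out = {"normal": waf.handle("10.0.0.9", "/search", {"q": "item99"})}
    out["anomalous"] = waf.handle("10.0.0.9", "/search", {"q": "x" * 200 + "';--"})
    for i in range(20):  # one client whose error rate (2 of 20 = 10%) exceeds the 5% limit
        waf.handle("10.0.0.7", "/search", {"q": "item1"}, status=404 if i in (3, 10) else 200)
    out["rate_limited"] = waf.handle("10.0.0.7", "/search", {"q": "item1"})
    out["after_expiry"] = waf.handle("10.0.0.7", "/search", {"q": "item1"}, now=BLACKLIST_TTL + 1)
    out["unlearnt_url"] = waf.handle("10.0.0.9", "/other", {"q": "x" * 200 + "';--"})
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two design choices in the model are worth noting when reading the real parameters: the baseline is only updated from requests that were allowed, so a blocked anomaly cannot drift the statistics it was caught by, and the same payload that is blocked on the learnt /search URL is allowed on /other because that URL has not yet reached the Trigger Threshold, which is exactly the window the threshold is meant to cover while a baseline is still forming.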