KB: 00001002
Enabling Machine Learning based 0-day protection for web applications
The Haltdos WAF solution uses a combination of built-in signatures, user-defined policies and machine learning to detect and block attacks on web apps. The machine learning module also defends against 0-day attacks by assigning a suspicion score to every request using anomaly-based machine learning techniques.
1. Enable Learning mode in the WAF by going to Listener -> Learning and setting the mode to Learning Only. For first-time learning, set a high sample rate (30% or higher). You may restrict learning to traffic from selected IP pools for more accurate learning.
2. Keep the WAF in Learning Only mode for a few days. You can check the learning progress in the Auto Profiling section, which lists the discovered URLs and their allotted suspicion scores.
3. Once more than 70% of URLs are visible in the Auto Profiling section, set the Learning mode to Learn & Mitigate so that the WAF continues learning while also mitigating 0-day attacks based on what it has already learned.
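One way to check the step 3 threshold before switching modes, as an added example that is not Haltdos code: it compares the URLs listed in Auto Profiling against your own URL inventory. The function names, the sample data, and the choice to measure coverage as the profiled share of your own inventory are assumptions; the URL lists are constructed and would be copied in by hand.

```python
import re
from urllib.parse import urlsplit

THRESHOLD = 0.70  # step 3: *more than* 70% of URLs visible in Auto Profiling

# Constructed sample data: the application's own URL inventory (assumption:
# taken from routes or access logs) and URLs copied from Auto Profiling.
INVENTORY = ["/", "/login", "/logout", "/api/orders", "/api/orders/export",
             "/account/profile", "/account/password", "/search", "/cart",
             "/checkout"]
PROFILED = ["https://shop.example/login?next=/cart", "/", "/api/orders/",
            "/search?q=test", "/cart", "/checkout", "/account/profile",
            "/static/app.js"]

def normalize(url):
    """Reduce a URL or request target to a comparable path: drop scheme,
    host, query string and fragment, collapse '//' and trailing '/'."""
    path = urlsplit(url.strip()).path or "/"
    path = re.sub(r"/{2,}", "/", path)
    return path.rstrip("/") if len(path) > 1 else path

def coverage(inventory, profiled):
    """Return (ratio, missing, unknown) for the two URL lists."""
    inv = {normalize(u) for u in inventory if u.strip()}
    seen = {normalize(u) for u in profiled if u.strip()}
    if not inv:
        raise ValueError("URL inventory is empty")
    missing = sorted(inv - seen)   # not learned yet: needs more traffic
    unknown = sorted(seen - inv)   # learned but not in inventory: review
    return (len(inv) - len(missing)) / len(inv), missing, unknown

def ready_for_mitigation(inventory, profiled):
    """True only when coverage is strictly above the threshold."""
    return coverage(inventory, profiled)[0] > THRESHOLD

if __name__ == "__main__":
    ratio, missing, unknown = coverage(INVENTORY, PROFILED)
    print(f"profiled coverage: {ratio:.0%}")
    print("not yet profiled:", ", ".join(missing) or "none")
    print("profiled but not in inventory:", ", ".join(unknown) or "none")
    print("switch to Learn & Mitigate:",
          "yes" if ready_for_mitigation(INVENTORY, PROFILED) else "not yet")
```

URLs reported as profiled but absent from the inventory are worth a look before mitigation is enabled, since they show what the learning traffic actually contained.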