A positive security model is also known as a whitelist. The positive security model
of Web Application Firewall (WAF) applies Alibaba Cloud machine learning to network
traffic to generate security rules, block malicious requests, and allow benign network
traffic to pass through.
Prerequisites
- Before you use the positive security model, make sure that you have added your domain
to WAF for protection. For more information, see Add domain names.
- If you are using the WAF Pro or Enterprise edition, you must upgrade WAF to the Ultimate
edition. For more information about how to upgrade WAF, see Renew and upgrade.
Background information
Traditional security models use predefined security rules to detect malicious network
traffic. The positive security model of WAF applies machine learning to network traffic
in an unsupervised way. Deep learning models are trained based on benign network data
and then used to generate security rules. Only requests that reach the baselines of
benign traffic in these rules are allowed to pass through. The positive security model
works with other detection modules of WAF to prevent attacks at different network
layers.
Procedure
- Log on to the WAF console.
- In the left-side navigation pane, choose . At the top of the Website Configuration page, select the region of your WAF instance: Mainland China or International.
- In the domain list, find the domain that you want to manage, and click Policies in the Operation column.
- In the Positive Security Model area, click the switch to enable the positive security model.
If this is the first time that you have enabled the positive security model for your
domain, WAF automatically uses historical network traffic data and deep learning to
train machine learning models. WAF then generates security rules to protect your domain.
Note The machine learning process may be time-consuming, depending on the amount of network
traffic data. Typically, WAF takes up to one hour to complete learning and generate the
security rules. After WAF completes learning, you receive an internal message, an SMS
message, and an email.
- After the machine learning process is complete, click Settings in the Positive Security Model area to check the generated security rules.
Note By default, the positive security model is set to the Detection mode. This mode only
reports requests that fail to match the security rules. These requests are not blocked.
Before you set the mode to Prevention, we recommend that you go to the Reports page
and check the statistics for a period of time to make sure that the security rule
does not incur any false positives.
For security rules in Prevention mode to block malicious requests, you must first
set the protection mode of the positive security model to Prevention. When the positive
security model is set to Detection, even if your security rules are set to Prevention,
malicious requests are not blocked.

- Optional: In the security rules list, click Edit in the Actions column to edit the protection mode of a security rule generated by
the positive security model. Click Delete to delete a security rule.
Note To ensure that the positive security model protects your domain effectively,
we recommend that you do not modify or delete security rules. Before you set a security
rule to Prevention, set it to Detection, go to the WAF security reports page, and make
sure that the security rule does not incur any false positives.
Fields of security rules
Note Currently, you can only change the Protection Mode field for a security rule.
Field | Description
Rule name | The name of the security rule.
Mode | Specifies the URL of HTTP requests, excluding request parameters. For example, for the URL /index.php?a=122, enter /index.php into this field. Security rules generated by the positive security model use regular expressions to match requests.
Method | Specifies the methods of HTTP requests. You can specify one or more methods.
Parameters | Specifies the request parameters in the URL. For example, the URL /index.php?a=122 contains the parameter a, whose value is 122. Security rules generated by the positive security model use regular expressions to match requests.
Protection Mode | The protection mode of the security rule. Valid values: Prevention and Detection (described below).
Protection Mode values:
- Prevention: Before you set a security rule to Prevention to filter network traffic, you must
set the mode of the positive security model to Block. Otherwise, the security rule
does not block malicious requests.
- Detection: If a security rule is set to this mode, malicious requests are only reported. You
can check the detailed information about malicious requests on the Reports page.
Note We recommend that you set the mode of a newly added rule to Detection and then check
the statistics on the Reports page for a period of time. Make sure that the security
rule does not incur any false positives before you set the rule to Prevention.
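The following toy model, added here as an illustration and not Alibaba Cloud's code, ties together the two ideas above: the Background information section (a baseline learned from benign traffic, against which every request is checked) and the Protection Mode interplay described in the procedure and in the field table (a rule in Prevention blocks nothing while the model itself is in Detection). The learning heuristic (`_value_pattern`), the rule fields and the `allow`/`report`/`block` outcomes are assumptions chosen to mirror the fields in the table; they are not the real WAF algorithm. The benign traffic sample is constructed.

```python
"""Toy positive security model (allow-list): learn a baseline from benign
requests, then evaluate new requests under model-level and rule-level modes."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of benign traffic: (HTTP method, path with query string).
BENIGN_TRAFFIC = [
    ("GET", "/index.php?a=122"),
    ("GET", "/index.php?a=57"),
    ("GET", "/index.php?a=9031"),
    ("POST", "/login?user=alice"),
    ("POST", "/login?user=bob_42"),
]


@dataclass
class Rule:
    """Mirrors the fields in the table: URL (no query), methods, parameters, mode."""
    name: str
    url: str                  # request path without parameters
    methods: set              # allowed HTTP methods
    params: dict              # parameter name -> regex accepted values must fully match
    mode: str = "Detection"   # per-rule Protection Mode: "Detection" or "Prevention"


def _value_pattern(values):
    """Assumed learning heuristic: derive a coarse regex baseline from observed values
    (digits only, then word characters, else anything without whitespace)."""
    longest = max(len(v) for v in values)
    if all(re.fullmatch(r"[0-9]+", v) for v in values):
        return r"[0-9]{1,%d}" % longest
    if all(re.fullmatch(r"[A-Za-z0-9_]+", v) for v in values):
        return r"[A-Za-z0-9_]{1,%d}" % longest
    return r"[^\s&]{1,%d}" % longest


def learn_rules(traffic):
    """Build one rule per URL from benign traffic (the 'training' step)."""
    by_url = {}
    for method, target in traffic:
        parts = urlsplit(target)
        entry = by_url.setdefault(parts.path, {"methods": set(), "params": {}})
        entry["methods"].add(method)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            entry["params"].setdefault(key, []).append(value)
    rules = []
    for i, (url, entry) in enumerate(sorted(by_url.items()), start=1):
        params = {k: _value_pattern(vs) for k, vs in entry["params"].items()}
        rules.append(Rule(f"rule-{i}", url, entry["methods"], params))
    return rules


def matches(rule, method, target):
    """True only if method, URL and every present parameter are within the baseline."""
    parts = urlsplit(target)
    if parts.path != rule.url or method not in rule.methods:
        return False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = rule.params.get(key)
        if pattern is None or not re.fullmatch(pattern, value):
            return False  # unknown parameter or value outside the learned pattern
    return True


def evaluate(rules, model_mode, method, target):
    """Return 'allow', 'report' or 'block'.

    A request is blocked only when BOTH the model mode and the rule mode are
    Prevention; otherwise a deviation from the baseline is merely reported.
    A URL with no learned rule is reported (assumption for this toy).
    """
    path = urlsplit(target).path
    for rule in rules:
        if rule.url != path:
            continue
        if matches(rule, method, target):
            return "allow"
        if model_mode == "Prevention" and rule.mode == "Prevention":
            return "block"
        return "report"
    return "report"


if __name__ == "__main__":
    learned = learn_rules(BENIGN_TRAFFIC)
    for r in learned:
        print(r)
    learned[0].mode = "Prevention"
    for mode in ("Detection", "Prevention"):
        print(mode, evaluate(learned, mode, "GET", "/index.php?a=abc"))
```

Running the module prints the learned rules and shows that a non-numeric value for `a` is only reported while the model stays in Detection, and blocked once both the model and the rule are in Prevention, which is exactly the ordering the procedure above recommends (observe in Detection first, then switch).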