A positive security model is also known as a whitelist. The positive security model of Web Application Firewall (WAF) applies Alibaba Cloud machine learning to network traffic to generate security rules, block malicious requests, and allow benign network traffic to pass through.

Prerequisites

  • Before you use the positive security model, make sure that you have added your domain to WAF for protection. For more information, see Configure WAF in Overview of Alibaba Cloud WAF User Guide.
  • If you are using the WAF Pro or Enterprise edition, you must upgrade WAF to the Ultimate edition. For more information about how to upgrade WAF, see Renew and upgrade.

Background information

Traditional security models use predefined security rules to detect malicious network traffic. The positive security model of WAF applies machine learning to network traffic in an unsupervised way. Deep learning models are trained on benign network data and then used to generate security rules. Only requests that match the baselines of benign traffic in these rules are allowed to pass through. The positive security model works with other detection modules of WAF to prevent attacks at different network layers.



Procedure

  1. Log on to the WAF console.
  2. In the left-side navigation pane, choose Management > Website Configuration. On the top of the Website Configuration page, select the region of your WAF instance: Mainland China or International.
  3. In the domain list, find the domain that you want to manage, and click Policies in the Operation column.
  4. In the Positive Security Model area, click the switch to enable the positive security model.

    Enable the positive security model
    If this is the first time that you have enabled the positive security model for your domain, WAF automatically uses historical network traffic data and deep learning to train machine learning models. WAF then generates security rules to protect your domain.
    Note The entire machine learning process may be time-consuming depending on the total amount of the network traffic data. Typically it takes up to one hour for WAF to complete learning and generating security rules. After WAF completes learning, you will receive an internal message, SMS message, and email.
  5. After the machine learning process is complete, click Settings in the Positive Security Model area to check the generated security rules.
    Note By default, the positive security model is set to the Detection mode. This mode only reports requests that fail to match the security rules. These requests are not blocked. Before you set the mode to Prevention, we recommend that you go to the Reports page and check the statistics for a period of time to make sure that the security rule does not incur any false positives.

    For security rules in Prevention mode to block malicious requests, you must first set the protection mode of the positive security model to Prevention. When the positive security model is set to Detection, even if your security rules are set to Prevention, malicious requests are not blocked.


    View security rules
  6. Optional: In the security rules list, click Edit in the Actions column to edit the protection mode of a security rule generated by the positive security model. Click Delete to delete a security rule.
    Note To ensure that the positive security model is protecting your domain efficiently, we recommend that you do not modify or delete security rules. Before you set a security rule to Prevention, set it to Detection, go to the WAF security reports page, and make sure that the security rule does not incur any false positives.
    Fields of security rules
    Note Currently, you can only change the Protection Mode field for a security rule.
    Rule name: The name of the security rule.
    Mode: Specifies the URL of HTTP requests. Request parameters are excluded. For example, for the URL /index.php?a=122, enter /index.php into this field. Security rules generated by the positive security model use regular expressions to match requests.
    Method: Specifies the methods of HTTP requests. You can specify one or more methods.
    Parameters: Specifies the request parameters in the URL. For example, the URL /index.php?a=122 contains the parameter a. The value of the parameter is 122. Security rules generated by the positive security model use regular expressions to match requests.
    Protection Mode: The protection mode of the security rule. Valid values:
      • Prevention: Before you set a security rule to Prevention to filter network traffic, you must set the mode of the positive security model to Block. Otherwise, the security rule does not block malicious requests.
      • Detection: If a security rule is set to this mode, malicious requests are only reported. You can check the detailed information about malicious requests on the Reports page.
    Note We recommend that you set the mode of a newly added rule to Detection and then check the statistics on the Reports page for a period of time. Make sure that the security rule does not incur any false positives before you set the rule to Prevention.
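The following added example (written for this page, not Alibaba Cloud WAF code) models how a learned whitelist rule with the fields above is applied to a request, including the interaction between the model-wide mode and the rule's own Protection Mode described in the procedure: a rule set to Prevention only blocks when the model itself is in Prevention, otherwise violations are only reported. The Rule and PositiveSecurityModel classes, the decide helper, the regex fields, and the handling of URLs that have no learned rule are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass
class Rule:
    name: str
    url: str                 # regex matched against the request path (query string excluded)
    methods: set
    params: dict             # parameter name -> regex that the parameter value must fully match
    protection_mode: str     # "Prevention" or "Detection"

@dataclass
class PositiveSecurityModel:
    mode: str                # mode of the whole model: "Prevention" or "Detection"
    rules: list

    def evaluate(self, method: str, url: str) -> tuple:
        """Return (decision, reasons); decision is 'allow', 'report' or 'block'."""
        parts = urlsplit(url)
        rule = next((r for r in self.rules if re.fullmatch(r.url, parts.path)), None)
        if rule is None:
            # Assumption: URLs with no learned rule are left to the other WAF modules.
            return ("allow", ["no positive-model rule for this URL"])
        reasons = []
        if method not in rule.methods:
            reasons.append(f"method {method} not in baseline {sorted(rule.methods)}")
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            pattern = rule.params.get(name)
            if pattern is None:
                reasons.append(f"parameter {name} not in baseline")
                continue
            for v in values:
                if not re.fullmatch(pattern, v):
                    reasons.append(f"parameter {name}={v!r} does not match {pattern!r}")
        if not reasons:
            return ("allow", [])
        # A rule in Prevention blocks only when the model itself is also in Prevention.
        if self.mode == "Prevention" and rule.protection_mode == "Prevention":
            return ("block", reasons)
        return ("report", reasons)

# Constructed sample rule mirroring the /index.php?a=122 example in the field table.
INDEX_RULE = Rule("index", r"/index\.php", {"GET"}, {"a": r"\d+"}, "Prevention")

def decide(model_mode: str, method: str, url: str) -> str:
    """Decision for one request against the sample rule under the given model mode."""
    return PositiveSecurityModel(model_mode, [INDEX_RULE]).evaluate(method, url)[0]
```

Calling decide("Detection", "POST", "/index.php?a=122") returns "report" even though the rule is in Prevention, which is the case the procedure warns about; switching the model to "Prevention" turns the same request into "block".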