After you add a website to WAF, you can enable the big data deep learning engine for the website. The big data deep learning engine is based on the deep neural network system of Alibaba Cloud. It performs classification training on all web attack data and normal business data in the cloud. In this way, potential attacks can be blocked in real time. You can adjust the protection policies of the big data deep learning engine as required.

Notice: This topic describes the big data deep learning engine in the WAF console released in January 2020. If your WAF instance was created before this date, see Big data deep learning engine.

Prerequisites

  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.
  • If the billing method of the instance is subscription, the edition of the instance must be Business or Enterprise.

Background information

Web attack methods keep evolving as the Internet develops rapidly. Traditional single-method protection can no longer meet the security requirements of complex Internet services. Collaborative protection powered by multiple detection engines offers stronger protection.

Based on massive operations data of Alibaba Cloud, the big data deep learning engine trains models for normal web applications and identifies abnormalities from these models. It also refines attack models from various web application attacks. The big data deep learning engine uses these models to detect zero-day vulnerabilities. It also blocks potential attacks online in real time to make up for the deficiencies of other protection engines. When WAF is used to prevent web attacks, protected traffic data is forwarded to the RegEx Protection Engine. Then, the traffic data is forwarded to the big data deep learning engine. The two engines complement each other.

Scenarios

The big data deep learning engine mainly targets web attack requests with weak characteristics rather than HTTP flood attacks. If you have high requirements on web attack prevention, we recommend that you enable the big data deep learning engine.

The RegEx Protection Engine uses strong regular expression rules. It provides optimal protection against requests with strong attack characteristics. The RegEx Protection Engine may fail to detect potential risks from requests with weak attack characteristics such as cross-site scripting (XSS) attacks. It may also fail to detect these attacks even in strict mode. In this case, you can enable the big data deep learning engine to identify and block requests with weak attack characteristics that cannot be identified by strict rules of the RegEx Protection Engine.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.
  5. On the Web Security tab, set the following parameters in Big Data Deep Learning Engine of the Web Intrusion Prevention section.
    Parameter: Description
    • Status: Enables or disables the big data deep learning engine.
    • Mode: Specifies the action that is taken on attack requests when they are detected. Valid values:
      • Block: Block the attack requests.
      • Warn: Trigger only alerts without blocking the attack requests.
    • Attack Probability: Sets the threshold of the probability that a request is identified as an attack under deep learning. The value is an integer ranging from 50 to 100.

    If the parameter value is large, the standard for determining that a request is an attack is strict and the big data deep learning engine blocks real attacks more accurately. However, this engine may also leave more potential risks unblocked.

    If the parameter value is small, the standard for determining that a request is an attack is not strict and the big data deep learning engine blocks more suspicious requests. However, this engine may also block some normal requests.
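
The trade-off described for Attack Probability can be measured on reviewed traffic before Mode is switched from Warn to Block. The following sketch is an added example, not Alibaba Cloud code: it assumes that a score from 0 to 100 and an analyst verdict are available for each sampled request (all values here are constructed) and that a request counts as an attack when its score is greater than or equal to the threshold.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scored:
    request: str      # short description of the request (constructed)
    probability: int  # model score 0-100 (assumed to be available per request)
    is_attack: bool   # analyst verdict after manual review (constructed)

# Constructed sample, as if reviewed from alerts raised in Warn mode.
SAMPLE = [
    Scored("search: script in event-handler attribute", 97, True),
    Scored("comment: encoded script in image tag", 83, True),
    Scored("profile: script URI in link field", 64, True),
    Scored("cms: rich-text editor saving HTML", 71, False),
    Scored("api: filter expression with '<'", 55, False),
    Scored("search: plain keyword", 3, False),
]

def decide(probability, threshold, mode):
    """Action for one request; score >= threshold counts as attack (assumption)."""
    if not isinstance(threshold, int) or not 50 <= threshold <= 100:
        raise ValueError("Attack Probability must be an integer from 50 to 100")
    if mode not in ("Block", "Warn"):
        raise ValueError("Mode must be Block or Warn")
    if probability < threshold:
        return "pass"
    return "block" if mode == "Block" else "alert"

def sweep(sample, thresholds):
    """Rows of (threshold, attacks blocked, attacks missed, normal blocked)."""
    total_attacks = sum(s.is_attack for s in sample)
    rows = []
    for t in thresholds:
        hit = [s for s in sample if decide(s.probability, t, "Block") == "block"]
        caught = sum(s.is_attack for s in hit)
        rows.append((t, caught, total_attacks - caught, len(hit) - caught))
    return rows

def lowest_safe_threshold(sample, max_normal_blocked=0):
    """Smallest setting whose false positives stay within the budget."""
    for t, _, _, normal_blocked in sweep(sample, range(50, 101)):
        if normal_blocked <= max_normal_blocked:
            return t
    return None

if __name__ == "__main__":
    for row in sweep(SAMPLE, range(50, 101, 10)):
        print("threshold=%d blocked=%d missed=%d normal_blocked=%d" % row)
    print("lowest threshold with no normal request blocked:", lowest_safe_threshold(SAMPLE))
```

On this constructed sample, the lowest setting that blocks no normal request is 72, and it leaves the attack scored 64 unblocked.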