All Products
Search
Document Center

Web Application Firewall:Configure the positive security model

Last Updated:Jan 15, 2024

After you add a website to Web Application Firewall (WAF), you can enable the positive security model for the website. The positive security model uses the machine learning algorithms that are developed by Alibaba Cloud to automatically learn the legitimate traffic of a website. Then, the model generates custom protection rules for the website based on the learning results to prevent unknown attacks.

Prerequisites

  • A WAF instance that runs the Enterprise edition or higher is purchased.

  • Your website is added to WAF. For more information, see Tutorial.

Background information

Traditional protection methods protect websites from attacks based on detection rules. The positive security model uses unsupervised learning to automatically learn the traffic of a website. Then, the positive security model uses the model that is built by machine learning algorithms to generate a standard security score and grade different requests. The positive security model defines the baseline traffic of the website and generates custom protection rules for the website based on the request scores. The positive security model integrates with other protection modules of WAF to defend against attacks at different network layers.

image

Procedure

  1. Log on to the WAF console.

  2. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Protection Settings > Website Protection.

  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a website protection whitelist from the Switch Domain Name drop-down list.切换域名

  5. On the Web Security tab, find the Positive Security Model section and configure the parameters.主动防御 The following table describes the parameters.

    Parameter

    Description

    Status

    The switch that enables or disables the positive security model.

    Mode

    The action that you want to perform on attacks that are detected by WAF. Valid values:

    • Warn: triggers alerts, but does not block requests.

    • Block: blocks malicious requests.

    Note

    By default, the positive security model is set to the Warn mode. In this mode, WAF records the requests that match the protection rules in security reports, but does not block the requests. Before you set the mode to Block, we recommend that you study the data in security reports and make sure that the protection rules do not cause false positives.

    The first time that you enable the positive security model for a website, WAF uses the model that is built by machine learning algorithms to automatically learn the historical traffic of the website. Then, WAF generates custom protection rules based on the learning results to protect the website. The time that is required to initially learn the traffic varies based on the total amount of traffic. In most cases, WAF initially learns the traffic of a website and generates protection rules within approximately 1 hour. After WAF completes the learning process, WAF sends you a notification by using internal messages, text messages, or emails.

    Important

    If you disable the positive security model, the traffic learning results that are generated become invalid. If you re-enable the positive security model, the positive security model needs to relearn the traffic of the website. If you upgrade your WAF instance, the learning results of the positive security model are not affected. If the traffic pattern of the website that is added to WAF changes, the learning results are no longer applicable. We recommend that you configure the positive security model to relearn the traffic of the website. Traffic pattern changes include the change of the service type of the website.