After you add a website to Web Application Firewall (WAF), you can configure the positive security model for the website. The positive security model uses the machine learning algorithms developed by Alibaba Cloud to automatically learn the normal traffic of a website. The positive security model then generates custom protection rules for the website based on the learning results. You can adjust the protection mode and rules of the positive security model based on your business requirements.

Prerequisites

  • A WAF instance is purchased. The instance runs the Enterprise edition or higher. For more information, see Editions and features.
  • Your website is added to WAF. For more information, see Add websites.

Background information

Traditional protection methods protect websites from attacks based on detection rules. The positive security model uses unsupervised learning to automatically learn the traffic of a website. Then, the positive security model uses the model built by machine learning algorithms to generate a standard security score and grade different requests. Based on the request scores, the positive security model defines the baseline traffic of the website and generates custom protection rules for the website. The positive security model collaborates with other protection modules of WAF to defend against attacks at different network layers.

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.
  5. On the Web Security tab, find the Positive Security Model section and configure the following parameters.
    Parameter: Description
    Status: The switch that is used to enable or disable the positive security model.
    Mode: The action that is performed on the requests in which WAF detects attacks. Valid values:
      • Warn: triggers alerts but does not block requests.
      • Block: blocks requests.
    Note: By default, the positive security model is set to the Warn mode. In this mode, WAF reports the requests that match the protection rules but does not block the requests. Before you set the mode to Block, we recommend that you study the data in security reports and make sure that the protection rules do not cause false positives.
    If this is the first time that you enable the positive security model for a website, WAF uses the model built by machine learning algorithms to automatically learn the historical traffic of the website. Then, WAF generates custom protection rules based on the learning results to protect the website. The time that is required to initially learn traffic varies based on the total amount of traffic. In most cases, WAF initially learns the traffic of a website and generates protection rules within about one hour. After WAF completes the learning process, WAF sends you a notification by using internal messages, text messages, or emails.
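
The learn-then-enforce flow described above, as an added example that is not Alibaba Cloud's code or algorithm: a deliberately simple stand-in baseline (parameter names, value types and lengths per path) shows how a benign but previously unseen request can match a learned rule in Warn mode, which is the false-positive check the Note recommends before switching to Block. The function names, the deviation checks and the sample URLs are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of "normal" traffic (not real logs).
BASELINE = ["/item?id=12", "/item?id=4051", "/search?q=red-shoes&page=2", "/search?q=hat&page=1"]

def char_class(value):
    """Coarse value type used as the learned shape of a parameter."""
    if re.fullmatch(r"\d+", value):
        return "digits"
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return "token"
    return "free"

def learn(urls):
    """Build the baseline: path -> {parameter: (value types seen, max length)}."""
    profile = {}
    for url in urls:
        parts = urlsplit(url)
        params = profile.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            classes, max_len = params.get(name, (set(), 0))
            params[name] = (classes | {char_class(value)}, max(max_len, len(value)))
    return profile

def deviations(profile, url):
    """Return the reasons a request falls outside the learned baseline."""
    parts = urlsplit(url)
    if parts.path not in profile:
        return ["unknown path"]
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in profile[parts.path]:
            reasons.append(f"unknown parameter {name}")
            continue
        classes, max_len = profile[parts.path][name]
        if char_class(value) not in classes:
            reasons.append(f"{name}: unexpected value type")
        if len(value) > 2 * max_len:
            reasons.append(f"{name}: value too long")
    return reasons

def decide(profile, url, mode="Warn"):
    """Warn reports a match but lets the request through; Block rejects it."""
    reasons = deviations(profile, url)
    if not reasons:
        return "pass", reasons
    return ("block" if mode == "Block" else "warn"), reasons
```

Running `decide(learn(BASELINE), "/search?q=blue%20jeans&page=3")` returns a `warn` for a legitimate search, because no baseline value of `q` contained a space; the same request would be rejected in Block mode.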