After you set up Web Application Firewall (WAF) for a website, you can enable the positive security model for the website. A positive security model is also known as a whitelist. The positive security model of WAF uses Alibaba Cloud machine learning algorithms to automatically study normal network traffic of a website. The positive security model then generates security rules tailored for the website based on the collected data. You can adjust the protection mode and rules of the positive security model as needed.

Notice: This topic uses the new version of the WAF console released in January 2020. If your WAF instance was created before January 2020, see Positive security model.

Prerequisites

  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.
  • Subscription-based WAF instances must use the Enterprise or Exclusive edition. For more information, see Editions and features.

Background information

Traditional protection methods against web attacks are based on detection rules. The positive security model automatically studies the network traffic of a domain and uses machine learning algorithms to generate a standard security score and grade different requests. Based on the request scores, the positive security model defines the baseline traffic of a domain and tailors security policies for the domain. The positive security model collaborates with other detection modules of WAF to detect attacks at different network layers.


Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.
  5. Click the Web Security tab, and find Positive Security Model in the Advanced protection section.
    Parameter | Description
    Status    | Enable or disable the positive security model.
    Mode      | Select a mode to manage attacks. Supported modes:
              |   • Monitor: triggers alerts but does not block requests.
              |   • Block: blocks requests.
    Note: By default, the positive security model is set to Monitor mode. In this mode, WAF only reports requests that match the security rules and does not block them. We recommend that you study the data in security reports to make sure that the security rules do not cause false positives before you set the mode to Block.
    If this is your first time enabling the positive security model for a domain, WAF automatically studies the network traffic history of the domain based on machine learning algorithms. WAF then tailors security rules to protect the domain. The initial machine learning process may take a long time to complete depending on the total amount of network traffic data. Typically, it takes about one hour for WAF to complete learning and generating security rules. After WAF completes the learning process, it notifies you through internal messages, SMS messages, and emails.
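
The learn-then-enforce idea from the background section and the difference between the Monitor and Block modes, as an added illustrative example (not Alibaba Cloud WAF's algorithm or code). It learns a per-path baseline from constructed sample URLs and evaluates new requests against it; the function names, profile fields and `slack` threshold are all assumptions.

```python
# Toy positive security model: allowlist learned from observed traffic.
# Assumption: a simplified stand-in, not how Alibaba Cloud WAF scores requests.
import re
from urllib.parse import urlsplit, parse_qsl

def char_class(value):
    """Coarse value type: 0 = digits, 1 = word characters, 2 = free text."""
    if re.fullmatch(r"\d*", value):
        return 0
    if re.fullmatch(r"[\w.-]*", value):
        return 1
    return 2

def learn(urls):
    """Per path, record each parameter's max length and widest class seen."""
    baseline = {}
    for url in urls:
        parts = urlsplit(url)
        profile = baseline.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            rule = profile.setdefault(name, {"len": 0, "cls": 0})
            rule["len"] = max(rule["len"], len(value))
            rule["cls"] = max(rule["cls"], char_class(value))
    return baseline

def evaluate(baseline, url, mode="monitor", slack=2):
    """Return (action, reasons). Monitor only alerts; block denies."""
    parts = urlsplit(url)
    profile = baseline.get(parts.path)
    reasons = []
    if profile is None:
        reasons.append(f"unknown path {parts.path}")
    else:
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            rule = profile.get(name)
            if rule is None:
                reasons.append(f"unknown parameter {name}")
            elif len(value) > rule["len"] * slack:
                reasons.append(f"{name} longer than baseline")
            elif char_class(value) > rule["cls"]:
                reasons.append(f"{name} outside learned character class")
    if not reasons:
        return "allow", reasons
    return ("block" if mode == "block" else "alert"), reasons

# Constructed sample traffic for the learning phase.
TRAINING = ["/item?id=12&sort=price", "/item?id=907&sort=name",
            "/search?q=red+shoes"]
BASELINE = learn(TRAINING)
```

A legitimate but unseen request such as `/item?id=1234567` exceeds the learned length and raises an alert, which is the kind of false positive that reviewing Monitor-mode reports is meant to catch before Block is enabled.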