The AI traffic analysis feature in Cloud Firewall provides visibility into how your assets access AI services. It offers multi-dimensional monitoring and analysis, including traffic visualization, outbound service tracking, and asset-level details for a clear overview of your AI service usage.
Prerequisites
-
If this is your first time using the feature, click Enable Now on the feature page to activate the service.
-
To monitor public network data, enable the internet firewall.
-
To monitor private network data, enable the NAT firewall for the relevant assets.
Feature page access
Log in to the Cloud Firewall console. In the left-side navigation pane, choose .
Traffic visualization and analysis
The AI Traffic page provides data statistics and asset node visualizations, offering a comprehensive overview of how your assets access AI services.
Data statistics
-
At the top of the AI Traffic page, you can view AI traffic statistics for all protected assets from the last seven days.
The metrics include the number of Outbound AI services, Public traffic volume, Private traffic volume, number of Intrusion Events, and sensitive data leakage (coming soon).
-
Public traffic volume: Statistics for assets protected by the internet firewall only.
-
Private traffic volume: Statistics for assets protected by the NAT firewall only.
-
-
The collapsible statistics panel in the upper-left corner of the tab displays AI-related traffic and data for public IPs and private IPs, aggregated into the following categories:
-
Top Outbound AI Services: The AI services that your assets access most frequently.
-
Top Source IPs: The asset IPs that generate the most AI service access traffic.
-
AI Attacks and Risks: Network attacks and potential risks related to AI services.
-
Access Interception: Number of blocked attempts to access prohibited AI services.
-
Intrusion Events: Number of attacks detected by the intrusion prevention system (IPS) engine during AI service access.
-
-
Visual analysis
The main area of the tab visualizes which assets are accessing AI services.
-
Click an asset node or AI service node to view a brief traffic summary. In the pop-up window, click Details to see the corresponding access monitoring list.
-
The upper-right corner of the visualizer provides a domain filter and visualizer tools. You can use these tools to filter domains, change the node layout, zoom in and out, fit to screen, and enter full-screen mode.
The panel provides a search box to quickly find domains. In the example, AI-related API domains such as
api.baichuan-ai.com,api.xf-yun.com, andopen.volcengineapi.comare selected.
Multi-dimensional data analysis
The tab presents data across three dimensions: Outbound AI Services, Internet Source, and Private Source. You can use these tabs to analyze traffic data and events related to your assets' outbound connections to AI services.
Outbound AI services
On the tab, you can view a list of all AI services accessed by your protected assets.
The list groups data by the domain names of the AI services that your assets connect to. At the top of the list, attribute filters let you filter the data and locate the websites you want to analyze.
The list includes the following columns: Domain, Website service, Traffic, Requests, Threat intelligence tag, Application protocol, Outbound asset count, Security suggestion, and Actions. You can filter the list by threat intelligence tag, website service type, public/private outbound connection, or domain name. In the upper-right corner of the list, you can access the whitelist and Followed list.
Actions
-
Click the
icon in the Actions column to see all available actions. -
Allowlist: Click Allowlist in the upper-right corner of the list to add domains to exclude from monitoring. You can also click Add to Allowlist in the Actions column. After you refresh the page, the domain will no longer appear in the list.
This Allowlist only filters the list and is distinct from the access control whitelist.
-
Watchlist: Click Watchlist in the upper-right corner to add domains for close monitoring. After you refresh the page, followed domains will be highlighted.
-
Configure ACL: Click the Configure ACL Policy-IPv4 or Configure ACL Policy-IPv6 link in the Actions column to go to the website's access control page and configure an ACL policy.
Use the Add to Address Book link to add the website to an address book for use in ACL policies.
NoteIn , you can find AI-related address books to reference directly in access control policies:
-
AI Server API: Trusted AI domains. We recommend that you configure an allow or monitor policy.
-
Large Model Risk Domains: Risky domains. We recommend that you configure a deny policy.
-
-
View Logs: Click the View Logs-IPv4 or View Logs-IPv6 link in the Actions column to open the Log Audit page. The website information is pre-filled, allowing you to query traffic logs for your assets.
-
View Intelligence Profile: Click the View Intelligence Profile link in the Actions column to view the website's intelligence profile. The profile includes the website's threat status, WHOIS data, domain resolution, and other intelligence.
Source asset analysis
On the tab, click Internet Source or Private Source to view an overview of data for internet-facing or private assets accessing AI services. Although the filter options differ, the operations on both tabs are the same.
The list is organized by asset instance. At the top of the list, attribute filters let you filter the data and locate the assets you want to analyze.
The list includes columns such as Asset IP, Asset type, Instance ID/Name, Region, Traffic, Requests, Intrusion prevention, and Actions. The filter options include dropdowns for All asset types and All asset regions, and a search box for Asset public IP.
Actions
-
Click the
icon in the Actions column to see all available actions. -
Watchlist: Click Watchlist in the upper-right corner to add assets for close monitoring.
-
View Logs: Click the View Logs link in the Actions column to go to the Log Audit page. The asset's information is pre-filled, making it easy to query its traffic logs.
-
Details: Click the Details link in the Actions column to view a statistical overview of the asset's outbound AI service traffic.
You can also use the links in the Suggestions column to perform quick actions for the domains accessed by the asset, such as Add to Whitelist (this Allowlist only filters the list and is distinct from the access control whitelist), Mark as Followed, Add to Address Book, and View Logs.
The pop-up table includes statistical columns such as Outbound domain/Outbound public IP, Requests, Category, and Tag. The View Logs action is split into two options: View Logs-IPv4 and View Logs-IPv6.
Export data
The lists on the different tabs under include a data export feature for offline analysis.
You can click the
icon in the upper-right corner of the respective tab list to perform a data export.