After you add a website to Web Application Firewall (WAF), you can enable the deep learning engine feature for your website. The deep learning engine is developed based on the deep neural network system of Alibaba Cloud. The feature performs classification training on all web attack data and normal business data in the cloud. This way, potential attacks can be blocked in real time.

Prerequisites

  • A WAF instance is purchased. The instance must reside in the Chinese mainland and run the Business edition or higher.

    For more information, see Purchase a WAF instance.

  • Your website is added to WAF.

    For more information, see Tutorial.

Background information

Web attack methods keep evolving as the Internet develops. Traditional single-method protection no longer meets the security requirements of complex Internet services. Collaborative protection that uses multiple detection engines is more effective.

Based on massive operations data of Alibaba Cloud, the deep learning engine trains models for normal web applications and identifies abnormalities in these models. The engine also refines attack models from various web application attacks. The deep learning engine uses these models to detect zero-day vulnerabilities. When WAF is used to prevent web attacks, protected traffic is forwarded to the protection rules engine. Then, the traffic is forwarded to the deep learning engine. The two engines complement each other.

Scenarios

The deep learning engine scans for web requests that have weak attack characteristics rather than HTTP flood attacks. If you have more precise requirements on web attack protection, we recommend that you enable the deep learning engine.

The protection rules engine uses strong regular expression rules. The engine provides optimal protection against requests that have strong attack characteristics. The protection rules engine may fail to detect risks from requests that have weak attack characteristics, such as cross-site scripting (XSS) attacks. The engine may also fail to detect these attacks even in strict mode. In this case, you can enable the deep learning engine to identify and block requests that have weak attack characteristics and cannot be detected based on strict rules of the protection rules engine.

Procedure

  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist.
  5. Click the Web Security tab, find the Deep Learning Engine section, and configure the following parameters.
    Parameter: Description

    Status: The switch that is used to enable or disable the deep learning engine.

    Note: After the deep learning engine is enabled, all requests that are destined for your website are checked by the engine. You can configure the whitelist in the Web Intrusion Prevention section. Then, the requests that match the rules specified in the whitelist can bypass the check. For more information, see Configure a whitelist for web intrusion prevention.

    Mode: The action that you want to perform on requests when WAF detects attack requests. Valid values:
    • Block: blocks requests.
    • Warn: triggers alerts but does not block requests.

    Attack Probability: The threshold value of the probability that a request is identified as an attack when the deep learning engine is used. The value is an integer within the range of 50 to 100.

    If the parameter value is large, the standard for determining that a request is an attack is strict, and the deep learning engine blocks real attacks more accurately. However, the engine may not block other risks.

    If the parameter value is small, the standard for determining that a request is an attack is loose, and the deep learning engine blocks more suspicious requests. However, the engine may also block normal requests.
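
The following added example is not Alibaba Cloud code. It models the Status, Mode, and Attack Probability parameters described above and sweeps the threshold over constructed sample data to show how normal requests that are blocked trade off against attacks that pass. The names EngineConfig, decide, sweep, and SAMPLES, the per-request score, and the >= comparison at the threshold are assumptions made for illustration.

```python
# Added illustration: a model of the documented settings, not Alibaba Cloud code.
from dataclasses import dataclass


@dataclass
class EngineConfig:
    enabled: bool = True
    mode: str = "Warn"            # Mode parameter: "Block" or "Warn"
    attack_probability: int = 80  # Attack Probability: integer from 50 to 100

    def __post_init__(self):
        if self.mode not in ("Block", "Warn"):
            raise ValueError("Mode must be Block or Warn")
        p = self.attack_probability
        if type(p) is not int or not 50 <= p <= 100:
            raise ValueError("Attack Probability must be an integer from 50 to 100")


def decide(cfg, score, whitelisted=False):
    """Outcome for one request that has reached the deep learning engine.

    score is a hypothetical 0-100 attack probability for the request; comparing
    with >= at the threshold is an assumption, the page does not specify it.
    """
    if not cfg.enabled or whitelisted:   # whitelisted requests bypass the check
        return "pass"
    if score >= cfg.attack_probability:
        return "block" if cfg.mode == "Block" else "warn"
    return "pass"


def sweep(samples, thresholds=range(50, 101, 10)):
    """Per threshold: (threshold, normal requests blocked, attacks passed)."""
    rows = []
    for t in thresholds:
        cfg = EngineConfig(mode="Block", attack_probability=t)
        outcomes = [(decide(cfg, score), attack) for score, attack in samples]
        blocked_normal = sum(1 for o, attack in outcomes if o == "block" and not attack)
        passed_attacks = sum(1 for o, attack in outcomes if o == "pass" and attack)
        rows.append((t, blocked_normal, passed_attacks))
    return rows


# Constructed sample data: (score, is_attack) pairs, not real WAF output.
SAMPLES = [(97, True), (88, True), (72, True), (61, True), (55, True),
           (83, False), (66, False), (52, False), (30, False), (12, False)]

if __name__ == "__main__":
    for row in sweep(SAMPLES):
        print(row)
```

On this constructed data, a threshold of 50 blocks three normal requests and passes no attacks, whereas a threshold of 90 blocks no normal requests and passes four attacks.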

What to do next

After you enable the deep learning engine, you can view the records of matched rules of the deep learning engine. To view the records, click Security Report and choose Web Security > Web Intrusion Prevention. For more information, see View Security Reports.