After you add a website to Web Application Firewall (WAF), you can enable the positive security model for your website. The positive security model uses the machine learning algorithms developed by Alibaba Cloud to automatically learn the normal traffic of a website. The positive security model then generates custom protection rules for the website based on the learning results.

Prerequisites

  • A WAF instance is purchased. The instance runs the Enterprise edition or higher.

    For more information, see Purchase a WAF instance.

  • Your website is added to WAF.

    For more information, see Tutorial.

Background information

Traditional protection methods protect websites from attacks based on detection rules. The positive security model uses unsupervised learning to automatically learn the traffic of a website. Then, the positive security model uses the model built by machine learning algorithms to generate a standard security score and grade different requests. Based on the request scores, the positive security model defines the baseline traffic of the website and generates custom protection rules for the website. The positive security model collaborates with other protection modules of WAF to defend against attacks at different network layers.

Procedure

  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist.
  5. On the Web Security tab, find the Positive Security Model section and configure the following parameters.

    Parameter | Description
    Status    | The switch that is used to enable or disable the positive security model.
    Mode      | The action that you want to perform on requests when WAF detects attacks. Valid values:
              |   • Warn: triggers alerts but does not block requests.
              |   • Block: blocks requests.

    Note: By default, the positive security model is set to the Warn mode. In this mode, WAF reports the requests that match the protection rules but does not block the requests. Before you set the mode to Block, we recommend that you study the data in security reports and make sure that the protection rules do not cause false positives.
    If this is the first time that you enable the positive security model for a website, WAF uses the model built by machine learning algorithms to automatically learn the historical traffic of the website. Then, WAF generates custom protection rules based on the learning results to protect the website. The time that is required to initially learn traffic varies based on the total amount of traffic. In most cases, WAF initially learns the traffic of a website and generates protection rules within about one hour. After WAF completes the learning process, WAF sends you a notification by using internal messages, text messages, or emails.
    Notice: If you disable the positive security model, the traffic learning results that are generated become invalid. If you enable the positive security model again, the positive security model needs to learn the traffic of your website again. If you upgrade your WAF instance, the learning results of the positive security model are not affected. If the traffic pattern of your website that is added to WAF changes, the learning results can no longer be used. We recommend that you configure the positive security model to learn the traffic of your website again. The traffic pattern change includes the change of the service type of your website.
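
The learn-then-enforce flow described above, as an added illustration that is not Alibaba Cloud's algorithm or code: a toy model derives allowlist rules from constructed sample URLs and applies them in Warn or Block mode. The rule shape (value class and maximum length per parameter), the `slack` factor and all function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def char_class(value):
    """Coarse value type: 0 = digits, 1 = identifier-like, 2 = free text."""
    if re.fullmatch(r"\d*", value):
        return 0
    return 1 if re.fullmatch(r"[A-Za-z0-9_.-]+", value) else 2

def learn(urls):
    """Build allowlist rules per path: parameter -> (widest class, max length)."""
    rules = {}
    for url in urls:
        parts = urlsplit(url)
        params = rules.setdefault(parts.path, {})
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            cls, length = params.get(name, (0, 0))
            params[name] = (max(cls, char_class(value)), max(length, len(value)))
    return rules

def violations(rules, url, slack=2):
    """List every way a request falls outside the learned baseline."""
    parts = urlsplit(url)
    if parts.path not in rules:
        return ["unknown path"]
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in rules[parts.path]:
            found.append(f"unknown parameter {name}")
            continue
        cls, length = rules[parts.path][name]
        if char_class(value) > cls:
            found.append(f"{name}: unexpected value type")
        if len(value) > length * slack:
            found.append(f"{name}: too long")
    return found

def decide(rules, url, mode="warn"):
    """Warn reports a match but lets the request through; Block rejects it."""
    if not violations(rules, url):
        return "pass"
    return "alert" if mode == "warn" else "block"

# Constructed sample traffic, not taken from any real site.
LEARNED = ["/", "/item?id=101", "/item?id=2087",
           "/search?q=red+shoes&page=1", "/search?q=usb-c+cable&page=12"]
RULES = learn(LEARNED)

if __name__ == "__main__":
    for url in ["/item?id=101", "/item?id=not-a-number", "/search?q=mug&sort=price"]:
        print(url, decide(RULES, url, "warn"), violations(RULES, url))
```

The last request uses a `sort` parameter that never appeared in the learned traffic, so it is flagged even though it may be legitimate. In Warn mode this shows up only as an alert to review, which is the kind of false positive to look for before switching to Block.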