After you add a website to Web Application Firewall (WAF), you can enable the positive
security model for your website. The positive security model uses the machine learning
algorithms developed by Alibaba Cloud to automatically learn the normal traffic of
a website. The positive security model then generates custom protection rules for
the website based on the learning results.
Prerequisites
- A WAF instance is purchased. The instance runs the Enterprise edition or higher.
For more information, see Purchase a WAF instance.
- Your website is added to WAF.
For more information, see Tutorial.
Background information
Traditional protection methods protect websites from attacks based on detection rules.
The positive security model uses unsupervised learning to automatically learn the
traffic of a website. Then, the positive security model uses the model built by machine
learning algorithms to generate a standard security score and grade different requests.
Based on the request scores, the positive security model defines the baseline traffic
of the website and generates custom protection rules for the website. The positive
security model collaborates with other protection modules of WAF to defend against
attacks at different network layers.
Procedure
- Log on to the WAF console.
- In the top navigation bar, select the resource group and region to which the WAF instance
belongs. The region can be Mainland China or International.
- In the left-side navigation pane, choose .
- In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist.

- On the Web Security tab, find the Positive Security Model section and configure the following parameters.

| Parameter | Description |
| --- | --- |
| Status | The switch that is used to enable or disable the positive security model. |
| Mode | The action that you want to perform on requests when WAF detects attacks. Valid values: Warn (triggers alerts but does not block requests) and Block (blocks requests). Note: By default, the positive security model is set to the Warn mode. In this mode, WAF reports the requests that match the protection rules but does not block the requests. Before you set the mode to Block, we recommend that you study the data in security reports and make sure that the protection rules do not cause false positives. |

If this is the first time that you enable the positive security model for a website,
WAF uses the model built by machine learning algorithms to automatically learn the
historical traffic of the website. Then, WAF generates custom protection rules based
on the learning results to protect the website. The time that is required to initially
learn traffic varies based on the total amount of traffic. In most cases, WAF initially
learns the traffic of a website and generates protection rules within about one hour.
After WAF completes the learning process, WAF sends you a notification by using internal
messages, text messages, or emails.
Notice: If you disable the positive security model, the traffic learning results that are
generated become invalid. If you enable the positive security model again, the positive
security model needs to learn the traffic of your website again. If you upgrade your
WAF instance, the learning results of the positive security model are not affected.
If the traffic pattern of your website that is added to WAF changes, the learning
results can no longer be used. We recommend that you configure the positive security
model to learn the traffic of your website again. Traffic pattern changes include
a change in the service type of your website.
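
The following is an added illustration, not Alibaba Cloud's code or algorithm: a deliberately simplified positive security model in Python that learns a baseline from constructed sample traffic, flags requests that fall outside it, and applies the Warn or Block mode. The class and function names, paths and parameters are all assumptions made for the example.

```python
import re
from collections import defaultdict

def shape(value):
    """Reduce a value to a character-class signature: '1042' -> '9', 'red shoes' -> 'a a'."""
    return re.sub(r"[0-9]+", "9", re.sub(r"[A-Za-z]+", "a", value))

class PositiveModel:
    """Toy allowlist model (assumption: a stand-in, not the WAF's real algorithm)."""
    def __init__(self):
        self.profile = defaultdict(dict)  # path -> parameter name -> set of learned shapes

    def learn(self, path, params):
        for name, value in params.items():
            self.profile[path].setdefault(name, set()).add(shape(value))

    def deviations(self, path, params):
        """List how a request departs from the learned baseline (empty list = normal)."""
        if path not in self.profile:
            return ["unknown path " + path]
        found = []
        for name, value in params.items():
            shapes = self.profile[path].get(name)
            if shapes is None:
                found.append("unknown parameter " + name)
            elif shape(value) not in shapes:
                found.append("unusual value shape for " + name)
        return found

    def decide(self, path, params, mode="warn"):
        """Warn reports the request but lets it through; Block rejects it."""
        found = self.deviations(path, params)
        if not found:
            return "pass", found
        return ("block" if mode == "block" else "warn"), found

# Constructed sample traffic, used as the learning window.
BASELINE = [("/item", {"id": "1042"}), ("/item", {"id": "77"}),
            ("/search", {"q": "red shoes"}), ("/search", {"q": "laptop"})]

def build_model(traffic=BASELINE):
    model = PositiveModel()
    for path, params in traffic:
        model.learn(path, params)
    return model

if __name__ == "__main__":
    m = build_model()
    print(m.decide("/item", {"id": "9001"}))                    # within baseline
    print(m.decide("/item", {"id": "7 OR 1=1"}, mode="block"))  # off-baseline value
    print(m.decide("/checkout", {"cart": "c81"}))               # new, unlearned path
```

The `/checkout` request shows why a changed traffic pattern calls for relearning: legitimate traffic that the baseline never saw is flagged in Warn mode, and in Block mode it would be rejected.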