Using the Advanced Machine Learning Model


Last updated 2 months ago


About open-appsec's Machine Learning Models

open-appsec uses two machine learning models:

  1. A "Supervised Model" that was trained offline based on millions of requests, both malicious and benign.

  2. An "Unsupervised Model" that is being built in real time in the protected environment. This model uses traffic patterns specific to the environment.

For the supervised model (see above) there are two alternative options you can choose from:

  • A "Basic Model" is provided as part of the GitHub repository and the default installations. This is recommended for use in Monitor-Only and Test environments.

  • An "Advanced Model" can be downloaded from the open-appsec portal. This is more accurate and recommended for Production use.

How to Download the Advanced Machine Learning Model

To download and extract the open-appsec advanced machine learning model, follow these steps:

  • Log in to the open-appsec portal at my.openappsec.io.

  • Download the advanced machine learning model by going to: User Menu -> Download Advanced ML Model.

This model is updated from time to time, and you will get an email when these updates happen. When the model is updated, please redeploy the Advanced Machine Learning Model by downloading the new file and following the instructions below.

How to Deploy / Update the Advanced Machine Learning Model

To deploy and use open-appsec's advanced machine learning model, follow the instructions below for your specific environment:

Deployment and usage of the advanced model in Docker

  1. Create a folder called open-appsec-advance-model:

mkdir open-appsec-advance-model

  2. Copy the tgz file into the folder.

  3. Map this .tgz file into the appsec container as the file "/advanced-model/open-appsec-advanced-model.tgz" inside the container.

If you are using the docker run command to run the agent container, add a volume mount to the command as follows:

-v=./open-appsec-advance-model/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz:rw

See also the following example docker run command for the agent, to which the additional volume mount was added accordingly:

docker run --name=open-appsec-agent \
--ipc=host \
-v=<path-to-persistent-location-for-agent-config>:/etc/cp/conf \
-v=<path-to-persistent-location-for-agent-data-files>:/etc/cp/data \
-v=<path-to-persistent-location-for-agent-debugs-and-logs>:/var/log/nano_agent \
-v=<path-to-local-configuration-file>:/ext/appsec \
-v=./open-appsec-advance-model/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz:rw \
-e user_email=<add-your-email-here> \
-e https_proxy=<user:password@proxy-address:port> \
-it -d ghcr.io/openappsec/agent:latest /cp-nano-agent --standalone

If you are using docker compose to deploy open-appsec, add a volume mount under the agent container as follows:

- ./open-appsec-advance-model/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz:rw

See also the following example docker-compose file (used for deployment with NGINX Proxy Manager), to which the additional volume mount for the appsec-agent container was added accordingly:

version: '3.3'
# docker compose for npm open-appsec integration

services:
  appsec-npm:
    container_name: npm-attachment
    image: 'ghcr.io/openappsec/nginx-proxy-manager-attachment:latest'
    ipc: host
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      - ./appsec-logs:/ext/appsec-logs
      - ./appsec-localconfig:/ext/appsec

  appsec-agent:
    container_name: appsec-agent
    image: 'ghcr.io/openappsec/agent:latest'
    network_mode: service:appsec-npm
    ipc: host
    restart: unless-stopped
    environment:
      # adjust with your own email below
      - user_email=user@email.com
      - nginxproxymanager=true
      - autoPolicyLoad=true
    volumes:
      - ./appsec-config:/etc/cp/conf
      - ./appsec-data:/etc/cp/data
      - ./appsec-logs:/var/log/nano_agent
      - ./appsec-localconfig:/ext/appsec
      - ./open-appsec-advance-model/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz:rw
    command: /cp-nano-agent --standalone

  4. Run the agent container (if you already have a running agent container, make sure to redeploy it).

Deployment and usage of the advanced model in Kubernetes

  1. Create a config map from the tgz file in the relevant namespace:

      kubectl create configmap advanced-model-config --from-file open-appsec-advanced-model.tgz -n <namespace>

  2. Restart all open-appsec agent pods in the namespace of your open-appsec deployment by following the steps below:

    1. Get the open-appsec deployment name:

      kubectl get deployment -n <open-appsec deployment namespace>

    2. Restart the pods:

      kubectl rollout restart deployment <open-appsec deployment name> -n <open-appsec deployment namespace>

Deployment and usage of the advanced model with a Linux-embedded agent

  1. Create a folder under the following path in the root directory: /advanced-model

      mkdir -p /advanced-model

  2. Copy the .tgz file into the folder you created:

      cp ./open-appsec-advanced-model.tgz /advanced-model/open-appsec-advanced-model.tgz

  3. Deploy the embedded agent.

  4. If you already have an open-appsec agent:

    1. Complete steps 1-3.

    2. Run open-appsec-ctl --stop-agent

    3. Extract the model to the relevant folder by running tar -xzf /advanced-model/open-appsec-advanced-model.tgz -C /etc/cp/conf/waap

    4. Run open-appsec-ctl --start-agent
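
A pre-extraction check for step 4 of the Linux procedure above, added here as an example and not part of the open-appsec documentation or tooling: because the archive is unpacked into the agent's configuration folder, it lists the members first and refuses absolute paths, ".." components, links and special files. The function names and the --update switch are hypothetical; the paths and open-appsec-ctl options are the ones on this page.

```shell
#!/bin/sh
# Added example: inspect the model archive before extracting it into the agent's
# configuration folder. Function names and the --update switch are hypothetical.
MODEL_TGZ="${MODEL_TGZ:-/advanced-model/open-appsec-advanced-model.tgz}"  # from the page
WAAP_DIR="${WAAP_DIR:-/etc/cp/conf/waap}"                                # from the page

# Read member names on stdin; fail on absolute paths and ".." components.
names_are_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) echo "unsafe member: $name" >&2; return 1 ;;
        esac
    done
    return 0
}

# Succeed only if the archive lists cleanly, is not empty, keeps every member
# below the extraction folder, and holds nothing but files and directories.
archive_is_safe() {
    tgz=$1
    names=$(tar -tzf "$tgz") || { echo "unreadable archive: $tgz" >&2; return 1; }
    [ -n "$names" ] || { echo "empty archive: $tgz" >&2; return 1; }
    printf '%s\n' "$names" | names_are_safe || return 1
    # First character of each verbose listing line is the type: "-" file, "d" directory.
    types=$(tar -tvzf "$tgz" | cut -c1 | sort -u | tr -d '\n')
    case "$types" in
        *[!-d]*) echo "links or special files in: $tgz" >&2; return 1 ;;
    esac
    return 0
}

# Step 4 of the procedure above with the check placed before the agent is stopped.
update_model() {
    archive_is_safe "$MODEL_TGZ" || return 1
    open-appsec-ctl --stop-agent || return 1
    rc=0
    tar -xzf "$MODEL_TGZ" -C "$WAAP_DIR" || rc=$?
    open-appsec-ctl --start-agent    # restart the agent even if extraction failed
    [ "$rc" -eq 0 ] && open-appsec-ctl --status   # shows model type and version
    return "$rc"
}

if [ "${1:-}" = "--update" ]; then
    update_model
fi
```

Run the script with --update on the host after copying the new .tgz file to /advanced-model; a rejected archive leaves the running agent untouched.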

Adding the advanced model when building new agent code

  1. Clone the open-appsec agent GitHub repository (https://github.com/openappsec/openappsec).

  2. Extract the open-appsec-advanced-model.tgz file. On Linux you can do this by using the following command: tar -xvf open-appsec-advanced-model.tgz

  3. Copy the extracted files to the components/security_apps/waap/resources folder.

  4. Build the agent package or Docker by following the instructions in the GitHub repository README (https://github.com/openappsec/openappsec/blob/main/README.md).

Validate the use of the Advanced Model

The machine learning (AI) model version info is shown in the open-appsec-ctl tool from version 1.1.0 and onwards.

The machine learning AI model type and version being used can be validated using the command:

open-appsec-ctl --status

Figure: Output of open-appsec-ctl --status

The model being used by each agent can also be validated using the Agents tab in the web UI:

Figure: Agents tab in Web UI