Track Learning and Move From Learn/Detect to Prevent

Last updated 1 year ago


Initially it is recommended that open-appsec runs in Learn/Detect mode so that it can build an initial baseline of the application's traffic. When trusted sources are properly configured and the application receives a substantial amount of traffic, the learning period takes about 2-3 days.

Depending on the amount and variance of traffic, the machine learning engine (see Contextual Machine Learning under Concepts) reaches a stage where it has observed enough web requests to understand how the application is used. The sooner this stage is reached, the sooner detection is accurate, and at that point it is recommended to move to Prevent mode.

To shorten the learning period the engine proposes tuning suggestions. The administrator can review these suggestions and help the engine reach better accuracy; this human feedback is a form of supervised learning.

When a certain maturity level is reached, open-appsec advises moving to Prevent mode. This section explains how to track the learning level and how to tune the model so that it learns faster.

Understand The Learning Level

As HTTP requests are inspected, the open-appsec model advances through a series of learning levels, from Kindergarten up to PhD. Each level represents the maturity of the learning model, shows what is needed to reach the next level, and indicates when it is time to move from Learn/Detect to Prevent mode.

ℹ️ Hover over the Learning Level tooltip to see the current learning level and the next one. The 'Watch next?' section of the tooltip lists what is required to reach the next level. Factors that contribute positively to the learning process are: the number of trusted sources defined by the admin, the time elapsed, the amount of traffic inspected, the number of supervised learning (tuning) suggestions answered, and some other model parameters.

ℹ️ Hover over the Recommendation tooltip to see the current recommended action for the asset. The possible recommendations are listed under Step 2 below.

Step 1: Track the learning level

  1. Go to Assets and select the Asset you want to track.

  2. Select the Learn tab. This tab shows the learning statistics of the last 7 days, the Elapsed Time, the Learning Level and the Recommendation at this level.

In the example below the machine learning is at Kindergarten level and needs 999 additional HTTP requests and 6 additional learning hours to reach Primary School level.

When an agent enforcing open-appsec first sees a connection to the URL defined for a web application or web API (that is, when a new asset is added), a "Learning has started" banner is also shown at the top of the management web application.

Step 2: Learn the recommended action

Recommendation / Action Required

Keep Learning
    No action required. The machine learning model requires additional HTTP requests (and additional time).

Review Tuning Suggestions
    The learning mechanism has generated tuning suggestions. See the Tuning Suggestions section below to learn how to review them and decide whether the events are malicious or benign.

Prevent Critical Severity Events
    The system is ready to prevent critical severity events. Navigate to the Threat Prevention tab and change the Web Attacks practice Mode to Prevent for Critical Severity events.

Prevent High Severity And Above Events
    The system is ready to prevent high severity (and above) events. Navigate to the Threat Prevention tab and change the Web Attacks practice Mode to Prevent for High and above Severity events.

In the example below the Recommendation is Keep Learning, and additional HTTP requests are required to reach the next learning level.

Another example shows that sufficient learning has been achieved and the Recommendation is to Prevent High Severity And Above events. Since the Web Attacks practice is already in Prevent mode, the tooltip shows a 'Well done!' message.

Tuning Suggestions

The model may ask you to review certain events, called Tuning Suggestions. Providing feedback on these suggestions is not mandatory, as the engine is capable of learning by itself; doing so, however, lets the engine reach a higher maturity level, and therefore better accuracy, faster. Treat each decision as a security decision: marking a suggestion Benign teaches the model that this traffic pattern is legitimate, so confirm the source and the payload before doing so, and mark a suggestion Malicious only for traffic you want blocked once Prevent mode is enabled.

Step 1: Review Tuning Suggestions

  1. Go to Assets and select the Asset you want to review.

  2. Select the Learn tab. This tab shows Tuning Suggestions and Tuning Decisions.

  3. Review the proposed Tuning Suggestions.

Step 2: Provide feedback on the proposed Tuning Suggestions

  1. Click the Malicious or Benign button next to the line of the Tuning Suggestion. The Tuning Suggestion now moves to the Tuning Decisions list.

Step 3: Review the new recommended action

  1. Go back to Step 2: Learn the recommended action in the previous section to learn what to do next to improve the learning process.

Move To Prevent Mode

Follow these steps when it is time to change the Practice mode from Learn/Detect to Prevent.

  1. Go to Assets and select the Asset you wish to protect.

  2. Select the Learn tab and examine the recommendation.

  3. Select the Events tab and examine the Critical and High events for the asset from the last 1-2 days. These are the events that would have been blocked in Prevent mode; check whether any of them are legitimate application traffic.

  4. Select the Threat Prevention tab and change the mode to Prevent.

  5. You can further tune the sensitivity to block either High or above or only Critical events.

    • Set the level based on the recommendation in the Learn tab as well as your impression of the events during the last day of the learning period.

    • You can also start with Critical for a few days, examine the events, and then move to High or above.

  6. Enforce the policy.

ℹ️ When the learning level reaches Graduate, it is recommended to change the asset mode to Prevent for either High confidence and above or Critical confidence events. Graduate level ensures a very good level of accuracy (i.e. a low rate of false positives). To reach Master or PhD level it is necessary to configure Trusted Sources. PhD is the highest level; once it is reached, additional learning is unlikely to improve the model further.

If needed, right-click on an event and add an Exception for traffic that the machine learning engine may have misclassified (exceptions can be based on the URI, source identifier, parameter, and more). See the documentation on custom rules and exceptions for details.
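The steps above are described for the management Web UI. For a locally managed agent (Linux or Docker) the same transition is made in the local policy file instead. The fragment below is an added example, not part of this page and not a file shipped by the open-appsec project: it shows one asset kept in Learn/Detect beside one asset moved to Prevent (still learning) with a conservative confidence threshold, plus the trusted-source definition the Master/PhD levels require and an exception of the kind described in the last paragraph. Field names follow the v1beta1 local policy format as I understand it; the host, practice, trusted-source and exception names, the URL and the parameter are placeholders, and the file should be checked against the Local Policy File (Advanced) page before use.

```yaml
# Added example (assumed v1beta1 local_policy.yaml layout); names and hosts are placeholders.
policies:
  default:
    # Every asset not matched by a specific rule keeps learning:
    # events are logged, nothing is blocked.
    mode: detect-learn
    practices:
      - webapp-default-practice
    triggers:
      - appsec-default-log-trigger
    custom-response: appsec-default-web-user-response
    source-identifiers: ""
    trusted-sources: ""
    exceptions: []
  specific-rules:
    # One asset whose Learn tab reached Graduate level: move it to Prevent while it
    # keeps learning (prevent-learn); everything else stays on the default rule.
    - host: "app.example.com"
      mode: prevent-learn
      practices:
        - webapp-prevent-practice
      triggers:
        - appsec-default-log-trigger
      custom-response: appsec-default-web-user-response
      source-identifiers: ""
      trusted-sources: example-trusted-sources
      exceptions:
        - example-search-exception

# Only the web-attacks engine is shown; a real file also carries the other engine
# sections (openapi-schema-validation, snort-signatures, anti-bot) and size limits
# from the default policy file.
practices:
  - name: webapp-default-practice
    web-attacks:
      override-mode: detect-learn      # the "before" state: Learn/Detect
      minimum-confidence: high
  - name: webapp-prevent-practice
    web-attacks:
      override-mode: prevent-learn     # Prevent, still learning
      # Start conservatively: block only Critical confidence events for a few days,
      # review the events, then lower this to "high" (High and above).
      minimum-confidence: critical

# Trusted sources are required to reach Master/PhD level: request patterns seen from
# at least minNumOfSources of these sources are treated as legitimate by the engine.
trusted-sources:
  - name: example-trusted-sources
    minNumOfSources: 3
    sourcesIdentifiers:
      - 10.0.0.0/8

# Exception for traffic the model misclassified during the event review:
# accept the "q" parameter of the search endpoint instead of blocking it.
exceptions:
  - name: example-search-exception
    action: accept
    url: /api/v1/search
    paramName: q
```

The point of the two practices is that the change to Prevent is made per asset and per confidence level, exactly as the Learn tab recommends it: an asset that has not reached Graduate stays on `webapp-default-practice`, and the exception is scoped to one URL and one parameter rather than disabling inspection for the host.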