Fortinet black logo

Administration Guide

Viewing anomaly detection log

Viewing anomaly detection log

There are new attack logs for anomaly detection model violations. The anomaly detection log has the following sub-types:

  • Definite Anomaly in http argument
  • Potential Anomaly in http argument
  • HTTP Method violation
  • Charset detect failed

When machine learning detects an attack, the "Definite Anomaly in http argument" or "Potential Anomaly in http argument" attack logs will be generated. Click an attack to view more information about that attack in the far-right panel.

Detailed Information

Anomaly Detection Information (bar chart)

The illustration below shows the anomaly values of HMM probability and argument length for the argument in a bar chart. The green bar represents the average values of the learned samples for the argument; the yellow bar represents the anomaly values for the current argument. Comparing it with the average values, you can easily see how abnormal the argument is.

Attack Detection Information

The illustration shows the threat analysis results. Using this information, you can see what kind of attack the argument could include. Anomaly detection model may detect multiple attack types in one argument. There are three suspicious levels as shown in the pie chart.

The chart above reports two kinds of attack types: Cross-site Scripting and Local File Inclusion/Remote File Inclusion. The system treats the Cross Site Scripting attack as more suspicious.

Add additional samples from attack logs

If the attack reported by the model is wrongly detected as an anomaly and should be the categorized to regular traffic, you can click This is not a threat!. The system will include this newly added sample into the sample set and rebuild the model, so that the traffic which has the similar characteristics with this sample will not be reported as attacks anymore.

This process may take one or two minutes, and FortiWeb will not detect machine-learning anomalies at this process.

The added samples will be displayed as Additional Samples in the Parameter View.

Adjust machine-learning model

You can adjust an anomaly detection model by clicking the Operation button. It has two options: Refresh the Model and Goto Argument Setting.

Button Description
Refresh the Model

Clicking this button lets the system to relearn the argument related to the HMM model. This discards all the learned data for the argument. The HMM learning stage for the argument will be changed to Collecting from Running.

Goto Argument Setting

Clicking this button to display the dialog where you can adjust the argument related to anomaly detection.

Machine Learning HTTP Method Violation

The attack log below shows HTTP Method Violation.

From the right panel, you can see which HTTP method was learned by the anomaly detection module.

The anomaly detection log sub-type "Charset detect failed" is triggered when the machine learning module fails to detect the argument charset. In the case, the system is unable to work for the argument. You must check to see if there are such logs when the anomaly detection model is not working properly.

Aggregate machine-learning log

There are also aggregation logs for anomaly detection in Aggregation Attacks, as illustrated below.

.

Enable packet log for machine-learning attack logs

There is also a packet log for machine-learning attack logs. It is enabled by default. You can enable packet log for anomaly detection attack logs from the GUI, as shown below.

Viewing anomaly detection log

There are new attack logs for anomaly detection model violations. The anomaly detection log has the following sub-types:

  • Definite Anomaly in http argument
  • Potential Anomaly in http argument
  • HTTP Method violation
  • Charset detect failed

When machine learning detects an attack, the "Definite Anomaly in http argument" or "Potential Anomaly in http argument" attack logs will be generated. Click an attack to view more information about that attack in the far-right panel.

Detailed Information

Anomaly Detection Information (bar chart)

The illustration below shows the anomaly values of HMM probability and argument length for the argument in a bar chart. The green bar represents the average values of the learned samples for the argument; the yellow bar represents the anomaly values for the current argument. Comparing it with the average values, you can easily see how abnormal the argument is.

Attack Detection Information

The illustration shows the threat analysis results. Using this information, you can see what kind of attack the argument could include. Anomaly detection model may detect multiple attack types in one argument. There are three suspicious levels as shown in the pie chart.

The chart above reports two kinds of attack types: Cross-site Scripting and Local File Inclusion/Remote File Inclusion. The system treats the Cross Site Scripting attack as more suspicious.

Add additional samples from attack logs

If the attack reported by the model is wrongly detected as an anomaly and should be the categorized to regular traffic, you can click This is not a threat!. The system will include this newly added sample into the sample set and rebuild the model, so that the traffic which has the similar characteristics with this sample will not be reported as attacks anymore.

This process may take one or two minutes, and FortiWeb will not detect machine-learning anomalies at this process.

The added samples will be displayed as Additional Samples in the Parameter View.

Adjust machine-learning model

You can adjust an anomaly detection model by clicking the Operation button. It has two options: Refresh the Model and Goto Argument Setting.

Button Description
Refresh the Model

Clicking this button lets the system to relearn the argument related to the HMM model. This discards all the learned data for the argument. The HMM learning stage for the argument will be changed to Collecting from Running.

Goto Argument Setting

Clicking this button to display the dialog where you can adjust the argument related to anomaly detection.

Machine Learning HTTP Method Violation

The attack log below shows HTTP Method Violation.

From the right panel, you can see which HTTP method was learned by the anomaly detection module.

The anomaly detection log sub-type "Charset detect failed" is triggered when the machine learning module fails to detect the argument charset. In the case, the system is unable to work for the argument. You must check to see if there are such logs when the anomaly detection model is not working properly.

Aggregate machine-learning log

There are also aggregation logs for anomaly detection in Aggregation Attacks, as illustrated below.

.

Enable packet log for machine-learning attack logs

There is also a packet log for machine-learning attack logs. It is enabled by default. You can enable packet log for anomaly detection attack logs from the GUI, as shown below.