Fortinet black logo

Version:

7.2.2
7.2.1
7.2.0

Version:

7.0.6
7.0.5
7.0.4

Version:

7.0.4
7.0.3
7.0.2

Version:

7.0.1
7.0.0
6.4.2

Version:

6.4.1
6.4.0
6.3.19

Version:

6.3.18
6.3.17
6.3.16

Version:

6.3.15
6.3.14
6.3.13

Version:

6.3.11
6.3.10
6.3.9

Version:

6.3.7
6.3.6
6.3.5

Version:

6.3.4
6.3.3
6.3.2

Version:

6.3.1
6.3.0
6.2.5

Version:

6.2.4
6.2.3
6.2.2

Version:

6.2.1
6.2.0
6.1.2

Version:

6.1.1
5.7.0
5.6.1

Version:

5.6.0
5.6.0

Table of Contents

Administration Guide

6.1.1
7.2.2
7.2.1
7.2.0
7.0.6
7.0.5
7.0.4
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.2
6.4.1
6.4.0
6.3.19
6.3.18
6.3.17
6.3.16
6.3.15
6.3.14
6.3.13
6.3.11
6.3.10
6.3.9
6.3.7
6.3.6
6.3.5
6.3.4
6.3.3
6.3.2
6.3.1
6.3.0
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.2
6.1.1
5.7.0
5.6.1
5.6.0
5.6.0
Download PDF
Copy Link

Configuring anomaly detection profiles

Anomaly detection profiles are part of a server policy. They are created on the Policy > Sever Policy page. All anomaly detection profiles that you create will show up on the Machine Learning > Anomaly Detection page, where you can configure or edit them to your preference.

To configure an anomaly detection profile:

  1. Click Machine Learning > Anomaly Detection .
  2. Double-click the server policy that contains the desired anomaly detection profile (or highlight it and then click the Edit button on top of the page) to open it. The Edit Anomaly Detection Configuration page opens, which breaks down anomaly detection profile into several sections, each of which has various parameters you can use to configure the profile.
  3. Follow the instructions in the following subsections to configure an anomaly detection profile.
  4. Click OK when done.

 

Sections & Parameters Function
HMM Parameter Model Update
Sample Collection mode

Normal: up to 5000 samples will be collected to build a machine learning model for the parameter. The default sample collection mode is Normal.

Fast: up to 2500 samples will be collected to build a machine learning model for the parameter.

2500/5000 is the maximum number. If the system observes an obvious pattern of HTTP request behavior for this parameter, or there are enough valid samples to build a machine learning model, the system will stop collection and start building model even though the number of samples hasn't reached 2500/5000 yet.
Dynamically update when parameters change

Applications change frequently as new URLs are added and existing parameters provide new functions. This means the mathematical model of the same parameter might be different from what FortiWeb originally observed during the collection phase. In this case, FortiWeb needs to re-learn the parameter and updates the mathematical model for it.

Enable this option to automatically update the mathematical models of the parameters when they are changed.

Application Change Sensitivity

This option appears when you enable Dynamically update when parameters change.

The system uses boxplots to determine whether a parameter has changed. The boxplot displays the probability distribution of the parameter value. During sample collection period, the system generates 2 or 4 boxplots. After machine learning model is built, the system will keep on generating new boxplots to display the probability distribution of the new inputs. If the probability distribution area of the newly generated boxplot doesn't overlap with any one of the sample boxplots, the system determines this parameter has changed.

For more information on boxplots, see Probability Boxplots.

Depending on the Application Change Sensitivity level, the system triggers model update when it observes different extent of overlapping area.

  • Low—The system triggers model update only when the entire data distribution area (from the maximum value to the minimum value, that is, the entire area containing all the data) of the new boxplot doesn't have any overlapping part with that of the sample boxplots.
  • Medium—The system triggers model update if the notch area (the median rectangular area in the boxplot where most of the data is located) of the new boxplot doesn't have any overlapping part with the entire data distribution areas of the sample boxplots.
  • High—The system triggers model update as long as the notch area of the new boxplot doesn't have any overlapping part with that of the sample boxplots.
Update parameter model when number of boxplots do not overlap

This option appears when you enable Dynamically update when parameters change.

The default value is 2, which means if 2 newly generated boxplots don't overlap with any one of the sample boxplots, FortiWeb automatically updates the machine learning model.

You can set a value from 1 to 3.

Anomaly Detection Settings
Strictness Level for Anomaly

The machine learning model judges whether a request is normal or not based on its HMM probability and the length of the parameter value.

You can set the strictness level for the model. The value of the strictness level ranges from 0.1 to 1.0. The higher the value, the more anomalies will be triggered. For example, 0.1 means that the 0.1% of all samples with the largest HMM probability and length will be treated as anomalies.
Threat Model
View Threat Models

The system scans anomalies to verify whether they are attacks. It provides a method to check whether an anomaly is a real attack by the trained Support Vector Machine Model.

Click the View Threat Models link to enable or disable threat models for different types of threats such as cross-site scripting, SQL injection and code injection. Currently, seven trained Support Vector Machine Model are provided for seven attack types.

HTTP Method Setting
HTTP Method

This option is enabled by default, which means the system will build machine learning models and detect anomalies for Allow Methods. If an HTTP request method is used by more than 1% requests of the overall sample requests, the machine learning model will allow this method in the Allow Method Settings.

If certain methods should be treated as normal, but in the meanwhile they are too rarely used to touch the 1% threshold, it's suggested to use the set allow-method-exceptions command to exclude them from the machine learning model. In this way, the system will allow these methods. For more information on this command, see the config waf machine-learning-policy in FortiWeb CLI Reference Guide.

You can also disable this option, which means the machine learning will not learn and verify the HTTP method.
Action Settings
Action

All requests are scanned first by HMM and then by Threat model.

Double click the cells in the Action Settings table to choose the action FortiWeb takes when attack is verified for each of the following situations:

  • Alert—Accepts the connection and generates an alert email and/or log message.
  • Alert & Deny—Blocks the request (or resets the connection) and generates an alert and/or log message.
  • Period Block—Blocks the request for a certain period of time.
Block Period

Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds. The default value is 60 seconds.

This option only takes effect when you choose Period Block in Action.

Severity

Select the severity level for this anomaly type. The severity level will be displayed in the alert email and/or log message.
Trigger Action

Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If potential or definite anomaly or HTTP Method Violation is detected, it will trigger the system to send email and/or log messages according to the trigger policy.

URL Replacer Policy

Select the name of the URL Replacer Policy that you have created in Machine Learning Templates.

If web applications have dynamic URLs or unusual parameter styles, you must adapt URL Replacer Policy to recognize them.

If you have not created an URL Replacer Policy yet, you can leave this option empty for now, and then edit this profile later when the URL Replacer Policy is created. For more information on URL Replacer Policy, see Configure a URL replacer rule

Allow sample collection for domains

Add domains in this table so that the system will collect samples and generate machine learning models for these domains.

Here's what you can do:

  • Click a domain or click the (View Domain) button in the Action column to view machine learning reports for that specific domain. See Viewing domain data
  • Click the (Refresh) button in the Action column to refresh the corresponding domain. Note:Refreshing deletes all existing learning results.
  • Click the (Export) button in the Action column to export the machine learning data of this domain.
  • Click Create New to add more domains to let FortiWeb perform sample collection and intrusion detection on those domains. You can use wildcard * to represent multiple domains. Refer to Maximum number of ADOMs, policies, & server pools per appliance for the maximum domain number supported by the Machine Learning feature for your FortiWeb Model.
  • Click Delete to remove the selected domain(s). Note: This will remove all machine-learning results related to those domain(s) as well.
  • Click Import to import the machine learning data from your local directory to FortiWeb

IP List Type and Source IP list

Add IP ranges in the Source IP list, then select Trust or Black to allow or disallow collecting traffic data samples from these IP addresses.

  • Trust: The system will collect samples only from the IP ranges in the Source IP list.
  • Black: The system will collect sample from any IP addresses except the ones in the Source IP list.

Whether selecting Trust or Black, if you leave the Source IP list blank, the system will collect traffic data samples from any IP addresses. The maximum number of samples collected from each random IP address is 30. You can change the maximum value through CLI command waf machine-learning-policy.

If you select Trust, then add IP ranges in the Source IP list, the sample collection limit will not take effect, which means FortiWeb will collect traffic data samples only from the specified IP ranges and will not limit the number of samples.

Previous
Next

Configuring anomaly detection profiles

Anomaly detection profiles are part of a server policy. They are created on the Policy > Sever Policy page. All anomaly detection profiles that you create will show up on the Machine Learning > Anomaly Detection page, where you can configure or edit them to your preference.

To configure an anomaly detection profile:

  1. Click Machine Learning > Anomaly Detection .
  2. Double-click the server policy that contains the desired anomaly detection profile (or highlight it and then click the Edit button on top of the page) to open it. The Edit Anomaly Detection Configuration page opens, which breaks down anomaly detection profile into several sections, each of which has various parameters you can use to configure the profile.
  3. Follow the instructions in the following subsections to configure an anomaly detection profile.
  4. Click OK when done.

 

Sections & Parameters Function
HMM Parameter Model Update
Sample Collection mode

Normal: up to 5000 samples will be collected to build a machine learning model for the parameter. The default sample collection mode is Normal.

Fast: up to 2500 samples will be collected to build a machine learning model for the parameter.

2500/5000 is the maximum number. If the system observes an obvious pattern of HTTP request behavior for this parameter, or there are enough valid samples to build a machine learning model, the system will stop collection and start building model even though the number of samples hasn't reached 2500/5000 yet.
Dynamically update when parameters change

Applications change frequently as new URLs are added and existing parameters provide new functions. This means the mathematical model of the same parameter might be different from what FortiWeb originally observed during the collection phase. In this case, FortiWeb needs to re-learn the parameter and updates the mathematical model for it.

Enable this option to automatically update the mathematical models of the parameters when they are changed.

Application Change Sensitivity

This option appears when you enable Dynamically update when parameters change.

The system uses boxplots to determine whether a parameter has changed. The boxplot displays the probability distribution of the parameter value. During sample collection period, the system generates 2 or 4 boxplots. After machine learning model is built, the system will keep on generating new boxplots to display the probability distribution of the new inputs. If the probability distribution area of the newly generated boxplot doesn't overlap with any one of the sample boxplots, the system determines this parameter has changed.

For more information on boxplots, see Probability Boxplots.

Depending on the Application Change Sensitivity level, the system triggers model update when it observes different extent of overlapping area.

  • Low—The system triggers model update only when the entire data distribution area (from the maximum value to the minimum value, that is, the entire area containing all the data) of the new boxplot doesn't have any overlapping part with that of the sample boxplots.
  • Medium—The system triggers model update if the notch area (the median rectangular area in the boxplot where most of the data is located) of the new boxplot doesn't have any overlapping part with the entire data distribution areas of the sample boxplots.
  • High—The system triggers model update as long as the notch area of the new boxplot doesn't have any overlapping part with that of the sample boxplots.
Update parameter model when number of boxplots do not overlap

This option appears when you enable Dynamically update when parameters change.

The default value is 2, which means if 2 newly generated boxplots don't overlap with any one of the sample boxplots, FortiWeb automatically updates the machine learning model.

You can set a value from 1 to 3.

Anomaly Detection Settings
Strictness Level for Anomaly

The machine learning model judges whether a request is normal or not based on its HMM probability and the length of the parameter value.

You can set the strictness level for the model. The value of the strictness level ranges from 0.1 to 1.0. The higher the value, the more anomalies will be triggered. For example, 0.1 means that the 0.1% of all samples with the largest HMM probability and length will be treated as anomalies.
Threat Model
View Threat Models

The system scans anomalies to verify whether they are attacks. It provides a method to check whether an anomaly is a real attack by the trained Support Vector Machine Model.

Click the View Threat Models link to enable or disable threat models for different types of threats such as cross-site scripting, SQL injection and code injection. Currently, seven trained Support Vector Machine Model are provided for seven attack types.

HTTP Method Setting
HTTP Method

This option is enabled by default, which means the system will build machine learning models and detect anomalies for Allow Methods. If an HTTP request method is used by more than 1% requests of the overall sample requests, the machine learning model will allow this method in the Allow Method Settings.

If certain methods should be treated as normal, but in the meanwhile they are too rarely used to touch the 1% threshold, it's suggested to use the set allow-method-exceptions command to exclude them from the machine learning model. In this way, the system will allow these methods. For more information on this command, see the config waf machine-learning-policy in FortiWeb CLI Reference Guide.

You can also disable this option, which means the machine learning will not learn and verify the HTTP method.
Action Settings
Action

All requests are scanned first by HMM and then by Threat model.

Double click the cells in the Action Settings table to choose the action FortiWeb takes when attack is verified for each of the following situations:

  • Alert—Accepts the connection and generates an alert email and/or log message.
  • Alert & Deny—Blocks the request (or resets the connection) and generates an alert and/or log message.
  • Period Block—Blocks the request for a certain period of time.
Block Period

Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds. The default value is 60 seconds.

This option only takes effect when you choose Period Block in Action.

Severity

Select the severity level for this anomaly type. The severity level will be displayed in the alert email and/or log message.
Trigger Action

Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If potential or definite anomaly or HTTP Method Violation is detected, it will trigger the system to send email and/or log messages according to the trigger policy.

URL Replacer Policy

Select the name of the URL Replacer Policy that you have created in Machine Learning Templates.

If web applications have dynamic URLs or unusual parameter styles, you must adapt URL Replacer Policy to recognize them.

If you have not created an URL Replacer Policy yet, you can leave this option empty for now, and then edit this profile later when the URL Replacer Policy is created. For more information on URL Replacer Policy, see Configure a URL replacer rule

Allow sample collection for domains

Add domains in this table so that the system will collect samples and generate machine learning models for these domains.

Here's what you can do:

  • Click a domain or click the (View Domain) button in the Action column to view machine learning reports for that specific domain. See Viewing domain data
  • Click the (Refresh) button in the Action column to refresh the corresponding domain. Note:Refreshing deletes all existing learning results.
  • Click the (Export) button in the Action column to export the machine learning data of this domain.
  • Click Create New to add more domains to let FortiWeb perform sample collection and intrusion detection on those domains. You can use wildcard * to represent multiple domains. Refer to Maximum number of ADOMs, policies, & server pools per appliance for the maximum domain number supported by the Machine Learning feature for your FortiWeb Model.
  • Click Delete to remove the selected domain(s). Note: This will remove all machine-learning results related to those domain(s) as well.
  • Click Import to import the machine learning data from your local directory to FortiWeb

IP List Type and Source IP list

Add IP ranges in the Source IP list, then select Trust or Black to allow or disallow collecting traffic data samples from these IP addresses.

  • Trust: The system will collect samples only from the IP ranges in the Source IP list.
  • Black: The system will collect sample from any IP addresses except the ones in the Source IP list.

Whether selecting Trust or Black, if you leave the Source IP list blank, the system will collect traffic data samples from any IP addresses. The maximum number of samples collected from each random IP address is 30. You can change the maximum value through CLI command waf machine-learning-policy.

If you select Trust, then add IP ranges in the Source IP list, the sample collection limit will not take effect, which means FortiWeb will collect traffic data samples only from the specified IP ranges and will not limit the number of samples.

Previous
Next