Administration Guide

Viewing anomaly detection log

There are new attack logs for anomaly detection model violations. The anomaly detection log has the following sub-types:

  • Anomaly in http argument
  • HTTP Method violation
  • Charset detect failed

When machine learning detects an attack, attack logs are generated in Log & Report. Click an attack to view more information about it in the far-right panel.

Anomaly Detection Information (bar chart)

The illustration below shows the anomaly values of HMM probability and argument length for the argument in a bar chart. The green bar represents the average values of the learned samples for the argument; the yellow bar represents the anomaly values for the current argument. Comparing it with the average values, you can easily see how abnormal the argument is.

Attack Detection Information

The illustration shows the threat analysis results. Using this information, you can see what kind of attack the argument could include. The anomaly detection model may detect multiple attack types in one argument. There are three levels of suspicion, as shown in the pie chart.

The chart above reports two kinds of attack types: Cross-site Scripting and Local File Inclusion/Remote File Inclusion. The system treats the Cross-site Scripting attack as more suspicious.

Add additional samples from attack logs

If the attack reported by the model is wrongly detected as an anomaly and should be categorized as regular traffic, you can click "This is not a threat!". The system adds this sample to the sample set and rebuilds the model, so that traffic with characteristics similar to this sample will no longer be reported as attacks.

This process may take one or two minutes, and FortiWeb will not detect machine-learning anomalies during this process.

The added samples will be displayed as Additional Samples in the Parameter View.

Adjust machine-learning model

You can adjust an anomaly detection model by clicking the Operation button. It has three options: Rebuild the Model, Relearn the Model, and Goto Argument Setting.

| Button | Description |
|---|---|
| Rebuild the Model | Clear the preceding model, and then begin collecting new samples and build the models again. The samples collected for the previous model will be discarded. |
| Relearn the Model | Clear the preceding model, and then begin collecting more samples to build the model. The samples collected for the previous model will not be discarded. They will be reused to build the new model. |
| Goto Argument Setting | Click this button to display the dialog where you can adjust the argument related to anomaly detection. |

Machine Learning HTTP Method Violation

The attack log below shows HTTP Method Violation.

From the right panel, you can see which HTTP method was learned by the anomaly detection module.

The anomaly detection log sub-type "Charset detect failed" is triggered when the machine learning module fails to detect the argument charset. In that case, the system is unable to work for the argument. You must check whether such logs exist when the anomaly detection model is not working properly.
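One way to run that check over exported attack logs, as an added example that is not part of the FortiWeb documentation: it tallies the three anomaly detection sub-types and lists the arguments that hit "Charset detect failed". The key=value layout and the field names `type`, `sub_type`, `http_url` and `arg_name` are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Sub-type names exactly as this page lists them.
ML_SUBTYPES = ("Anomaly in http argument", "HTTP Method violation",
               "Charset detect failed")
CANON = {s.lower(): s for s in ML_SUBTYPES}   # tolerate case differences

# key=value or key="quoted value" pairs; this layout is an assumption.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample export. Field names are assumptions, not a documented schema.
SAMPLE_LOG = """\
date=2024-01-10 time=09:00:01 type=attack sub_type="Anomaly in http argument" http_url="/login" arg_name="user"
date=2024-01-10 time=09:00:07 type=attack sub_type="HTTP Method violation" http_url="/api/items" http_method="PUT"
date=2024-01-10 time=09:01:12 type=attack sub_type="Charset detect failed" http_url="/search" arg_name="q"
date=2024-01-10 time=09:01:15 type=attack sub_type="Charset detect failed" http_url="/search" arg_name="q"
date=2024-01-10 time=09:02:30 type=attack sub_type="SQL Injection" http_url="/search" arg_name="id"
date=2024-01-10 time=09:02:31 type=traffic http_url="/index.html"
date=2024-01-10 time=09:03:02 type=attack sub_type="charset detect failed" http_url="/profile" arg_name="bio"
"""

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {k: quoted or bare for k, quoted, bare in PAIR.findall(line)}

def triage(log_text):
    """Return (count per ML sub-type, {(url, arg): charset failures})."""
    counts = Counter()
    unmodelled = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        sub_type = CANON.get(rec.get("sub_type", "").lower())
        if rec.get("type") != "attack" or sub_type is None:
            continue  # not an anomaly detection log
        counts[sub_type] += 1
        if sub_type == "Charset detect failed":
            # The model cannot work for this argument, so record which one.
            unmodelled[(rec.get("http_url", "?"), rec.get("arg_name", "?"))] += 1
    return counts, unmodelled

if __name__ == "__main__":
    counts, unmodelled = triage(SAMPLE_LOG)
    for name in ML_SUBTYPES:
        print(f"{counts[name]:3d}  {name}")
    for (url, arg), n in unmodelled.most_common():
        print(f"charset undetected: {url} arg={arg} ({n} logs)")
```

Arguments that appear in the second result are the ones the model is not evaluating, so they are where to look first when anomaly detection seems to miss traffic.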

Aggregate machine-learning log

There are also aggregation logs for anomaly detection in Aggregation Attacks, as illustrated below.

Enable packet log for machine-learning attack logs

There is also a packet log for machine-learning attack logs. It is enabled by default. You can enable the packet log for anomaly detection attack logs from the GUI, as shown below.
