Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

chaithanya_dileep
F5 Employee
F5 Employee

on ‎04-Sep-2022 17:00 - edited on ‎15-Nov-2022 13:16 by Community Manager

Introduction: 

Web Application Firewall (WAF) has evolved to protect web applications from attack. A signature-based WAF responds to threats through the implementation of application-specific detection rules which block malicious traffic. These managed rules work extremely well for patterns of established attack vectors, as they have been extensively tested to minimize both false negatives and false positives.  

Most of the Web Applications development is concentrated to deliver services seamlessly rather than integrating security services to tackle recent or every security attack. Some applications might have a logic or an operation that looks suspicious and might trigger a WAF rule. But that is how applications are built and made to behave depending on their purpose. Under these circumstances WAF considers requests to these areas as attack, which is truly not, and the respective attack signature is invoked which is called as False Positive. Though the requests are legitimate WAF blocks these requests. 

It is tedious to update the signature rule set which requires greater human effort. AI/ML helps to solve this problem so that the real user requests are not blocked by WAF.  

This article aims to provide configuration of WAF along with Automatic attack signature tuning to suppress false positives using AI/ML model. 

 

A More Intelligent Solution: 

F5 Distributed Cloud (F5 XC) AI/ML model uses self-learning probabilistic machine learning model that suppresses false positives triggered by Signature Engine.  

AI/ML is a tool that identifies the false positives triggered by signature engine and acts as an additional layer of intelligence, which automatically suppresses false positives based on a Machine learning model without human intervention. This model minimizes false positives and helps to determine the probability that triggered the particular signature is evidence of an attack or just an error or a change in how users interact with the application. This model is trained using vast amount of benign and an attack traffic of real time customer log. AI/ML model does not rely on human involvement to understand operational patterns and user interactions with Web Application. Hence it saves a lot of human effort.  

 

Step by step procedure to enable attack signature tuning to supress false positives 

These are the steps to enable attack signatures and its accuracy 

  1. Create a firewall by enabling Automatic attack signatures 
  2. Assign the firewall to Load Balancer 

 

Step 1: Create an App Firewall 

  • Navigate to F5 XC Console Home > Load Balancers > Security > App Firewall and click on Add App Firewall 
  • Enter valid name for Firewall and Navigate to Detection Settings 
  • Select Security Policy as “Custom” with in the Detection settings and select Automatic Attack Signatures Tuning “Enable” as shown below,  
  • Select Signature Selection by Accuracy as “High and Medium” from the dropdown. 
  • Scroll down to the bottom and click on “Save and Exit” button. 

Fig 1: Security policy settings to enable Automatic Attack Signature TuningFig 1: Security policy settings to enable Automatic Attack Signature Tuning

Steps 2: Assigning the Firewall to the Load Balancer 

  • From the F5 XC Console homepage, Navigate to Load Balancers > Manage > Load Balancers > HTTP load balancer 
  • Select the load balancer to which above created Firewall to be assigned.  
  • Click on menu in Actions column of app Load Balancer and click on Manage Configurations as shown below to display load balancer configs. 

Fig 2: Selecting menu to manage configurations for load balancerFig 2: Selecting menu to manage configurations for load balancer

  • Once Load Balancer configurations are displayed click on Edit configuration button on the top right of the page.  
  • Navigate to Security Configuration settings and choose Enable in dropdown of Web Application Firewall (WAF)  
  • Assign the Firewall to the Load Balancer which is created in step 1 by selecting the name from the Enable dropdown as shown below,  
  • Scroll down to the bottom and click on “Save and Exit” button, with this Firewall is assigned to Load Balancer. 

Fig 3: Assigning firewall to the load balancerFig 3: Assigning firewall to the load balancer

Step 3: Verify the auto supressed signatures for false positives 

  • From the F5 XC Console homepage, Navigate to Web App and API Protection > Apps & APIs > Security and select the Load Balancer 
  • Select Security Events and click on Add filter 
  • Enter the key word Signatures.states and select Auto Supressed. 
  • Displayed logs shows the Signatures that are auto supressed by AI/ML Model. 

chaithanya_dileep_3-1660657133990.png

Fig 4: F5 XC Auto suppress attack signature Abuse of Functionality.Fig 4: F5 XC Auto suppress attack signature Abuse of Functionality.

Fig 5: Attack Signature is Auto Suppressed.Fig 5: Attack Signature is Auto Suppressed.

 

Conclusion: 

With the additional layer of intelligence to the signature engine F5 XC's AI/ML model can automatically suppresses false positives without human intervention. Customer can be less concerned about their activities of application that look suspicious which in turns to be actual behaviour and hence the legitimate requests are not blocked by this model. Decisions are based on enormous amount of real data fed to the system to understand application and user’s behaviour which makes this model more intelligent.  

Labels:
Comments
sokkhiang
Nimbostratus
Nimbostratus
‎08-Sep-2022 07:19

Does the AI/ML for signature tuning is also available in BIG-IP AWAF?

0 Kudos
chaithanya_dileep
F5 Employee
F5 Employee
‎24-Sep-2022 06:33

@sokkhiang As of now this feature is available in F5 XC only. 

Nikoolayy1
MVP
MVP
‎14-Feb-2023 00:56

@chaithanya_dileep  Thanks for the article and you already mentioned that F5 BIG-IP does not have such an option but what about F5 AWAF/ASM "False Positive Mode" (https://support.f5.com/csp/article/K20132133 ) ? Isn't it based on this or it is a different ML learning algorithm?

0 Kudos
Leslie_Hubertus
Community Manager
Community Manager
‎15-Feb-2023 08:31

Hey @Nikoolayy1  - fyi @chaithanya_dileep is double-checking some details related to differences in how false positives are handled by F5 XC and BIG IP, and will reply to you soon. 🙂

chaithanya_dileep
F5 Employee
F5 Employee
‎28-Feb-2023 02:04

HI @Nikoolayy1  We use different methods to detect false positves in BIG IP and F5 XC. BIG IP uses Policy Builder Functionality to identify whether the request is false positive or not. It is based on configs provided in BIG IP and it is not based on AI or ML algorithm as of now. In F5 XC, AI/ML algorithm will decide whether the request is False Positive are not.

Version history
Last update:
‎15-Nov-2022 13:16
Updated by:
Community Manager
Copyright © 2023 Khoros, LLC