on 04-Sep-2022 17:00 - edited on 15-Nov-2022 13:16 by JRahm
Web Application Firewalls (WAFs) have evolved to protect web applications from attack. A signature-based WAF responds to threats by applying application-specific detection rules that block malicious traffic. These managed rules work extremely well for patterns of established attack vectors, as they have been extensively tested to minimize both false negatives and false positives.
Most web application development concentrates on delivering services seamlessly rather than on integrating security services to tackle recent, or every, security attack. Some applications might have logic or an operation that looks suspicious and might trigger a WAF rule, but that is how the application is built and meant to behave for its purpose. Under these circumstances the WAF treats requests to these areas as an attack when they are not, and the corresponding attack signature is triggered. This is called a false positive: the requests are legitimate, yet the WAF blocks them.
Updating the signature rule set is tedious and requires considerable human effort. AI/ML helps solve this problem so that real user requests are not blocked by the WAF.
This article covers configuring a WAF with automatic attack signature tuning, which uses an AI/ML model to suppress false positives.
The F5 Distributed Cloud (F5 XC) AI/ML model is a self-learning probabilistic machine learning model that suppresses false positives triggered by the signature engine.
The AI/ML model identifies the false positives triggered by the signature engine and acts as an additional layer of intelligence, automatically suppressing them based on a machine learning model without human intervention. The model minimizes false positives and helps determine the probability that a request which triggered a particular signature is evidence of an attack, or just an error or a change in how users interact with the application. The model is trained on a vast amount of benign and attack traffic from real-time customer logs. It does not rely on human involvement to understand operational patterns and user interactions with the web application, so it saves a lot of human effort.
These are the steps to enable attack signatures and tune their accuracy:
Step 1: Create an App Firewall
Fig 1: Security policy settings to enable Automatic Attack Signature Tuning
Step 2: Assign the Firewall to the Load Balancer
Fig 2: Selecting menu to manage configurations for load balancer
Fig 3: Assigning firewall to the load balancer
Step 3: Verify the auto-suppressed signatures for false positives
Fig 4: F5 XC Auto suppress attack signature Abuse of Functionality.
Fig 5: Attack Signature is Auto Suppressed.
With this additional layer of intelligence on top of the signature engine, F5 XC's AI/ML model can automatically suppress false positives without human intervention. Customers can be less concerned about application activity that looks suspicious but turns out to be actual behaviour, because the model does not block these legitimate requests. Decisions are based on an enormous amount of real data fed to the system to understand application and user behaviour, which makes the model more intelligent.
@chaithanya_dileep Thanks for the article. You already mentioned that F5 BIG-IP does not have such an option, but what about F5 AWAF/ASM "False Positive Mode" (https://support.f5.com/csp/article/K20132133)? Isn't it based on this, or is it a different ML learning algorithm?
Hey @Nikoolayy1 - fyi @chaithanya_dileep is double-checking some details related to differences in how false positives are handled by F5 XC and BIG IP, and will reply to you soon. 🙂
Hi @Nikoolayy1 We use different methods to detect false positives in BIG IP and F5 XC. BIG IP uses Policy Builder Functionality to identify whether the request is a false positive or not. It is based on configs provided in BIG IP and it is not based on an AI or ML algorithm as of now. In F5 XC, the AI/ML algorithm will decide whether the request is a False Positive or not.