Parameter View displays anomaly detection statistics for all the parameters. Click the parameter name in the left-side navigation bar to see details for this parameter.
Parameter Name: The name of the parameter.
HMM Learning Stage: The stage which the HMM learning process is in. It can be one of the following:
- Collecting—The system is collecting data samples.
- Building—Sample collection is completed, and is building the mathematical models.
- Running—The system enters this stage after the testing has completed successfully. FortiWeb will use this mathematical model to evaluate all new samples for this argument. If the samples are anomalies, the system will employ the second anomaly detection layer to verify whether the anomaly is an attack and take the corresponding action.
- Discarded—FortiWeb has determined that it cannot build a mathematical model for these parameters, and therefore will not use anomaly detection to protect them.
Collected Samples: The number of samples collected during the sample collection period.
Please note that the diagrams introduced below are available only when the status is in running stage.
Distribution of Anomalies triggered by HMM
This diagram displays the anomalies in red and the legitimate requests in blue. The system judges whether a request is legitimate or not based on its probability and the length of the parameter value.
Anomaly Strictness Level Details
The system uses the following formula to calculate whether a sample is an anomaly:
The probability of the anomaly > μ + the strictness level * σ
If the probability of the sample is larger than the value of "μ + the strictness level * σ", this sample will be identified as anomaly.
μ and σ are calculated based on the probabilities of all the samples collected during the sample collection period, where μ is the average value of all the parameters' probabilities, σ is the standard deviation. They are fixed values. So, the value of "μ + the strictness level * σ" varies with the strictness level you set. As shown in the following diagram, the dotted red line (that is, the value of "μ + the strictness level * σ") stays at the position where the strictness level is set to 3, as in μ + 3σ. If the strictness level is set to a smaller value, then the dotted red line will move closer to the center, which may cause some samples to be detected as anomaly. In a word, the smaller the value of the strictness level is, the more strict the anomaly detection model will be.
Manage anomaly-detecting settings
You can use the following options to experiment on the strictness levels.
Inherit global settings: Select this option if you want this parameter to inherit the strictness level you have set for the domains in the anomaly detection policy.
Custom settings: Select this option if you want a different strictness level for this parameter. Specify different values and observe the movement of dotted red line in the Anomaly Strictness Level Details diagram. Choose an appropriate value to get the most optimistic detection accuracy, meanwhile the normal samples are not be falsely detected as anomalies.
Test Sample : Click Test Sample, then enter a parameter value to verify whether it will be detected as an anomaly at the current strictness level.
Actions you can take on any parameter
There is a configuration button which, when clicked, will open a drop-down menu with the following options.
|Rebuild Parameter||Clear the preceding mathematical model for the parameter, and then begin collecting new samples and build the models again. The samples collected for the previous model will be discarded.|
|Discard||Discards this parameter and does not re-build it. This will disable the learning for this parameter and bypass anomaly detection all together for this parameter.|
|Export||Export the mathematical model for this parameter to a file. You can import the model to arbitrary URL. See Import under Parameter View|
Noisy samples are the abnormal samples detected during the sample collection period. They are excluded from the samples used to build the anomaly detection model.
If you believe a sample is falsely detected as a noise, you can click the status icon to exclude it from noisy samples, so that it can be re-admitted to build the anomaly detection model.
The samples which have been recognized as anomalies. The list may change as new strictness settings are applied.
These are the samples manually added from the attack logs. For more information, see Add additional sample from attack logs.
The anomaly detection events, such as sample collection, model running, building and testing, along with the time periods when these events take place. These events are also displayed in the anomaly detection Events dashboard in Overview tab.