Graphic Airlock Secure Acces Hub

Anomaly Shield

Detecting bots with machine learning

Field of application


  • Countering automated attacks 
  • Detection and mitigation of undesired bot activity such as content scraping, denial of service, credential stuffing, etc.
  • Forechecking: Deterring hackers in the reconnaissance phase, e.g. by preventing vulnerability scans.

How Airlock Anomaly Shield works

Airlock Anomaly Shield learns during deployment how real users of an application behave. In order to optimise the precision and effectiveness, the raw data is processed and aggregated in a space-saving way prior to the unsupervised learning. The machine learning models generated in the training phase accurately map the characteristics of the business application. During operation, all active sessions are permanently compared with the learned behaviour. If the deviation is too large, the session is marked as an outlier. Whether an anomaly is only logged or whether the session is terminated and the IP address blocked can be controlled separately for each application.

Test license

Your are an Airlock Gateway customer? Just request the test license here: 


Request test-license

It's that easy

See how easy it is to set up the Airlock Anomaly Shield in our Quick Start Guide.


  • Quick setup without data science know-how:
    Configuration and maintenance are possible within minutes, even without any machine learning knowledge.
  • Defence against unknown types of attacks:
    The application-specific training results in a positive security model. As a result, unknown bots or zero-day attacks can also be detected because the protection is not based on signatures.
  • 100 % data protection and control:
    Neither the training data nor the anomaly decisions ever leave the Airlock Gateway cluster.
  • Adjustable sensitivity:
    In case of an increase in false positives/negatives, the sensitivity can be adjusted for each sensor.
  • High throughput:
    The anomaly detection takes place in the background and is decoupled from the normal request flow. A delay of the data traffic is excluded by the asynchronous assessment.



In just 20 minutes and without any machine learning knowledge, we were able to achieve significantly higher protection for our applica- tions thanks to the Airlock Anomaly Shield. This changeover was not noticeable to the user due to the same data throughput..

Florian Christberger, Team Manager Network Services at Bühler

To the reference

What are malicious bots?

Characteristics and examples

Malicious bot characteristics

Malicious bots often behave very similarly to human users. Nevertheless, they can be recognised by their behaviour over time.

The following anomalies occur very frequently when analysing bot traffic:

  • Unusually large number of requests within a short period of time
  • Unexpectedly high error rate or bounce rate
  • Abnormal sequence of page views
  • Irregular sender addresses or TLS sessions

Vulnerability Scanner

Hackers use automated tools to find vulnerable systems. With the help of bots, they often scan many systems simultaneously for possible security vulnerabilities. The individual steps of a scan are often not clearly recognisable as an attack - after all, the attacker wants to stay under the radar for as long as possible.

Web and API Scraping

In content scraping, a bot downloads all the content of a website, often with the aim of abusing the data obtained. Here, too, the attacker makes an effort to pretend to be a normal user. However, to cope with the large amount of data, many more page views are required. Airlock Anomaly Shield was developed to combat such scraping attacks and other types of malicious traffic.

Credential Stuffing

Credential stuffing exploits that the same password is often used for multiple services for laziness. Attackers can thus attempt to compro- mise user accounts by trying stolen credentials on many systems. A strong protection against credential stuffing is to detect bots. Two-factor authentication or CAPTCHAs can also be considered as countermeasures, but these are often perceived as a hassle by end users.

Denial-of-Service Attacks

In a denial-of-service (DoS) attack, a malicious actor attempts to make a service inaccessible to its intended users. The system is flooded with application requests until normal traffic can no longer be processed. Through behavioural analysis, DoS attacks can be detected at the application level and stopped before they set up damage.

Complete Bot Protection

For optimal application protection, the combination of various bot management functions in Airlock Secure Access Hub® is recommended:

  • Threat IntelligenceBrightCloud Threat Intelligence Service from Webroot uses real-time reputational data to block rogue IP addresses.
  • Rate limiting and DoS protection: If the number of requests or sessions per IP is particularly high, DoS protection prevents applications from being overloaded. Especially with APIs, the data throughput is also limited depending on the user identity.
  • Upfront authentication: To ensure that only authorised users can access the application, unidentified visitors are redirected to the Airlock IAM login page, for example.
  • Bot Management: Detects bots and requires that all callers return cookies. Many automated bots cannot pass this hurdle because they do not have a cookie store. Search engine bots must also access from the IP range of the respective search engine. In the event of repeated violations of the security rules within a short period of time, an IP is placed in quarantine. During the quarantine, no  more requests are accepted from these IP adresses.

You want to know more?

Watch our webinar recording about the Anomaly Shield

Ready for excellent IT security?

Contact us now.
Ergon Informatik AG+41 44 268 87 00

Information for you

-Our whitepapers-

Study Application and API Security 2022

In a recent study in cooperation with CIO, CSO and COMPUTERWOCHE, Ergon Airlock looked at application and API security in the container environment.

Request study

Zero Trust is a journey

The digital transformation of the world continues to progress, and it is profoundly affecting private life and job profiles in a manner that was hard to imagine just a few years ago.

This whitepaper covers the effects of continuous digitization and its implications.

Request free of charge

Toward DevSecOps

In this whitepaper, you will learn the most important insights into how you can successfully and efficiently implement DevSecOps, which security components are required for this, and what benefits a microgateway architecture brings.

Request free of charge

Airlock 2FA - Strong Authentication. Easy.

The two-factor authentication in the area of IT security offers double the security.

Find out more about strong authentication and the possibilities that Airlock offers in our whitepaper.

Request free of charge

Further whitepapers

We provide whitepapers on these and other topics free of charge:

  • successful IAM projects
  • Compliance
  • Data protection (GDPR)
  • Introduction of PSD2
  • PCI DSS requirements
Request free of charge