
Anomaly Shield

Detecting bots with machine learning

Field of application


  • Countering automated attacks 
  • Detection and mitigation of undesired bot activity such as content scraping, denial of service, credential stuffing, etc.
  • Forechecking: Deterring hackers in the reconnaissance phase, e.g. by preventing vulnerability scans.

How Airlock Anomaly Shield works

Airlock Anomaly Shield learns during deployment how the real users of an application behave. To optimise precision and effectiveness, the raw data is processed and aggregated in a space-saving form before the unsupervised learning step. The machine learning models generated in the training phase accurately map the characteristics of the business application. During operation, all active sessions are continuously compared with the learned behaviour. If the deviation is too large, the session is marked as an outlier. Whether an anomaly is only logged, or whether the session is terminated and the IP address blocked, can be controlled separately for each application.

Test license

You are an Airlock Gateway customer? Just request the test license here:


Request test-license

It's that easy

See how easy it is to set up the Airlock Anomaly Shield in our Quick Start Guide.

Advantages

  • Quick setup without data science know-how:
    Configuration and maintenance are possible within minutes, even without any machine learning knowledge.
  • Defence against unknown types of attacks:
    The application-specific training results in a positive security model. As a result, unknown bots or zero-day attacks can also be detected because the protection is not based on signatures.
  • 100 % data protection and control:
    Neither the training data nor the anomaly decisions ever leave the Airlock Gateway cluster.
  • Adjustable sensitivity:
    In case of an increase in false positives/negatives, the sensitivity can be adjusted for each sensor.
  • High throughput:
    The anomaly detection takes place in the background and is decoupled from the normal request flow. Because the assessment is asynchronous, it never delays the data traffic.

References

Bühler

In just 20 minutes and without any machine learning knowledge, we were able to achieve significantly higher protection for our applications thanks to the Airlock Anomaly Shield. This changeover was not noticeable to the user due to the same data throughput.

Florian Christberger, Team Manager Network Services at Bühler

To the reference

What are malicious bots?

Characteristics and examples

Malicious bot characteristics

Malicious bots often behave very similarly to human users. Nevertheless, they can be recognised by their behaviour over time.

The following anomalies occur very frequently when analysing bot traffic:

  • Unusually large number of requests within a short period of time
  • Unexpectedly high error rate or bounce rate
  • Abnormal sequence of page views
  • Irregular sender addresses or TLS sessions
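The learn-then-compare approach described under "How Airlock Anomaly Shield works", applied to the first three signals in the list above, can be sketched as a small scoring routine. The following Python is an added example and is not Airlock code: the log format, the three per-session features, the z-score threshold, the training-session selection and the sample sessions are all constructed for the illustration.

```python
"""Added illustration: flag sessions whose behaviour deviates from sessions learned as normal.

Not Airlock code. Log format, features, sample sessions and the threshold are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed access log, one request per line: "<session> <seconds> <method> <path> <status>".
# s1..s3 are ordinary users; "bot" enumerates order ids at machine speed.
SAMPLE_LOG = """\
s1 0 GET /login 200
s1 12 POST /login 200
s1 40 GET /account 200
s1 95 GET /orders 200
s2 3 GET /login 200
s2 20 POST /login 200
s2 60 GET /account 200
s2 130 GET /orders 200
s3 1 GET /login 200
s3 30 POST /login 302
s3 70 GET /account 200
s3 110 GET /orders 200
bot 0 GET /orders?id=1 200
bot 1 GET /orders?id=2 404
bot 1 GET /orders?id=3 404
bot 2 GET /orders?id=4 404
bot 2 GET /orders?id=5 404
bot 3 GET /orders?id=6 200
"""

# Three of the four anomaly types listed above: request volume, error rate, page-view sequence.
# Sender-address / TLS irregularities are not modelled here.
FEATURES = ("req_per_min", "error_rate", "unknown_transition_rate")


def parse_log(text):
    """Group log lines by session as (seconds, path-without-query, status), sorted by time."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        sid, ts, _method, url, status = line.split()
        sessions[sid].append((int(ts), urlsplit(url).path, int(status)))
    for events in sessions.values():
        events.sort()
    return dict(sessions)


def session_features(events, known_transitions):
    """Aggregate one session's requests into numeric features (the space-saving step)."""
    n = len(events)
    duration = max(events[-1][0] - events[0][0], 1)  # seconds; a single request counts as 1 s
    errors = sum(1 for _, _, status in events if status >= 400)
    transitions = [(a[1], b[1]) for a, b in zip(events, events[1:])]
    unknown = sum(1 for t in transitions if t not in known_transitions)
    return {
        "req_per_min": n / duration * 60,
        "error_rate": errors / n,
        "unknown_transition_rate": unknown / len(transitions) if transitions else 0.0,
    }


def fit_baseline(sessions, training_ids, std_floor=0.05):
    """Unsupervised 'training': record normal page transitions and each feature's mean/spread."""
    known = set()
    for sid in training_ids:
        ev = sessions[sid]
        known.update((a[1], b[1]) for a, b in zip(ev, ev[1:]))
    samples = [session_features(sessions[sid], known) for sid in training_ids]
    stats = {}
    for name in FEATURES:
        values = [s[name] for s in samples]
        # std_floor keeps a feature that never varied in training from dividing by zero
        stats[name] = (mean(values), max(pstdev(values), std_floor))
    return {"known_transitions": known, "stats": stats}


def score_session(events, baseline):
    """Largest positive z-score across features; only 'more than normal' counts as suspicious."""
    feats = session_features(events, baseline["known_transitions"])
    return max((feats[name] - m) / s for name, (m, s) in baseline["stats"].items())


def detect_outliers(log_text, training_ids, sensitivity=3.0):
    """Return the ids of sessions whose deviation exceeds the sensitivity threshold."""
    sessions = parse_log(log_text)
    baseline = fit_baseline(sessions, training_ids)
    return sorted(sid for sid, ev in sessions.items()
                  if score_session(ev, baseline) > sensitivity)


if __name__ == "__main__":
    print(detect_outliers(SAMPLE_LOG, {"s1", "s2", "s3"}))  # ['bot']
```

The `sensitivity` parameter plays the role of the adjustable per-sensor sensitivity mentioned under "Advantages": raising it trades fewer false positives for a later detection of slow, low-volume bots, which is why a production system would tune it per application rather than globally.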

Vulnerability Scanner

Hackers use automated tools to find vulnerable systems. With the help of bots, they often scan many systems simultaneously for possible security vulnerabilities. The individual steps of a scan are often not clearly recognisable as an attack - after all, the attacker wants to stay under the radar for as long as possible.

Web and API Scraping

In content scraping, a bot downloads all the content of a website, often with the aim of abusing the data obtained. Here, too, the attacker makes an effort to pretend to be a normal user. However, to cope with the large amount of data, many more page views are required. Airlock Anomaly Shield was developed to combat such scraping attacks and other types of malicious traffic.

Credential Stuffing

Credential stuffing exploits the fact that, out of convenience, the same password is often reused across multiple services. Attackers can thus attempt to compromise user accounts by trying stolen credentials on many systems. Detecting bots is a strong protection against credential stuffing. Two-factor authentication or CAPTCHAs can also be considered as countermeasures, but these are often perceived as a hassle by end users.

Denial-of-Service Attacks

In a denial-of-service (DoS) attack, a malicious actor attempts to make a service inaccessible to its intended users. The system is flooded with application requests until normal traffic can no longer be processed. Through behavioural analysis, DoS attacks can be detected at the application level and stopped before they cause damage.

Complete Bot Protection

For optimal application protection, the combination of various bot management functions in Airlock Secure Access Hub® is recommended:

  • Threat Intelligence: BrightCloud Threat Intelligence Service from Webroot uses real-time reputational data to block rogue IP addresses.
  • Rate limiting and DoS protection: If the number of requests or sessions per IP is particularly high, DoS protection prevents applications from being overloaded. Especially with APIs, the data throughput is also limited depending on the user identity.
  • Upfront authentication: To ensure that only authorised users can access the application, unidentified visitors are redirected to the Airlock IAM login page, for example.
  • Bot Management: Detects bots and requires that all callers return cookies. Many automated bots cannot pass this hurdle because they do not have a cookie store. Search engine bots must also access from the IP range of the respective search engine. In the event of repeated violations of the security rules within a short period of time, an IP is placed in quarantine. During the quarantine, no more requests are accepted from these IP addresses.
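The rate-limiting bullet and the bot-management bullet above (callers must return the cookie; repeated rule violations within a short period put the IP in quarantine, during which no requests are accepted) can be combined into one per-IP decision routine. The following Python is an added example and is not Airlock's implementation: every threshold (requests per window, violation count and window, quarantine duration, the grace for cookie-less first contacts) is a constructed parameter, and the search-engine IP-range check is left out.

```python
"""Added illustration: per-IP bot-management decisions (cookie check, rate limit, quarantine).

Not Airlock's implementation. All thresholds are constructed parameters.
"""
from collections import defaultdict, deque


class IpGuard:
    """Decide per request whether an IP is allowed, challenged, rate-limited or quarantined."""

    def __init__(self, max_requests=5, window=10, max_violations=3,
                 violation_window=60, quarantine=300, cookie_grace=2):
        self.max_requests = max_requests        # requests allowed per `window` seconds
        self.window = window
        self.max_violations = max_violations    # violations within `violation_window` -> quarantine
        self.violation_window = violation_window
        self.quarantine = quarantine            # seconds an IP stays quarantined
        self.cookie_grace = cookie_grace        # cookie-less requests tolerated before a violation
        self.requests = defaultdict(deque)      # ip -> timestamps of recent requests
        self.violations = defaultdict(deque)    # ip -> timestamps of recent violations
        self.cookieless = defaultdict(int)      # ip -> consecutive requests without the cookie
        self.quarantined_until = {}             # ip -> time at which the quarantine ends

    def check(self, ip, now, cookie_returned=True):
        """Return "allow", "challenge", "rate_limited" or "quarantined" for one request."""
        until = self.quarantined_until.get(ip)
        if until is not None:
            if now < until:
                return "quarantined"        # nothing is accepted while quarantined
            del self.quarantined_until[ip]  # quarantine has expired
        if not cookie_returned:
            # A real browser has no cookie on first contact: set it and ask for a retry.
            # Callers that keep arriving without it (no cookie store) become violators.
            self.cookieless[ip] += 1
            if self.cookieless[ip] <= self.cookie_grace:
                return "challenge"
            return self._violation(ip, now, "challenge")
        self.cookieless[ip] = 0
        recent = self.requests[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop requests outside the window
            recent.popleft()
        if len(recent) > self.max_requests:
            return self._violation(ip, now, "rate_limited")
        return "allow"

    def _violation(self, ip, now, verdict):
        """Record a rule violation; repeated violations in a short time trigger quarantine."""
        recent = self.violations[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.violation_window:
            recent.popleft()
        if len(recent) >= self.max_violations:
            recent.clear()
            self.cookieless[ip] = 0
            self.quarantined_until[ip] = now + self.quarantine
            return "quarantined"
        return verdict


def replay(events, **params):
    """Run (ip, seconds, cookie_returned) tuples through a fresh guard; return the verdicts."""
    guard = IpGuard(**params)
    return [guard.check(ip, t, cookie) for ip, t, cookie in events]


if __name__ == "__main__":
    # Constructed scenario: a caller that never returns the cookie is quarantined on the
    # third violation, after the two tolerated first contacts.
    print(replay([("203.0.113.7", t, False) for t in range(6)]))
```

The decoupling of "violation" from "quarantine" is the point worth copying: a single burst or a missing cookie on first contact is answered with a cheap challenge or a rate-limit response, and only a pattern of violations inside `violation_window` escalates to a blanket block, which keeps ordinary users who reload a page a few times out of quarantine.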

You want to know more?

Watch our webinar recording about the Anomaly Shield

Ready for excellent IT security?

Contact us now.
Ergon Informatik AG
+41 44 268 87 00

Information for you

-Our whitepapers-

Executive View: KuppingerCole - Airlock Secure Access Hub for applications and APIs

This KuppingerCole Executive View report provides an architectural and functional overview of the Airlock Secure Access Hub, an integrated platform for secure access management - a multicloud-native security tool for web applications, APIs and beyond.


Fill out the form now and receive Executive View!

Whitepaper: Security for cloud-native applications

You can read about how companies can ensure the security of web applications and APIs in Kubernetes in the white paper "Security for cloud-native applications", which was created in collaboration between heise and Airlock.


Request whitepaper

Whitepaper: Zero Trust is a journey

The ongoing digital transformation of the world is progressing and having a profound impact on our personal and professional lives in ways that were difficult to imagine just a few years ago.


This white paper discusses the effects of continuous digitalization and its impact.

Request free of charge

Off to DevSecOps

In this white paper, you will learn the most important insights into how you can implement DevSecOps successfully and efficiently, which security components are required for this and the advantages of a microgateway architecture.


Request free of charge

Airlock 2FA - Strong authentication. Simple.

Double security - this is what two-factor authentication offers in the field of IT security.


Find out more about strong authentication and the possibilities offered by Airlock in our white paper.

Download for free

Further whitepapers

We provide you with free white papers on these and other topics:


  • Successful IAM projects
  • Compliance
  • Data protection (DSGVO)
  • Introduction of PSD2
  • PCI DSS requirements

Request free of charge