Currently, most web application firewalls on the market use regex rules and semantics rules as the detection methods. As the two methods have inherent limitations, "false positives" and "false negatives" cannot be completely avoided. To solve this problem, Tencent Cloud Web Application Firewall (WAF) leverages machine-learning-based cyberattack detection technology. Leveraging the self-learning, self-evolution, and adaptation capabilities of the AI engine, WAF can maximize the detection success rate and capture rate for known and unknown threats, minimize false positives, and flexibly adapt to ever-changing web applications.
When the AI engine learns the payload of a submitted false positive, it will take some time to change the state from unlearned to learned.
After the AI engine learns the payload of the submitted false positive, you can check whether this parameter will trigger false positives again on the Online AI Verification page.
Add a false negative
When the payload of an attack is missed by the AI engine (false negative), you can click Add False Negative to add the corresponding false negative information to the false negative list. The following example uses the parameter a with the value admin^*$.
Process the false negative in the AI engine
Click the AI False Negative Processing tab to view the added false negative records. You can also manually add a false negative to the list. In the status column, click Learn. The AI engine will then update the model and optimize the algorithm based on the false negative information.
When the AI engine learns the payload of a submitted false negative, it will take some time to change the state from unlearned to learned.
After the AI engine learns the payload of the submitted false negative, you can check whether this parameter will trigger false negatives again on the Online AI Verification page.
The AI engine uses a strict mode with the highest protection level.
The AI engine can learn from the feedback you manually provide in the console and also supports self-learning at the backend.
We recommend that you run the AI engine in "Observe" mode for a certain period of time (such as 20 days) before switching to "Block" mode. If you enable "Block" mode directly, occasional false positives may result.
The AI engine and the rule engine operate in series. A malicious request that the rule engine blocks is never forwarded to the AI engine for detection. A request that the rule engine allows is forwarded to the AI engine, which can then detect and block it.
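The following is an added illustrative model of the flow described above (rule engine first, then the AI engine; false positive and false negative feedback that only takes effect once its state is "learned"; "Observe" versus "Block" mode). It is not Tencent Cloud WAF code: the rule patterns, the stand-in AI verdict and the sample payloads are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed regex rules standing in for the rule engine.
RULE_ENGINE = [re.compile(p, re.I) for p in (r"union\s+select", r"<script")]


@dataclass
class AiEngine:
    mode: str = "observe"   # "observe" only logs, "block" blocks
    # payload -> (kind, state); kind is "false_positive" or "false_negative",
    # state moves from "unlearned" to "learned" when Learn is applied.
    feedback: dict = field(default_factory=dict)

    def submit(self, kind: str, payload: str) -> None:
        """Add feedback from the console; it starts in the unlearned state."""
        self.feedback[payload] = (kind, "unlearned")

    def learn(self, payload: str) -> None:
        """Model the Learn action: the engine now honours this feedback."""
        kind, _ = self.feedback[payload]
        self.feedback[payload] = (kind, "learned")

    def is_attack(self, payload: str) -> bool:
        kind, state = self.feedback.get(payload, (None, None))
        if state == "learned":
            # Learned feedback overrides the model's own verdict.
            return kind == "false_negative"
        # Constructed stand-in for the model: flag SQL/shell metacharacters.
        return bool(re.search(r"[;|`'\"]", payload))


def inspect(payload: str, ai: AiEngine) -> str:
    """Return 'rule_block', 'ai_block', 'ai_log' or 'pass' for one parameter value."""
    if any(rule.search(payload) for rule in RULE_ENGINE):
        return "rule_block"           # blocked before the AI engine ever sees it
    if ai.is_attack(payload):
        return "ai_block" if ai.mode == "block" else "ai_log"
    return "pass"
```

Running `inspect("admin^*$", ai)` before and after `ai.submit("false_negative", "admin^*$")` plus `ai.learn("admin^*$")` shows the feedback only taking effect once learned.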
False positive submission methods:
(1) On the AI False Positive Processing page, manually add a false positive.
(2) On the Online AI Verification page, confirm that a verified payload is a false positive and submit it.
(3) On the left sidebar, choose Web Application Firewall -> Attack Log, click the log entry whose attack type is "Detected by AI Engine", confirm that this attack is a false positive, and add it to the list.
When false positives occur for multiple requests of the same type, you only need to add one of them as a false positive.
False negative submission methods:
(1) On the AI False Negative Processing page, manually add a false negative.
(2) On the Online AI Verification page, confirm that a verified payload is a false negative and submit it.
If a submitted false positive or false negative later turns out to be incorrect, select it on the AI False Positive Processing or AI False Negative Processing page and click Delete to remove it.