The Attack Feature Detection (AFD) functionality in the Cequence Unified API Protection (UAP) platform uses machine learning (ML) to identify and analyze patterns in malicious traffic. The AFD ML models can generate new policies and rules in response to malicious traffic.
These capabilities make the AFD functionality useful in bot mitigation, API abuse detection, fraud prevention, and compliance.
When and where to run AFD
The typical use case for an AFD run is when your environment encounters a traffic spike where the traffic is largely malicious. Running the ML model can offer insights into the nature of the attack and provide actionable options to make your environment more resilient to that particular type of traffic. The Detection dashboard, which you reach by navigating to Threat Protection > Detection, provides information on the nature and composition of your traffic.
This figure shows an example traffic spike. Seeing unusual traffic patterns can be evidence of an attack, and running AFD on those patterns can help establish the nature of the attack and how to respond.
The anomalous traffic spans from 5PM on June 12 through 8PM on June 12. You can perform an AFD run on this traffic to learn more about the attack, and to generate rules and policies to mitigate attacks that use similar traffic patterns. A basic AFD run requires two elements: a time range of the traffic to analyze, and a way to specify the host or attack. You can specify a set of attack fingerprints or a set of URIs.
When you start the run, the ML model analyzes the 24 hours prior to the start of the suspect traffic to establish a baseline expectation for benign traffic. You can also specify a particular time range for this baseline, but it's not required. The ML model then analyzes the time range with the suspect traffic. The results look like the following figure.
The ML model has generated a new rule and a new policy based on that rule. When the ML model creates a new policy, that policy is based on a decision rule. The results page for an ML model run lists the following characteristics of a decision rule.
- Recall: The percentage of traffic identified as malicious. High Recall means there are fewer false negatives, or malicious traffic incorrectly marked as benign.
- False Positive rate: The percentage of traffic identified as malicious that is actually benign. A high rate of false positives means the rule is misidentifying a large amount of traffic.
- Precision: The percentage of traffic identified as malicious that is actually malicious. High Precision means there are fewer false positives, or false alarms.
- F score: A combined metric based on Precision and Recall. Higher values indicate a better balancing of precision and recall.
- Good samples: Number of benign traffic samples that the rule would erroneously identify as malicious.
- Bad Samples: Number of malicious traffic samples that the rule would correctly identify as malicious.
The run also provides a summary of training data at the bottom of the results report.
The Top Actionable Rules section has rules that will perform similarly to the one the model has used for the new policy. You can examine those rules in light of your use case and select a different one to use for a custom policy if you decide it's a better fit. You can make new custom policies by navigating to Threat Protection > Mitigation Policies and clicking Add New Policy.
Keep in mind that policies created by an ML model are inactive by default. To activate a policy, navigate to Threat Protection > Mitigation Policies, then use the search field in the Filters configuration dialog box to find the new policy. Each policy has a unique number. In the case of this example, the new policy is Attack Feature Detection - 1075. Once you've located the policy, select the toggle to activate the policy.
Runs without results
When a run isn't able to generate a mitigation rule, the results page looks similar to this example. Note particularly the statement No decision rules found in the Model Results pane.
Performing a basic AFD run
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Machine Learning Models.
  The list of ML models appears. Models you can manually run are tagged User Executable.
- Click Attack Feature Detection.
  A list of former runs of this model appears.
- In the top right corner, click Run.
  The configuration dialog box appears.
- Type start and end timestamps in the Bad Time Range field.
  Hover on the chart to see details about the traffic at a given time.
- Choose a run characteristic. You must specify at least one characteristic for a run. A characteristic is either a set of endpoints or a set of fingerprints.
  - To use endpoints, type a comma-separated list of endpoints.
    An endpoint is the URI of an API in your organization.
  - To use fingerprints, type a comma-separated list of fingerprints.
    To see a list of fingerprints, navigate to Threat Protection > Detection and select Fingerprint from the Group By drop-down.
- Click Run.
  The ML model analyzes traffic from the time window you specified.
Advanced settings for runs
To use advanced settings for an AFD ML model run, click Advanced Settings in the run configuration dialog box.
- Rules to include for bad traffic: A comma-separated list of rules. These rules are used to identify malicious traffic during the run.
- Rules to exclude for bad traffic: A comma-separated list of rules. The run ignores these rules when examining traffic.
- Minimum and maximum confidence: Taken together, these two values specify a confidence range. Confidence represents the certainty that a particular transaction is malicious.
- Good time range: You can specify a window of time to use to establish a baseline for what benign traffic looks like. By default, the AFD ML model examines one day of traffic for this baseline.
- Rules to include for good traffic: A comma-separated list of rules. These rules are used to identify benign traffic during the run.
- Rules to exclude for good traffic: A comma-separated list of rules. The run ignores these rules when examining traffic.
- Maximum false positive rate: When generating a rule, the rule generated cannot have a false positive rate above the rate specified here.
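The following added example (not Cequence code and not part of the original page) shows how the Maximum false positive rate setting interacts with the decision-rule metrics listed earlier: candidate rules are scored against a baseline window and a suspect window, rules above the ceiling are dropped, and the rest are ordered by F score. The sample traffic, the rule names, and the use of the standard confusion-matrix formulas (false positive rate taken as the share of baseline samples a rule matches) are assumptions; the product's own computation is not documented here.

```python
# Constructed samples: (user_agent, sent_cookie). GOOD is the baseline window,
# BAD is the suspect window; all values are made up for illustration.
GOOD = ([("Mozilla/5.0", True)] * 90 + [("python-requests/2.31", True)] * 6
        + [("Mozilla/5.0", False)] * 4)
BAD = ([("python-requests/2.31", False)] * 70 + [("Mozilla/5.0", False)] * 20
       + [("Mozilla/5.0", True)] * 10)

# Hypothetical candidate decision rules: name -> predicate over one sample.
RULES = {
    "ua_is_script": lambda s: s[0].startswith("python-requests"),
    "no_cookie": lambda s: not s[1],
    "script_and_no_cookie": lambda s: s[0].startswith("python-requests") and not s[1],
}


def score(rule, good, bad):
    """Score one rule against labelled baseline (good) and suspect (bad) samples."""
    good_hits = sum(1 for s in good if rule(s))  # benign flagged: false positives
    bad_hits = sum(1 for s in bad if rule(s))    # malicious flagged: true positives
    flagged = good_hits + bad_hits
    recall = bad_hits / len(bad) if bad else 0.0
    precision = bad_hits / flagged if flagged else 0.0
    fpr = good_hits / len(good) if good else 0.0
    denom = precision + recall
    f_score = 2 * precision * recall / denom if denom else 0.0
    return {"good_samples": good_hits, "bad_samples": bad_hits, "recall": recall,
            "precision": precision, "fpr": fpr, "f_score": f_score}


def rank(rules, good, bad, max_fpr):
    """Drop rules above the false positive ceiling, then order by F score."""
    scored = [{"name": n, **score(r, good, bad)} for n, r in rules.items()]
    kept = [s for s in scored if s["fpr"] <= max_fpr]
    return sorted(kept, key=lambda s: s["f_score"], reverse=True)


if __name__ == "__main__":
    for row in rank(RULES, GOOD, BAD, max_fpr=0.05):
        print(f'{row["name"]:22} recall={row["recall"]:.2f} '
              f'precision={row["precision"]:.2f} fpr={row["fpr"]:.2f} '
              f'F={row["f_score"]:.2f}')
    # A ceiling that no candidate meets leaves nothing to build a policy from.
    print(rank({"ua_is_script": RULES["ua_is_script"]}, GOOD, BAD, 0.05) or "no rules")
```

Tightening the ceiling trades recall for fewer benign matches: at 0.05 the broader `no_cookie` rule ranks first, while a ceiling of 0 leaves only the narrower combined rule.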