Malicious Users

• Select Web App & API Protection service on the Home page.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.

• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

• Go to the Common Security Controls section.

• Select Enable in the Malicious User Detection field.

• Select Save and Exit.

• Select the Shared Configuration service.
• Navigate to Security > AI & ML > App Types. Select Add App Type. Enter a name for the app type in the metadata section.
• Select Add Item for the AI/ML Feature Type field in the Application Type Features section.
• Use the AI/ML Feature Type drop-down and select Malicious User Detection.
• Select Save and Exit.

• Switch to the Web App & API Protection service and change to the desired namespace.
• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.
• Select Add label in the Labels field in the Metadata section.
• Select ves.io/app_type as the key and name of the app type you created in previous step as the value.
• Select Save and Exit.

• Using the Web App & API Protection service, go to Manage > AI & ML > App Settings and Select Add App setting.
• Enter a name and go to AppType Settings section. Select Add item.
• Select the Select app type drop-down and select the app type created in Step 1.
• In the Malicious User Detection section, select Configure to see the Malicious User Detecion form. This form is pre-populated with the defaults; Tune these settings per your needs.

This form shows the different problem categories used to identify a malicious user, sometimes including thresholds or sensitivity settings. By default, all methods of detecting malicious users are enabled. Based on a user's activities with respect to these problem categories, their threat level rises. Adjusting these parameters affects how much of an activity is required to raise their threat level. If the user stops activities in the problem categories for a period of time, their threat level is reduced. You can adjust that period of time by changing the Cooling Off Period at the bottom of the form.

• Include Namespace In Learning: The Distributed Cloud AI engine learns user beavior from traffic generated from all namespaces where virtual hosts and vK8s services are labelled with a valid apptype. Select Disable learning from this namespace to remove this capability for this namespace only.

• Enable Malicious User Detection: This field enables or disables malicious user detection. If you disable the feature, no traffic will be flagged as coming from a malicious user. The various methods for malicious user detection are shown below. You can adjust how malicious user detection works using the following fields:

  • Forbidden Activity Choice: A forbidden activity is any request that is denied through the service policy. This could be IP threat categories; forbidden domains and/or clients; HTTP methods, paths, query parameters, header; or more advanced matches. See Service Policy for more details. A user that exceeds the Forbidden Requests Threshold will be classified as malicious.

  • Falied Login Activity Choice: This feature keeps track of the number of login attempts that failed (specifically 401 Unauthorized response codes). When the number of login failures from a user exceeds the limit entered in the Login Failures threshold, the user will be classified as malicious. A successful login will not reset the login failure count. Only the cooling off period (discussed below) will reset the malicious user status.

  • WAF Activity Choice: WAF activity looks for known attack types and signatures, threat campaigns, malformed requests, and more. See Application Firewall for more details.

  • IP Reputation Choice: This uses a database of IP addresses with questionable reputations. IP addresses earn their reputations by performing exploits or attacks, or these addresses might represent proxy servers, scanners, or systems that have been infected. The database contains IP addresses that—

    • Are considered malicious Botnets,
    • Have launched Denial of Service (DoS) attacks,
    • Host illegal material or activity,
    • Are associated with phishing web sites or web proxies,
    • And other malicious activities.

  • Non-existent URL Activity Choice: This feature keeps track of the number of requests for an invalid path (specifically 404 Not Found response codes) and compares that number to the total throughput for the app to get a ratio of bad to good URL requests. This ratio is compared to an automatically calculated threshold (based on statistics for your application). The user is considered malicious when the current ratio exceeds the threshold. You can adjust this calculation in two ways:

    1. Select Include Non-Existent URL Activity using automatic threshold. The non-existent URL ratio threshold is automatically calculated based on statistics for your application. By default, the automatic threshold calculation is set to Medium sensitivity. You can adjust the sensitivity to Low sensitivity (meaning a higher ratio, or more invalid path requests, is required to classify a user as malicious) or High sensitivity (meaning a lower ratio will classify a user as malicious).
    2. Select Include Non-Existent URL Activity using custom threshold. Then, simply enter your desired ratio expressed as a percentage. For instance, if you enter 25, then the user will exceed the threshold if more than 25% of that user's requests are to a non-existing URL.

  • Cooling Off Period Setting: The Cooling off period (minutes) field specifies the number of minutes required to pass with no malicious activity in order to reduce a user's threat assessment. As each cooling off time period passes, a user's threat level will drop from high to medium, medium to low, and finally low to none. The cooling off period setting is used for all malicious user detection categories.

• Select Apply and to save the settings on the Malicious User Detection settings.
• Select Save and Exit to create the app settings object.

• Switch to Web App & API Protection service.

Note: Alternatively, you can search for load balancers in the search located on top of the Home page.

• Select Apps & APIs > Security.

• Select the load balancer of your choice from the list of load balancer beneath the graph. The dashboard tab is loaded by default.

• Switch to the Malicious Users tab.
• Select a user (IP address) from the list of malicious users on the left side. This will display activity from this user on the right side of the Malicious Users list:
  • The Suspicion Score chart shows a bar graph of activity time periods and their associated suspicious scores (the height of bar). Hover over a bar to get more details. Select a bar to zoom into that time period (use the time drop-down menu to zoom back out).
  • The Timeline section below the chart shows a list of timeline events. Select a time or suspicion score to see counts for problem categories to help you understand the suspicion score. Select the description link in the right column to see the events in the Security Events tab.
• On the top right side of the details, there are options Block User and Add to Allow List.
• Select Block User to manually add the malicious user's IP address to the deny list. Check other malicious user events also and block as necessary.

Note: The Add to Allow List removes the user from the malicious user list.

• Switch to the Web App & API Protection service and change to the desired namespace.
• Select Manage > Load Balancers > HTTP Load Balancers. A list of load balancers is presented.
• Select ... > Manage Configuration for your load balancer and select Edit Configuration on the loaded form.

• Go to the Common Security Controls section.
• Select Enable for the Malicious User Mitigation And Challenges drop-down.
• Select one of the options from the Malicious User Mitigation Settings drop-down as per the following guidelines:

  • The Default option is selected by default. This default mitigation action is applied in the following manner:

    • For the activity with low threat level, JavaScript challenge with default configuration will be issued.
    • For the activity with medium threat level, Captcha challenge with default configuration will be issued.
    • For the activity with high threat level, user will be temporarily blocked.

• Select Custom and select a malicious user mitigation object from the Custom drop-down. You can also use the Add Item option to create a new object and in case creating new object, do the following:

  • Enter a name for this malicious user mitigation object. In the Rules section, select Add item.
  • Select a threat level for the Threat Level field and an associated mitigation action for the Action field. By default, Threat Level Low and Javascript Challenge are populated.

  

  • Select Apply to save the rule.

  • Use the Add item in the Rules section to add more rules.

  

  • When finished adding rules, select Continue to add the malicious user mitigation object to the malicious user mitigation configuration.

• Scroll down and select Save and Exit to save changes to the load balancer.

  Note: The instructions shown in this document apply default settings for challenges such as JavaScript. Enable Show Advanced Fields option to view more options such as policy-based challenges to customize the configuration.

• Select the time period drop-down menu to change the time period for the data shown below. Selecting the Refresh option updates the data to the latest.
• Select a user in the Malicious Users column to see that user's malicious activity in the Activity and Timeline sections to the right.
• In the Activity section, select Block user to disallow all requests from this user, which will create a client blocking rule in your load balancer. Alternatively, select Add To Allow List skip malicious users actions for this user, which will create a trusted client rule in your load balancer. You will have the opportunity to expand the rule to include other actions.
• Select Hide Chart to have more screen area for the Timeline section. Select Show Chart to bring the chart back into view.
• Hover over a chart column to see the user's suspicion score for that time period. Select the column to zoom into that time period.
• Slide the thin gray bars to exclude time periods from the timeline below. This may also zoom in the graph.

*In the Timeline section, select a time, suspicion score, or arrow at the right to get details on requests and violations.

• In the Timeline section, select the underlined activity description to see that user's security events for that time period (on the Security Events tab). There you can see details for each specific event.