AI module-based policy


To configure an AI module-based policy, follow the steps below:

  1. Select Management > Policies.
  2. Click Add Policy.
  3. Provide a name for the policy.
  4. Select the Severity. Severity parameter value is included in the email notification message and in the Events log with the FSW0284 code.
  5. In the Policy type section, select the AI module button.
  6. Select the min, avg (default) or max option for the Threat Probability Threshold field and provide the value.

Note

Values for the Threat Probability metrics are calculated by the AI models for each session segment. The segment evaluations are averaged per model (e.g. Mouse Biometric, Keyboard Biometric) creating a model Threat Probability, thus the AI model delivers one Threat Probability per model for the whole session. These values are used in the policy and the policy actions can be applied to the minimum, average or maximum value of model Threat Probabilities.


In practice, to make the policy less sensitive, so that it reacts only when all models breach the given threshold, set the Threat Probability Threshold to minimum. If the situation requires the policy to be more sensitive and react when at least one model breaches the threshold, set the Threat Probability Threshold to maximum.

Default value for the Threat Probability Threshold is average.

To avoid an excessive number of emails and unnecessary actions, the minimum recommended threshold value is above 75%.
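The following is an added illustration, not code from the product, of how the min, avg and max options combine the per-model Threat Probabilities described in the note above. The model names, segment values and the strict "greater than" comparison are assumptions for the sake of the example.

```python
# Added example (not part of the product documentation): shows how the
# min / avg / max options of the Threat Probability Threshold combine the
# per-model Threat Probabilities into one value the policy acts on.
from statistics import mean

# Constructed sample: per-segment threat probabilities (percent) produced by
# each AI model for one session. Model names and values are made up.
SESSION_SEGMENTS = {
    "Mouse Biometric":    [62.0, 71.0, 95.0, 88.0],
    "Keyboard Biometric": [40.0, 55.0, 58.0, 47.0],
}


def model_threat_probabilities(segments):
    """Average the segment evaluations of each model -> one value per model."""
    return {model: mean(values) for model, values in segments.items()}


def session_threat_probability(per_model, option):
    """Reduce the per-model values with the policy's min/avg/max option."""
    values = list(per_model.values())
    if option == "min":
        return min(values)       # breached only if every model breaches
    if option == "avg":
        return mean(values)      # the default option
    if option == "max":
        return max(values)       # breached if any single model breaches
    raise ValueError(f"unknown option {option!r}")


def policy_breached(segments, option="avg", threshold=75.0):
    """True when the aggregated Threat Probability exceeds the threshold.

    Assumption: a strict 'greater than' comparison; the documentation does
    not state whether a value equal to the threshold counts as a breach.
    """
    per_model = model_threat_probabilities(segments)
    return session_threat_probability(per_model, option) > threshold


if __name__ == "__main__":
    # Mouse Biometric averages to 79.0, Keyboard Biometric to 50.0, so at a
    # 75% threshold only the "max" option (react to any one model) fires.
    print(model_threat_probabilities(SESSION_SEGMENTS))
    for option in ("min", "avg", "max"):
        print(option, policy_breached(SESSION_SEGMENTS, option, 75.0))
```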

  7. Select the actions that will be performed when the policy is breached:

    • send email notification to system administrator.
    • send SNMP TRAP notification to the receiver.
    • pause connection.
    • terminate connection.
    • block user.

Note

  • Sending email notifications requires configuring and enabling the notification service, as well as enabling Session AI notification in the Safe configuration.
  • Sending SNMP TRAP notifications requires configuring the SNMPv3 TRAP in the System tab. Check the SNMPv3 TRAP page for more information.

Warning

If the SNMP TRAP service is not configured, all notifications on policy violation will be discarded, but the other options related to session management will still work.

  8. Click Save.

AI module-based policy examples

Example 1. Sending SNMP TRAP notifications about suspicious sessions.


To configure the policy to send SNMPv3 TRAP notifications about suspicious sessions, follow the procedure:

  1. Create a user for SNMPv3 service:

    • Select Management > Users.

    • Create a new user.

    • Enter Login.

    • Choose service in the Role field.

    • Select Static password in the Authentication section and provide your password.

    • Go to the More tab, to the SNMP section, and define the settings:

      • Enable SNMP.
      • Select SHA or MD5 in the Authentication Method field.
      • Select AES or DES in the Encryption field.
    • Click Save.

  2. Configure SNMPv3 TRAP:

    • Select Settings > System.
    • Scroll down to the Maintenance and supervision section.
    • Select the SNMPv3 TRAP option.
    • Configure the SNMPv3 TRAP server address and port.
    • Select the user with service role, created in step 1.
    • Click Save.
  3. Create policy:

    • Select Management > Policies.
    • Click Add policy.
    • Provide a name for the policy.
    • Select AI module in the Policy type field.
    • Select the option of the Threat Probability Threshold (e.g. avg) and add its value (e.g. 90%).
    • Select the SNMP TRAP option in the Policy Behaviour field.
    • Click Save.
  4. Assign the policy to a safe that is used to establish connections to servers.

    • Select Management > Safes.
    • Edit the selected safe by clicking on its name.
    • Go to the Policies tab and select the policy created in the previous step.
    • Click Save.

Example 2. Terminating suspicious sessions when the Threat Probability Threshold is reached.


To configure the policy to terminate suspicious sessions when the Threat Probability Threshold is reached, follow the procedure:

  1. Create policy:

    • Select Management > Policies.
    • Click Add policy.
    • Provide a name for the policy.
    • Select AI module in the Policy type field.
    • Select the option of the Threat Probability Threshold (e.g. avg) and add its value (e.g. 90%).
    • Select the Terminate session option in the Actions field.
    • Click Save.

Note

For harsh actions like pausing or terminating a session or blocking a user, it is advised to use higher thresholds with the max option to minimize the consequences of false positives.

  2. Assign the policy to a safe that is used to establish connections to servers.

    • Select Management > Safes.
    • Edit the selected safe by clicking on its name.
    • Go to the Policies tab and select the policy created in the previous step.
    • Click Save.