Michael Schiemer
55a330b223
- Add DISCOVERY_LOG_LEVEL=debug - Add DISCOVERY_SHOW_PROGRESS=true - Temporary changes for debugging InitializerProcessor fixes on production
11 KiB
WAF Feedback System
The Web Application Firewall (WAF) Feedback System allows users to provide feedback on WAF detections, helping to improve the accuracy of the security system over time. This document explains how to use the feedback system, how it works, and how to integrate it into your application.
Table of Contents
User Guide
Submitting Feedback
When the WAF detects a potential security threat, it may block the request or display a warning. Users with appropriate permissions can provide feedback on these detections to help improve the system's accuracy.
To submit feedback:
- Navigate to the security event in the admin dashboard
- Click on the "Provide Feedback" button
- Select the type of feedback (false positive, false negative, correct detection, or severity adjustment)
- Add an optional comment explaining your feedback
- Click "Submit"
Alternatively, you can use the API to submit feedback programmatically (see API Examples).
Types of Feedback
The WAF Feedback System supports four types of feedback:
-
False Positive: The WAF incorrectly identified a legitimate request as a security threat. This feedback helps reduce false alarms.
-
False Negative: The WAF failed to detect a security threat. This feedback helps improve detection coverage.
-
Correct Detection: The WAF correctly identified a security threat. This feedback confirms the accuracy of the detection.
-
Severity Adjustment: The WAF correctly identified a security threat, but the severity level was incorrect. This feedback helps calibrate the severity assessment.
Feedback Dashboard
The Feedback Dashboard provides an overview of all feedback submitted to the WAF system, along with analytics and trends. To access the dashboard:
- Navigate to Admin > Security > WAF > Feedback
- Use the filters to view specific types of feedback, categories, or time periods
- View charts and graphs showing feedback trends and detection accuracy
- Access detailed reports for specific detection categories
Technical Documentation
Architecture
The WAF Feedback System consists of several components that work together to collect, store, analyze, and learn from user feedback:
+-------------------+ +-------------------+ +-------------------+
| | | | | |
| Feedback API | --> | Feedback Service | --> | Feedback Storage |
| | | | | |
+-------------------+ +-------------------+ +-------------------+
|
v
+-------------------+ +-------------------+ +-------------------+
| | | | | |
| Learning Service | <-- | Analytics | --> | Reporting |
| | | | | |
+-------------------+ +-------------------+ +-------------------+
|
v
+-------------------+
| |
| ML Engine |
| |
+-------------------+
Components
The WAF Feedback System includes the following components:
-
Feedback API: Provides endpoints for submitting and retrieving feedback.
POST /api/security/waf/feedback: Submit feedbackGET /api/security/waf/feedback/{detectionId}: Get feedback for a specific detectionGET /api/security/waf/feedback/stats: Get feedback statisticsGET /api/security/waf/feedback/recent: Get recent feedback
-
Feedback Service: Handles the business logic for feedback submission and retrieval.
FeedbackService: Core service for handling feedbackDetectionFeedback: Value object representing feedbackFeedbackType: Enum of feedback types
-
Feedback Storage: Stores feedback data for later analysis.
FeedbackRepositoryInterface: Interface for feedback storageDatabaseFeedbackRepository: Database implementation
-
Learning Service: Analyzes feedback and adjusts the WAF models.
FeedbackLearningService: Core service for learning from feedbackModelAdjustment: Value object representing model adjustments
-
Analytics: Analyzes feedback data to identify patterns and trends.
FeedbackReportGenerator: Generates reports from feedback data
-
Reporting: Provides visualizations and reports on feedback data.
WafFeedbackDashboardController: Controller for the feedback dashboard
-
ML Engine: Machine learning engine that uses feedback to improve detection.
MachineLearningEngine: Core ML engineThresholdAdjustableInterface: Interface for adjustable thresholdsConfidenceAdjustableInterface: Interface for adjustable confidenceFeatureWeightAdjustableInterface: Interface for adjustable feature weights
Integration
To integrate the WAF Feedback System into your application:
- Register Services: Register the feedback services in your dependency injection container:
// Register feedback services
$container->singleton(FeedbackRepositoryInterface::class, DatabaseFeedbackRepository::class);
$container->singleton(FeedbackService::class, FeedbackService::class);
$container->singleton(FeedbackLearningService::class, FeedbackLearningService::class);
$container->singleton(FeedbackReportGenerator::class, FeedbackReportGenerator::class);
- Register Controllers: Register the feedback controllers:
// Register feedback controllers
$container->singleton(WafFeedbackController::class, WafFeedbackController::class);
$container->singleton(WafFeedbackDashboardController::class, WafFeedbackDashboardController::class);
- Schedule Learning: Schedule the learning process to run periodically:
// Schedule learning process to run daily
$scheduler->daily('waf:learn-from-feedback');
- Add UI Components: Add feedback UI components to your application:
// Add feedback button to WAF detection alerts
$alertComponent->addAction('Provide Feedback', '/admin/security/waf/feedback/submit/{detectionId}');
Learning Algorithms
The WAF Feedback System uses several learning algorithms to improve detection accuracy based on user feedback.
False Positive Reduction
When users report false positives, the system adjusts the detection models to reduce the likelihood of similar false positives in the future:
- Threshold Adjustment: Increases the detection threshold for the affected category, making it less sensitive.
- Confidence Reduction: Decreases the confidence score for similar detections, making them less likely to trigger alerts.
- Feature Weight Adjustment: Reduces the weights of features that contributed to the false positive.
False Negative Reduction
When users report false negatives, the system adjusts the detection models to improve detection coverage:
- Threshold Adjustment: Decreases the detection threshold for the affected category, making it more sensitive.
- Confidence Increase: Increases the confidence score for similar detections, making them more likely to trigger alerts.
- Feature Weight Adjustment: Increases the weights of features that should have contributed to detection.
Severity Adjustment
When users report incorrect severity levels, the system adjusts the severity assessment:
- Confidence Adjustment: Adjusts the confidence score based on the severity change.
- Category Default Severity: Updates the default severity for the detection category.
Examples
API Examples
Submitting Feedback
// Example: Submit false positive feedback
fetch('/api/security/waf/feedback', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-CSRF-TOKEN': csrfToken
},
body: JSON.stringify({
detection_id: 'abc123',
feedback_type: 'false_positive',
category: 'SQL_INJECTION',
severity: 'HIGH',
comment: 'This is a legitimate query used by our reporting system',
context: {
query: 'SELECT * FROM reports WHERE date > ?'
}
})
})
.then(response => response.json())
.then(data => console.log(data));
Getting Feedback Statistics
// Example: Get feedback statistics
fetch('/api/security/waf/feedback/stats')
.then(response => response.json())
.then(data => {
console.log('Total feedback:', data.stats.total_count);
console.log('False positives:', data.stats.by_feedback_type.false_positive);
console.log('False negatives:', data.stats.by_feedback_type.false_negative);
});
Dashboard Examples
Viewing Feedback Trends
The Feedback Dashboard provides visualizations of feedback trends over time:
- Accuracy Trend: Shows how detection accuracy has improved over time
- False Positive Rate: Shows how the false positive rate has decreased
- False Negative Rate: Shows how the false negative rate has decreased
- Category Breakdown: Shows feedback distribution by detection category
Analyzing Detection Categories
The Category Analysis view shows detailed information about each detection category:
- Accuracy: Detection accuracy for the category
- False Positive Rate: False positive rate for the category
- False Negative Rate: False negative rate for the category
- Severity Distribution: Distribution of severity levels for the category
- Common Patterns: Common patterns in false positives and false negatives
Learning Examples
Scheduled Learning
The learning process can be scheduled to run periodically:
# Run learning process daily
php console.php waf:learn-from-feedback
Manual Learning
The learning process can also be triggered manually:
# Run learning process with custom parameters
php console.php waf:learn-from-feedback --threshold=10 --learning-rate=0.5
Learning Results
The learning process provides detailed results:
Starting WAF feedback learning process...
Processing 25 false positives, 10 false negatives, 5 severity adjustments
Created 3 model adjustments for SQL_INJECTION, XSS, COMMAND_INJECTION
Applied 3 model adjustments
Learning process completed successfully in 0.5 seconds