Machine learning

Starting with the 6.0 release, FortiWeb offers a machine-learning function that enables it to automatically detect malicious web traffic. In addition to detecting known attacks, the feature can detect potential unknown zero-day attacks to provide real-time protection for web servers.

Machine Learning is intended to replace Auto Learn, which is now disabled by default on new installations. If you still prefer to use Auto Learn, be sure to enable it by selecting System > Config > Feature Visibility > Auto Learn from the GUI.

Machine learning discovers the URLs, arguments, and HTTP methods of HTTP and/or HTTPS sessions by observing the traffic passing to your web servers. To determine whether a request is legitimate or a potential attack, it performs the following tasks:

FortiWeb employs two layers of machine learning to detect malicious attacks. The first layer uses a Hidden Markov Model (HMM): it monitors access to the application and collects data to build a mathematical model behind every parameter and HTTP method. Once the model is complete, FortiWeb verifies every request against it to determine whether the request is an anomaly.

Once the first layer of machine learning flags a request as an anomaly, FortiWeb uses the second layer of machine learning to verify whether it is a real attack or a benign anomaly that should be ignored. To do so, FortiWeb includes pre-built, trained threat models. Each represents a certain attack category, such as SQL Injection, Cross-site Scripting, and so on, and each has already been trained on analysis of thousands of attack samples. Threat models are continuously updated through the FortiWeb Security Service: when new attack types are released, the FortiGuard team analyzes the new threats and re-trains the relevant threat model. The new threat model is then pushed to all customer installations in a way similar to how signatures are updated.
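The following added example (not FortiWeb code; the HMM used by FortiWeb is not described here) illustrates the first-layer idea of a model behind every parameter: a simplified first-order Markov chain over character classes is trained on constructed benign values of a hypothetical `username` parameter and then scores new values, so that a value whose structure the model has never seen is flagged as an anomaly. The threshold, class alphabet and sample values are assumptions chosen for the illustration.

```python
import math
from collections import Counter, defaultdict

# Next-symbol alphabet: letters, digits, separators, other, end-of-value
CLASSES = ("A", "D", "S", "X", "$")

def char_class(ch: str) -> str:
    if ch.isalpha():
        return "A"
    if ch.isdigit():
        return "D"
    if ch in " _-.":
        return "S"
    return "X"  # quotes, angle brackets, '=', ';' ... rarely part of a normal name

class ParameterModel:
    """Per-parameter model of normal value structure, learned from observed traffic."""

    def __init__(self, threshold: float = -1.5):
        self.trans = defaultdict(Counter)  # previous class -> Counter of next class
        self.threshold = threshold         # on mean log-probability per transition

    @staticmethod
    def _seq(value: str):
        return ["^"] + [char_class(c) for c in value] + ["$"]

    def train(self, values):
        for v in values:
            seq = self._seq(v)
            for a, b in zip(seq, seq[1:]):
                self.trans[a][b] += 1

    def score(self, value: str) -> float:
        """Mean log-probability of the value's class transitions (higher = more normal)."""
        seq = self._seq(value)
        total = 0.0
        for a, b in zip(seq, seq[1:]):
            row = self.trans.get(a, Counter())
            # Laplace smoothing: unseen transitions get a small non-zero probability
            total += math.log((row[b] + 1) / (sum(row.values()) + len(CLASSES)))
        return total / (len(seq) - 1)

    def is_anomaly(self, value: str) -> bool:
        return self.score(value) < self.threshold

# Constructed benign values for a hypothetical "username" parameter (not real traffic)
model = ParameterModel()
model.train(["alice", "bob42", "carol_s", "dave", "erin99"])
```

With this training set, `model.score("alice")` is about -0.71 and is accepted, an injection-shaped value such as `' OR 1=1--` scores about -1.77 and is flagged, while a legitimate but rare value like `o'neil` scores about -1.24, close to the threshold, which is the kind of benign anomaly the second layer exists to separate from real attacks.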