Before nevisDetect can start detecting malicious HTTP requests, it must pass a training phase. During this phase, nevisDetect is just collecting data, so that the detection technologies can train their models with this data.
You configure the training phase in nevisDetect by setting the Operation mode parameter to
For the configuration of the normalization, a sufficient number of overall plug-in risk scores is required. For each individual plug-in/detection technology, the number of plug-in risk scores is sufficient if the average risk score (the mean) and the variance do no longer change from day to day. nevisDetect therefore provides time series of the mean and the variance, computed on a daily basis.
In a next step, the action policy can be configured and the detection phase can be started, see the figure below. For this, set the Operation mode parameter to
Mixed. The difference between these two options is how an untrained user is treated:
- In a Detection operation mode, the system blocks the requests of an untrained user by creating a rule with a BLOCK action. This operation mode makes sense if there is a closed user group, and all users have participated in the training phase.
- In a Mixed operation mode, the system processes the requests of an untrained user as if it is in the training phase. This operation mode is useful if not all users have participated in the training phase, or if new users have been onboarded after completion of the training phase.