Summary
This experiment investigates WAF rule threshold tuning: a Plackett-Burman screening of 6 WAF parameters for their effect on detection rate and false positive rate.
The design varies 6 factors: rate limit rps (rps), ranging from 100 to 10000, body inspection depth (bytes), ranging from 1000 to 65536, anomaly score threshold (score), ranging from 3 to 15, paranoia level (level), ranging from 1 to 4, sql injection sensitivity (level), ranging from 1 to 9, and xss detection level (level), ranging from 1 to 5. The goal is to optimize 2 responses: detection rate (%) (maximize) and false positive rate (%) (minimize). Fixed conditions held constant across all runs include waf engine = modsecurity, ruleset = owasp_crs.
A Plackett-Burman screening design was used to efficiently test 6 factors in only 8 runs. This design assumes interactions are negligible and focuses on identifying the most influential main effects.
Key Findings
For detection rate, the most influential factors were paranoia level (46.8%), body inspection depth (20.7%), sql injection sensitivity (15.2%). The best observed value was 101.2 (at rate limit rps = 100, body inspection depth = 65536, anomaly score threshold = 3).
For false positive rate, the most influential factors were paranoia level (38.5%), body inspection depth (18.0%), xss detection level (14.2%). The best observed value was 0.09 (at rate limit rps = 10000, body inspection depth = 65536, anomaly score threshold = 15).
Recommended Next Steps
- Follow up with a response surface design (CCD or Box-Behnken) on the top 3–4 factors to model curvature and find the true optimum.
- Consider whether any fixed factors should be varied in a future study.
- The screening results can guide factor reduction — drop factors contributing less than 5% and re-run with a smaller, more focused design.
Experimental Setup
Factors
| Factor | Low | High | Unit |
| rate_limit_rps | 100 | 10000 | rps |
| body_inspection_depth | 1000 | 65536 | bytes |
| anomaly_score_threshold | 3 | 15 | score |
| paranoia_level | 1 | 4 | level |
| sql_injection_sensitivity | 1 | 9 | level |
| xss_detection_level | 1 | 5 | level |
Fixed: waf_engine = modsecurity, ruleset = owasp_crs
Responses
| Response | Direction | Unit |
| detection_rate | ↑ maximize | % |
| false_positive_rate | ↓ minimize | % |
Configuration
{
  "metadata": {
    "name": "WAF Rule Threshold Tuning",
    "description": "Plackett-Burman screening of 6 WAF parameters for detection rate and false positive rate"
  },
  "factors": [
    {
      "name": "rate_limit_rps",
      "levels": ["100", "10000"],
      "type": "continuous",
      "unit": "rps"
    },
    {
      "name": "body_inspection_depth",
      "levels": ["1000", "65536"],
      "type": "continuous",
      "unit": "bytes"
    },
    {
      "name": "anomaly_score_threshold",
      "levels": ["3", "15"],
      "type": "continuous",
      "unit": "score"
    },
    {
      "name": "paranoia_level",
      "levels": ["1", "4"],
      "type": "continuous",
      "unit": "level"
    },
    {
      "name": "sql_injection_sensitivity",
      "levels": ["1", "9"],
      "type": "continuous",
      "unit": "level"
    },
    {
      "name": "xss_detection_level",
      "levels": ["1", "5"],
      "type": "continuous",
      "unit": "level"
    }
  ],
  "fixed_factors": {
    "waf_engine": "modsecurity",
    "ruleset": "owasp_crs"
  },
  "responses": [
    {
      "name": "detection_rate",
      "optimize": "maximize",
      "unit": "%"
    },
    {
      "name": "false_positive_rate",
      "optimize": "minimize",
      "unit": "%"
    }
  ],
  "settings": {
    "operation": "plackett_burman",
    "test_script": "use_cases/57_waf_rule_threshold/sim.sh"
  }
}
Experimental Matrix
The Plackett-Burman Design produces 8 runs. Each row is one experiment with specific factor settings.
| Run | rate_limit_rps | body_inspection_depth | anomaly_score_threshold | paranoia_level | sql_injection_sensitivity | xss_detection_level |
| 1 | 10000 | 65536 | 15 | 1 | 1 | 1 |
| 2 | 100 | 1000 | 15 | 4 | 1 | 1 |
| 3 | 100 | 65536 | 3 | 4 | 1 | 5 |
| 4 | 10000 | 65536 | 15 | 4 | 9 | 5 |
| 5 | 100 | 65536 | 3 | 1 | 9 | 1 |
| 6 | 10000 | 1000 | 3 | 4 | 9 | 1 |
| 7 | 100 | 1000 | 15 | 1 | 9 | 5 |
| 8 | 10000 | 1000 | 3 | 1 | 1 | 5 |
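The design assumes interactions are negligible. The following added example (not part of the DOE Helper Tool or of the original page) codes the matrix above to -1/+1 and reports which two-factor interactions are completely confounded with each main effect, which is why interaction rows in the ANOVA tables repeat main-effect sums of squares. The numeric low = -1 / high = +1 coding and all function names are assumptions of this example.

```python
from itertools import combinations

# Factor order and (low, high) levels, copied from the Factors table.
FACTORS = [
    "rate_limit_rps", "body_inspection_depth", "anomaly_score_threshold",
    "paranoia_level", "sql_injection_sensitivity", "xss_detection_level",
]
LEVELS = [(100, 10000), (1000, 65536), (3, 15), (1, 4), (1, 9), (1, 5)]

# The 8 runs of the Experimental Matrix, columns in FACTORS order.
RUNS = [
    (10000, 65536, 15, 1, 1, 1),
    (100, 1000, 15, 4, 1, 1),
    (100, 65536, 3, 4, 1, 5),
    (10000, 65536, 15, 4, 9, 5),
    (100, 65536, 3, 1, 9, 1),
    (10000, 1000, 3, 4, 9, 1),
    (100, 1000, 15, 1, 9, 5),
    (10000, 1000, 3, 1, 1, 5),
]


def coded_columns():
    """Return {factor: column of -1/+1}; assumption: numeric low = -1, high = +1."""
    cols = {}
    for j, name in enumerate(FACTORS):
        low, high = LEVELS[j]
        for run in RUNS:
            if run[j] not in (low, high):
                raise ValueError(f"{name}: {run[j]} is not a design level")
        cols[name] = tuple(1 if run[j] == high else -1 for run in RUNS)
    return cols


def dot(u, v):
    return sum(x * y for x, y in zip(u, v))


def is_orthogonal(cols):
    """True when every column is balanced and all main-effect pairs are orthogonal."""
    balanced = all(sum(col) == 0 for col in cols.values())
    return balanced and all(
        dot(cols[a], cols[b]) == 0 for a, b in combinations(cols, 2))


def alias_map():
    """Map each factor pair to (main_effect, sign) when the interaction column
    is identical to +/- that main-effect column, or to None when it is not."""
    cols = coded_columns()
    n = len(RUNS)
    aliases = {}
    for a, b in combinations(FACTORS, 2):
        product = tuple(x * y for x, y in zip(cols[a], cols[b]))
        aliases[(a, b)] = None
        for name, col in cols.items():
            d = dot(product, col)
            if abs(d) == n:          # identical up to sign: fully confounded
                aliases[(a, b)] = (name, d // n)
    return aliases


def confounded_with(factor):
    """Interactions that cannot be separated from the given main effect."""
    return sorted(p for p, hit in alias_map().items() if hit and hit[0] == factor)


if __name__ == "__main__":
    print("orthogonal main effects:", is_orthogonal(coded_columns()))
    for factor in FACTORS:
        pairs = [" * ".join(p) for p in confounded_with(factor)]
        print(f"{factor} is aliased with: {', '.join(pairs)}")
    free = [" * ".join(p) for p, hit in alias_map().items() if hit is None]
    print("aliased with no main effect:", ", ".join(free))
```

Twelve of the fifteen interactions coincide with a main-effect column and the other three share the one unused column, so the paranoia_level effect in this screening cannot be separated from rate_limit_rps*sql_injection_sensitivity or body_inspection_depth*xss_detection_level without a follow-up design.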
Step-by-Step Workflow
1. Preview the design
$ doe info --config use_cases/57_waf_rule_threshold/config.json
2. Generate the runner script
$ doe generate --config use_cases/57_waf_rule_threshold/config.json \
    --output use_cases/57_waf_rule_threshold/results/run.sh --seed 42
3. Execute the experiments
$ bash use_cases/57_waf_rule_threshold/results/run.sh
4. Analyze results
$ doe analyze --config use_cases/57_waf_rule_threshold/config.json
5. Get optimization recommendations
$ doe optimize --config use_cases/57_waf_rule_threshold/config.json
6. Multi-objective optimization
With 2 competing responses, use --multi to find the best compromise via Derringer–Suich desirability.
$ doe optimize --config use_cases/57_waf_rule_threshold/config.json --multi
7. Generate the HTML report
$ doe report --config use_cases/57_waf_rule_threshold/config.json \
    --output use_cases/57_waf_rule_threshold/results/report.html
Features Exercised
| Feature | Value |
| Design type | plackett_burman |
| Factor types | continuous (all 6) |
| Arg style | double-dash |
| Responses | 2 (detection_rate ↑, false_positive_rate ↓) |
| Total runs | 8 |
Analysis Results
Generated from actual experiment runs using the DOE Helper Tool.
Response: detection_rate
Top factors: paranoia_level (46.8%), body_inspection_depth (20.7%), sql_injection_sensitivity (15.2%).
ANOVA
| Source | DF | SS | MS | F | p-value |
| rate_limit_rps | 1 | 2.2050 | 2.2050 | 0.105 | 0.7558 |
| body_inspection_depth | 1 | 239.8050 | 239.8050 | 11.383 | 0.0119 |
| anomaly_score_threshold | 1 | 59.4050 | 59.4050 | 2.820 | 0.1370 |
| paranoia_level | 1 | 1225.1250 | 1225.1250 | 58.152 | 0.0001 |
| sql_injection_sensitivity | 1 | 129.6050 | 129.6050 | 6.152 | 0.0422 |
| xss_detection_level | 1 | 14.0450 | 14.0450 | 0.667 | 0.4411 |
| rate_limit_rps*body_inspection_depth | 1 | 59.4050 | 59.4050 | 2.820 | 0.1370 |
| rate_limit_rps*anomaly_score_threshold | 1 | 239.8050 | 239.8050 | 11.383 | 0.0119 |
| rate_limit_rps*paranoia_level | 1 | 129.6050 | 129.6050 | 6.152 | 0.0422 |
| rate_limit_rps*sql_injection_sensitivity | 1 | 1225.1250 | 1225.1250 | 58.152 | 0.0001 |
| rate_limit_rps*xss_detection_level | 1 | 8.4050 | 8.4050 | 0.399 | 0.5477 |
| body_inspection_depth*anomaly_score_threshold | 1 | 2.2050 | 2.2050 | 0.105 | 0.7558 |
| body_inspection_depth*paranoia_level | 1 | 14.0450 | 14.0450 | 0.667 | 0.4411 |
| body_inspection_depth*sql_injection_sensitivity | 1 | 8.4050 | 8.4050 | 0.399 | 0.5477 |
| body_inspection_depth*xss_detection_level | 1 | 1225.1250 | 1225.1250 | 58.152 | 0.0001 |
| anomaly_score_threshold*paranoia_level | 1 | 8.4050 | 8.4050 | 0.399 | 0.5477 |
| anomaly_score_threshold*sql_injection_sensitivity | 1 | 14.0450 | 14.0450 | 0.667 | 0.4411 |
| anomaly_score_threshold*xss_detection_level | 1 | 129.6050 | 129.6050 | 6.152 | 0.0422 |
| paranoia_level*sql_injection_sensitivity | 1 | 2.2050 | 2.2050 | 0.105 | 0.7558 |
| paranoia_level*xss_detection_level | 1 | 239.8050 | 239.8050 | 11.383 | 0.0119 |
| sql_injection_sensitivity*xss_detection_level | 1 | 59.4050 | 59.4050 | 2.820 | 0.1370 |
| Error (Lenth PSE) | 7 | 147.4725 | 21.0675 | | |
| Total | 7 | 1678.5950 | 239.7993 | | |
[Figures not reproduced: Pareto Chart, Main Effects Plot, Normal Probability Plot of Effects, Half-Normal Plot of Effects, Model Diagnostics]
Response: false_positive_rate
Top factors: paranoia_level (38.5%), body_inspection_depth (18.0%), xss_detection_level (14.2%).
ANOVA
| Source | DF | SS | MS | F | p-value |
| rate_limit_rps | 1 | 11.3764 | 11.3764 | 0.458 | 0.5201 |
| body_inspection_depth | 1 | 37.1522 | 37.1522 | 1.497 | 0.2607 |
| anomaly_score_threshold | 1 | 3.6181 | 3.6181 | 0.146 | 0.7139 |
| paranoia_level | 1 | 170.0168 | 170.0168 | 6.851 | 0.0345 |
| sql_injection_sensitivity | 1 | 21.7141 | 21.7141 | 0.875 | 0.3807 |
| xss_detection_level | 1 | 23.2562 | 23.2562 | 0.937 | 0.3653 |
| rate_limit_rps*body_inspection_depth | 1 | 3.6180 | 3.6180 | 0.146 | 0.7139 |
| rate_limit_rps*anomaly_score_threshold | 1 | 37.1522 | 37.1522 | 1.497 | 0.2607 |
| rate_limit_rps*paranoia_level | 1 | 21.7140 | 21.7140 | 0.875 | 0.3807 |
| rate_limit_rps*sql_injection_sensitivity | 1 | 170.0168 | 170.0168 | 6.851 | 0.0345 |
| rate_limit_rps*xss_detection_level | 1 | 0.0084 | 0.0084 | 0.000 | 0.9858 |
| body_inspection_depth*anomaly_score_threshold | 1 | 11.3764 | 11.3764 | 0.458 | 0.5201 |
| body_inspection_depth*paranoia_level | 1 | 23.2562 | 23.2562 | 0.937 | 0.3653 |
| body_inspection_depth*sql_injection_sensitivity | 1 | 0.0085 | 0.0085 | 0.000 | 0.9858 |
| body_inspection_depth*xss_detection_level | 1 | 170.0168 | 170.0168 | 6.851 | 0.0345 |
| anomaly_score_threshold*paranoia_level | 1 | 0.0085 | 0.0085 | 0.000 | 0.9858 |
| anomaly_score_threshold*sql_injection_sensitivity | 1 | 23.2562 | 23.2562 | 0.937 | 0.3653 |
| anomaly_score_threshold*xss_detection_level | 1 | 21.7140 | 21.7140 | 0.875 | 0.3807 |
| paranoia_level*sql_injection_sensitivity | 1 | 11.3764 | 11.3764 | 0.458 | 0.5201 |
| paranoia_level*xss_detection_level | 1 | 37.1522 | 37.1522 | 1.497 | 0.2607 |
| sql_injection_sensitivity*xss_detection_level | 1 | 3.6181 | 3.6181 | 0.146 | 0.7139 |
| Error (Lenth PSE) | 7 | 173.7251 | 24.8179 | | |
| Total | 7 | 267.1422 | 38.1632 | | |
[Figures not reproduced: Pareto Chart, Main Effects Plot, Normal Probability Plot of Effects, Half-Normal Plot of Effects, Model Diagnostics]
Response Surface Plots
3D surfaces fitted with quadratic RSM. Red dots are observed data points.
[Plots not reproduced: for each response (detection rate, false positive rate), one surface per pair of the six factors, 15 pairs each]
Multi-Objective Optimization
When responses compete, Derringer–Suich desirability finds the best compromise.
Each response is scaled to a 0–1 desirability, then combined via a weighted geometric mean.
Overall Desirability
D = 0.6593
Per-Response Desirability
| Response | Weight | Desirability | Predicted | Dir |
| detection_rate | 1.5 | 0.7579 | 92.92 % | ↑ |
| false_positive_rate | 1.0 | 0.5349 | 7.41 % | ↓ |
Recommended Settings
| Factor | Value |
| rate_limit_rps | 2729 rps |
| body_inspection_depth | 6.041e+04 bytes |
| anomaly_score_threshold | 4.171 score |
| paranoia_level | 3.911 level |
| sql_injection_sensitivity | 8.183 level |
| xss_detection_level | 1.079 level |
Source: from RSM model prediction
Trade-off Summary
Sacrifice = how much worse than single-objective best.
| Response | Predicted | Best Observed | Sacrifice |
| detection_rate | 92.92 | 101.20 | +8.28 |
| false_positive_rate | 7.41 | 0.09 | +7.32 |
Top 3 Runs by Desirability
| Run | D | Factor Settings |
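| #3 | 0.6151 | rate_limit_rps=100, body_inspection_depth=65536, anomaly_score_threshold=3, paranoia_level=1, sql_injection_sensitivity=9, xss_detection_level=1 |
| #6 | 0.5786 | rate_limit_rps=10000, body_inspection_depth=1000, anomaly_score_threshold=3, paranoia_level=4, sql_injection_sensitivity=9, xss_detection_level=1 |
| #5 | 0.5438 | rate_limit_rps=100, body_inspection_depth=1000, anomaly_score_threshold=15, paranoia_level=4, sql_injection_sensitivity=1, xss_detection_level=1 |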
Model Quality
| Response | R² | Type |
| detection_rate | 0.9690 | linear |
| false_positive_rate | 0.9224 | linear |
Full Multi-Objective Output
============================================================
MULTI-OBJECTIVE OPTIMIZATION
Method: Derringer-Suich Desirability Function
============================================================
Overall desirability: D = 0.6593
Response Weight Desirability Predicted Direction
---------------------------------------------------------------------
detection_rate 1.5 0.7579 92.92 % ↑
false_positive_rate 1.0 0.5349 7.41 % ↓
Recommended settings:
rate_limit_rps = 2729 rps
body_inspection_depth = 6.041e+04 bytes
anomaly_score_threshold = 4.171 score
paranoia_level = 3.911 level
sql_injection_sensitivity = 8.183 level
xss_detection_level = 1.079 level
(from RSM model prediction)
Trade-off summary:
detection_rate: 92.92 (best observed: 101.20, sacrifice: +8.28)
false_positive_rate: 7.41 (best observed: 0.09, sacrifice: +7.32)
Model quality:
detection_rate: R² = 0.9690 (linear)
false_positive_rate: R² = 0.9224 (linear)
Top 3 observed runs by overall desirability:
1. Run #3 (D=0.6151): rate_limit_rps=100, body_inspection_depth=65536, anomaly_score_threshold=3, paranoia_level=1, sql_injection_sensitivity=9, xss_detection_level=1
2. Run #6 (D=0.5786): rate_limit_rps=10000, body_inspection_depth=1000, anomaly_score_threshold=3, paranoia_level=4, sql_injection_sensitivity=9, xss_detection_level=1
3. Run #5 (D=0.5438): rate_limit_rps=100, body_inspection_depth=1000, anomaly_score_threshold=15, paranoia_level=4, sql_injection_sensitivity=1, xss_detection_level=1
Full Analysis Output
=== Main Effects: detection_rate ===
Factor Effect Std Error % Contribution
--------------------------------------------------------------
paranoia_level -24.7500 5.4749 46.8%
body_inspection_depth -10.9500 5.4749 20.7%
sql_injection_sensitivity 8.0500 5.4749 15.2%
anomaly_score_threshold 5.4500 5.4749 10.3%
xss_detection_level 2.6500 5.4749 5.0%
rate_limit_rps -1.0500 5.4749 2.0%
=== ANOVA Table: detection_rate ===
Source DF SS MS F p-value
-----------------------------------------------------------------------------
rate_limit_rps 1 2.2050 2.2050 0.105 0.7558
body_inspection_depth 1 239.8050 239.8050 11.383 0.0119
anomaly_score_threshold 1 59.4050 59.4050 2.820 0.1370
paranoia_level 1 1225.1250 1225.1250 58.152 0.0001
sql_injection_sensitivity 1 129.6050 129.6050 6.152 0.0422
xss_detection_level 1 14.0450 14.0450 0.667 0.4411
rate_limit_rps*body_inspection_depth 1 59.4050 59.4050 2.820 0.1370
rate_limit_rps*anomaly_score_threshold 1 239.8050 239.8050 11.383 0.0119
rate_limit_rps*paranoia_level 1 129.6050 129.6050 6.152 0.0422
rate_limit_rps*sql_injection_sensitivity 1 1225.1250 1225.1250 58.152 0.0001
rate_limit_rps*xss_detection_level 1 8.4050 8.4050 0.399 0.5477
body_inspection_depth*anomaly_score_threshold 1 2.2050 2.2050 0.105 0.7558
body_inspection_depth*paranoia_level 1 14.0450 14.0450 0.667 0.4411
body_inspection_depth*sql_injection_sensitivity 1 8.4050 8.4050 0.399 0.5477
body_inspection_depth*xss_detection_level 1 1225.1250 1225.1250 58.152 0.0001
anomaly_score_threshold*paranoia_level 1 8.4050 8.4050 0.399 0.5477
anomaly_score_threshold*sql_injection_sensitivity 1 14.0450 14.0450 0.667 0.4411
anomaly_score_threshold*xss_detection_level 1 129.6050 129.6050 6.152 0.0422
paranoia_level*sql_injection_sensitivity 1 2.2050 2.2050 0.105 0.7558
paranoia_level*xss_detection_level 1 239.8050 239.8050 11.383 0.0119
sql_injection_sensitivity*xss_detection_level 1 59.4050 59.4050 2.820 0.1370
Error (Lenth PSE) 7 147.4725 21.0675
Total 7 1678.5950 239.7993
Note: Error estimated using Lenth's pseudo-standard-error (unreplicated design)
=== Interaction Effects: detection_rate ===
Factor A Factor B Interaction % Contribution
------------------------------------------------------------------------
rate_limit_rps sql_injection_sensitivity -24.7500 22.1%
body_inspection_depth xss_detection_level -24.7500 22.1%
rate_limit_rps anomaly_score_threshold 10.9500 9.8%
paranoia_level xss_detection_level -10.9500 9.8%
rate_limit_rps paranoia_level 8.0500 7.2%
anomaly_score_threshold xss_detection_level -8.0500 7.2%
rate_limit_rps body_inspection_depth -5.4500 4.9%
sql_injection_sensitivity xss_detection_level -5.4500 4.9%
body_inspection_depth paranoia_level 2.6500 2.4%
anomaly_score_threshold sql_injection_sensitivity -2.6500 2.4%
rate_limit_rps xss_detection_level 2.0500 1.8%
body_inspection_depth sql_injection_sensitivity 2.0500 1.8%
anomaly_score_threshold paranoia_level -2.0500 1.8%
body_inspection_depth anomaly_score_threshold 1.0500 0.9%
paranoia_level sql_injection_sensitivity -1.0500 0.9%
=== Summary Statistics: detection_rate ===
rate_limit_rps:
Level N Mean Std Min Max
------------------------------------------------------------
100 4 81.7500 19.2046 62.9000 101.2000
10000 4 80.7000 13.7833 66.5000 99.6000
body_inspection_depth:
Level N Mean Std Min Max
------------------------------------------------------------
1000 4 86.7000 16.3923 67.8000 101.2000
65536 4 75.7500 14.5221 62.9000 95.1000
anomaly_score_threshold:
Level N Mean Std Min Max
------------------------------------------------------------
15 4 78.5000 16.0601 66.5000 101.2000
3 4 83.9500 16.7870 62.9000 99.6000
paranoia_level:
Level N Mean Std Min Max
------------------------------------------------------------
1 4 93.6000 10.3926 78.5000 101.2000
4 4 68.8500 6.5689 62.9000 78.2000
sql_injection_sensitivity:
Level N Mean Std Min Max
------------------------------------------------------------
1 4 77.2000 16.2921 62.9000 99.6000
9 4 85.2500 15.8397 66.5000 101.2000
xss_detection_level:
Level N Mean Std Min Max
------------------------------------------------------------
1 4 79.9000 11.2886 67.8000 95.1000
5 4 82.5500 20.6741 62.9000 101.2000
=== Main Effects: false_positive_rate ===
Factor Effect Std Error % Contribution
--------------------------------------------------------------
paranoia_level -9.2200 2.1841 38.5%
body_inspection_depth -4.3100 2.1841 18.0%
xss_detection_level 3.4100 2.1841 14.2%
sql_injection_sensitivity 3.2950 2.1841 13.7%
rate_limit_rps -2.3850 2.1841 10.0%
anomaly_score_threshold 1.3450 2.1841 5.6%
=== ANOVA Table: false_positive_rate ===
Source DF SS MS F p-value
-----------------------------------------------------------------------------
rate_limit_rps 1 11.3764 11.3764 0.458 0.5201
body_inspection_depth 1 37.1522 37.1522 1.497 0.2607
anomaly_score_threshold 1 3.6181 3.6181 0.146 0.7139
paranoia_level 1 170.0168 170.0168 6.851 0.0345
sql_injection_sensitivity 1 21.7141 21.7141 0.875 0.3807
xss_detection_level 1 23.2562 23.2562 0.937 0.3653
rate_limit_rps*body_inspection_depth 1 3.6180 3.6180 0.146 0.7139
rate_limit_rps*anomaly_score_threshold 1 37.1522 37.1522 1.497 0.2607
rate_limit_rps*paranoia_level 1 21.7140 21.7140 0.875 0.3807
rate_limit_rps*sql_injection_sensitivity 1 170.0168 170.0168 6.851 0.0345
rate_limit_rps*xss_detection_level 1 0.0084 0.0084 0.000 0.9858
body_inspection_depth*anomaly_score_threshold 1 11.3764 11.3764 0.458 0.5201
body_inspection_depth*paranoia_level 1 23.2562 23.2562 0.937 0.3653
body_inspection_depth*sql_injection_sensitivity 1 0.0085 0.0085 0.000 0.9858
body_inspection_depth*xss_detection_level 1 170.0168 170.0168 6.851 0.0345
anomaly_score_threshold*paranoia_level 1 0.0085 0.0085 0.000 0.9858
anomaly_score_threshold*sql_injection_sensitivity 1 23.2562 23.2562 0.937 0.3653
anomaly_score_threshold*xss_detection_level 1 21.7140 21.7140 0.875 0.3807
paranoia_level*sql_injection_sensitivity 1 11.3764 11.3764 0.458 0.5201
paranoia_level*xss_detection_level 1 37.1522 37.1522 1.497 0.2607
sql_injection_sensitivity*xss_detection_level 1 3.6181 3.6181 0.146 0.7139
Error (Lenth PSE) 7 173.7251 24.8179
Total 7 267.1422 38.1632
Note: Error estimated using Lenth's pseudo-standard-error (unreplicated design)
=== Interaction Effects: false_positive_rate ===
Factor A Factor B Interaction % Contribution
------------------------------------------------------------------------
rate_limit_rps sql_injection_sensitivity -9.2200 19.2%
body_inspection_depth xss_detection_level -9.2200 19.2%
rate_limit_rps anomaly_score_threshold 4.3100 9.0%
paranoia_level xss_detection_level -4.3100 9.0%
body_inspection_depth paranoia_level 3.4100 7.1%
anomaly_score_threshold sql_injection_sensitivity -3.4100 7.1%
rate_limit_rps paranoia_level 3.2950 6.8%
anomaly_score_threshold xss_detection_level -3.2950 6.8%
body_inspection_depth anomaly_score_threshold 2.3850 5.0%
paranoia_level sql_injection_sensitivity -2.3850 5.0%
rate_limit_rps body_inspection_depth -1.3450 2.8%
sql_injection_sensitivity xss_detection_level -1.3450 2.8%
rate_limit_rps xss_detection_level 0.0650 0.1%
body_inspection_depth sql_injection_sensitivity 0.0650 0.1%
anomaly_score_threshold paranoia_level -0.0650 0.1%
=== Summary Statistics: false_positive_rate ===
rate_limit_rps:
Level N Mean Std Min Max
------------------------------------------------------------
100 4 6.5375 7.6726 0.0900 15.9500
10000 4 4.1525 5.1368 0.1000 11.6800
body_inspection_depth:
Level N Mean Std Min Max
------------------------------------------------------------
1000 4 7.5000 7.5505 0.0900 15.9500
65536 4 3.1900 4.4332 0.1000 9.6400
anomaly_score_threshold:
Level N Mean Std Min Max
------------------------------------------------------------
15 4 4.6725 7.6069 0.0900 15.9500
3 4 6.0175 5.4751 0.4700 11.6800
paranoia_level:
Level N Mean Std Min Max
------------------------------------------------------------
1 4 9.9550 5.5931 2.5500 15.9500
4 4 0.7350 1.0451 0.0900 2.2800
sql_injection_sensitivity:
Level N Mean Std Min Max
------------------------------------------------------------
1 4 3.6975 5.4304 0.0900 11.6800
9 4 6.9925 7.2333 0.1000 15.9500
xss_detection_level:
Level N Mean Std Min Max
------------------------------------------------------------
1 4 3.6400 4.1489 0.0900 9.6400
5 4 7.0500 8.0051 0.1000 15.9500
Optimization Recommendations
=== Optimization: detection_rate ===
Direction: maximize
Best observed run: #4
rate_limit_rps = 100
body_inspection_depth = 65536
anomaly_score_threshold = 3
paranoia_level = 1
sql_injection_sensitivity = 9
xss_detection_level = 1
Value: 101.2
RSM Model (linear, R² = 0.9950, Adj R² = 0.9649):
Coefficients:
intercept +81.2250
rate_limit_rps -5.2250
body_inspection_depth +5.4750
anomaly_score_threshold -8.4750
paranoia_level +6.6250
sql_injection_sensitivity +4.0250
xss_detection_level -4.4250
Predicted optimum (from linear model, at observed points):
rate_limit_rps = 100
body_inspection_depth = 65536
anomaly_score_threshold = 3
paranoia_level = 1
sql_injection_sensitivity = 9
xss_detection_level = 1
Predicted value: 102.2250
Surface optimum (via L-BFGS-B, linear model):
rate_limit_rps = 100
body_inspection_depth = 65536
anomaly_score_threshold = 3
paranoia_level = 4
sql_injection_sensitivity = 9
xss_detection_level = 1
Predicted value: 115.4750
Model quality: Excellent fit — surface predictions are reliable.
Factor importance:
1. anomaly_score_threshold (effect: 17.0, contribution: 24.7%)
2. paranoia_level (effect: 13.2, contribution: 19.3%)
3. body_inspection_depth (effect: 11.0, contribution: 16.0%)
4. rate_limit_rps (effect: -10.5, contribution: 15.3%)
5. xss_detection_level (effect: -8.9, contribution: 12.9%)
6. sql_injection_sensitivity (effect: 8.0, contribution: 11.8%)
=== Optimization: false_positive_rate ===
Direction: minimize
Best observed run: #1
rate_limit_rps = 10000
body_inspection_depth = 65536
anomaly_score_threshold = 15
paranoia_level = 1
sql_injection_sensitivity = 1
xss_detection_level = 1
Value: 0.09
RSM Model (linear, R² = 1.0000, Adj R² = 0.9998):
Coefficients:
intercept +5.3450
rate_limit_rps -2.2250
body_inspection_depth +2.1550
anomaly_score_threshold -4.0900
paranoia_level +1.1925
sql_injection_sensitivity +1.6475
xss_detection_level -1.7125
Predicted optimum (from linear model, at observed points):
rate_limit_rps = 100
body_inspection_depth = 65536
anomaly_score_threshold = 3
paranoia_level = 1
sql_injection_sensitivity = 9
xss_detection_level = 1
Predicted value: 15.9825
Surface optimum (via L-BFGS-B, linear model):
rate_limit_rps = 10000
body_inspection_depth = 1000
anomaly_score_threshold = 15
paranoia_level = 1
sql_injection_sensitivity = 1
xss_detection_level = 5
Predicted value: -7.6775
Model quality: Excellent fit — surface predictions are reliable.
Factor importance:
1. anomaly_score_threshold (effect: 8.2, contribution: 31.4%)
2. rate_limit_rps (effect: -4.4, contribution: 17.1%)
3. body_inspection_depth (effect: 4.3, contribution: 16.5%)
4. xss_detection_level (effect: -3.4, contribution: 13.2%)
5. sql_injection_sensitivity (effect: 3.3, contribution: 12.7%)
6. paranoia_level (effect: 2.4, contribution: 9.2%)