Baoyuantop commented on issue #13027:
URL: https://github.com/apache/apisix/issues/13027#issuecomment-4035959964

Hi @MadhuTiwari-345, thanks for the detailed Phase 1 design.

After further thought, I think we need to discuss a few technical concerns before moving to implementation:

1. **False positive handling**: EMA-based detection is sensitive to legitimate traffic patterns like daily peaks, promotions, or batch jobs. How should we handle cases where "normal" traffic looks like a spike to the algorithm?
2. **Cold start**: A new consumer has no baseline. What should the behavior be during the warm-up period?
3. **Value of Phase 1 alone**: A plugin that only tracks baselines without enforcing limits is essentially a metrics collector. Would it be better to jump directly to a minimal but complete implementation (tracking + detection + basic enforcement) so users get immediate value?
4. **Scope consideration**: In many production setups, anomaly detection is handled by external systems (WAF, monitoring). Could you share your use case — are you looking to replace an external system, or complement it?

I'd suggest starting with a PoC as an external plugin (using APISIX's external plugin mechanism) to validate the algorithm in a real environment. Once we have data on its effectiveness and performance impact, it would be much easier to evaluate inclusion in core.