| E1 | Input Layer (App Entities) | Fields and structures controlled by the user in the request payload |
| | → Param Name, Param Value, POST body, JSON, XML, Multipart, etc. |
| | → Request Headers (custom, standard), Cookies |
| | → Referrer Header, User-Agent Header |
| | → File Uploads |
| | Common use: Signature detection, meta character rules, size checks |
| | |
| E2 | Source Identity Layer | Network and contextual origin of the request |
| | → Source IP, NAT IP, Geo IP |
| | → URL / FQDN requested |
| | → Request frequency (RPS), Session count |
| | → Failed logins, anomaly patterns |
| | Common use: Ratelimiting, anomaly detection, session abuse |
| | |
| E3 | Protocol & Flow Layer | HTTP-level and protocol behavior |
| | → HTTP Method, UA string, Protocol anomalies |
| | → Request/Response structure (x00, headers, RFC violations) |
| | → Flow sequences, evasion attempts |
| | Common use: Restriction rules, RFC parsing, request/response anomaly |
| | |
| E4 | Client Behavior Layer | Client/browser characteristics and behavior |
| | → HTTP Client Type (L1-L3: bot to full browser) |
| | → JS capabilities (cookies, location, screen size, etc.) |
| | → Mouse movements, click behavior |
| | → CAPTCHAs, SID (JS fingerprinting) |
| | Common use: Client interrogation, bot detection, behavioral gating |
