Network Control learning mode

In Network Control learning mode, Kaspersky Industrial CyberSecurity for Networks performs the following actions:

- When generating Network Control rules, the application adds new rules based on its analysis of network communications and system commands in industrial network traffic. For these rules, the Origin parameter has the value System. If you manually change the settings of such a rule, its Origin parameter changes to User.
- Network communications detected during traffic analysis are checked against the current Network Control rules. If a detected interaction does not match any rule, the application creates a new Network Control rule and does not register an interaction detection event. The new rule is created as active, with settings values taken from the received data about the network interaction.
- If the detected interaction matches only an inactive rule, the application registers an event based on the technology that corresponds to that rule. No new active rule is created.

During learning, the application can optimize the list of Network Control rules. Optimization means combining two or more specific rules into one general rule, or deleting specific rules when a general rule already covers them. Rules are merged only if the resulting general rule matches exactly the network interactions that were detected and no others. For example, one Network Control rule was created when a system command was detected in an interaction between two devices, and another rule was created when a different system command was detected between the same two devices. After optimization, a single general rule remains that describes both system commands detected between these devices.
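To make the matching and optimization behaviour above concrete, here is an added Python model of it. It is not Kaspersky Industrial CyberSecurity for Networks code: the Rule and Interaction classes, the outcome labels, the decision to leave inactive and User-edited rules out of merging, and the sample traffic are all assumptions made for this example.

```python
import dataclasses
from dataclasses import dataclass, field


@dataclass
class Rule:
    """A Network Control rule reduced to one device pair plus the system
    commands it permits. Simplification for the example; real rules carry
    more settings."""
    src: str
    dst: str
    commands: frozenset
    active: bool = True
    origin: str = "System"   # rules created in learning mode have Origin = System

    def covers(self, src: str, dst: str, command: str) -> bool:
        return self.src == src and self.dst == dst and command in self.commands


@dataclass
class Interaction:
    """One network interaction observed in traffic (constructed for the example)."""
    src: str
    dst: str
    command: str


@dataclass
class Learner:
    rules: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def observe(self, i: Interaction) -> str:
        """Process one detected interaction the way learning mode does."""
        if any(r.active and r.covers(i.src, i.dst, i.command) for r in self.rules):
            return "allowed"   # matches a current active rule: nothing to do
        if any(not r.active and r.covers(i.src, i.dst, i.command) for r in self.rules):
            # Only an inactive rule matches: register an event, create no rule.
            self.events.append(f"{i.src}->{i.dst} {i.command}: matched inactive rule")
            return "event"
        # No rule matches: create an active System rule from the observed data.
        # No interaction detection event is registered in this case.
        self.rules.append(Rule(i.src, i.dst, frozenset({i.command})))
        return "rule_created"

    def edit_rule(self, rule: Rule, **changes) -> Rule:
        """Manually change a rule's settings: its Origin becomes User."""
        updated = dataclasses.replace(rule, origin="User", **changes)
        self.rules[self.rules.index(rule)] = updated
        return updated

    def optimize(self) -> None:
        """Merge specific System rules for the same device pair into one general
        rule. The merged rule permits exactly the union of the commands that
        were detected, so it matches only interactions that actually occurred.
        Leaving inactive and User-edited rules untouched is an assumption of
        this model, not a statement about the product."""
        merged = {}
        kept = []
        for r in self.rules:
            if not (r.active and r.origin == "System"):
                kept.append(r)
                continue
            key = (r.src, r.dst)
            if key in merged:
                merged[key] = dataclasses.replace(
                    merged[key], commands=merged[key].commands | r.commands)
            else:
                merged[key] = r
        self.rules = kept + list(merged.values())


def run_learning(traffic, preexisting_rules=()):
    """Feed interactions through learning mode, then run one optimization pass.
    Returns the learner and the per-interaction outcomes."""
    learner = Learner(rules=list(preexisting_rules))
    outcomes = [learner.observe(i) for i in traffic]
    learner.optimize()
    return learner, outcomes


# Constructed sample data; addresses and command names are made up.
SAMPLE_RULES = [Rule("10.0.0.7", "10.0.0.20", frozenset({"Restart"}), active=False)]
SAMPLE_TRAFFIC = [
    Interaction("10.0.0.5", "10.0.0.20", "ReadCoils"),
    Interaction("10.0.0.5", "10.0.0.20", "WriteSingleRegister"),
    Interaction("10.0.0.5", "10.0.0.20", "ReadCoils"),      # already allowed
    Interaction("10.0.0.7", "10.0.0.20", "Restart"),        # inactive rule only
]

if __name__ == "__main__":
    learner, outcomes = run_learning(SAMPLE_TRAFFIC, SAMPLE_RULES)
    for i, o in zip(SAMPLE_TRAFFIC, outcomes):
        print(f"{i.src}->{i.dst} {i.command}: {o}")
    for r in learner.rules:
        print(r)
```

Running the sample produces two System rules for 10.0.0.5 -> 10.0.0.20 that optimization folds into one rule permitting both commands, one event for the interaction that matched only the inactive rule, and no rule for it. A command the merged rule has never seen (for example Restart from 10.0.0.5) still creates a new rule, which is what "matches only the detected interactions" means in practice.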

While learning mode is enabled, the application optimizes the list of Network Control rules periodically, once per minute, and only if new interactions have been detected in industrial network traffic. The rules table does not refresh on its own: refresh it to see the current list of rules.

After learning mode is disabled, the rule list is optimized one more time. This final optimization may be delayed by up to three minutes, depending on the amount of data the application is receiving. During this time, we recommend that you do not change the rules generated in learning mode.

Network Control learning mode must remain enabled long enough to collect all the necessary data about network interactions. How long this takes depends on the number of devices in the industrial network, how often they communicate, and how often they are serviced. We recommend that you enable learning mode for at least one hour. In large industrial networks, leave learning mode enabled for one to several days to accumulate as much data as possible.
