Intrusion Detection rules

An Intrusion Detection rule describes a traffic anomaly that could be a sign of an attack in the industrial network. The rules contain the conditions that the Intrusion Detection system uses to analyze traffic.

Intrusion Detection rules are stored on the Server and sensors.

Intrusion Detection rules are included in rule sets. A rule set groups Intrusion Detection rules by any attribute (for example, rules that contain interdependent traffic analysis conditions). The following types of rule sets may be used in the application:

Intrusion Detection rule sets may be active or inactive. When a rule set is active, its rules are applied during traffic analysis if the rule-based Intrusion Detection method is enabled. When a rule set has been switched to inactive, its rules are no longer applied.

When a rule set is loaded, the application checks the rules in the set. If errors are found when the rule set is checked (for example, duplicated rules are detected), the application displays information about the number of detected errors for this set. Rule sets with detected errors are ignored in the application (the rules from these sets are not applied, even if the sets are active).
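The following is an added example, not code from the application or its vendor: a pre-load check that finds duplicated rules in a set and then works out which rules would actually be applied, given that a set with errors is ignored even when it is active. It assumes Suricata/Snort-style rule syntax in which the sid option identifies a rule, and treats a repeated sid within one set as a duplicate; the page specifies neither, and the function names and sample rules are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Suricata/Snort-style rules, one per line, identified by "sid".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def check_rule_set(text):
    """Return (rules, errors); rules maps sid -> rule line."""
    rules, errors, seen = {}, [], Counter()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SID_RE.search(line)
        if not match:
            errors.append(f"line {lineno}: no sid option")
            continue
        sid = int(match.group(1))
        seen[sid] += 1
        if seen[sid] > 1:
            errors.append(f"line {lineno}: duplicate sid {sid}")
        else:
            rules[sid] = line
    return rules, errors

def applied_rules(rule_sets):
    """Rules used in traffic analysis: set must be active and error-free."""
    applied = {}
    for name, (active, text) in rule_sets.items():
        rules, errors = check_rule_set(text)
        if errors:  # a set with errors is ignored even when it is active
            print(f"{name}: {len(errors)} error(s), set ignored")
        elif active:
            applied.update(rules)
    return applied

def rule(sid, msg):  # builds a constructed sample rule (not a vendor rule)
    return f'alert tcp any any -> any 502 (msg:"{msg}"; sid:{sid}; rev:1;)'

# Constructed sample sets: name -> (active?, rule text)
SAMPLE_SETS = {
    "clean-active": (True, "\n".join([rule(1000001, "A"), rule(1000002, "B")])),
    "dup-active": (True, "\n".join([rule(1000003, "C"), rule(1000003, "C copy")])),
    "clean-inactive": (False, rule(1000004, "D")),
}

if __name__ == "__main__":
    print(sorted(applied_rules(SAMPLE_SETS)))
```

Running a check like this before loading a set shows when an active set would contribute no detections because of a single duplicated rule.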

When the conditions defined in an active Intrusion Detection rule are detected in traffic, the application registers a rule-triggering event. Events are registered with system event types that are assigned the following codes:

The severity levels of Kaspersky Industrial CyberSecurity for Networks events correspond to the priorities in Intrusion Detection rules (see the table below).

Mapping between rule priority and event severity

Intrusion Detection rule priority

Kaspersky Industrial CyberSecurity for Networks event severity

4 or higher


2 or 3



