Kaspersky Industrial CyberSecurity for Networks

Learning mode for Interaction Control technologies

March 22, 2024

ID 136501

In Interaction Control learning mode, the application does the following:

  • If the use of Network Integrity Control technology is enabled, the application generates rules based on this technology. When the application detects network interactions that match only disabled rules, it registers events based on Network Integrity Control technology. These events are registered using the system event type that is assigned the code 4000002601.
  • If the use of Command Control technology is enabled, the application generates rules based on this technology. When the application detects system commands that match only disabled rules, it registers unauthorized system command detection events based on Command Control technology. These events are registered using the system event type that is assigned the code 4000002602.

When generating rules based on Interaction Control technologies, the application adds new rules obtained from its analysis of network interactions and system commands in industrial network traffic. For these rules, the Origin parameter contains the System value. If you manually change rule settings, the Origin parameter will take the User value.

Network interactions detected during traffic analysis are checked for compliance with current Interaction Control rules. If a detected interaction does not match any rule, the application creates a new rule. In this case, an interaction detection event is not registered. When a new rule is created, the application enables it and adds values of settings based on the received data about the network interaction.

If the detected interaction only matches a disabled rule, the application registers an event based on the technology corresponding to this rule. In this case, a new rule is not created.

During the learning process, the application can optimize the list of Interaction Control rules. Optimization involves combining two or more specific rules into one general rule, or deleting specific rules if a general rule is available. Rules that satisfy the following conditions are optimized:

  • The rules are enabled.
  • The Origin parameter contains the System value.
  • The rules are related to the same technology.

Rules are merged during optimization if the resulting general rule will correspond only to the detected network interactions and no others. For example, one Interaction Control rule was created after a system command was detected during an interaction between two devices. Then another system command was detected during interaction between the same devices. In this case, after optimization, only one general rule will remain. It will describe both system commands detected during network interaction between these devices.
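The learning-mode behaviour described above (create an enabled System-origin rule for an unmatched interaction, register an event instead when only a disabled rule matches, then merge specific rules into one general rule) can be modelled in a few lines. The following is an added illustration written for this page, not Kaspersky code: the rule fields, the matching logic, the technology labels "NIC" and "CC", the device names and the sample traffic are all assumptions, and "general rule" is modelled as the union of the commands seen between one device pair, as in the page's own example.

```python
"""Hypothetical model of Interaction Control learning mode (illustration only)."""
from dataclasses import dataclass

# System event type codes quoted on the page.
EVENT_NIC = 4000002601  # Network Integrity Control: interaction matched only a disabled rule
EVENT_CC = 4000002602   # Command Control: system command matched only a disabled rule


@dataclass
class Rule:
    technology: str                      # "NIC" or "CC" (assumed labels)
    src: str                             # source device (assumed field)
    dst: str                             # destination device (assumed field)
    commands: frozenset = frozenset()    # CC only: system commands the rule covers
    enabled: bool = True                 # learned rules are created enabled
    origin: str = "System"               # becomes "User" once settings are edited manually

    def matches(self, inter: dict) -> bool:
        # Assumed matching: same technology and device pair; for Command Control
        # the observed command must already be covered by the rule.
        if (self.technology, self.src, self.dst) != (inter["tech"], inter["src"], inter["dst"]):
            return False
        return self.technology == "NIC" or inter.get("cmd") in self.commands


def learn(rules: list, inter: dict, events: list) -> None:
    """Apply one detected interaction to the rule list while learning mode is on."""
    matching = [r for r in rules if r.matches(inter)]
    if any(r.enabled for r in matching):
        return                                   # covered by an enabled rule: nothing to do
    if matching:                                 # only disabled rules match: event, no new rule
        events.append(EVENT_NIC if inter["tech"] == "NIC" else EVENT_CC)
        return
    cmds = frozenset([inter["cmd"]]) if inter["tech"] == "CC" else frozenset()
    rules.append(Rule(inter["tech"], inter["src"], inter["dst"], cmds))


def optimize(rules: list) -> list:
    """Merge enabled, System-origin rules of the same technology and device pair."""
    merged, keep = {}, []
    for r in rules:
        if not (r.enabled and r.origin == "System"):
            keep.append(r)                       # disabled or user-edited rules are left alone
            continue
        key = (r.technology, r.src, r.dst)
        if key in merged:
            merged[key].commands |= r.commands   # the general rule covers both commands
        else:
            merged[key] = Rule(r.technology, r.src, r.dst, r.commands, r.enabled, r.origin)
    return keep + list(merged.values())


def run_example():
    """Walk through the page's scenario; returns (rules, events)."""
    rules, events = [], []
    # Constructed sample traffic (not real captures): two commands between the same
    # device pair, followed by the same plain network interaction seen twice.
    traffic = [
        {"tech": "CC", "src": "PLC-A", "dst": "HMI-1", "cmd": "READ"},
        {"tech": "CC", "src": "PLC-A", "dst": "HMI-1", "cmd": "WRITE"},
        {"tech": "NIC", "src": "PLC-A", "dst": "HMI-1"},
        {"tech": "NIC", "src": "PLC-A", "dst": "HMI-1"},
    ]
    for inter in traffic:
        learn(rules, inter, events)              # two specific CC rules and one NIC rule
    rules = optimize(rules)                      # the two CC rules collapse into one
    # An operator disables the general CC rule (its Origin becomes User); the next
    # matching command is now reported as an unauthorized system command event.
    cc_rule = next(r for r in rules if r.technology == "CC")
    cc_rule.enabled, cc_rule.origin = False, "User"
    learn(rules, traffic[0], events)
    return rules, events


if __name__ == "__main__":
    final_rules, final_events = run_example()
    for rule in final_rules:
        print(rule)
    print("events:", final_events)
```

The second NIC interaction produces neither a rule nor an event because an enabled rule already covers it, which is exactly why a sufficiently long learning period matters: any interaction that was never seen while learning was on is later reported rather than silently allowed.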

While operating in learning mode, the application periodically optimizes rules for the corresponding Interaction Control technology. The frequency of optimization is once per minute. Optimization is performed if new interactions are detected in industrial network traffic. To keep the rules table up to date, you must update rules.

After learning mode is disabled, optimization is performed one more time.

There may be a delay before the Interaction Control rules are optimized after learning mode is disabled. The length of the delay depends on the amount of data being received by the application, and may last up to three minutes. During this time, it is recommended to refrain from making any changes to rules that were generated during learning mode based on Network Integrity Control and Command Control technologies.

Interaction Control learning mode must be enabled for enough time to receive all the necessary information about network interactions. This amount of time depends on the number of devices in the industrial network and how frequently they operate and are serviced. We recommend that you enable learning mode for at least one hour. In large industrial networks, learning mode can be enabled for a period ranging from one to several days to accumulate the maximum amount of data.
