Network session monitoring

Kaspersky Industrial CyberSecurity for Networks can detect the network sessions that devices create to connect with other devices in industrial network traffic. When network sessions are detected, the application registers them and saves information about them. Unlike connections on the network interaction map, registered network sessions provide more detailed information about device interactions, in part because sessions are registered separately for the different ports and protocols used in the interactions.

Network sessions can be detected when analyzing traffic received by monitoring points, as well as when receiving data from EPP applications. Each registered network session contains information about the connection between the two devices that are the sides of the interaction. A network session is characterized by the address information of the sides of the interaction (MAC and/or IP addresses), port numbers, and the application protocol that was used for the connection. The first device in a network session is usually the device that initiates the sending of network packets to the other device.

The saved information about network sessions enables an analysis of the network activity of devices, including through the use of Network Anomaly Detection rules. Network Anomaly Detection rule-based analysis utilizes the saved protocol attributes in network sessions (the application supports retention of attributes for the DCE/RPC, DNS, Kerberos, and LDAP protocols). You can also download data on transmitted network packets from traffic dump files.

The application registers network sessions and saves information for analyzing the network activity of devices if the following methods are enabled:

A network session is considered completed if no network packets are sent during one minute within this session or if the network session detection technology is disabled on the corresponding node or monitoring point.
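
A minimal model of the session rules described above, as an added example that is not the application's own code: packets are grouped by the addresses, ports and protocol of both sides, the first sender is recorded as the first device, and a session ends after one minute without packets. The record layout and the names `Session`, `sessionize` and `SAMPLE` are assumptions made for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0  # seconds: the "one minute without packets" rule

@dataclass
class Session:
    initiator: tuple   # (address, port) of the side that sent the first packet
    responder: tuple   # (address, port) of the other side
    protocol: str
    first_seen: float
    last_seen: float
    packets: int = 1

def sessionize(packets, timeout=IDLE_TIMEOUT):
    """Group packet records into sessions, closing one after `timeout` idle seconds."""
    active, sessions = {}, []
    for ts, src, sport, dst, dport, proto in sorted(packets):
        # Both directions of one conversation map to the same key.
        key = (frozenset({(src, sport), (dst, dport)}), proto)
        cur = active.get(key)
        if cur is not None and ts - cur.last_seen < timeout:
            cur.last_seen = ts
            cur.packets += 1
        else:
            # First packet, or the idle gap reached the timeout: register a new session.
            cur = Session((src, sport), (dst, dport), proto, ts, ts)
            active[key] = cur
            sessions.append(cur)
    return sessions

# Constructed sample records: (timestamp, src, src_port, dst, dst_port, protocol)
SAMPLE = [
    (0.0,  "10.0.0.5",  49152, "10.0.0.10", 53,    "DNS"),
    (0.2,  "10.0.0.10", 53,    "10.0.0.5",  49152, "DNS"),   # reply, same session
    (5.0,  "10.0.0.5",  49153, "10.0.0.10", 389,   "LDAP"),  # other port and protocol
    (30.0, "10.0.0.5",  49153, "10.0.0.10", 389,   "LDAP"),
    (95.0, "10.0.0.5",  49153, "10.0.0.10", 389,   "LDAP"),  # 65 s idle: new session
]

if __name__ == "__main__":
    for s in sessionize(SAMPLE):
        print(s)
```

The same pair of devices yields three sessions here: one for DNS and two for LDAP, the second LDAP session starting after the idle gap.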

If an excessive number of network sessions are detected, the application applies the following session registration restrictions:

The application saves network session data in the database on the Server. The total volume of saved entries cannot exceed the defined limit. If the volume exceeds the defined limit, the application automatically deletes 10% of the oldest entries. You can set a maximum volume limit for the network sessions when configuring data storage settings on the Server node in the Network sessions section.

You can view information about network sessions on the Network sessions tab in the Network map section.

In this section:

Network sessions table

Viewing network session details

Downloading network session traffic
