Learning

The Learning page lets you manage how the typical behavior and components of your environment are learned. The software must first learn the normal processes, traffic patterns and communications of your environment before it can detect deviations from them as anomalies.

Detection approach

This dropdown lets you choose from these options:
  • Adaptive Learning (default)
  • Strict

Adaptive Learning uses a less granular and more scalable approach to anomaly detection, in which deviations are evaluated at a global level rather than for a single node. For example, the addition of a device similar to the ones already present in the learned network does not produce alerts, and the same holds for the appearance of a communication similar to ones already learned. The trade-off is lower sensitivity: a change that resembles something already in the baseline is not reported on its own. Adaptive Learning shows its maximum capabilities when combined with Asset Intelligence.

Strict uses a detailed anomaly-based approach in which any deviation from the learned baseline is detected and alerted. The approach is called strict because it requires the monitored system to keep behaving as it did during the learning phase, and it therefore requires some knowledge of that system in order to maintain the baseline over time.

The engine has two distinct learning goals: the network and the process. Each of the two can be in learning or in protection mode, and the two are governed independently.

Network Learning is the learning of:
  • Nodes
  • Links
  • Protocols
  • Function codes, for example the commands that are sent from one node to another
A wide range of parameters is checked in this engine and can be fine-tuned.

Process Learning is the learning of variables, and their behavior. You can use specific checks to fine-tune this learning.

Phase switching

You can set this to one of these options:
  • Dynamic
  • Two-phase

Dynamic, or Dynamic window, lets you configure the time window during which an engine still considers a change as something to be learned. Every engine performs this evaluation per node and per network segment, so each node and each segment has its own window.

After this period of time, the learning phase is automatically, and safely, switched to protection mode for that node or segment. This:
  • Raises alerts when something differs from the learned baseline
  • Adds suspicious components to the environment with the is learned attribute set to off, so that an operator can confirm them, delete them, or take the appropriate action in the Manage network learning page

In this way, stable network nodes and segments become protected automatically. This prevents you from being overwhelmed with alerts due to the premature closing of learning mode.
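To make the per-node dynamic window and the Adaptive/Strict distinction concrete, here is an added example: a small Python simulation written for this page, not code from the product. It models only the per-node window (not the per-segment one), judges a change against the windows of the endpoints it already knows, treats two communications as similar when they use the same protocol and function code, and under Adaptive Learning absorbs a similar communication into the baseline without an alert. All of those are simplifying assumptions, and the traffic it feeds in is constructed.

```python
"""Toy simulation of network learning with a dynamic window (added example, not the
product's code).  Nodes, links, protocols and function codes are learned until a node
has been quiet for `window` seconds; after that, changes touching the node are judged
as deviations, per node (Strict) or globally (Adaptive)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One observed communication: source, destination, protocol, function code."""
    src: str
    dst: str
    proto: str
    fc: str


class NetworkBaseline:
    def __init__(self, window, approach="adaptive"):
        self.window = window            # dynamic window in seconds (assumed unit)
        self.approach = approach        # "adaptive" or "strict"
        self.nodes = {}                 # node -> time of its last learned change
        self.links = {}                 # Link -> is_learned flag
        self.unlearned_nodes = set()    # nodes added with is_learned off
        self.alerts = []

    def protecting(self, node, now):
        """A node leaves learning once its window has elapsed with no new learned change."""
        return node in self.nodes and now - self.nodes[node] >= self.window

    def seen_globally(self, proto, fc):
        """Adaptive similarity (assumption): same protocol and function code anywhere in the baseline."""
        return any(l.proto == proto and l.fc == fc for l, ok in self.links.items() if ok)

    def observe(self, link, now):
        """Feed one communication; returns an alert dict, or None if nothing was reported."""
        if link in self.links:
            return None                 # already known (learned or pending review): no change
        new_nodes = [n for n in (link.src, link.dst) if n not in self.nodes]
        known = [n for n in (link.src, link.dst) if n in self.nodes]
        # The window is evaluated per node: judge the change against the endpoints we
        # already know; a wholly new pair is judged against every known node.
        deviation = any(self.protecting(n, now) for n in (known or list(self.nodes)))
        # Strict: every deviation is reported.  Adaptive: a communication that resembles
        # one already in the baseline is evaluated globally and is not an anomaly.
        similar = self.approach == "adaptive" and self.seen_globally(link.proto, link.fc)
        learned = not deviation or similar
        if learned:
            for n in known:
                if not self.protecting(n, now):
                    self.nodes[n] = now  # a learned change restarts that node's window
        for n in new_nodes:
            self.nodes[n] = now          # a new node starts its own learning window
            if not learned:
                self.unlearned_nodes.add(n)
        self.links[link] = learned
        if learned:
            return None
        alert = {"t": now, "link": link, "new_nodes": new_nodes, "is_learned": False}
        self.alerts.append(alert)
        return alert


def run_scenario(approach):
    """Constructed traffic: an HMI polls two PLCs during learning; after the window has
    closed, a third PLC appears with the same kind of polling, then an unknown
    engineering station writes registers on plc1."""
    b = NetworkBaseline(window=60, approach=approach)
    b.observe(Link("hmi", "plc1", "modbus", "3"), 0)      # fc 3: read holding registers
    b.observe(Link("hmi", "plc2", "modbus", "3"), 5)
    b.observe(Link("plc1", "hist", "opc-ua", "Read"), 10)
    # t = 100: every node has been quiet longer than the window, so all are protecting
    b.observe(Link("hmi", "plc3", "modbus", "3"), 100)    # new device, familiar traffic
    b.observe(Link("eng", "plc1", "modbus", "16"), 110)   # fc 16: write multiple registers
    return b


if __name__ == "__main__":
    for approach in ("strict", "adaptive"):
        b = run_scenario(approach)
        print(approach, "alerts:", [(a["t"], a["link"].src, a["link"].dst) for a in b.alerts],
              "unlearned nodes:", sorted(b.unlearned_nodes))
```

Running the scenario under both approaches shows the difference described above: Strict reports both the new PLC polled with the usual read command and the new engineering station that writes registers, while Adaptive reports only the latter. In both cases the unlearned components are recorded with is_learned off, which is what an operator would then confirm or delete.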

The Two-phase dropdown lets you choose between:
  • Learning
  • Protecting

Learning: in this mode, the environment incorporates new behavior into the baseline as learned, and no alerts are raised for it.

Protecting: in this mode, you receive alerts when an anomaly is detected.

Variables

If you set the toggle to Learning and Protecting, an alert is raised whenever a new variable is detected. Set the toggle to Disabled to prevent this, for example while you are making planned changes to your environment.

New values

If you set the toggle to Learning and Protecting, an alert is raised dynamically whenever a change in the behavior of the process is detected, for example a variable taking values it did not take during learning. Set the toggle to Disabled to prevent this, for example while you are making planned changes to your environment.

Dynamic flow control

If you set the toggle to Learning and Protecting, an alert is raised when the reading and writing pattern of a variable changes from the learned one, for example when a variable that was only read during learning starts being written. Set the toggle to Disabled to prevent this, for example while you are making planned changes to your environment.
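As an added example of how the three process toggles behave together (not code from the product), the following Python simulation models a minimal process baseline under the Two-phase modes: in Learning it records each variable's value range and the operations (read or write) performed on it; in Protecting it raises one alert per enabled check. The checks are simplifications assumed for illustration: New values is modelled as a value outside the learned range, Dynamic flow control as an operation not seen during learning, and a toggle set to Disabled skips its check entirely. The samples are constructed.

```python
"""Toy process-learning engine with the Variables, New values and Dynamic flow control
toggles (added example, not the product's code; the checks are simplified assumptions)."""


class ProcessBaseline:
    ALL_CHECKS = ("variables", "new_values", "flow_control")

    def __init__(self, mode="learning", enabled=ALL_CHECKS):
        self.mode = mode                # two-phase switching: "learning" or "protecting"
        self.enabled = set(enabled)     # toggles set to Learning and Protecting
        self.vars = {}                  # var -> {"lo", "hi", "ops", "is_learned"}
        self.alerts = []

    def _alert(self, now, kind, var, op, value):
        alert = {"t": now, "kind": kind, "var": var, "op": op, "value": value}
        self.alerts.append(alert)
        return alert

    def observe(self, var, op, value, now):
        """Feed one sample (variable, read/write, value); returns the alerts it raised."""
        protecting = self.mode == "protecting"
        raised = []
        entry = self.vars.get(var)
        if entry is None:
            if "variables" not in self.enabled:
                return raised           # Variables disabled: unknown variables are ignored
            # A variable first seen while protecting is recorded but not learned
            entry = self.vars[var] = {"lo": value, "hi": value, "ops": {op},
                                      "is_learned": not protecting}
            if protecting:
                raised.append(self._alert(now, "NEW-VARIABLE", var, op, value))
            return raised
        if "flow_control" in self.enabled and op not in entry["ops"]:
            if protecting:              # e.g. a variable only read so far is now written
                raised.append(self._alert(now, "FLOW-CHANGE", var, op, value))
            else:
                entry["ops"].add(op)    # learning: the new operation becomes part of the pattern
        if "new_values" in self.enabled and not entry["lo"] <= value <= entry["hi"]:
            if protecting:
                raised.append(self._alert(now, "NEW-VALUE", var, op, value))
            else:
                entry["lo"], entry["hi"] = min(entry["lo"], value), max(entry["hi"], value)
        return raised


def run_scenario(enabled=ProcessBaseline.ALL_CHECKS):
    """Constructed samples: an HMI reads a setpoint that stays within 40..60 during
    learning; after switching to Protecting the setpoint is written out of range and
    a never-seen variable appears."""
    p = ProcessBaseline(enabled=enabled)
    for t, v in ((0, 40.0), (1, 55.0), (2, 60.0)):
        p.observe("plc1:40001", "read", v, t)
    p.observe("plc1:40002", "read", 1.0, 3)
    p.mode = "protecting"               # Two-phase switched to Protecting
    p.observe("plc1:40001", "read", 58.0, 10)    # inside the baseline: silent
    p.observe("plc1:40001", "write", 95.0, 11)   # first write ever, and out of range
    p.observe("plc1:40009", "read", 0.0, 12)     # variable never seen in learning
    return p


if __name__ == "__main__":
    for enabled in (ProcessBaseline.ALL_CHECKS, ("variables", "new_values"), ()):
        print(enabled, [a["kind"] for a in run_scenario(enabled).alerts])
```

With all three toggles enabled the out-of-range write produces two alerts (a flow change and a new value) and the unknown variable a third; disabling Dynamic flow control drops the flow-change alert while leaving the other two, and disabling every toggle, as one would during planned changes, leaves the engine silent.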