Learning
The Learning page lets you manage how the typical behavior and components of your environment are learned. The software must learn the normal processes, patterns and communications of your environment before it can detect anomalies: anything it has not learned as normal is a candidate anomaly.
Learning
Detection approach
- Adaptive Learning (default)
- Strict
Adaptive Learning uses a less granular and more scalable approach to anomaly detection, where deviations are evaluated at a global level rather than at the level of a single node. For example, adding a device similar to the ones already installed in the learned network does not produce alerts, and the same holds for the appearance of a communication similar to ones already learned. The trade-off is that a new device or communication that merely resembles learned ones is also silent, so this approach favors fewer alerts over catching every deviation. Adaptive Learning shows its maximum capabilities when combined with Asset Intelligence.
Strict uses a detailed anomaly-based approach: any deviation from the baseline is detected and alerted. The approach is called strict because it requires the monitored system to keep behaving as it did during the learning phase, and it requires some knowledge of the monitored system to be maintained over time, since the baseline must be updated whenever the system legitimately changes.
The engine has two distinct learning goals: the network and the process. For each of them the engine can be in learning or in protection mode, and the two are governed independently.
Network Learning is the learning of:
- Nodes
- Links
- Protocols
- Function codes (for example, commands) that are sent from one node to another
Process Learning is the learning of variables and their behavior. You can use specific checks to fine-tune this learning.
Phase switching
- Dynamic
- Two-phase
Dynamic, or Dynamic window, lets you configure the time interval within which the engine considers a change to be learned. The engine performs this evaluation per node and per network segment. After that interval has elapsed for a given node or segment, the engine:
- Raises alerts when something differs from the learned baseline
- Adds suspicious components to the environment with the is learned attribute set to off, so that an operator can confirm, delete, or take the appropriate action in the Manage network learning page
In this way, stable network nodes and segments become protected automatically, and nodes that are still changing keep learning. This prevents you from being overwhelmed with alerts caused by closing learning mode prematurely.
Two-phase uses a single, global switch between two modes:
- Learning
- Protecting
Learning: in this mode, the environment incorporates new behavior as learned.
Protecting: in this mode, you receive alerts when an anomaly is detected.
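The difference between the two phase-switching strategies is easiest to see on a short traffic timeline. The following is an added, illustrative model and not the product's own engine: a link is a (source, destination, protocol, function code) tuple, the dynamic learner evaluates only per source node (the page also evaluates per segment, which is omitted here), and the traffic, node names and 60-second window are constructed for the example. Components that arrive after a node has become stable are stored with `is_learned` off, and `confirm()` stands in for the operator action in the Manage network learning page.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Link:
    """One learned network component, at the granularity the page lists."""
    src: str
    dst: str
    protocol: str
    function_code: str


@dataclass
class NodeState:
    last_change: float                           # when the node last learned something
    learned: dict = field(default_factory=dict)  # Link -> is_learned flag


class DynamicLearner:
    """Dynamic-window phase switching (illustrative model, assumption: not the
    product's algorithm). A node keeps learning while new links keep arriving
    within `window` seconds of its last change; once it has been quiet for a
    full window it counts as stable and is protected."""

    def __init__(self, window: float):
        self.window = window
        self.nodes = {}     # node name -> NodeState
        self.alerts = []    # (time, Link)

    def is_protected(self, node: str, now: float) -> bool:
        st = self.nodes.get(node)
        return st is not None and now - st.last_change >= self.window

    def observe(self, link: Link, now: float) -> Optional[str]:
        # Simplification: only the source node's window is consulted.
        st = self.nodes.setdefault(link.src, NodeState(last_change=now))
        if link in st.learned:
            return None                          # already known, nothing to do
        if self.is_protected(link.src, now):
            st.learned[link] = False             # is_learned = off, pending operator review
            self.alerts.append((now, link))
            return "ALERT"
        st.learned[link] = True                  # inside the window: learn it ...
        st.last_change = now                     # ... and the window restarts
        return "LEARNED"

    def confirm(self, link: Link) -> None:
        """Operator accepts the component (Manage network learning page)."""
        self.nodes[link.src].learned[link] = True


class TwoPhaseLearner:
    """Two-phase switching: one global mode that the operator flips by hand."""

    def __init__(self):
        self.mode = "Learning"
        self.baseline = {}  # Link -> is_learned flag
        self.alerts = []

    def observe(self, link: Link, now: float) -> Optional[str]:
        if link in self.baseline:
            return None
        if self.mode == "Learning":
            self.baseline[link] = True
            return "LEARNED"
        self.baseline[link] = False
        self.alerts.append((now, link))
        return "ALERT"


# Constructed sample traffic (not captured data): (time in seconds, link).
TRAFFIC = [
    (0,   Link("plc1", "hmi1", "modbus", "read_coils")),
    (10,  Link("plc1", "hmi1", "modbus", "write_coil")),
    (30,  Link("plc1", "hmi1", "modbus", "read_holding_registers")),
    (100, Link("plc1", "eng1", "ssh", "session")),       # plc1 quiet for 70 s > window
    (100, Link("plc2", "hmi1", "modbus", "read_coils")), # brand-new node
]


def run_dynamic(window: float = 60.0):
    learner = DynamicLearner(window)
    return learner, [learner.observe(link, t) for t, link in TRAFFIC]


def run_two_phase(switch_at: float = 60.0):
    learner = TwoPhaseLearner()
    results = []
    for t, link in TRAFFIC:
        if t >= switch_at:
            learner.mode = "Protecting"          # operator closes learning at t = 60
        results.append(learner.observe(link, t))
    return learner, results


if __name__ == "__main__":
    for name, (learner, results) in (("dynamic", run_dynamic()), ("two-phase", run_two_phase())):
        print(name, results, "alerts:", [(t, l.src, l.dst) for t, l in learner.alerts])
```

With the dynamic window, plc1 has been stable for longer than the window when the SSH session appears, so that link alerts, while the brand-new plc2 starts its own window and is learned silently. With two-phase switching everything after the operator's switch alerts, including plc2, which is the "premature closing of learning mode" effect the page describes.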
Variables
If you set the toggle to Learning and Protecting, an alert is raised when a new variable is detected. Set the toggle to Disabled to prevent this, for example while you are making planned changes to your environment.
New values
If you set the toggle to Learning and Protecting, an alert is raised when a change in the behavior of the process is detected, for example a variable taking a value outside what was learned. Set the toggle to Disabled to prevent this, for example while you are making planned changes to your environment.
Dynamic flow control
If you set the toggle to Learning and Protecting, an alert is raised when the reading and writing pattern of a variable deviates from the learned one, for example a write to a variable that was only ever read. Set the toggle to Disabled to prevent this, for example while you are making planned changes to your environment.
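The three process checks above, Variables, New values and Dynamic flow control, each with its own toggle, can be modelled together. This is an added example and not the product's implementation; it assumes a simple two-phase switch between Learning and Protecting, represents "behavior" as the learned value range of a variable and its set of access kinds (read/write), and treats Disabled as "learn the change silently, raise no alert", which the page only states in terms of preventing the alert. The PLC, variable names and values are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List

LEARNING_AND_PROTECTING = "Learning and Protecting"
DISABLED = "Disabled"


@dataclass
class VariableBaseline:
    low: float                              # learned value range ...
    high: float
    ops: set = field(default_factory=set)   # ... and access kinds seen: "read" / "write"


class ProcessMonitor:
    """Illustrative model of the three process checks (assumption: not the
    product's engine). In Learning mode everything is incorporated silently;
    in Protecting mode a check whose toggle is on raises an alert on the first
    deviation, and the deviation is then learned so it does not re-alert."""

    def __init__(self):
        self.mode = "Learning"
        self.toggles = {
            "variables": LEARNING_AND_PROTECTING,
            "new_values": LEARNING_AND_PROTECTING,
            "flow_control": LEARNING_AND_PROTECTING,
        }
        self.baseline = {}   # (node, variable) -> VariableBaseline
        self.alerts = []     # (time, kind, node, variable)

    def _check(self, toggle: str, t: float, kind: str, node: str, var: str) -> bool:
        """Raise `kind` only when protecting and the check's toggle is on."""
        if self.mode == "Protecting" and self.toggles[toggle] == LEARNING_AND_PROTECTING:
            self.alerts.append((t, kind, node, var))
            return True
        return False

    def observe(self, t: float, node: str, var: str, op: str, value: float) -> List[str]:
        """Feed one access; returns the names of the checks that alerted."""
        key = (node, var)
        raised = []
        vb = self.baseline.get(key)
        if vb is None:                                   # Variables check
            if self._check("variables", t, "new variable", node, var):
                raised.append("new variable")
            self.baseline[key] = VariableBaseline(value, value, {op})
            return raised
        if not vb.low <= value <= vb.high:               # New values check
            if self._check("new_values", t, "new value", node, var):
                raised.append("new value")
            vb.low, vb.high = min(vb.low, value), max(vb.high, value)
        if op not in vb.ops:                             # Dynamic flow control check
            if self._check("flow_control", t, "flow control", node, var):
                raised.append("flow control")
            vb.ops.add(op)
        return raised


# Constructed sample accesses (not captured data): (t, node, variable, op, value).
LEARNING_SAMPLES = [
    (0, "plc1", "tank_level", "read", 40.0),
    (5, "plc1", "tank_level", "read", 55.0),
    (10, "plc1", "tank_level", "read", 60.0),
    (12, "plc1", "pump_cmd", "write", 0),
    (20, "plc1", "pump_cmd", "write", 1),
]
PROTECTING_SAMPLES = [
    (100, "plc1", "tank_level", "read", 58.0),   # inside learned range: silent
    (105, "plc1", "tank_level", "read", 95.0),   # above learned range: new value
    (110, "plc1", "pump_cmd", "read", 1),        # never read before: flow control
    (115, "plc1", "setpoint", "write", 10.0),    # unknown variable
]


def run_demo(disable_variables: bool = False):
    mon = ProcessMonitor()
    for sample in LEARNING_SAMPLES:
        mon.observe(*sample)
    mon.mode = "Protecting"
    if disable_variables:
        mon.toggles["variables"] = DISABLED          # e.g. during a planned engineering change
    return mon, [mon.observe(*sample) for sample in PROTECTING_SAMPLES]


if __name__ == "__main__":
    mon, results = run_demo()
    print(results)
    print(mon.alerts)
```

Running it with the Variables toggle set to Disabled makes the `setpoint` write enter the baseline without an alert, while the New values and Dynamic flow control checks still fire, which is the behavior you want when adding variables is a planned change but unexpected values or write patterns are not.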