How machine learning can improve network visibility for OT teams


The goal of using neural networks in cybersecurity is to detect unusual behavior and patterns, especially within OT assets and networks. Detecting unusual behavior often leads to the discovery that an asset has been compromised or that something has been misconfigured.

“Getting visibility into your industrial assets and networks is the first step in understanding your overall OT cybersecurity posture,” said Pete Lund, vice president of products for OT security at infrastructure cybersecurity specialist Opswat.

To leverage these capabilities, Opswat introduced its AI-powered network visibility solution, Neuralyzer. The software tool uses machine learning (ML) to learn the communication patterns between assets and networks to determine what is “normal” activity. This allows OT staff to focus on the main tasks at hand and only alert them when unusual activity occurs.

“Neural networks have the ability to learn similar to the human brain, so they can work like a second pair of eyes to spot red flags for you,” Lund explains. “The ML in Neuralyzer can identify the type of device or asset on the network, providing asset visibility.”

Machine learning looks for assets and anomalies

One application of ML in Neuralyzer is the ability to identify the type of device/asset on the network, referred to as an asset visibility feature.

For asset visibility, most tools use device fingerprinting (DFP), which is typically used to discover and/or profile the device. Typical OT devices, unlike IT devices, do not have a browser installed, so browser fingerprinting (an effective approach to DFP in IT) typically does not work for the OT environment.
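To make the traffic-based alternative to browser fingerprinting concrete, here is an added example (not Opswat's or Neuralyzer's code, and not the feature set Lund describes): each device is profiled purely from the flows it takes part in (share of Modbus/TCP and S7comm conversations, how often it acts as the server side, average packet size, number of peers), and a nearest-neighbour classifier trained on labelled profiles assigns a device type, or "unknown" when nothing in the training set is close. The training profiles, flow records, feature choice and distance threshold are all constructed for the illustration.

```python
"""Device-type fingerprinting from passive traffic features (added example)."""
from __future__ import annotations

import math

FEATURES = ("modbus_frac", "s7_frac", "http_frac", "server_ratio",
            "avg_pkt_bytes", "peer_count")

# Constructed labelled profiles (device type, feature dict); hypothetical values.
TRAINING = [
    ("plc", {"modbus_frac": 0.9, "s7_frac": 0.0, "http_frac": 0.0,
             "server_ratio": 0.95, "avg_pkt_bytes": 90, "peer_count": 3}),
    ("plc", {"modbus_frac": 0.0, "s7_frac": 0.85, "http_frac": 0.05,
             "server_ratio": 0.9, "avg_pkt_bytes": 110, "peer_count": 4}),
    ("hmi", {"modbus_frac": 0.6, "s7_frac": 0.1, "http_frac": 0.2,
             "server_ratio": 0.1, "avg_pkt_bytes": 300, "peer_count": 12}),
    ("hmi", {"modbus_frac": 0.5, "s7_frac": 0.3, "http_frac": 0.1,
             "server_ratio": 0.15, "avg_pkt_bytes": 280, "peer_count": 10}),
    ("workstation", {"modbus_frac": 0.05, "s7_frac": 0.05, "http_frac": 0.7,
                     "server_ratio": 0.0, "avg_pkt_bytes": 800, "peer_count": 40}),
    ("workstation", {"modbus_frac": 0.1, "s7_frac": 0.0, "http_frac": 0.6,
                     "server_ratio": 0.05, "avg_pkt_bytes": 900, "peer_count": 35}),
]

# Constructed flow records: (client, server, server_port, packets, bytes).
# 10.0.0.20 is polled over Modbus/TCP (502) by three hosts and itself
# fetches NTP time (123) from 10.0.0.50.
FLOWS = [
    ("10.0.0.10", "10.0.0.20", 502, 400, 36000),
    ("10.0.0.30", "10.0.0.20", 502, 600, 57000),
    ("10.0.0.11", "10.0.0.20", 502, 300, 27000),
    ("10.0.0.20", "10.0.0.50", 123, 2, 180),
]


def profile_device(addr: str, flows) -> dict[str, float]:
    """Derive the feature vector of one address from the flows it appears in."""
    conns = [f for f in flows if addr in (f[0], f[1])]
    if not conns:
        raise ValueError(f"no traffic observed for {addr}")
    n = len(conns)
    pkts = sum(f[3] for f in conns)
    return {
        "modbus_frac": sum(f[2] == 502 for f in conns) / n,
        "s7_frac": sum(f[2] == 102 for f in conns) / n,
        "http_frac": sum(f[2] in (80, 443) for f in conns) / n,
        "server_ratio": sum(f[1] == addr for f in conns) / n,   # how often it is the responder
        "avg_pkt_bytes": sum(f[4] for f in conns) / pkts,
        "peer_count": len({f[0] if f[1] == addr else f[1] for f in conns}),
    }


def _scale(vec: dict[str, float], bounds: dict[str, tuple[float, float]]) -> list[float]:
    """Min-max scale each feature so byte counts do not dominate fractions."""
    out = []
    for f in FEATURES:
        lo, hi = bounds[f]
        out.append(0.0 if hi == lo else (vec[f] - lo) / (hi - lo))
    return out


def fit(training) -> dict:
    """Learn per-feature scaling bounds and keep the scaled labelled points."""
    bounds = {f: (min(v[f] for _, v in training), max(v[f] for _, v in training))
              for f in FEATURES}
    return {"bounds": bounds,
            "points": [(label, _scale(v, bounds)) for label, v in training]}


def classify(model: dict, profile: dict[str, float], max_distance: float = 0.6) -> tuple[str, float]:
    """1-nearest-neighbour in scaled space; 'unknown' when nothing is close enough."""
    x = _scale(profile, model["bounds"])
    label, dist = min(((lbl, math.dist(x, p)) for lbl, p in model["points"]),
                      key=lambda t: t[1])
    return ("unknown" if dist > max_distance else label), round(dist, 3)


if __name__ == "__main__":
    model = fit(TRAINING)
    for addr in ("10.0.0.20", "10.0.0.50"):
        print(addr, classify(model, profile_device(addr, FLOWS)))
```

The "unknown" outcome matters in practice: an OT asset inventory built this way should surface devices that match no known profile for manual review rather than silently forcing them into the nearest class.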

“Through extensive research and experimentation, our team has worked out a selected function set and ML algorithm that works best – in terms of accuracy, performance and required inputs – to classify the device type,” explains Lund.

He says another application for ML is to detect anomalies in network connectivity and activity of a specific device or the network as a whole.

Neuralyzer can model the device or devices and their network connections as a diagram and then use a 1D convolutional neural network to detect anomalies.
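The learn-what-is-normal idea described for Neuralyzer above, and the per-device or network-wide anomaly detection described here, can be shown with a much simpler statistical baseline. The following is an added example, not Neuralyzer's code and not a convolutional network: a learning phase records which (source, destination, port) conversations occur and how many bytes each moves per time window, and a detection phase flags conversations absent from the baseline, known conversations whose volume deviates strongly from the learned mean (z-score), and conversations that were always present but went silent. All addresses, ports and byte counts are constructed sample data.

```python
"""Baseline-and-deviation anomaly detection over OT flow records (added example)."""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    interval: int   # index of the observation window (e.g. one per minute)
    src: str        # initiator address
    dst: str        # responder address
    dport: int      # responder port (502 = Modbus/TCP, 102 = S7comm)
    nbytes: int     # bytes moved in this window


# Constructed "normal" traffic: ten windows of an HMI and a historian polling
# a Modbus PLC, and an engineering workstation talking S7comm to a second PLC.
BASELINE_FLOWS = [
    f
    for i in range(10)
    for f in (
        Flow(i, "10.0.0.10", "10.0.0.20", 502, 4000 + (i % 5) * 50),
        Flow(i, "10.0.0.30", "10.0.0.20", 502, 9000 + (i % 3) * 100),
        Flow(i, "10.0.0.40", "10.0.0.21", 102, 1500),
    )
]

# Constructed detection window: the historian suddenly pulls far more data,
# an unknown host starts talking Modbus to the PLC, and the workstation is silent.
DETECTION_FLOWS = [
    Flow(10, "10.0.0.10", "10.0.0.20", 502, 4100),
    Flow(10, "10.0.0.30", "10.0.0.20", 502, 60000),
    Flow(10, "10.0.0.99", "10.0.0.20", 502, 300),
]


class Baseline:
    """Per-conversation byte-volume history learned from a training period."""

    def __init__(self) -> None:
        # (src, dst, dport) -> bytes per window, zero for windows where it was absent
        self.volumes: dict[tuple[str, str, int], list[int]] = {}

    def learn(self, flows: list[Flow]) -> None:
        per_window: dict[int, dict] = defaultdict(lambda: defaultdict(int))
        for f in flows:
            per_window[f.interval][(f.src, f.dst, f.dport)] += f.nbytes
        keys = {k for window in per_window.values() for k in window}
        self.volumes = {k: [] for k in keys}
        for window in per_window.values():
            for k in keys:
                self.volumes[k].append(window.get(k, 0))

    def score(self, flows: list[Flow], z_threshold: float = 3.0) -> list[tuple]:
        """Return (kind, conversation, value) alerts for one detection window."""
        observed: dict[tuple, int] = defaultdict(int)
        for f in flows:
            observed[(f.src, f.dst, f.dport)] += f.nbytes
        alerts = []
        for key, vol in observed.items():
            history = self.volumes.get(key)
            if history is None:
                alerts.append(("new-conversation", key, vol))
                continue
            mean = statistics.fmean(history)
            # a perfectly constant history has zero spread; use a floor instead
            sd = statistics.pstdev(history) or max(1.0, 0.1 * mean)
            z = (vol - mean) / sd
            if abs(z) > z_threshold:
                alerts.append(("volume-deviation", key, round(z, 1)))
        # availability matters in OT: a conversation seen in every window that stops is itself an anomaly
        for key, history in self.volumes.items():
            if key not in observed and min(history) > 0:
                alerts.append(("missing-conversation", key, 0))
        return alerts


def run_example() -> list[tuple]:
    baseline = Baseline()
    baseline.learn(BASELINE_FLOWS)
    return baseline.score(DETECTION_FLOWS)


if __name__ == "__main__":
    for kind, key, value in run_example():
        print(f"{kind:22} {key[0]} -> {key[1]}:{key[2]}  {value}")
```

The "missing-conversation" rule reflects Lund's point below that an OT anomaly can concern availability, not only integrity: a PLC that its workstation stopped talking to deserves the same attention as a host that newly appeared.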

“Network traffic analysis and anomaly detection are good use cases for ML and neural networks,” says Lund. “Network traffic analysis would be a viable approach for DFP in the OT.”

He points out that anomaly detection is an important aspect of visibility into the OT environment.

“An anomaly can relate not only to integrity — say, a network breach — but also to asset availability or normal operation, which is critical to the OT environment,” says Lund.

Neural networks offer several cybersecurity benefits

Bud Broomhead, CEO of automated IoT cyberhygiene provider Viakoo, says that like any other technology, neural networks can be used to both enhance and defeat cybersecurity.

“There are many examples of how neural networks can be trained to get bad results, or how data can be fed to disrupt systems,” he explains. “Nevertheless, massive improvements in efficiency — for example, detecting cyber threats in seconds or finding threat actors in a crowd almost instantly — will be many years from now to close the cybersecurity resource gaps.”

Neural networks can analyze complex systems and make intelligent decisions about their representation and classification. In other words, they take a lot of raw data and turn it into meaningful insights.

“Just having an asset inventory doesn’t show you combining them in a tightly coupled workflow — but that’s what organizations need to prioritize the vulnerabilities and risks of those systems,” says Broomhead.

John Bambenek, principal threat hunter at Netenrich, a security and operational analytics SaaS company, adds that neural networks enable statistical analysis well beyond the capacity of a human.

“With enough data points and thorough and effective training, they can quickly classify normal from abnormal, allowing an analyst to track events that would otherwise go undetected,” he says.

However, Bambenek says he doesn’t see neural networks as reliable for asset detection or vulnerability management.

“If an asset isn’t visible in the DHCP logs, there isn’t much data to find it elsewhere,” he points out. “Risk management, on the other hand, can find anomalous behaviors and then categorize the risky behavior using another available context to provide answers about the business risks.”

Broomhead says that detecting even subtle changes in OT system behavior can enable a neural network to identify when maintenance is needed, when cyber threats arise, and how environmental changes prompt the system to respond.

“Especially in times like now, when there are limited human resources to safely and reliably run OT systems, neural networks are a force multiplier that many organizations can rely on,” he says.
