The goal of neural networking in cybersecurity is to be able to detect unusual behavior and patterns, especially within OT assets and networks. Detecting unusual behaviors often leads to the discovery that you have been compromised or something has been misconfigured.
“Having visibility into your industrial assets and networks is the first step to understanding your overall OT cybersecurity posture,” says Pete Lund, vice president of products for OT security at infrastructure cybersecurity specialist Opswat.
To take advantage of such abilities, Opswat unveiled an AI-powered network visibility solution, Neuralyzer. The software tool leverages machine learning (ML) to learn the communication patterns between assets and networks and determine what “normal” activity is. This enables OT workers to remain focused on their primary tasks and be alerted only when abnormal activity occurs.
“Neural networks have the ability to learn in a similar way as the human brain, and so they can spot red flags on your behalf like a second set of eyes,” Lund explains. “The ML in Neuralyzer can identify the type of device or asset on the network, providing asset visibility.”
Machine Learning Looks for Assets and Anomalies
One application of ML in Neuralyzer is the ability to identify the type of device/asset on the network, aptly called the asset visibility feature.
For asset visibility, most tools use the device fingerprint (DFP) to discover and/or profile the device. Typical OT devices, unlike IT devices, do not have a browser installed, so a browser fingerprint (an effective approach for DFP in IT) usually will not work for the OT environment.
“Through extensive research and experiments, our team has worked out a selected feature set and ML algorithm that works best — in terms of accuracy, performance, and required inputs — for classifying the device type,” explains Lund.
Another application for ML is to detect anomalies in the network connectivity and activity of a particular device or of the whole network, he says.
Neuralyzer can model the device or devices and their network connections as a graph, then use a 1D convolutional neural network for anomaly detection.
“Network traffic dissection and anomaly detection are good use cases for ML and neural networks,” Lund says. “Network traffic dissection would be a feasible approach for DFP in the OT.”
Anomaly detection is an important aspect in OT environment visibility, he points out.
“An anomaly might not only relate to integrity — for example, a network breach — but it might also relate to the availability or normal operation of the assets, which is crucial to the OT environment,” Lund says.
Neural Networks Offer Multiple Cybersecurity Advantages
Bud Broomhead, CEO at automated IoT cyber hygiene provider Viakoo, says neural networks, like any other technology, can be used both for improving and for defeating cybersecurity.
“Many examples exist on how neural networks can be trained to produce bad outcomes or be fed data to disrupt systems,” he explains. “Yet the massive improvement in efficiency — for example, detecting cyber threats in seconds or finding threat actors within a crowd almost immediately — will be needed for many years ahead to overcome the resource gaps present in cybersecurity.”
Neural networks can analyze complex systems and make intelligent decisions on how to present and classify them. In other words, they take a lot of raw data and turn it into meaningful insights.
“Simply having an asset inventory does not show you the combination of them in a tightly coupled workflow — yet that is what businesses need to prioritize the vulnerability and risk of these systems,” Broomhead says.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, adds that neural networks allow for statistical analysis well beyond the capacity of a human.
“Given enough data points and thorough and effective training, they can classify normal and abnormal quickly, allowing an analyst to follow up on events that would not be detected otherwise,” he says.
But Bambenek says he doesn’t see neural networks as reliable for asset discovery or vulnerability management.
“If an asset isn’t visible in DHCP logs, there isn’t a good deal of data to otherwise find it,” he points out. “Risk management, on the other hand, can find abnormal and then categorize the risky behavior using other available context to give the business risk answers.”
Even detecting subtle changes to OT system behavior can enable a neural network to see when maintenance is needed, when cyber threats occur, and how environmental changes cause the system to react, Broomhead says.
“Especially in times like now when there are limited human resources to keep OT systems operating safely and securely, neural networks are a force multiplier that many organizations have come to rely on,” he says.