US-20260129071-A1 - DYNAMICALLY GENERATING OPERATIONAL TECHNOLOGY ASSET GROUPINGS FOR HEALTH AND SECURITY ANALYSIS
Abstract
Systems, methods, and apparatus are disclosed for analyzing Operational Technology (OT) networks. A cyber security appliance includes an OT module to receive data from a plurality of OT assets. An asset identification module passively monitors data to identify asset properties and generate a human-readable label for each OT asset. One or more machine-learning models are trained on a normal pattern of life for the plurality of OT assets. A comparator module compares network data to the normal pattern of life to detect anomalous activity, distinguishing between cyber threats and operational health issues, such as an absence of expected communication, and generates distinct alerts for each. An architecture generation module uses the labels to apply a grouping, such as by shared characteristic or user-defined filter, creating one or more asset groupings and generating visualization data for presentation on a display.
Inventors
- Samuel Goldsmith
- Jack Pearson
- Ajeck Ndifon
- Thomas Preston
Assignees
- Darktrace Holdings Limited
Dates
- Publication Date: 2026-05-07
- Application Date: 2025-12-19
Claims (20)
- 1 . A cyber security appliance, comprising: an operational technology (OT) module configured to receive data from an OT network, wherein the data from the OT network is associated with a plurality of OT assets; an asset identification module configured to passively monitor the data from the OT network to identify one or more properties of the plurality of OT assets and generate a human-readable label for each of the plurality of OT assets based on the identified one or more properties, where the asset identification module is configured to cooperate with the OT module to identify the one or more properties of the plurality of OT assets; one or more machine-learning models trained on a normal pattern of life for the plurality of OT assets based on the data received by the OT module; a comparator module configured to compare the data received from the OT network to the normal pattern of life for the plurality of OT assets obtained from the one or more machine-learning models trained on the normal pattern of life for the plurality of OT assets in order to detect anomalous activity; an architecture generation module configured to i) receive the human-readable label for a corresponding OT asset in the plurality of OT assets from the asset identification module; ii) apply a grouping to the plurality of OT assets to create one or more asset groupings; and iii) generate architecture visualization data representing the one or more asset groupings utilized with the human-readable label for each of the plurality of OT assets in the asset identification module; and one or more processing units configured to cooperate with one or more non-transitory computer readable mediums, where when software instructions are used to implement portions of any of the OT module, the asset identification module, the comparator module, the architecture generation module, and the one or more machine-learning models, then the one or more non-transitory computer readable mediums are configured to store the software instructions and the one or more processing units are configured to execute the software instructions.
- 2 . The cyber security appliance of claim 1 , further comprising a user interface module configured to receive the architecture visualization data and present the one or more asset groupings on a display with a corresponding human-readable label.
- 3 . The cyber security appliance of claim 1 , wherein the grouping is configured to identify a shared characteristic among the plurality of OT assets.
- 4 . The cyber security appliance of claim 3 , wherein the shared characteristic is selected from a group consisting of a shared manufacturer, a shared device type, a shared communication protocol, and a shared subnet.
- 5 . The cyber security appliance of claim 1 , wherein the grouping comprises a user-defined filter applied to the plurality of OT assets.
- 6 . The cyber security appliance of claim 1 , wherein the asset identification module is configured to generate the human-readable label by: extracting an asset identifier from communication packets associated with an OT asset; determining a vendor associated with the asset identifier; and applying a priority-based rule set to the determined vendor and other identified properties to generate the human-readable label.
- 7 . The cyber security appliance of claim 6 , wherein the asset identifier is a Media Access Control (MAC) address.
- 8 . The cyber security appliance of claim 1 , wherein the comparator module is further configured to: distinguish between anomalous activity indicative of a cyber threat and anomalous activity indicative of an operational health issue; in response to detecting the cyber threat, generate a cyber threat alert; and in response to detecting the operational health issue, generate an operational health alert.
- 9 . The cyber security appliance of claim 8 , wherein the comparator module is configured to generate the operational health alert by: monitoring an OT asset for an expected communication based on the asset's normal pattern of life; determining that an operational time window has expired; and generating the operational health alert in response to detecting an absence of the expected communication within the expired operational time window.
- 10 . The cyber security appliance of claim 8 , wherein the comparator module is configured to generate the operational health alert by: retrieving a stored operational state for an OT asset; monitoring communication packets from the OT asset to detect a current operational state; and generating the operational health alert in response to determining the current operational state which is different from the stored operational state.
- 11 . A method for visualizing a network to provide cyber security protection, comprising: receiving, by a cyber security appliance, data associated with a plurality of operational technology (OT) assets from an OT network; passively monitoring the data associated with the plurality of OT assets to identify one or more properties of the plurality of OT assets; generating a human-readable label for each of the plurality of OT assets based on the identified one or more properties; referencing one or more machine-learning models trained on a normal pattern of life for the plurality of OT assets; comparing data received from the OT network to the normal pattern of life to detect anomalous activity; applying a grouping to the plurality of OT assets to create one or more asset groupings; generating architecture visualization data representing the one or more asset groupings; and presenting the one or more asset groupings on a graphical user interface dashboard onto a display screen.
- 12 . The method of claim 11 , wherein the one or more properties are selected from a group consisting of an observed communication protocol, an identified device type, and a determined subnet.
- 13 . The method of claim 12 , wherein generating the human-readable label comprises applying a priority-based rule set to the identified one or more properties.
- 14 . The method of claim 13 , wherein the priority-based rule set is configured to generate a specific label by combining two or more of the identified properties selected from the group, and wherein the specific label is prioritized over a generic network identifier associated with the OT asset.
- 15 . The method of claim 11 , wherein passively monitoring the data comprises: parsing an internet protocol (IP) traffic payload from a gateway device to identify a sub-device address associated with an OT asset lacking a direct IP address; and creating a virtual asset associated with the sub-device address to be monitored as a unique asset.
- 16 . The method of claim 11 , wherein applying the grouping comprises: receiving a user-defined filter from an operator; and applying the user-defined filter to the plurality of OT assets to create the one or more asset groupings.
- 17 . A non-transitory computer readable medium including software modules to be executed by one or more processing units, the software modules comprising: an operational technology (OT) module configured to receive data from an OT network, where the data from the OT network is associated with a plurality of OT assets; an asset identification module configured to passively monitor the data from the OT network to identify one or more properties of the plurality of OT assets and generate a human-readable label for each of the plurality of OT assets based on the identified one or more properties, where the asset identification module is configured to cooperate with the OT module to identify the one or more properties of the plurality of OT assets; a comparator module configured to compare data received from the OT network to the normal pattern of life for the plurality of OT assets obtained from one or more machine-learning models trained on the normal pattern of life for the plurality of OT assets in order to detect anomalous activity; an architecture generation module configured to: apply a grouping to the plurality of OT assets to create one or more asset groupings; and generate architecture visualization data representing the one or more asset groupings; and a user interface module configured to receive the architecture visualization data and present the one or more asset groupings on a display with a corresponding human-readable label.
- 18 . The non-transitory computer readable medium of claim 17 , wherein the asset identification module is configured to generate the human-readable label by: extracting an asset identifier from communication packets; querying a locally stored database with the asset identifier to determine a vendor; and applying a priority-based rule set to the determined vendor and other identified properties to generate the human-readable label.
- 19 . The non-transitory computer readable medium of claim 17 , wherein the comparator module is further configured to: generate a cyber threat alert in response to detecting anomalous activity indicative of a cyber threat; and generate an operational health alert in response to detecting anomalous activity indicative of an operational health issue.
- 20 . The non-transitory computer readable medium of claim 19 , wherein the user interface module is further configured to present both the cyber threat alert and the operational health alert on a unified dashboard displayed on a common display screen.
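The following is an added example, not Darktrace's code and not taken from the patent, showing how the asset identification and grouping steps recited in claims 3 through 7 and 13 through 16 can fit together: a vendor lookup on the MAC OUI (claims 6, 7 and 18), a priority-based rule set that prefers a specific combination of properties over a bare network identifier (claims 13 and 14), a virtual asset created for each serial device addressed through a Modbus/TCP gateway by its unit identifier (claim 15), and groupings by shared characteristic or user-defined filter (claims 3 to 5 and 16). The OUI table, the protocol-to-device-type map, the /24 subnet inference, the operator-supplied gateway list and the packet records are all constructed for the demo and are assumptions, not data from the page.

```python
"""Passive OT asset labelling, virtual sub-device creation and grouping.

Added example (not Darktrace's code) illustrating the mechanism of claims
3-7 and 13-16 on constructed packet records. The OUI table, the protocol ->
device-type map, the /24 subnet inference and the rule order are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Callable, Dict, List, Optional, Set

# Stand-in for the locally stored OUI database of claim 18 (constructed, illustrative).
OUI_VENDOR = {"00:1d:9c": "Rockwell", "00:0e:8c": "Siemens", "00:80:f4": "Schneider"}
# Observed protocol -> inferred device type (assumption for the demo).
PROTO_DEVICE_TYPE = {"enip": "PLC", "s7comm": "PLC", "bacnet": "BMS controller"}


@dataclass
class Asset:
    identifier: str                 # MAC for a physical asset, "gw_ip/unit N" for a virtual one
    ip: Optional[str] = None
    vendor: Optional[str] = None
    device_type: Optional[str] = None
    subnet: Optional[str] = None
    protocols: Set[str] = field(default_factory=set)
    virtual: bool = False


def vendor_from_mac(mac: str) -> Optional[str]:
    """Claims 6/7: the OUI (first three octets of the MAC) identifies the vendor."""
    return OUI_VENDOR.get(mac.lower()[:8])


def modbus_unit_id(payload: bytes) -> Optional[int]:
    """Claim 15: the Modbus/TCP MBAP header is txn id (2 B), protocol id (2 B, must be 0),
    length (2 B), unit id (1 B); the unit id addresses the serial device behind a gateway."""
    if len(payload) < 8 or payload[2:4] != b"\x00\x00":
        return None
    return payload[6]


def label_for(a: Asset) -> str:
    """Claims 13/14: priority-based rule set. The most specific combination of
    identified properties wins; a bare network identifier is the last resort."""
    if a.virtual:
        return f"{a.device_type} {a.identifier}"
    if a.vendor and a.device_type and a.subnet:
        return f"{a.vendor} {a.device_type} ({a.subnet})"
    if a.vendor and a.device_type:
        return f"{a.vendor} {a.device_type}"
    if a.device_type and a.subnet:
        return f"{a.device_type} ({a.subnet})"
    if a.device_type:
        return a.device_type
    if a.vendor:
        return f"{a.vendor} device"
    return a.ip or a.identifier     # generic network identifier, lowest priority


def observe(packets: List[dict], gateways: Set[str]) -> Dict[str, Asset]:
    """Passively fold constructed packet records into an asset table."""
    assets: Dict[str, Asset] = {}
    for p in packets:
        a = assets.setdefault(p["src_mac"], Asset(identifier=p["src_mac"], ip=p["src_ip"]))
        a.vendor = a.vendor or vendor_from_mac(p["src_mac"])
        a.subnet = str(ip_network(f"{p['src_ip']}/24", strict=False))   # /24 assumed
        a.protocols.add(p["proto"])
        if p["src_ip"] in gateways:
            a.device_type = "Modbus gateway"
        else:
            a.device_type = a.device_type or PROTO_DEVICE_TYPE.get(p["proto"])
        # Claim 15: responses from a serial gateway carry the unit id of the RTU behind
        # it; each distinct unit becomes a virtual asset monitored in its own right.
        if p["src_ip"] in gateways and p["proto"] == "modbus/tcp":
            unit = modbus_unit_id(p["payload"])
            if unit is not None and unit not in (0, 255):   # 0 = broadcast, 255 = gateway itself
                vid = f"{p['src_ip']}/unit {unit}"
                v = assets.setdefault(vid, Asset(identifier=vid, device_type="Modbus RTU",
                                                 subnet=a.subnet, virtual=True))
                v.protocols.add("modbus/rtu")
    return assets


def group_by(assets: Dict[str, Asset], characteristic: str) -> Dict[str, List[str]]:
    """Claims 3/4: one group per value of a shared characteristic (vendor, device_type, subnet)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in assets.values():
        groups[getattr(a, characteristic) or "unknown"].append(label_for(a))
    return dict(groups)


def group_by_filter(assets: Dict[str, Asset], predicate: Callable[[Asset], bool]) -> List[str]:
    """Claims 5/16: a user-defined filter produces a grouping."""
    return [label_for(a) for a in assets.values() if predicate(a)]


# Constructed packet records (not a real capture); 00:50:56 is deliberately absent from OUI_VENDOR.
SAMPLE_PACKETS = [
    {"src_mac": "00:1D:9C:AA:BB:01", "src_ip": "10.20.1.11", "proto": "enip", "payload": b""},
    {"src_mac": "00:0E:8C:12:34:56", "src_ip": "10.20.1.12", "proto": "s7comm", "payload": b""},
    {"src_mac": "AC:DE:48:00:11:22", "src_ip": "10.20.2.5", "proto": "modbus/tcp",
     "payload": bytes.fromhex("0001 0000 0005 03 03 02 002a")},   # unit 3, fn 3, one register = 42
    {"src_mac": "AC:DE:48:00:11:22", "src_ip": "10.20.2.5", "proto": "modbus/tcp",
     "payload": bytes.fromhex("0002 0000 0005 07 03 02 0001")},   # unit 7
    {"src_mac": "00:50:56:01:02:03", "src_ip": "10.20.2.9", "proto": "https", "payload": b""},
]
GATEWAYS = {"10.20.2.5"}   # operator-supplied list of serial gateways (assumption)

if __name__ == "__main__":
    table = observe(SAMPLE_PACKETS, GATEWAYS)
    for a in table.values():
        print(f"{a.identifier:24} -> {label_for(a)}")
    print(group_by(table, "subnet"))
    print(group_by_filter(table, lambda a: a.virtual))
```

The host whose OUI is not in the table and whose traffic reveals no device type falls through every specific rule and is labelled by its IP address only, which is the "generic network identifier" outcome that claim 14 ranks lowest; the two units behind the gateway are labelled and grouped as assets of their own even though they have no IP address, as claim 15 requires.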
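A second added example, again not Darktrace's code, covers the comparator behaviour of claims 8 through 10 and 19: the same stream of events yields a cyber threat alert when an asset talks to a peer outside its learned pattern of life, an operational health alert when its reported operational state differs from the stored state (claim 10), and a further operational health alert when an expected periodic message has not arrived by the end of the operational time window (claim 9). The pattern of life is reduced here to a per-asset median message interval, peer set and last reported state learned from a baseline capture; the window of three intervals and the event stream are assumptions constructed for the demo.

```python
"""Comparator separating operational-health alerts from cyber-threat alerts.

Added example (not Darktrace's code) illustrating claims 8-10 and 19 on a
constructed event stream. The pattern of life is simplified to a per-asset
median message interval, the peers seen and the last reported operational
state; the operational window of three intervals is an assumption.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    t: float      # seconds since capture start
    asset: str    # human-readable label of the OT asset that sent the message
    peer: str     # the other endpoint
    state: str    # operational state reported in the message, e.g. PLC mode


@dataclass(frozen=True)
class Alert:
    kind: str     # "operational_health" (claims 9/10) or "cyber_threat" (claim 8)
    asset: str
    detail: str


@dataclass
class PatternOfLife:
    interval: float   # typical seconds between messages from this asset
    peers: Set[str]   # endpoints it normally talks to
    state: str        # stored operational state (claim 10)
    last_t: float     # when the baseline last heard from it


def learn(baseline: List[Event]) -> Dict[str, PatternOfLife]:
    """Build each asset's normal pattern of life from a baseline capture."""
    by_asset: Dict[str, List[Event]] = {}
    for e in baseline:
        by_asset.setdefault(e.asset, []).append(e)
    pol: Dict[str, PatternOfLife] = {}
    for asset, evs in by_asset.items():
        evs.sort(key=lambda e: e.t)
        gaps = [b.t - a.t for a, b in zip(evs, evs[1:])]
        pol[asset] = PatternOfLife(interval=float(median(gaps)) if gaps else 0.0,
                                   peers={e.peer for e in evs},
                                   state=evs[-1].state, last_t=evs[-1].t)
    return pol


def compare(pol: Dict[str, PatternOfLife], live: List[Event], now: float,
            window_factor: float = 3.0) -> List[Alert]:
    """Replay live events up to `now` against the pattern of life, then run the
    per-asset watchdog (claim 9). Threat and health findings get distinct alerts."""
    alerts: List[Alert] = []
    last_seen = {asset: p.last_t for asset, p in pol.items()}
    current = {asset: p.state for asset, p in pol.items()}
    for e in sorted((e for e in live if e.t <= now), key=lambda e: e.t):
        p = pol.get(e.asset)
        if p is None:
            # An asset absent from the learned model is treated as a threat candidate.
            alerts.append(Alert("cyber_threat", e.asset, f"unknown asset talking to {e.peer}"))
            continue
        last_seen[e.asset] = e.t
        if e.peer not in p.peers:
            alerts.append(Alert("cyber_threat", e.asset, f"new peer {e.peer}"))
        if e.state != current[e.asset]:
            # Claim 10: the current state differs from the stored state.
            alerts.append(Alert("operational_health", e.asset,
                                f"state {current[e.asset]} -> {e.state}"))
            current[e.asset] = e.state   # one alert per transition, not per message
    for asset, p in pol.items():
        if p.interval <= 0:
            continue
        deadline = last_seen[asset] + window_factor * p.interval
        if now > deadline:
            # Claim 9: the operational window expired without the expected message.
            alerts.append(Alert("operational_health", asset,
                                f"silent since t={last_seen[asset]:g}, window expired at t={deadline:g}"))
    return alerts


# Constructed event stream (not a real capture). SCADA polls the Siemens PLC every
# 10 s and the Rockwell PLC every 5 s; live traffic then shows the Siemens PLC going
# quiet after t=80, the Rockwell PLC switching to PROGRAM mode at t=95 and a rogue
# host ROGUE touching it at t=100.
SCADA, ROGUE = "10.20.1.2", "10.20.9.77"
SIEMENS, ROCKWELL = "Siemens PLC (10.20.1.0/24)", "Rockwell PLC (10.20.1.0/24)"
BASELINE = ([Event(t, SIEMENS, SCADA, "RUN") for t in range(0, 61, 10)]
            + [Event(t, ROCKWELL, SCADA, "RUN") for t in range(0, 61, 5)])
LIVE = ([Event(t, SIEMENS, SCADA, "RUN") for t in range(70, 81, 10)]
        + [Event(t, ROCKWELL, SCADA, "RUN" if t < 95 else "PROGRAM") for t in range(65, 121, 5)]
        + [Event(100, ROCKWELL, ROGUE, "PROGRAM")])

if __name__ == "__main__":
    for a in compare(learn(BASELINE), LIVE, now=120):
        print(f"[{a.kind}] {a.asset}: {a.detail}")
```

Run at t=120 this produces three alerts: the state change and the new peer on the Rockwell PLC, and the expired watchdog on the Siemens PLC; run at t=100 the watchdog has not yet expired and only the first two appear. A mode change or a silent controller is a health finding that the operations team needs, and routing it separately from the rogue peer keeps the threat queue clean, which is the point of claims 8 and 19.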
Description
CLAIM FOR PRIORITY
This application claims the benefit under 35 USC § 119 of provisional Application Ser. No. 63/736,488 filed on Dec. 19, 2024, as well as the benefit of priority under 35 USC 120 as a continuation in part patent application from U.S. patent application Ser. No. 19/242,732 filed Jun. 18, 2025, titled ‘A CYBER SECURITY APPLIANCE FOR AN OPERATIONAL TECHNOLOGY NETWORK,’ as well as the benefit of priority under 35 USC 120 as a continuation patent application from U.S. patent application Ser. No. 18/387,322 filed Nov. 6, 2023, titled ‘A CYBER SECURITY APPLIANCE FOR AN OPERATIONAL TECHNOLOGY NETWORK,’ which claims the benefit of priority under 35 USC 120 from U.S. patent application Ser. No. 16/278,953 filed Feb. 19, 2019, titled ‘A CYBER SECURITY APPLIANCE FOR AN OPERATIONAL TECHNOLOGY NETWORK,’ which claims priority to and the benefit of under 35 USC 119 of U.S. provisional patent application titled “A cyber threat defense system with various improvements,” filed Feb. 20, 2018, Ser. No. 62/632,623, which are all hereby expressly incorporated by reference in their entirety for all purposes.
NOTICE OF COPYRIGHT
A portion of this disclosure contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the material subject to copyright protection as it appears in the United States Patent & Trademark Office's patent file or records, but otherwise reserves all copyright rights whatsoever.
FIELD
Embodiments of the design provided herein generally relate to cyber security and the monitoring of operational technology (OT) networks.
BACKGROUND
Computer networks have become essential to modern enterprise operations, interconnecting a vast array of computing devices, servers, and databases. These Information Technology (IT) networks facilitate communication and data transfer, but their complexity and the value of the data they carry also make them significant targets for malicious actors.
Cybersecurity threats, such as malware and unauthorized access attempts, constantly evolve, posing a persistent risk to network integrity and data confidentiality. Consequently, network security monitoring has become a critical field, focusing on analyzing network traffic to detect anomalous activities that may indicate a cyber threat. Beyond traditional IT environments, many industrial sectors also rely heavily on Operational Technology (OT) networks. These networks are typically found in settings such as manufacturing facilities, power plants, and other industrial control systems. OT networks are used to monitor and control physical machinery and processes, often utilizing specialized devices like Programmable Logic Controllers (PLCs). The communication protocols used within these OT environments are often distinct from standard internet protocols (IP) and are tailored for specific industrial tasks. Historically, IT and OT networks were often isolated from one another. However, modern operational demands have led to increasing convergence, where IT networks are connected to OT networks to provide updates, remote monitoring, and data analytics. This IT/OT convergence, while beneficial for business efficiency, creates significant security vulnerabilities. A cyber threat that successfully infiltrates the IT network may be able to “cross over” and send malicious commands to the OT network, potentially causing physical disruption, damaging machinery, or halting critical infrastructure operations. Monitoring these complex, converged environments presents a substantial challenge for network administrators and security teams. Security personnel may be experts in IT threats but often have less familiarity with the specialized protocols and operational behaviors of OT assets. 
Furthermore, the sheer number of devices in a modern enterprise, spanning both IT and OT domains, makes it difficult to maintain a clear and accurate inventory or understand the complex web of interactions between them.
SUMMARY
Methods, systems, and apparatus are disclosed for an Artificial Intelligence-based cyber security system. The Artificial Intelligence based (AI-based) cyber security system may include many features including the following twenty concepts. In an embodiment, a cyber security appliance, includes a processing component, and a non-transitory computer readable medium including one or more software modules accessible by the processing component, the one or more software modules include an operational technology (OT) module configured to receive data from an OT network, the data associated with a plurality of OT assets, an asset identification module configured to passively monitor the data to identify one or more properties of the plurality of OT assets and generate a human-readable label for each of the plurality of OT assets based on the identified one or more properties, one or more machine-learning models trained on a normal pattern of life for the plurality of