WO2019123449A1 - A system and method for analyzing network traffic - Google Patents


Info

Publication number: WO2019123449A1
Authority: WO (WIPO (PCT))
Prior art keywords: entities, entity, network, content, destination
Application number: PCT/IL2018/051348
Other languages: French (fr)
Inventors: Daniel COHEN SASON, Yuval Dagan, Ori BECK
Original assignee: Cyberbit Ltd.
Application filed by Cyberbit Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1433 Vulnerability analysis

Definitions

  • the invention relates to a system and method for analyzing network traffic.
  • Operational Technology (OT) systems include hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, sensors, etc.
  • Many operational technology networks include both Information Technology (IT) systems, being data-centric systems for the collection, organization, storage and communication of information, as well as OT systems. Due to the limited capabilities of the existing network traffic analysis systems dealing with the network traffic originating from the OT systems, there is a need in the art for a new system and method for analyzing network traffic.
  • US Patent Application No. 2014/0204799 (Pietrowics et al.), published on July 24th, 2014, discloses a method for visualizing and analyzing a field area network, which includes obtaining network traffic data that includes atomic communications and packet detail from a packet intercept system on a field area network.
  • This field area network includes a number of network nodes.
  • the method also includes a processor extracting connectivity and routing information from the traffic data, where the connectivity and routing information includes packet information and node information, determining network characteristics based on the extracted connectivity and routing information, retaining the network characteristics in a data structure, and importing the data structure into a computer readable storage medium that is accessible to the processor.
  • US Patent Application No. 2017/0205796 (Shmidt), published on July 20th, 2017, discloses a method that includes holding multiple primitives of a communication protocol, which is used for managing a controller that controls one or more field devices in an industrial control network. Multiple scenarios are defined, each corresponding to one or more respective sequences of primitives exchanged with the controller over the industrial control network for achieving a respective user-level operation. Multiple parsing rules for deriving the sequences of primitives from the respective scenarios are further defined. A sequence of primitives that were exchanged with the controller over the industrial control network is intercepted.
  • An attempt to reconstruct from the intercepted sequence of primitives, using the parsing rules, one or more scenarios that each corresponds to the intercepted sequence of primitives is carried out, and, in response to succeeding in reconstructing one or more scenarios, extracting user-level information from the reconstructed scenarios.
  • US Patent Application No. 2013/0191517 (Huang Ling et al.), published on July 25th, 2013, discloses a system, a server and a method for reproducing topological change using device events.
  • A server collects device messages of network devices in a network environment and, after determining and producing a device event that includes reproducing data based on the collected device messages, sends the device event to a reproducing client.
  • The reproducing client updates and displays the topological change in the network in accordance with the reproducing data in the device event.
  • The system and the method can use a GUI to display topological change in the network, so that changes in the linking state of network devices can be understood intuitively.
  • US Patent Application No. US 2013/0094447 discloses a method for communication between a wireless device node in a wireless sensor network and control apparatus or control processes of an industrial control system.
  • the wireless network includes a plurality of device nodes and at least one gateway.
  • the method includes receiving at a gateway an aggregated data packet for a final address in the ICS.
  • the gateway processes the data packet, detects that it is an aggregated data packet and reconstructs the original data packets contained therein.
  • the gateway then sends each of the original data packets as standard data packets to the intended final address in the ICS.
  • a method, system and a computer program for carrying out the method are described.
  • US Patent Application No. US 2009/0238192 discloses a method and related device and computer-readable medium including one or more of the following: receiving a packet sent from the source node to the destination node; associating the packet with an active flow by accessing information in the packet; performing deep packet inspection (DPI) to identify an application associated with the active flow; associating application-identifying information with the packet; forwarding the packet including the application-identifying information towards the destination node; and performing application-specific processing at a downstream device on at least one packet belonging to the active flow, the downstream device identifying the application associated with the active flow by extracting the application-identifying information from the packet.
  • a system for analyzing network traffic comprising a processing resource configured to: (a) monitor raw network traffic data, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an Operational Technology (OT) system; (b) identify a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; and (c) repeat (a) to (b) continuously.
  • the processing resource is further configured to extract content of at least some of the packets using Deep Packet Inspection (DPI) of the packets, and wherein the processing resource is further configured to utilize the content for the identification.
  • the processing resource is further configured to identify at least one application source entity, being a source application triggering creation of the content, and at least one application destination entity, being a destination application to which the content refers.
  • At least one of the content source entity, the content destination entities, the application source entity and the application destination entity is not identifiable without said extraction.
  • the processing resource is further configured to generate a network map indicative of source entities and destination entities, and relationships therebetween, including the content source entity, the content destination entities, the application source entity and the application destination entity.
  • the processing resource is further configured to visually display the network map on a display.
  • the network map is visually displayed in a layer structure.
  • the layer structure is a Purdue layer structure.
  • the processing resource is further configured to: provide an existing map of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities; and generate a visual indication on the existing map, indicating the identified content source entities and content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities.
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the processing resource generates a list of one or more actions to be performed on the given entity, wherein upon selection of a given action, the given action is performed on the given entity.
  • the processing resource is further configured to: analyze the content to identify cyber threats on one or more threatened entities of the source entities and the destination entities; and provide a visual indication on the network map, indicating the identified cyber threat, wherein the visual indication is associated with the threatened entities.
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the processing resource provides information on the selected given entry.
  • the processing resource is further configured to analyze the content to identify cyber threats.
  • the processing resource is further configured to analyze the content to determine a pattern indicative of a type and a model of at least one of the content source entity, the content destination entities, the application source entity and the application destination entity.
  • the processing resource is further configured to calculate, for at least one given entity of the source entities and the destination entities, a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map.
  • the processing resource is further configured to alert a user upon the vulnerability score exceeding a threshold.
  • the processing resource is further configured to calculate, for at least one given entity of the source entities and the destination entities, a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of the content. In some cases, the processing resource is further configured to alert a user upon the risk score exceeding a threshold.
  • the processing resource is further configured to group, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold.
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein the processing resource is further configured to hide, within the network map, at least part of the entries, being hidden entries, on a route connecting a first route entity of the entities and a second route entity of the entities.
  • the processing resource is further configured to display a virtual edge directly connecting the first route entity and the second route entity, and wherein upon selection of the virtual edge, the processing resource provides information on the route.
  • the information includes information on the hidden entries.
  • the OT systems include at least one Supervisory control and data acquisition (SCADA) entity.
  • the OT systems include at least one Distributed Control System
  • a method of analyzing network traffic comprising: (a) monitoring, by a processing resource, raw network traffic data, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an Operational Technology (OT) system; (b) identifying, by the processing resource, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; and (c) repeating (a) to (b) continuously.
  • the method further comprises extracting content of at least some of the packets using Deep Packet Inspection (DPI) of the packets, and utilizing the content for the identifying.
  • the method further comprises identifying at least one application source entity, being a source application triggering creation of the content, and at least one application destination entity, being a destination application to which the content refers.
  • At least one of the content source entity, the content destination entities, the application source entity and the application destination entity is not identifiable without said extraction.
  • the method further comprises generating a network map indicative of source entities and destination entities, and relationships therebetween, including the content source entity, the content destination entities, the application source entity and the application destination entity.
  • the method further comprises visually displaying the network map on a display.
  • the network map is visually displayed in a layer structure.
  • the layer structure is a Purdue layer structure.
  • the method further comprises: providing an existing map of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities; and generating a visual indication on the existing map, indicating the identified content source entities and the identified content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities.
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the method further comprises generating a list of one or more actions to be performed on the given entity, wherein upon selection of a given action, the given action is performed on the given entity.
  • the method further comprises analyzing the content to identify cyber threats on one or more threatened entities of the source entities and the destination entities; and providing a visual indication on the network map, indicating the identified cyber threat, wherein the visual indication is associated with the threatened entities.
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the method further comprises providing information on the selected given entry.
  • the method further comprises analyzing the content to identify cyber threats.
  • the method further comprises analyzing the content to determine a pattern indicative of a type and a model of at least one of the content source entity, the content destination entities, the application source entity and the application destination entity.
  • the method further comprises calculating, for at least one given entity of the source entities and the destination entities, a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map.
  • the method further comprises alerting a user upon the vulnerability score exceeding a threshold.
  • the method further comprises calculating, for at least one given entity of the source entities and the destination entities, a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of the content.
  • the method further comprises alerting a user upon the risk score exceeding a threshold.
  • the method further comprises grouping, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold.
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein the method further comprises hiding, within the network map, at least part of the entries, being hidden entries, on a route connecting a first route entity of the entities and a second route entity of the entities.
  • the method further comprises displaying a virtual edge directly connecting the first route entity and the second route entity, and wherein upon selection of the virtual edge, the method further comprises providing information on the route.
  • the information includes information on the hidden entries.
  • the OT systems include at least one Supervisory control and data acquisition (SCADA) entity.
  • the OT systems include at least one Distributed Control System
  • a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising: (a) monitoring, by a processing resource, raw network traffic data, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an Operational Technology (OT) system; (b) identifying, by the processing resource, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; and (c) repeating (a) to (b) continuously.
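The claims above describe a network map built from the identified entities and their relationships, displayed in a Purdue layer structure, with a vulnerability score derived from an entity's relationships, a risk score derived from the content addressed to it, alerts on thresholds, grouping by relationship type, and the hiding of intermediate entries on a route behind a virtual edge. The following Python is an added example, not code from the patent or from Cyberbit: it works on a constructed list of flows that the monitoring step is assumed to have already identified; the Purdue level table, the scoring weights, the thresholds and the "write operation" risk rule are assumptions chosen for illustration, not values the patent specifies.

```python
"""Network map with Purdue layering, a relationship-based vulnerability score, a
content-based risk score, grouping by relationship type and route collapsing.
Added example, not code from the patent.  Input is a constructed list of flows;
the Purdue level table, scoring weights, thresholds and the "write operation"
risk rule are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str   # relationship type, e.g. "modbus" or "https"
    operation: str  # content-level operation extracted by DPI: "read" or "write"

# Assumed Purdue level by entity-name prefix (constructed for this example).
PURDUE_LEVELS = {"unit": 0, "plc": 1, "hmi": 2, "historian": 3, "erp": 4}

def purdue_level(entity: str) -> int:
    return PURDUE_LEVELS[entity.split("-")[0]]

class NetworkMap:
    def __init__(self, flows: List[Flow]):
        self.edges: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # edge -> types
        self.ops: Dict[str, List[str]] = defaultdict(list)  # operations addressed to entity
        self.entities: Set[str] = set()
        for f in flows:
            self.entities |= {f.src, f.dst}
            self.edges[(f.src, f.dst)].add(f.protocol)
            self.ops[f.dst].append(f.operation)
    def by_level(self) -> Dict[int, List[str]]:
        """Layer structure for display: Purdue level -> entities on that level."""
        layers: Dict[int, List[str]] = defaultdict(list)
        for e in sorted(self.entities):
            layers[purdue_level(e)].append(e)
        return dict(layers)
    def neighbours(self, e: str) -> Set[str]:
        return {b if a == e else a for (a, b) in self.edges if e in (a, b)}
    def vulnerability_score(self, e: str) -> int:
        """Relationship-based: 1 per neighbour plus 1 per Purdue level crossed (assumed)."""
        return sum(1 + abs(purdue_level(e) - purdue_level(n)) for n in self.neighbours(e))
    def risk_score(self, e: str) -> float:
        """Content-based: share of write operations addressed to the entity (assumed)."""
        ops = self.ops.get(e, [])
        return round(sum(o == "write" for o in ops) / len(ops), 2) if ops else 0.0
    def alerts(self, vuln_threshold: int = 3, risk_threshold: float = 0.5) -> list:
        """(entity, kind, score) for every score that exceeds its threshold."""
        return [(e, kind, s) for e in sorted(self.entities)
                for kind, s, t in (("vulnerability", self.vulnerability_score(e), vuln_threshold),
                                   ("risk", self.risk_score(e), risk_threshold)) if s > t]
    def groups(self, protocol: str, min_links: int = 1) -> List[Set[str]]:
        """Connected sets of entities joined by >= min_links edges of one relationship type."""
        adj: Dict[str, Set[str]] = defaultdict(set)
        for (a, b), protos in self.edges.items():
            if protocol in protos:
                adj[a].add(b)
                adj[b].add(a)
        nodes = {e for e in adj if len(adj[e]) >= min_links}
        result: List[Set[str]] = []
        for start in sorted(nodes):
            if any(start in g for g in result):
                continue
            comp, stack = set(), [start]
            while stack:
                e = stack.pop()
                comp.add(e)
                stack.extend((adj[e] & nodes) - comp)
            result.append(comp)
        return result
    def virtual_edge(self, first: str, second: str) -> Optional[dict]:
        """Collapse the shortest route into one edge; the intermediate entries are hidden."""
        prev: Dict[str, Optional[str]] = {first: None}
        queue = [first]
        while queue and second not in prev:
            e = queue.pop(0)
            for n in sorted(self.neighbours(e)):
                if n not in prev:
                    prev[n] = e
                    queue.append(n)
        if second not in prev:
            return None
        route, e = [], second
        while e is not None:
            route.append(e)
            e = prev[e]
        return {"edge": (first, second), "hidden": route[::-1][1:-1]}

# Constructed flows (not a capture): two HMI/PLC cells, one feeding a historian.
SAMPLE_FLOWS = [
    Flow("hmi-1", "plc-1", "modbus", "read"),
    Flow("hmi-1", "plc-1", "modbus", "write"),
    Flow("plc-1", "unit-3", "modbus", "write"),
    Flow("hmi-1", "historian-1", "https", "read"),
    Flow("historian-1", "erp-1", "https", "read"),
    Flow("hmi-2", "plc-2", "modbus", "read"),
]
```

`NetworkMap(SAMPLE_FLOWS).virtual_edge("erp-1", "unit-3")` returns the direct edge plus the hidden entries on the route (`historian-1`, `hmi-1`, `plc-1`), which is the information the claims say is shown when the virtual edge is selected; `groups("modbus")` separates the two Modbus cells because no Modbus edge joins them.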
  • FIG. 1 is a schematic illustration of an exemplary operational technology network, in accordance with the presently disclosed subject matter
  • FIG. 2 is a block diagram schematically illustrating one example of a system, in accordance with the presently disclosed subject matter
  • FIG. 3 is a flowchart illustrating one example of a sequence of operations carried out for identifying entities within an operational technology network, in accordance with the presently disclosed subject matter
  • Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter
  • Fig. 5 is a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter
  • Fig. 6 is a flowchart illustrating one example of a sequence of operations carried out for identifying cyber threats, in accordance with the presently disclosed subject matter
  • Fig. 7 is a flowchart illustrating one example of a sequence of operations carried out for determining vulnerabilities scores, in accordance with the presently disclosed subject matter.
  • Fig. 8 is a flowchart illustrating one example of a sequence of operations carried out for determining risk scores, in accordance with the presently disclosed subject matter.
  • the terms “computer”, “processor”, and “controller” should be expansively construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, a personal desktop/laptop computer, a server, a computing system, a communication device, a smartphone, a tablet computer, a smart television, a processor (e.g. digital signal processor (DSP), a microcontroller, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc.), a group of multiple physical machines sharing performance of various tasks, virtual servers co-residing on a single physical machine, any other electronic computing device, and/or any combination thereof.
  • the term “non-transitory” is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non-volatile computer memory technology suitable to the application.
  • the phrases “for example”, “such as”, “for instance” and variants thereof describe non-limiting embodiments of the presently disclosed subject matter.
  • Reference in the specification to “one case”, “some cases”, “other cases” or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter.
  • the appearance of the phrase “one case”, “some cases”, “other cases” or variants thereof does not necessarily refer to the same embodiment(s).
  • Figs. 1-2 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter.
  • Each module in Figs 1-2 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein.
  • the modules in Figs. 1-2 may be centralized in one location or dispersed over more than one location.
  • the system may comprise fewer, more, and/or different modules than those shown in Figs. 1-2.
  • Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.
  • Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.
  • Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to a method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.
  • FIG. 1 is a schematic illustration of an exemplary operational technology network, in accordance with the presently disclosed subject matter.
  • an operational technology network 105 can be provided.
  • the operational technology network 105 can be comprised of one or more interconnected computerized networks, that can optionally be distributed over a plurality of geographical locations.
  • the operational technology network 105 can comprise Information Technology (IT) systems 110, such as IT devices 120-a, 120-b, ..., 120-n (n being an integer), and Operational Technology systems 130, such as controllers 140-a, 140-b, ..., 140-m (m being an integer, equal to n or not).
  • Controller 140-a can optionally be connected to one or more physical devices, such as valve/s 152, thermometer/s 154, sensor/s 156, etc.
  • A single controller (e.g. 140-a) can be connected to a plurality of physical devices (e.g. valve 152 and thermometer 154) and/or to a plurality of virtual devices (e.g. virtual controllers, etc.).
  • At least some of the physical and/or virtual devices connected to the controllers 140-a to 140-m are not directly connected to the operational technology network 105, and in any case they are not designed in a manner that enables them to communicate over the operational technology network 105.
  • the operational technology network 105 further comprises, or is otherwise associated with, system 100, that obtains information originating from the IT systems 110 and/or from the OT systems 130, and utilizes such information for various purposes, including mapping of the operational technology network 105 and/or identification of cyber threats, etc., as further detailed herein.
  • Fig. 2 is a block diagram schematically illustrating one example of a system, in accordance with the presently disclosed subject matter.
  • system 100 can comprise a network interface 210 enabling connecting the system 100 to the operational technology network 105, and enabling it to monitor network traffic passing through the operational technology network 105.
  • the connection of the system 100 to the operational technology network 105 can be via routers (not shown) of the operational technology network 105, or any other device/s through which the network traffic to be monitored passes.
  • System 100 can further comprise or be otherwise associated with a data repository 220 (e.g. a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) configured to store data, including, inter alia, information of various source and/or destination entities, identified by the system 100, and relationships therebetween, as further detailed herein.
  • System 100 further comprises a processing resource 230.
  • Processing resource 230 can be one or more processing units (e.g. central processing units), microprocessors, microcontrollers (e.g. microcontroller units (MCUs)) or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 100 resources and for enabling operations related to system 100 resources.
  • the processing resource 230 can comprise one or more of the following modules: network traffic monitoring module 240, network traffic analysis module 250, network mapping module 260, scoring module 270 and a Deep Packet Inspection module 280.
  • Network traffic monitoring module 240 can be configured to monitor network traffic passing through the operational technology network 105, as further detailed herein, inter alia with reference to Fig. 3.
  • Network traffic analysis module 250 can be configured to analyze the monitored network traffic, as further detailed herein, inter alia with reference to Figs. 3 and 6.
  • Network mapping module 260 can be configured to generate a network map indicative of entities identified within the operational technology network 105, as further detailed herein, inter alia with reference to Figs. 4 and 5.
  • Scoring module 270 can be configured to calculate vulnerability scores and/or risk scores, as further detailed herein, inter alia with reference to Figs. 7 and 8.
  • Deep packet inspection module 280 can be configured to perform deep packet inspection using various methods and/or techniques, either known or proprietary.
  • FIG. 3 there is shown a flowchart illustrating one example of a sequence of operations carried out for identifying entities within an operational technology network, in accordance with the presently disclosed subject matter.
  • system 100 can be configured to perform entities identification process 300.
  • system 100 can be configured to monitor, utilizing the network traffic monitoring module 240, raw network traffic data passing through the operational technology network 105 (e.g. utilizing the network interface 210 and the connection established therethrough to the operational technology network 105). The raw network traffic data can include a plurality of packets (passing through the operational technology network 105 over a time-period), wherein at least some of the packets originate from (a) an Operational Technology (OT) system of the OT systems 130, (b) a physical device connected to the OT system 130 and not directly connected to the operational technology network 105, or (c) a virtual device that is not designed in a manner that enables it to communicate over the operational technology network 105 (block 310).
  • the OT system of the OT systems 130 can be a Distributed Control System (DCS), a Supervisory control and data acquisition (SCADA) entity, or any other OT system.
  • System 100 can be further configured to identify, utilizing the network traffic analysis module 250, a content source entity, being an IT or an OT entity/system, sending at least some of the packets, and one or more content destination entities, being IT and/or OT entities/systems, to which at least some of the packets are designated (block 320).
  • the content source entity and the one or more content destination entities are directly connected to the operational technology network 105.
  • the content source entity and the one or more content destination entities can be identified by a unique identifier enabling identification thereof, comprised within the packets monitored at block 310.
  • the unique identifier can be a network layer level identifier (e.g. an Internet Protocol (IP) address, a proprietary address or any other address that is used for transferring the packets over a network).
  • In some cases, the unique identifier is readily available as part of the monitored packets, while in other cases, in order to identify the content source entity and/or the content destination entities, the system 100 is required to extract content of at least part of the monitored packets using Deep Packet Inspection (DPI) (e.g. using the DPI module 280).
  • identification information of the source/destination entity is not always available as an accessible part of each packet (e.g. a non-encrypted part, a non-identifiable part, etc.).
  • system 100 can be still further configured to identify (a) at least one network-external source entity, being a physical or virtual source entity that provided the trigger to the content being sent via the operational technology network 105, while the network-external source entity is not directly connected to the operational technology network 105, and/or (b) at least one network-external destination entity, being a physical or virtual destination entity to which the content refers.
  • the network-external source entity and the network-external destination entity are (a) physical devices that are themselves not directly connected to the given operational technology network 105, and that do not have an IP address in the given operational technology network 105 (while noting that such devices can have an IP address of another network, other than the operational technology network 105), or (b) virtual devices that are not designed in a manner that enables them to communicate over the operational technology network 105, and that do not have an IP address in the given operational technology network 105.
  • a unique identifier of the network-external source entity and/or of the network-external destination entity is readily available as part of the monitored packets, while in other cases, in order to identify the network-external source entity and/or the network-external destination entity, the system 100 is required to extract content of at least part of the monitored packets using Deep Packet Inspection (DPI) (e.g. using the DPI module 280) of such packets (optionally along with information of proprietary protocols which enable identification of the unique identifiers from the information within the network traffic packets), where required.
  • the network-external source entity and/or the network-external destination entity cannot be otherwise identified, as identification information of the network-external source/destination entity is not always available as an accessible part of each packet (e.g. a non-encrypted part, a non-identifiable part, etc.).
  • a network-external source entity e.g. a sensor, a valve, a thermometer, etc.
  • a certain reading obtained by a sensor (a network-external source entity) that is not directly connected to the operational technology network 105 may trigger sending of the reading from an OT system 130 that is directly connected to the operational technology network 105 (e.g. a controller to which the sensor is connected), being a content source entity connected to the operational technology network 105, to a content destination entity that is also directly connected to the operational technology network 105.
  • the content source entity in such example serves as an intermediary device, mediating between the network-external source entity (the sensor) and the content destination entity.
  • some of the content that passes through the operational technology network 105 can designate a network-external destination entity that is not directly connected to the operational technology network 105 (e.g. a sensor, a valve, a thermometer, etc.).
  • a certain command can be sent from a content source entity that is directly connected to the operational technology network 105 to a content destination entity (e.g. a controller to which a certain valve is connected) that is also directly connected to the operational technology network 105, while the command itself designates the certain valve that is itself not directly connected to the operational technology network 105.
  • the content destination entity in such example serves as an intermediary device, mediating between the content source entity and the network-external destination entity (the valve).
  • a given IT system 110 that is connected to the operational technology network 105 can send, over the operational technology network 105, to a given controller that is also connected to the operational technology network 105, one or more packets comprising content according to which a command to open a given valve, that is not directly connected to the operational technology network 105, is to be executed by the given controller.
  • the content source entity in this case is the IT system
  • the content destination entity is the given controller, both of which are connected to the operational technology network 105
  • the device to which the content refers is the given valve, which is the network-external destination entity that is not directly connected to the operational technology network 105 (and does not have, for example, an IP address).
  • analysis of the content can enable identification of the content source entity, the content destination entity, and the network-external destination entity.
  • the valve can provide a confirmation to the controller that the command was executed, following which the controller can send content, comprising confirmation of execution of the command, to the given IT system 110.
  • the content source entity in this case is the given controller
  • the content destination entity is the given IT system 110
  • the device triggering the creation of the content is the given valve, which is the network-external source entity.
  • the entities identification process 300 enables identification of entities that are directly connected to the operational technology network 105, and that communicate over it (such as IT systems, OT controllers, etc.), as well as entities that are not directly connected to the operational technology network 105 and that do not communicate over it (such as valves, sensors, etc.).
  • the entities that are not directly connected to the operational technology network 105 and that do not communicate over it can be controlled by the entities that are connected to the operational technology network 105, and that do communicate over it.
  • identification of the application source entity and application destination entity can also require extraction of the content from the packets using DPI (e.g. using the DPI module 280).
  • DPI Deep Packet Inspection
  • at least one of the content source entity, the content destination entities, the network-external source entity and the network-external destination entity is not identifiable without extraction of the content from the packets using DPI.
  • the entities identification process 300 can be performed continuously and/or periodically (e.g. every pre-determined time-period, whenever a certain number of packets passes through the operational technology network 105, upon an instruction of a user, or based on any other rule/s).
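The identification step above, as an added example that is not part of the patent: the content source and content destination come from the network-layer header, and the network-external entity (the valve a command designates, or the sensor whose reading triggered a response) only from DPI of the payload. The patent names no protocol; this example assumes Modbus/TCP, assumes the (unit id, coil/register address) pair in the PDU is the unique identifier of the device behind the controller, and uses constructed addresses and frames. The last sample packet shows the caveat in the text: when the content is not inspectable, only header-level identification is possible.

```python
"""Entity identification from OT packets (blocks 310-320 and the
network-external entities), as an added illustration.

Assumptions, none of which come from the page: the OT protocol is
Modbus/TCP; the network-layer identifier is the IP address; the unique
identifier of a network-external entity (a valve or sensor wired to a
controller, with no IP of its own) is the (unit id, coil/register address)
pair that DPI extracts from the Modbus PDU. Frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05


@dataclass
class Identification:
    content_source: str                  # entity sending the packet (IP)
    content_destination: str             # entity the packet is designated to (IP)
    external_source: Optional[str]       # entity that triggered the content
    external_destination: Optional[str]  # entity the content refers to
    detail: str


def parse_mbap(payload: bytes):
    """Split a Modbus/TCP frame into (transaction id, unit id, function code, data)."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("not a Modbus/TCP frame")
    return tid, unit, payload[7], payload[8:]


def identify(src_ip, src_port, dst_ip, dst_port, payload, pending):
    """Identify the entities for one packet. `pending` maps
    (client ip, transaction id) -> requested address, so that a read
    response, which carries no address field, can be tied back to the
    register (the sensor) that the request asked for."""
    try:
        tid, unit, fc, data = parse_mbap(payload)
    except ValueError as exc:
        # Header-level identification only: the content is not inspectable
        # (unknown protocol, encrypted, truncated), so no external entity.
        return Identification(src_ip, dst_ip, None, None, f"no DPI: {exc}")
    if dst_port == MODBUS_PORT and fc in (WRITE_SINGLE_COIL, READ_HOLDING_REGISTERS):
        # Request, client -> controller: the content designates a device
        # behind the controller, the network-external destination entity.
        addr, arg = struct.unpack(">HH", data[:4])
        pending[(src_ip, tid)] = addr
        kind = "coil" if fc == WRITE_SINGLE_COIL else "reg"
        ext = f"{dst_ip}/unit{unit}/{kind}{addr}"
        if fc == WRITE_SINGLE_COIL:
            detail = f"command: coil {addr} {'ON' if arg == 0xFF00 else 'OFF'}"
        else:
            detail = f"poll: {arg} register(s) from {addr}"
        return Identification(src_ip, dst_ip, None, ext, detail)
    if src_port == MODBUS_PORT:
        # Response, controller -> client: the device behind the controller
        # triggered the content, so it is the network-external source entity.
        addr = pending.pop((dst_ip, tid), None)
        if fc == WRITE_SINGLE_COIL:
            addr = struct.unpack(">H", data[:2])[0]
            ext = f"{src_ip}/unit{unit}/coil{addr}"
            return Identification(src_ip, dst_ip, ext, None, "confirmation of executed command")
        if fc == READ_HOLDING_REGISTERS and addr is not None:
            nbytes = data[0]
            values = struct.unpack(f">{nbytes // 2}H", data[1:1 + nbytes])
            ext = f"{src_ip}/unit{unit}/reg{addr}"
            return Identification(src_ip, dst_ip, ext, None, f"reading: {list(values)}")
    return Identification(src_ip, dst_ip, None, None, f"unhandled function code {fc:#x}")


def frame(tid, unit, fc, data):
    """Build a Modbus/TCP frame (MBAP header + PDU) for the constructed samples."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


IT_SYSTEM, CONTROLLER = "10.1.1.5", "10.1.2.20"   # constructed addresses
SAMPLE_PACKETS = [  # (src ip, src port, dst ip, dst port, payload), constructed
    (IT_SYSTEM, 40001, CONTROLLER, 502, frame(1, 1, WRITE_SINGLE_COIL, struct.pack(">HH", 16, 0xFF00))),
    (CONTROLLER, 502, IT_SYSTEM, 40001, frame(1, 1, WRITE_SINGLE_COIL, struct.pack(">HH", 16, 0xFF00))),
    (IT_SYSTEM, 40001, CONTROLLER, 502, frame(2, 1, READ_HOLDING_REGISTERS, struct.pack(">HH", 100, 2))),
    (CONTROLLER, 502, IT_SYSTEM, 40001, frame(2, 1, READ_HOLDING_REGISTERS, bytes([4]) + struct.pack(">HH", 500, 23))),
    (IT_SYSTEM, 40002, CONTROLLER, 502, b"opaque payload the DPI module cannot parse"),
]


def run_sample():
    """Identify entities for the constructed packet sequence, in order."""
    pending = {}
    return [identify(*pkt, pending) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for ident in run_sample():
        print(ident)
```

The request/response pairing by transaction id matters: a read response carries only the values, so without the pending request the sensor behind the controller could not be named, which is the "not identifiable without DPI" case the text describes.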
  • FIG. 4 there is shown a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter.
  • system 100 can be configured to perform a network mapping process 400, utilizing the network mapping module 260.
  • system 100 can be configured to generate, using the information obtained by the entities identification process 300, a network map indicative of source entities and destination entities, and relationships therebetween, the source entities and destination entities include the content source entity, the content destination entities, the network-external source entities and the network-external destination entities, (block 410).
  • the system 100 can be configured to display the network map on a display (not shown) (block 420).
  • the entries are the entities shown on the map, including the content source entities, the content destination entities, the network-external source entities and the network-external destination entities.
  • Having information of the routes of the packets passing through the operational technology network 105 enables generating such map so that the entities displayed on the map (including the source entities and the destination entities) can be represented by a given symbology (e.g. circles, ellipses, rectangles, etc.), whereas the relationships therebetween can be represented by edges connecting the selected symbols, so that a pair of one given source entity that sent packets to one given destination entity will be connected by an edge (e.g. a non-directional line, an arrow, etc.).
  • the network map comprises a plurality of entries of respective entities including the source entities and the destination entities.
  • the system 100 can provide information on the selected entity (e.g. its IP address (if it has one), its type and model (that can be determined, for example, by the system 100 by analyzing content within packets sent from the entity and/or received by the entity, to determine a pattern therein, indicative of a type and a model of the entity), its resources utilization, or any other type of information relating thereto available to the system 100).
  • the system 100 can generate a list of one or more actions that can be performed on the given entity, where upon selection of a given action, the given action is performed on the given entity. For example, upon selecting a representation of a given IT system 110 on the map, a list of actions including, for example, restarting the given IT system 110, shutting down the given IT system 110 can be presented. Upon selection of a certain action, for example, restarting the given IT system 110, the given IT system 110 can be restarted.
  • the system 100 can be configured to group, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold. For example, if the relationship type is a first-degree relationship-type only, only entities that are directly connected through a single edge are grouped. If the relationship type is a second-degree relationship-type, entities that are directly connected through a single edge, and entities that are both connected to a single intermediary entity, are grouped. It is to be noted that other relationship-type thresholds can be used (e.g. third-degree, fourth-degree, etc.).
  • the system 100 can be configured to hide, on the displayed network map, at least part of the entries (being the source entities and the destination entities shown on the map, which, as indicated above, include the content source entity, the content destination entities, the network-external source entities and the network-external destination entities) on a route connecting a first route entity, and a second route entity, both being entities having a route connecting them.
  • the entities that are hidden are also referred to herein as "hidden entries".
  • a virtual edge can be displayed on the map, connecting the first route entity and the second route entity.
  • the system 100 can provide information on the route connecting the first route entity and the second route entity, including information on the hidden entries.
  • the network map can be visually displayed in a layer structure, and in more particular cases, the layer structure can be a Purdue layer structure.
  • FIG. 5 there is shown a flowchart illustrating one example of a sequence of operations carried out for visualizing entities added to an existing network map, in accordance with the presently disclosed subject matter.
  • system 100 can be configured to perform an entities addition visualization process 500, utilizing the network mapping module 260.
  • system 100 can be configured to provide an existing map (e.g. a map previously generated by the network mapping process 400) of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities, identified at block 320 (block 510).
  • the system 100 can generate a visual indication on the existing map, indicating of the identified content source entities and the identified content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities, giving rise to an updated network map (block 520).
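The map operations described above (block 410, grouping by relationship-type threshold, hidden entries behind a virtual edge, and the block 520 comparison against an existing map), as an added example that is not the patent's own code. It assumes entities are named by the string identifiers the identification step produces and keeps the map as an undirected adjacency dict; the observed pairs and all entity names are constructed.

```python
"""Network map construction and display helpers (block 410, grouping,
hidden entries and block 520), as an added illustration.

Assumptions, none of which come from the page: entities are the string
identifiers produced by the identification step (an IP address for an
entity connected to the OT network, a controller-scoped name for a
network-external one); the map is an undirected graph held as an
adjacency dict. Every entity name below is constructed.
"""
from collections import deque

# Constructed (source entity, destination entity) pairs, as reported by
# the identification process over time.
OBSERVED_PAIRS = [
    ("10.1.1.5", "10.1.2.20"),                  # IT system -> controller
    ("10.1.2.20", "10.1.2.20/unit1/coil16"),    # controller -> valve (network-external)
    ("10.1.2.20/unit1/reg100", "10.1.2.20"),    # sensor (network-external) -> controller
    ("10.1.1.5", "10.1.2.21"),                  # IT system -> second controller
    ("10.1.2.21", "10.1.2.21/unit3/coil2"),     # second controller -> its valve
    ("10.1.1.9", "10.1.1.5"),                   # engineering workstation -> IT system
]


def build_map(pairs):
    """Block 410: every entity is a node, every observed pair an edge."""
    adj = {}
    for src, dst in pairs:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj


def group_by_degree(adj, seed, degree):
    """Entities grouped with `seed` under a relationship-type threshold:
    degree 1 is a direct edge only, degree 2 also admits entities that
    share an intermediary with `seed`, and so on (breadth-first search)."""
    hops = {seed: 0}
    frontier = deque([seed])
    while frontier:
        node = frontier.popleft()
        if hops[node] == degree:
            continue
        for nxt in adj.get(node, ()):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                frontier.append(nxt)
    return set(hops) - {seed}


def route(adj, first, second):
    """Shortest route between two route entities, or None if unconnected."""
    if first not in adj or second not in adj:
        return None
    prev = {first: None}
    frontier = deque([first])
    while frontier:
        node = frontier.popleft()
        if node == second:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                frontier.append(nxt)
    return None


def collapse_route(adj, first, second):
    """Hide the entries between two route entities behind a virtual edge.
    Returns the adjacency to display and the hidden entries, which are kept
    so they can be shown when the virtual edge is selected."""
    path = route(adj, first, second)
    if path is None or len(path) < 3:
        return adj, []
    hidden = path[1:-1]
    shown = {n: nb - set(hidden) for n, nb in adj.items() if n not in hidden}
    shown[first].add(second)      # the virtual edge, drawn in place of the route
    shown[second].add(first)
    return shown, hidden


def new_entities(existing_map, updated_map):
    """Block 520: entities the updated map has and the existing map lacks;
    these get the visual indication on the existing map."""
    return sorted(set(updated_map) - set(existing_map))


if __name__ == "__main__":
    full = build_map(OBSERVED_PAIRS)
    print("first-degree group of 10.1.2.20:", group_by_degree(full, "10.1.2.20", 1))
    shown, hidden = collapse_route(full, "10.1.1.9", "10.1.2.21/unit3/coil2")
    print("hidden entries:", hidden)
    print("added since the first three observations:",
          new_entities(build_map(OBSERVED_PAIRS[:3]), full))
```

Note that hiding the entries on a route removes them from the displayed map entirely, including their other edges, which is why the hidden list is returned alongside the displayed adjacency rather than discarded.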
  • Fig. 6 is a flowchart illustrating one example of a sequence of operations carried out for identifying cyber threats, in accordance with the presently disclosed subject matter.
  • system 100 can be configured to perform a cyber threat identification process 600, utilizing the network traffic analysis module 250.
  • system 100 can be configured to analyze content within packets passing through the operational technology network 105 to identify cyber threats on one or more threatened entities, being entities displayed on the network map (generated by the network mapping process 400) (block 610).
  • the cyber threats can be identified using known methods and/or techniques, or using any proprietary methods and/or techniques.
  • the system 100 can provide a visual indication on the network map, indicating of the identified cyber threat, wherein the visual indication is associated with the threatened entities (block 620).
  • threatened entities can be colored red or enlarged, the map can zoom in on the threatened entities, and any other visual indication that enables a user viewing the map to identify the threatened entities can be provided.
  • Fig. 7 is a flowchart illustrating one example of a sequence of operations carried out for determining vulnerabilities scores, in accordance with the presently disclosed subject matter.
  • system 100 can be configured to perform a vulnerabilities score calculation process 700, utilizing the scoring module 270.
  • system 100 can be configured to calculate, for at least one given entity of the source entities and the destination entities (including the content source entities, the content destination entities, the network-external source entities and the network-external destination entities), a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map generated by the network mapping process 400 (block 710).
  • the score can be calculated while taking into account one or more of the following: (a) the entity’s criticality (so that, for example, the more critical it is, the higher the score will be, assuming that a higher score is indicative of a higher vulnerability), (b) known vulnerabilities associated with the entity, or with entities connected thereto (so that, for example, the more known vulnerabilities exist the higher the score will be, assuming that a higher score is indicative of a higher vulnerability), (c) various anomalies associated with the entity, such as white alerts (so that, for example, the more white alerts detected the higher the score will be, assuming that a higher score is indicative of a higher vulnerability).
  • the system 100 can alert a user upon the vulnerability score exceeding a threshold (block 720).
  • the alert can be provided in various manners, and in some cases, it can be presented in a manner that will enable the user to associate the alert with the corresponding entity (e.g. the corresponding entity can be colored red/yellow/other distinctive color, the alert can be provided on top of the corresponding entity, the alert can be provided with a line/arrow pointing at the corresponding entity, etc.).
  • FIG. 8 there is shown a flowchart illustrating one example of a sequence of operations carried out for determining risk scores, in accordance with the presently disclosed subject matter.
  • system 100 can be configured to perform a risk score calculation process 800, utilizing the scoring module 270.
  • system 100 can be configured to calculate, for at least one given entity of the source entities and the destination entities (including the content source entities, the content destination entities, the network-external source entities and the network-external destination entities), a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of content within packets sent to and/or sent by the given entity (block 810).
  • the score can be calculated while taking into account one or more of the following: (a) the entity’s criticality (so that, for example, the more critical it is, the higher the score will be, assuming that a higher score is indicative of a higher risk), (b) known vulnerabilities associated with the entity, or with entities connected thereto (so that, for example, the more known vulnerabilities exist the higher the score will be, assuming that a higher score is indicative of a higher risk), (c) various anomalies associated with the entity, such as white alerts (so that, for example, the more white alerts detected the higher the score will be, assuming that a higher score is indicative of a higher risk).
  • the system 100 can alert a user upon the risk score exceeding a threshold (block 820).
  • the alert can be provided in various manners, and in some cases, it can be presented in a manner that will enable the user to associate the alert with the corresponding entity (e.g. the corresponding entity can be colored red/yellow/other distinctive color, the alert can be provided on top of the corresponding entity, the alert can be provided with a line/arrow pointing at the corresponding entity, etc.).
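The two scores and their alerts (blocks 710 to 820), as an added example that is not the patent's own code. The patent only lists the factors (criticality, known vulnerabilities of the entity and of entities connected to it, anomalies) and the direction of the scale; the weights, criticality values, vulnerability counts, thresholds and the rule that flags content anomalies are all assumptions constructed here. The vulnerability score is relationship-based and so reads the map, the risk score is content-based and so reads the DPI observations.

```python
"""Vulnerability score (block 710) and risk score (block 810) for map
entities, with the alerts of blocks 720 and 820, as an added illustration.

Assumptions, none of which come from the page: the weights, the
criticality values, the known-vulnerability counts, the alert thresholds
and the rule that flags content anomalies are all constructed. The page
only lists the factors (criticality, known vulnerabilities of the entity
and of entities connected to it, anomalies) and fixes the direction:
a higher score means more vulnerable or more at risk.
"""

# Constructed map: entity -> directly connected entities.
ADJ = {
    "10.1.1.5": {"10.1.2.20", "10.1.2.21", "10.1.1.9"},   # IT system
    "10.1.1.9": {"10.1.1.5"},                             # engineering workstation
    "10.1.2.20": {"10.1.1.5", "10.1.2.20/unit1/coil16"},  # controller
    "10.1.2.21": {"10.1.1.5"},                            # second controller
    "10.1.2.20/unit1/coil16": {"10.1.2.20"},              # valve (network-external)
}
CRITICALITY = {"10.1.1.5": 3, "10.1.1.9": 2, "10.1.2.20": 5,
               "10.1.2.21": 4, "10.1.2.20/unit1/coil16": 5}   # 1 low .. 5 high
KNOWN_VULNS = {"10.1.2.20": 2, "10.1.1.9": 1}                  # count per entity

# Constructed content observations from the DPI step:
# (content source, content destination, kind of content).
OBSERVATIONS = [
    ("10.1.1.5", "10.1.2.20", "write"),
    ("10.1.1.5", "10.1.2.20", "read"),
    ("10.1.1.9", "10.1.2.20", "write"),   # a workstation issuing commands
    ("10.1.1.9", "10.1.2.21", "write"),
    ("10.1.1.5", "10.1.2.21", "read"),
]
AUTHORISED_WRITERS = {"10.1.1.5"}        # the only entity expected to send commands

W_CRIT, W_VULN, W_NEIGHBOUR_VULN, W_ANOMALY = 1.0, 2.0, 1.0, 1.5


def content_anomalies(entity, observations):
    """Anomalies found by analysing content sent to or by `entity`: here,
    commands from a source that is not expected to issue them."""
    return [(s, d, k) for s, d, k in observations
            if entity in (s, d) and k == "write" and s not in AUTHORISED_WRITERS]


def vulnerability_score(entity, adj, observations):
    """Block 710: relationship-based. Known vulnerabilities of directly
    connected entities count too, since an attacker reaches this entity
    through them; a valve with no vulnerabilities of its own still scores
    high when its controller is vulnerable."""
    own = KNOWN_VULNS.get(entity, 0)
    neighbours = sum(KNOWN_VULNS.get(n, 0) for n in adj.get(entity, ()))
    return (W_CRIT * CRITICALITY.get(entity, 1) + W_VULN * own
            + W_NEIGHBOUR_VULN * neighbours
            + W_ANOMALY * len(content_anomalies(entity, observations)))


def risk_score(entity, observations):
    """Block 810: content-based, from what was actually sent to or by the entity."""
    return (W_CRIT * CRITICALITY.get(entity, 1)
            + W_VULN * KNOWN_VULNS.get(entity, 0)
            + W_ANOMALY * len(content_anomalies(entity, observations)))


def alerts(adj, observations, vuln_threshold, risk_threshold):
    """Blocks 720/820: (entity, score kind, score) for every score over its
    threshold, so the alert can be placed on that entity in the map."""
    out = []
    for entity in adj:
        v = vulnerability_score(entity, adj, observations)
        r = risk_score(entity, observations)
        if v > vuln_threshold:
            out.append((entity, "vulnerability", v))
        if r > risk_threshold:
            out.append((entity, "risk", r))
    return out


if __name__ == "__main__":
    for alert in alerts(ADJ, OBSERVATIONS, vuln_threshold=7.0, risk_threshold=6.0):
        print(alert)
```

With the constructed values the valve scores 7.0 on vulnerability despite having no known vulnerabilities itself, entirely from the controller it hangs off, which is the point of scoring from relationships identifiable on the map.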
  • The system can be implemented, at least partly, as a suitably programmed computer.
  • the presently disclosed subject matter contemplates a computer program being readable by a computer for executing the disclosed method.
  • the presently disclosed subject matter further contemplates a machine-readable memory tangibly embodying a program of instructions executable by the machine for executing the disclosed method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A system for analyzing network traffic passing through a given Operational Technology (OT) network, the system comprising a processing resource configured to: (a) monitor raw network traffic data passing through the given OT network, the raw network traffic data comprising a plurality of packets; (b) extract content of at least some of the packets using Deep Packet Inspection (DPI) of the packets; (c) identify, utilizing the content, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; (d) identify at least one network-external source entity, being a source entity triggering creation of the content, or at least one network-external destination entity, being a destination entity to which the content refers, wherein the network- external source entity and the network-external destination entity are external to the given OT network; and (e) repeat (a)-(d) continuously.

Description

A SYSTEM AND METHOD FOR ANALYZING NETWORK TRAFFIC
TECHNICAL FIELD
The invention relates to a system and method for analyzing network traffic.
BACKGROUND
Various network traffic analysis systems exist nowadays for analysing network traffic for various purposes. However, in many cases, these systems have limited capabilities when parts of the network traffic originate from Operational Technology (OT) systems. OT systems include hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, sensors, etc. Many operational technology networks include both Information Technology (IT) systems, being data-centric systems for the collection, organization, storage and communication of information, as well as OT systems. Due to the limited capabilities of the existing network traffic analysis systems dealing with the network traffic originating from the OT systems, there is a need in the art for a new system and method for analyzing network traffic.
References considered to be relevant as background to the presently disclosed subject matter are listed below. Acknowledgement of the references herein is not to be inferred as meaning that these are in any way relevant to the patentability of the presently disclosed subject matter.
US Patent Application No. 2014/0204799 (Pietrowics et al.), published on July 24th, 2014, discloses a method for visualizing and analyzing a field area network, which includes obtaining network traffic data that includes atomic communications and packet detail from a packet intercept system on a field area network. This field area network includes a number of network nodes. The method also includes a processor extracting connectivity and routing information from the traffic data, where the connectivity and routing information includes packet information and node information, determining network characteristics based on the extracted connectivity and routing information, retaining the network characteristics in a data structure, and importing the data structure into a computer readable storage medium that is accessible to the processor.
US Patent Application No. 2017/0205796 (Shmidt), published on July 20th, 2017, discloses a method that includes holding multiple primitives of a communication protocol, which is used for managing a controller that controls one or more field devices in an industrial control network. Multiple scenarios are defined, each corresponding to one or more respective sequences of primitives exchanged with the controller over the industrial control network for achieving a respective user-level operation. Multiple parsing rules for deriving the sequences of primitives from the respective scenarios are further defined. A sequence of primitives that were exchanged with the controller over the industrial control network is intercepted. An attempt to reconstruct from the intercepted sequence of primitives, using the parsing rules, one or more scenarios that each corresponds to the intercepted sequence of primitives is carried out, and, in response to succeeding in reconstructing one or more scenarios, user-level information is extracted from the reconstructed scenarios.
US Patent Application No. 2004/0260404 (Russel et al.), published on December 23rd, 2004, discloses that in an industrial equipment network, each piece of equipment is provided with a dedicated controller for providing control and identification information, and for being programmed to provide the interconnection and interaction of its associated piece of equipment with other equipment connected to the network, thereby permitting a SCADA system, via broadcasting from the controllers or polling the controllers, to self-configure itself to show a diagram of the entire equipment network and periodically update the diagram relative to changes thereto, and the status of the equipment on the network.
US Patent Application No. 2013/0191517 (Huang Ling et al.), published on July 25th, 2013, discloses a system, a server and a method for reproducing topological change using device events. Using a server to collect device messages of network devices in a network environment and after determining and producing a device event that includes reproducing data based on the collected device messages, the device event is sent to a reproducing client. The reproducing client updates and displays topological change in the network in accordance with the reproducing data in the device event. The system and the method can use a GUI to display topological change in the network, and achieve the effect of understanding the change in linking state of network devices in the network intuitively.
US Patent No. 8,769,412 (Gill et al.), published on July 1st, 2014, discloses a method and apparatus providing techniques for complete solutions for role-based, rules-driven access enforcement. An embodiment addresses blended risk assessment and security across logical systems, IT applications, databases, and physical systems from a single analytic dashboard, with auto-remediation capabilities. Further, an embodiment provides capability and functionality for providing visual risk and event monitoring, alerting, mitigation, and analytics displayed on a geospatial map.
US Patent Application No. US 2013/0094447 (Gidlund et al.), published on April 18, 2013, discloses a method for communication between a wireless device node in a wireless sensor network and control apparatus or control processes of an industrial control system. The wireless network includes a plurality of device nodes and at least one gateway. The method includes receiving at a gateway an aggregated data packet for a final address in the ICS. The gateway processes the data packet, detects that it is an aggregated data packet and reconstructs the original data packets contained therein. The gateway then sends each of the original data packets as standard data packets to the intended final address in the ICS. In other aspects of the invention a method, system and a computer program for carrying out the method are described.
US Patent Application No. US 2009/0238192 (Dolganow et al.), published on September 24, 2009, discloses a method and related device and computer-readable medium including one or more of the following: receiving a packet sent from the source node to the destination node; associating the packet with an active flow by accessing information in the packet; performing deep packet inspection (DPI) to identify an application associated with the active flow; associating application-identifying information with the packet; forwarding the packet including the application-identifying information towards the destination node; and performing application-specific processing at a downstream device on at least one packet belonging to the active flow, the downstream device identifying the application associated with the active flow by extracting the application-identifying information from the packet.
GENERAL DESCRIPTION
In accordance with a first aspect of the presently disclosed subject matter, there is provided a system for analyzing network traffic, the system comprising a processing resource configured to: (a) monitor raw network traffic data, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an Operational Technology (OT) system; (b) identify a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; and (c) repeat (a) to (b) continuously.
In some cases, the processing resource is further configured to extract content of at least some of the packets using Deep Packet Inspection (DPI) of the packets, and wherein the processing resource is further configured to utilize the content for the identify.
In some cases, the processing resource is further configured to identify at least one application source entity, being a source application triggering creation of the content, and at least one application destination entity, being a destination application to which the content refers.
In some cases, at least one of the content source entity, the content destination entities, the application source entity and the application destination entity, is not identifiable without said extract.
In some cases, the processing resource is further configured to generate a network map indicative of source entities and destination entities, and relationships therebetween, including the content source entity, the content destination entities, the application source entity and the application destination entity.
In some cases, the processing resource is further configured to visually display the network map on a display.
In some cases, the network map is visually displayed in a layer structure.
In some cases, the layer structure is a Purdue layer structure.
In some cases, the processing resource is further configured to: provide an existing map of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities; and generate a visual indication on the existing map, indicating of the identified content source entities and content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities.
In some cases, the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the processing resource generates a list of one or more actions to be performed on the given entity, wherein upon selection of a given action, the given action is performed on the given entity.
In some cases, the processing resource is further configured to: analyze the content to identify cyber threats on one or more threatened entities of the source entities and the destination entities; and provide a visual indication on the network map, indicating of the identified cyber threat, wherein the visual indication is associated with the threatened entities.
In some cases, the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the processing resource provides information on the selected given entry.
In some cases, the processing resource is further configured to analyze the content to identify cyber threats.
In some cases, the processing resource is further configured to analyze the content to determine a pattern indicative of a type and a model of at least one of the content source entity, the content destination entities, the application source entity and the application destination entity.
In some cases, the processing resource is further configured to calculate, for at least one given entity of the source entities and the destination entities, a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map.
In some cases, the processing resource is further configured to alert a user upon the vulnerability score exceeding a threshold.
In some cases, the processing resource is further configured to calculate, for at least one given entity of the source entities and the destination entities, a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of the content.
In some cases, the processing resource is further configured to alert a user upon the risk score exceeding a threshold.
In some cases, the processing resource is further configured to group, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold.
In some cases, the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein the processing resource is further configured to hide, within the network map, at least part of the entries, being hidden entries, on a route connecting a first route entity of the entities and a second route entity of the entities.
In some cases, the processing resource is further configured to display a virtual edge directly connecting the first route entity and the second route entity, and wherein upon selection of the virtual edge, the processing resource provides information on the route.
In some cases, the information includes information on the hidden entries.
In some cases, the OT systems include at least one Supervisory control and data acquisition (SCADA) entity.
In some cases, the OT systems include at least one Distributed Control System (DCS).
In accordance with a second embodiment of the presently disclosed subject matter, there is provided a method of analyzing network traffic, the method comprising: (a) monitoring, by a processing resource, raw network traffic data, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an Operational Technology (OT) system; (b) identifying, by the processing resource, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; and (c) repeating (a) to (b) continuously.
In some cases, the method further comprises extracting content of at least some of the packets using Deep Packet Inspection (DPI) of the packets, and utilizing the content for the identifying. In some cases, the method further comprises identifying at least one application source entity, being a source application triggering creation of the content, and at least one application destination entity, being a destination application to which the content refers.
In some cases, at least one of the content source entity, the content destination entities, the application source entity and the application destination entity is not identifiable without said extracting.
In some cases, the method further comprises generating a network map indicative of source entities and destination entities, and relationships therebetween, including the content source entity, the content destination entities, the application source entity and the application destination entity.
In some cases, the method further comprises visually displaying the network map on a display.
In some cases, the network map is visually displayed in a layer structure.
In some cases, the layer structure is a Purdue layer structure.
In some cases, the method further comprises: providing an existing map of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities; and generating a visual indication on the existing map, indicating of the identified content source entities and the identified content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities.
In some cases, the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the method further comprises generating a list of one or more actions to be performed on the given entity, wherein upon selection of a given action, the given action is performed on the given entity.
In some cases, the method further comprises analyzing the content to identify cyber threats on one or more threatened entities of the source entities and the destination entities; and providing a visual indication on the network map, indicative of the identified cyber threat, wherein the visual indication is associated with the threatened entities. In some cases, the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the method further comprises providing information on the selected given entry.
In some cases, the method further comprises analyzing the content to identify cyber threats.
In some cases, the method further comprises analyzing the content to determine a pattern indicative of a type and a model of at least one of the content source entity, the content destination entities, the application source entity and the application destination entity.
In some cases, the method further comprises calculating, for at least one given entity of the source entities and the destination entities, a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map.
In some cases, the method further comprises alerting a user upon the vulnerability score exceeding a threshold.
In some cases, the method further comprises calculating, for at least one given entity of the source entities and the destination entities, a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of the content.
In some cases, the method further comprises alerting a user upon the risk score exceeding a threshold.
In some cases, the method further comprises grouping, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold.
In some cases, the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein the method further comprises hiding, within the network map, at least part of the entries, being hidden entries, on a route connecting a first route entity of the entities and a second route entity of the entities. In some cases, the method further comprises displaying a virtual edge directly connecting the first route entity and the second route entity, and wherein upon selection of the virtual edge, the method further comprises providing information on the route.
In some cases, the information includes information on the hidden entries.
In some cases, the OT systems include at least one Supervisory control and data acquisition (SCADA) entity.
In some cases, the OT systems include at least one Distributed Control System (DCS).
In accordance with a third embodiment of the presently disclosed subject matter, there is provided a non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising: (a) monitoring, by a processing resource, raw network traffic data, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an Operational Technology (OT) system; (b) identifying, by the processing resource, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated; and (c) repeating (a) to (b) continuously.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to understand the presently disclosed subject matter and to see how it may be carried out in practice, the subject matter will now be described, by way of non-limiting examples only, with reference to the accompanying drawings, in which:
Fig. 1 is a schematic illustration of an exemplary operational technology network, in accordance with the presently disclosed subject matter;
Fig. 2 is a block diagram schematically illustrating one example of a system, in accordance with the presently disclosed subject matter;
Fig. 3 is a flowchart illustrating one example of a sequence of operations carried out for identifying entities within an operational technology network, in accordance with the presently disclosed subject matter;
Fig. 4 is a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter;
Fig. 5 is a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter;
Fig. 6 is a flowchart illustrating one example of a sequence of operations carried out for identifying cyber threats, in accordance with the presently disclosed subject matter;
Fig. 7 is a flowchart illustrating one example of a sequence of operations carried out for determining vulnerabilities scores, in accordance with the presently disclosed subject matter; and
Fig. 8 is a flowchart illustrating one example of a sequence of operations carried out for determining risk scores, in accordance with the presently disclosed subject matter.
DETAILED DESCRIPTION
In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the presently disclosed subject matter. However, it will be understood by those skilled in the art that the presently disclosed subject matter may be practiced without these specific details. In other instances, well- known methods, procedures, and components have not been described in detail so as not to obscure the presently disclosed subject matter.
In the drawings and descriptions set forth, identical reference numerals indicate those components that are common to different embodiments or configurations.
Unless specifically stated otherwise, as apparent from the following discussions, it is appreciated that throughout the specification discussions utilizing terms such as “connecting”, “providing”, “hiding”, “alerting”, “calculating”, “analyzing”, “generating”, “displaying”, “extracting”, “monitoring” or the like, include action and/or processes of a computer that manipulate and/or transform data into other data, said data represented as physical quantities, e.g. such as electronic quantities, and/or said data representing the physical objects. The terms “computer”, “processor”, and “controller” should be expansively construed to cover any kind of electronic device with data processing capabilities, including, by way of non-limiting example, a personal desktop/laptop computer, a server, a computing system, a communication device, a smartphone, a tablet computer, a smart television, a processor (e.g. digital signal processor (DSP), a microcontroller, a field programmable gate array (FPGA), an application specific integrated circuit (ASIC), etc.), a group of multiple physical machines sharing performance of various tasks, virtual servers co-residing on a single physical machine, any other electronic computing device, and/or any combination thereof.
The operations in accordance with the teachings herein may be performed by a computer specially constructed for the desired purposes or by a general-purpose computer specially configured for the desired purpose by a computer program stored in a non-transitory computer readable storage medium. The term "non-transitory" is used herein to exclude transitory, propagating signals, but to otherwise include any volatile or non-volatile computer memory technology suitable to the application.
As used herein, the phrase "for example," "such as", "for instance" and variants thereof describe non-limiting embodiments of the presently disclosed subject matter. Reference in the specification to "one case", "some cases", "other cases" or variants thereof means that a particular feature, structure or characteristic described in connection with the embodiment(s) is included in at least one embodiment of the presently disclosed subject matter. Thus, the appearance of the phrase "one case", "some cases", "other cases" or variants thereof does not necessarily refer to the same embodiment(s).
It is appreciated that, unless specifically stated otherwise, certain features of the presently disclosed subject matter, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the presently disclosed subject matter, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable sub-combination.
In embodiments of the presently disclosed subject matter, fewer, more and/or different stages than those shown in Figs. 3-8 may be executed. In embodiments of the presently disclosed subject matter one or more stages illustrated in Figs. 3-8 may be executed in a different order and/or one or more groups of stages may be executed simultaneously. Figs. 1-2 illustrate a general schematic of the system architecture in accordance with an embodiment of the presently disclosed subject matter. Each module in Figs 1-2 can be made up of any combination of software, hardware and/or firmware that performs the functions as defined and explained herein. The modules in Figs. 1-2 may be centralized in one location or dispersed over more than one location. In other embodiments of the presently disclosed subject matter, the system may comprise fewer, more, and/or different modules than those shown in Figs. 1-2.
Any reference in the specification to a method should be applied mutatis mutandis to a system capable of executing the method and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that once executed by a computer result in the execution of the method.
Any reference in the specification to a system should be applied mutatis mutandis to a method that may be executed by the system and should be applied mutatis mutandis to a non-transitory computer readable medium that stores instructions that may be executed by the system.
Any reference in the specification to a non-transitory computer readable medium should be applied mutatis mutandis to a system capable of executing the instructions stored in the non-transitory computer readable medium and should be applied mutatis mutandis to a method that may be executed by a computer that reads the instructions stored in the non-transitory computer readable medium.
Bearing this in mind, attention is drawn to Fig. 1, a schematic illustration of an exemplary operational technology network, in accordance with the presently disclosed subject matter.
According to some examples of the presently disclosed subject matter, an operational technology network 105 can be provided. The operational technology network 105 can be comprised of one or more interconnected computerized networks, that can optionally be distributed over a plurality of geographical locations. The operational technology network 105 can comprise Information Technology (IT) systems 110, such as IT devices 120-a, 120-b, ..., 120-n (n being an integer), and Operational Technology systems 130, such as controllers 140-a, 140-b, ..., 140-m (m being an integer, equal to n or not). Each controller (e.g. 140-a, ..., 140-m) can optionally be connected to one or more physical devices, such as valve/s 152, thermometer/s 154, sensor/s 156, etc. It is to be noted that in some cases, a single controller (e.g. 140-a) can be connected to a plurality of physical devices (e.g. valve 152 and thermometer 154) and/or to a plurality of virtual devices (e.g. virtual controllers, etc.), that are not designed in a manner that enables them to communicate over the operational technology network 105. At least some of the physical and/or virtual devices connected to the controllers 140-a to 140-m are not directly connected to the operational technology network 105, and in any case - they are not designed in a manner that enables them to communicate over the operational technology network 105.
The operational technology network 105 further comprises, or is otherwise associated with, system 100, which obtains information originating from the IT systems 110 and/or from the OT systems 130, and utilizes such information for various purposes, including mapping of the operational technology network 105 and/or identification of cyber threats, etc., as further detailed herein.
Fig. 2 is a block diagram schematically illustrating one example of a system, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can comprise a network interface 210 enabling connecting the system 100 to the operational technology network 105, and enabling it to monitor network traffic passing through the operational technology network 105. The connection of the system 100 to the operational technology network 105 can be via routers (not shown) of the operational technology network 105, or any other device/s through which the network traffic to be monitored passes.
System 100 can further comprise or be otherwise associated with a data repository 220 (e.g. a database, a storage system, a memory including Read Only Memory - ROM, Random Access Memory - RAM, or any other type of memory, etc.) configured to store data, including, inter alia, information of various source and/or destination entities, identified by the system 100, and relationships therebetween, as further detailed herein.
System 100 further comprises a processing resource 230. Processing resource 230 can be one or more processing units (e.g. central processing units), microprocessors, microcontrollers (e.g. microcontroller units (MCUs)) or any other computing devices or modules, including multiple and/or parallel and/or distributed processing units, which are adapted to independently or cooperatively process data for controlling relevant system 100 resources and for enabling operations related to system 100 resources.
The processing resource 230 can comprise one or more of the following modules: network traffic monitoring module 240, network traffic analysis module 250, network mapping module 260, scoring module 270 and a Deep Packet Inspection module 280.
Network traffic monitoring module 240 can be configured to monitor network traffic passing through the operational technology network 105, as further detailed herein, inter alia with reference to Fig. 3.
Network traffic analysis module 250 can be configured to analyze the monitored network traffic, as further detailed herein, inter alia with reference to Figs. 3 and 6.
Network mapping module 260 can be configured to generate a network map indicative of entities identified within the operational technology network 105, as further detailed herein, inter alia with reference to Figs. 4 and 5.
Scoring module 270 can be configured to calculate vulnerability scores and/or risk scores, as further detailed herein, inter alia with reference to Figs. 7 and 8.
Deep packet inspection module 280 can be configured to perform deep packet inspection using various methods and/or techniques, either known or proprietary.
Turning to Fig. 3, there is shown a flowchart illustrating one example of a sequence of operations carried out for identifying entities within an operational technology network, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can be configured to perform entities identification process 300.
For this purpose, system 100 can be configured to monitor, utilizing the network traffic monitoring module 240, raw network traffic data passing through the operational technology network 105 (e.g. utilizing the network interface 210 and the connection established therethrough to the operational technology network 105). The raw network traffic data can include a plurality of packets (passing through the operational technology network 105 over a time-period), wherein at least some of the packets originate from (a) an Operational Technology (OT) system of the OT systems 130, (b) a physical device connected to the OT system 130 and not directly connected to the operational technology network 105, or (c) a virtual device that is not designed in a manner that enables it to communicate over the operational technology network 105 (block 310). The OT system of the OT systems 130 can be a Distributed Control System (DCS), a Supervisory control and data acquisition (SCADA) entity, or any other OT system.
System 100 can be further configured to identify, utilizing the network traffic analysis module 250, a content source entity, being an IT or an OT entity/system, sending at least some of the packets, and one or more content destination entities, being IT and/or OT entities/systems, to which at least some of the packets are designated (block 320). The content source entity and the one or more content destination entities are directly connected to the operational technology network 105. The content source entity and the one or more content destination entities can be identified by a unique identifier enabling identification thereof, comprised within the packets monitored at block 310. In some cases, the unique identifier can be a network layer level identifier (e.g. an Internet Protocol (IP) address, a proprietary address or any other address that is used for transferring the packets over a network).
In some cases, the unique identifier is readily available as part of the monitored packets, while in other cases, in order to identify the content source entity and/or the content destination entities, the system 100 is required to extract content of at least part of the monitored packets using Deep Packet Inspection (DPI) (e.g. using the DPI module 280) of such packets, where required. It is to be noted that in some cases at least part of the content source entity and/or the content destination entities cannot be otherwise identified, as identification information of the source/destination entity is not always available as an accessible part of each packet (e.g. a non-encrypted part, a non-identifiable part, etc.).
In some cases, system 100 can be still further configured to identify (a) at least one network-external source entity, being a physical or virtual source entity that provided the trigger to the content being sent via the operational technology network 105, while the network-external source entity is not directly connected to the operational technology network 105, and/or (b) at least one network-external destination entity, being a physical or virtual destination entity to which the content refers. The network-external source entity and the network-external destination entity are (a) physical devices that are themselves not directly connected to the given operational technology network 105, and that do not have an IP address in the given operational technology network 105 (while noting that such devices can have an IP address of another network, other than the operational technology network 105), or (b) virtual devices that are not designed in a manner that enables them to communicate over the operational technology network 105, and that do not have an IP address in the given operational technology network 105.
In some cases, a unique identifier of the network-external source entity and/or of the network-external destination entity, is readily available as part of the monitored packets, while in other cases, in order to identify the network-external source entity and/or the network-external destination entity, the system 100 is required to extract content of at least part of the monitored packets using Deep Packet Inspection (DPI) (e.g. using the DPI module 280) of such packets (optionally along with information of proprietary protocols which enable identification of the unique identifiers from the information within the network traffic packets), where required. It is to be noted that in some cases the network-external source entity and/or the network-external destination entity cannot be otherwise identified, as identification information of the network-external source/destination entity is not always available as an accessible part of each packet (e.g. a non-encrypted part, a non-identifiable part, etc.).
As indicated above, a network-external source entity (e.g. a sensor, a valve, a thermometer, etc.), can be responsible for triggering creation of content passing through the operational technology network 105. For example, a certain reading obtained by a sensor (a network-external source entity) that is not directly connected to the operational technology network 105 may trigger sending of the reading from an OT system 130 that is directly connected to the operational technology network 105 (e.g. a controller to which the sensor is connected), being a content source entity connected to the operational technology network 105, to a content destination entity that is also directly connected to the operational technology network 105. The content source entity in such example serves as an intermediary device, mediating between the network-external source entity (the sensor), and the content destination entity.
Furthermore, some of the content that passes through the operational technology network 105 can designate a network-external destination entity that is not directly connected to the operational technology network 105 (e.g. a sensor, a valve, a thermometer, etc.). For example, a certain command can be sent from a content source entity that is directly connected to the operational technology network 105 to a content destination entity (e.g. a controller to which a certain valve is connected) that is also directly connected to the operational technology network 105, while the command itself designates the certain valve that is itself not directly connected to the operational technology network 105. The content destination entity in such example serves as an intermediary device, mediating between the content source entity and the network-external destination entity (the valve).
For example, a given IT system 110 that is connected to the operational technology network 105 can send, over the operational technology network 105, to a given controller that is also connected to the operational technology network 105, one or more packets comprising content according to which a command to open a given valve, that is not directly connected to the operational technology network 105, is to be executed by the given controller. The content source entity in this case is the IT system, the content destination entity is the given controller, both of which are connected to the operational technology network 105, and the device to which the content refers is the given valve, which is the network-external destination entity that is not directly connected to the operational technology network 105 (and does not have, for example, an IP address). In this case, analysis of the content can enable identification of the content source entity, the content destination entity, and the network-external destination entity. In response to the command, the valve can provide a confirmation to the controller that the command was executed, following which the controller can send content, comprising confirmation of execution of the command, to the given IT system 110. The content source entity in this case is the given controller, the content destination entity is the given IT system 110, and the device triggering the creation of the content is the given valve, which is the network-external source entity.
Accordingly, the entities identification process 300 enables identification of entities that are directly connected to the operational technology network 105, and that communicate over it (such as IT systems, OT controllers, etc.), as well as entities that are not directly connected to the operational technology network 105 and that do not communicate over it (such as valves, sensors, etc.). The entities that are not directly connected to the operational technology network 105 and that do not communicate over it can be controlled by the entities that are connected to the operational technology network 105, and that do communicate over it.
It is to be noted that identification of the application source entity and application destination entity can also require extraction of the content from the packets using DPI (e.g. using the DPI module 280). In more particular cases, at least one of the content source entity, the content destination entities, the network-external source entity and the network-external destination entity, is not identifiable without extraction of the content from the packets using DPI.
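The identification process described above, as an added, runnable illustration (this is not the patent's code, nor Cyberbit's DPI implementation): the content source and content destination entities are taken from the network-layer identifiers of each packet, and the network-external entities (the field device a command refers to, or the device whose reading triggered a report) are recovered only by inspecting the payload. The application protocol, the packet layout, the IP addresses and the device identifiers are all constructed for the example; a real OT protocol and a real DPI engine would replace the toy parser. A packet whose payload cannot be parsed (encrypted or unknown) still yields the directly connected entities, but no network-external entity, which is the limitation the text describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy OT application protocol (an assumption for this example, not a
# real ICS protocol and not the patent's method):
#   byte 0    : kind      0x01 = command, 0x02 = confirmation, 0x03 = reading
#   byte 1    : operation 0x10 = open valve, 0x11 = close valve, 0x20 = report value
#   bytes 2-3 : field-device id, big-endian (the device the content refers to)
#   bytes 4.. : optional value bytes
KIND_COMMAND, KIND_CONFIRMATION, KIND_READING = 0x01, 0x02, 0x03
KIND_NAMES = {KIND_COMMAND: "command", KIND_CONFIRMATION: "confirmation",
              KIND_READING: "reading"}


@dataclass(frozen=True)
class Packet:
    src_ip: str      # network-layer identifier of the sender
    dst_ip: str      # network-layer identifier of the receiver
    payload: bytes   # application content, subject to DPI


@dataclass
class Identification:
    """Entities identified from one packet: the directly connected ones from the
    headers, the network-external ones (if any) from deep packet inspection."""
    content_source: str
    content_destination: str
    external_source: Optional[str] = None        # device that triggered the content
    external_destination: Optional[str] = None   # device the content refers to
    kind: Optional[str] = None                   # None when the payload was opaque


def inspect_payload(payload: bytes) -> Optional[tuple]:
    """DPI step for the toy protocol: return (kind, device name), or None when the
    payload is too short or not of a known kind (e.g. encrypted or unknown protocol)."""
    if len(payload) < 4 or payload[0] not in KIND_NAMES:
        return None
    device_id = int.from_bytes(payload[2:4], "big")
    return KIND_NAMES[payload[0]], f"device-{device_id}"


def identify(pkt: Packet) -> Identification:
    ident = Identification(pkt.src_ip, pkt.dst_ip)
    parsed = inspect_payload(pkt.payload)
    if parsed is None:
        return ident   # only the directly connected entities are identifiable
    kind, device = parsed
    ident.kind = kind
    if kind == "command":
        # the command designates a field device behind the destination controller
        ident.external_destination = device
    else:
        # a confirmation or reading was triggered by the field device behind the sender
        ident.external_source = device
    return ident


def build_relationships(packets):
    """Aggregate per-packet identifications into the entity sets and the edges
    that a network map would be generated from."""
    network_entities, external_entities, edges = set(), set(), set()
    for pkt in packets:
        ident = identify(pkt)
        network_entities.update({ident.content_source, ident.content_destination})
        edges.add((ident.content_source, ident.content_destination))
        if ident.external_destination:
            external_entities.add(ident.external_destination)
            # the destination controller mediates towards the field device
            edges.add((ident.content_destination, ident.external_destination))
        if ident.external_source:
            external_entities.add(ident.external_source)
            # the field device triggered content sent by the source controller
            edges.add((ident.external_source, ident.content_source))
    return network_entities, external_entities, edges


# Constructed sample traffic: an IT host commands controller 10.0.2.20 to open
# valve 7, the controller confirms, later the controller reports a reading from
# sensor 12, and one packet carries an opaque payload that DPI cannot parse.
SAMPLE_PACKETS = [
    Packet("10.0.1.5", "10.0.2.20", bytes([KIND_COMMAND, 0x10]) + (7).to_bytes(2, "big")),
    Packet("10.0.2.20", "10.0.1.5", bytes([KIND_CONFIRMATION, 0x10]) + (7).to_bytes(2, "big")),
    Packet("10.0.2.20", "10.0.1.6", bytes([KIND_READING, 0x20]) + (12).to_bytes(2, "big") + b"\x00\x2a"),
    Packet("10.0.1.6", "10.0.2.21", b"\xff\xfe"),   # opaque: only headers usable
]

if __name__ == "__main__":
    net, ext, edges = build_relationships(SAMPLE_PACKETS)
    print("directly connected entities:", sorted(net))
    print("network-external entities:  ", sorted(ext))
    for src, dst in sorted(edges):
        print(f"  {src} -> {dst}")
```

Running the script prints four directly connected entities, two network-external devices (valve 7 and sensor 12) and seven edges; the opaque packet contributes only its two IP endpoints.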
It is to be still further noted that the entities identification process 300 can be performed continuously and/or periodically (e.g. every pre-determined time-period, whenever a certain number of packets passes through the operational technology network 105, upon an instruction of a user, or based on any other rule/s).
It is to be noted that, with reference to Fig. 3, some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It should also be noted that whilst the flow diagram is described with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
Attention is drawn to Fig. 4, in which there is shown a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can be configured to perform a network mapping process 400, utilizing the network mapping module 260.
For this purpose, system 100 can be configured to generate, using the information obtained by the entities identification process 300, a network map indicative of source entities and destination entities, and relationships therebetween, the source entities and destination entities including the content source entity, the content destination entities, the network-external source entities and the network-external destination entities (block 410).
In some cases, the system 100 can be configured to display the network map on a display (not shown) (block 420). It is to be noted that when reference is made herein to “entries”, the entries are the entities shown on the map, including the content source entities, the content destination entities, the network-external source entities and the network-external destination entities.
Having information of the routes of the packets passing through the operational technology network 105 enables generating such map so that the entities displayed on the map (including the source entities and the destination entities) can be represented by a given symbology (e.g. circles, ellipses, rectangles, etc.), whereas the relationships therebetween can be represented by edges connecting the selected symbols, so that a pair of one given source entity that sent packets to one given destination entity will be connected by an edge (e.g. a non-directional line, an arrow, etc.). This way, the map can visualize the relationships between the various entities.
The network map comprises a plurality of entries of respective entities including the source entities and the destination entities. In some cases, upon selection of a given entry associated with a given entity, the system 100 can provide information on the selected entity (e.g. its IP address (if it has one), its type and model (that can be determined, for example, by the system 100 by analyzing content within packets sent from the entity and/or received by the entity, to determine a pattern therein, indicative of a type and a model of the entity), its resources utilization, or any other type of information relating thereto available to the system 100).
Additionally, or alternatively, upon selection of a given entry associated with a given entity, the system 100 can generate a list of one or more actions that can be performed on the given entity, where upon selection of a given action, the given action is performed on the given entity. For example, upon selecting the representation of a given IT system 110 on the map, a list of actions including, for example, restarting or shutting down the given IT system 110 can be presented. Upon selection of a certain action, for example restarting the given IT system 110, the given IT system 110 is restarted.
Additionally, or alternatively, the system 100 can be configured to group, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold. For example, if the relationship type is a first-degree relationship type only, only entities that are directly connected through a single edge are grouped. If the relationship type is a second-degree relationship type, entities that are directly connected through a single edge, and entities that are both connected to a single intermediary entity, are grouped. It is to be noted that other relationship-type thresholds can be used (e.g. third-degree, fourth-degree, etc.).
Still further, in some cases, the system 100 can be configured to hide, on the displayed network map, at least part of the entries (being the source entities and the destination entities shown on the map, which, as indicated above, include the content source entity, the content destination entities, the network-external source entities and the network-external destination entities) on a route connecting a first route entity and a second route entity, both being entities having a route connecting them. The entities that are hidden are also referred to herein as “hidden entries”.
In some cases, upon hiding some of the entries, a virtual edge can be displayed on the map, connecting the first route entity and the second route entity. Upon selection of the virtual edge, the system 100 can provide information on the route connecting the first route entity and the second route entity, including information on the hidden entries.
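The map-building, degree-based grouping and route-hiding behaviour described above, as an added example that is not code from the patent or from Cyberbit: the entity names, kinds and routes are constructed sample data, and treating a group as the k-hop neighbourhood around each entity is an assumed reading of the relationship-type threshold.

```python
"""Network map from observed packet routes: k-degree grouping and collapsing
a route into a virtual edge over hidden entries.

Added example for this page; not code from the patent or from Cyberbit.
Entity names, kinds and routes are constructed sample data, and reading a
group as the k-hop neighbourhood around each entity is an assumption."""
from collections import defaultdict, deque


class NetworkMap:
    def __init__(self):
        self.edges = defaultdict(set)  # undirected: one edge per (source, destination) pair seen
        self.kinds = {}                # entity -> kind label (content-source, network-external-destination, ...)
        self.hidden = set()            # entries currently hidden on the displayed map
        self.virtual_edges = {}        # (a, b) -> hidden entries on the route between them

    def add_route(self, src, dst, src_kind="content-source", dst_kind="content-destination"):
        """Record that src sent packets to dst; both become entries on the map."""
        self.edges[src].add(dst)
        self.edges[dst].add(src)
        self.kinds.setdefault(src, src_kind)
        self.kinds.setdefault(dst, dst_kind)

    def within_degree(self, entity, k):
        """Entries reachable from entity in at most k edges, entity itself excluded.
        k=1 is the page's first-degree relationship type, k=2 the second-degree one
        (directly connected, or both connected to a single intermediary)."""
        seen, queue = {entity}, deque([(entity, 0)])
        while queue:
            node, depth = queue.popleft()
            if depth == k:
                continue
            for nxt in sorted(self.edges.get(node, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, depth + 1))
        seen.discard(entity)
        return seen

    def groups(self, k):
        """One group per entity: the entity plus everything within k edges of it;
        identical groups collapse because the result is a set of frozensets."""
        return {frozenset({e} | self.within_degree(e, k)) for e in list(self.edges)}

    def shortest_route(self, a, b):
        """Breadth-first path from a to b, endpoints included, or None if unconnected."""
        parent = {a: None}
        queue = deque([a])
        while queue:
            node = queue.popleft()
            if node == b:
                break
            for nxt in sorted(self.edges.get(node, ())):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        if b not in parent:
            return None
        path = []
        while b is not None:
            path.append(b)
            b = parent[b]
        return path[::-1]

    def collapse_route(self, a, b):
        """Hide the intermediate entries on the route a..b and draw a virtual edge
        that remembers them, so selecting the edge can list the hidden entries."""
        route = self.shortest_route(a, b)
        if route is None or len(route) < 3:
            return []  # a and b are adjacent or unconnected: nothing to hide
        hidden = route[1:-1]
        self.hidden.update(hidden)
        self.virtual_edges[(a, b)] = hidden
        return hidden

    def displayed_edges(self):
        """Edges to draw: real edges between two visible entries, plus virtual edges."""
        real = {tuple(sorted((u, v))) for u in self.edges for v in self.edges[u]
                if u not in self.hidden and v not in self.hidden}
        return sorted(real | {tuple(sorted(ab)) for ab in self.virtual_edges})


def build_sample_map():
    """Constructed routes, standing in for what DPI of the OT traffic would yield."""
    m = NetworkMap()
    m.add_route("SCADA-SRV", "PLC-1")
    m.add_route("SCADA-SRV", "PLC-2")
    m.add_route("PLC-1", "RTU-7")
    m.add_route("PLC-2", "RTU-8")
    # Content sent by RTU-7 refers to a host outside the OT network.
    m.add_route("RTU-7", "VENDOR-PORTAL", dst_kind="network-external-destination")
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print("second-degree neighbours of PLC-1:", sorted(m.within_degree("PLC-1", 2)))
    print("hidden behind the virtual edge:", m.collapse_route("SCADA-SRV", "VENDOR-PORTAL"))
    print("edges now displayed:", m.displayed_edges())
```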
In some cases, the network map can be visually displayed in a layer structure, and in more particular cases, the layer structure can be a Purdue layer structure.
It is to be noted that, with reference to Fig. 4, some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It is to be further noted that block 420 is optional. It should also be noted that whilst the flow diagram is described also with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
Turning to Fig. 5, there is shown a flowchart illustrating one example of a sequence of operations carried out for generating a network map, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can be configured to perform an entities addition visualization process 500, utilizing the network mapping module 260. For this purpose, system 100 can be configured to provide an existing map (e.g. a map previously generated by the network mapping process 400) of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities, identified at block 320 (block 510).
In order to visualize the addition of the new entities into the map, the system 100 can generate a visual indication on the existing map, indicative of the identified content source entities and the identified content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities, giving rise to an updated network map (block 520).
It is to be noted that, with reference to Fig. 5, some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It should also be noted that whilst the flow diagram is described also with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
Fig. 6 is a flowchart illustrating one example of a sequence of operations carried out for identifying cyber threats, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can be configured to perform a cyber threat identification process 600, utilizing the network traffic analysis module 250.
For this purpose, system 100 can be configured to analyze content within packets passing through the operational technology network 105 to identify cyber threats on one or more threatened entities, being entities displayed on the network map (generated by the network mapping process 400) (block 610). The cyber threats can be identified using known methods and/or techniques, or using any proprietary methods and/or techniques.
Upon identification of a cyber threat, the system 100 can provide a visual indication on the network map, indicative of the identified cyber threat, wherein the visual indication is associated with the threatened entities (block 620). For example, threatened entities can be colored red or enlarged, the map can zoom in on the threatened entities, or any other visual indication that enables a user viewing the map to identify the threatened entities can be provided.
It is to be noted that, with reference to Fig. 6, some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It should also be noted that whilst the flow diagram is described also with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
Fig. 7 is a flowchart illustrating one example of a sequence of operations carried out for determining vulnerability scores, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can be configured to perform a vulnerability score calculation process 700, utilizing the scoring module 270.
For this purpose, system 100 can be configured to calculate, for at least one given entity of the source entities and the destination entities (including the content source entities, the content destination entities, the network-external source entities and the network-external destination entities), a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map generated by the network mapping process 400 (block 710).
The score can be calculated while taking into account one or more of the following: (a) the entity’s criticality (so that, for example, the more critical it is, the higher the score will be, assuming that a higher score is indicative of a higher vulnerability), (b) known vulnerabilities associated with the entity, or with entities connected thereto (so that, for example, the more known vulnerabilities exist the higher the score will be, assuming that a higher score is indicative of a higher vulnerability), (c) various anomalies associated with the entity, such as white alerts (so that, for example, the more white alerts detected the higher the score will be, assuming that a higher score is indicative of a higher vulnerability).
In case the vulnerability score exceeds a threshold (which can be a pre-defined threshold or a calculated threshold), the system 100 can alert a user (block 720). The alert can be provided in various manners, and in some cases it can be presented in a manner that enables the user to associate the alert with the corresponding entity (e.g. the corresponding entity can be colored red/yellow/another distinctive color, the alert can be provided on top of the corresponding entity, the alert can be provided with a line/arrow pointing at the corresponding entity, etc.).
It is to be noted that, with reference to Fig. 7, some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It should also be noted that whilst the flow diagram is described also with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
Turning to Fig. 8, there is shown a flowchart illustrating one example of a sequence of operations carried out for determining risk scores, in accordance with the presently disclosed subject matter.
According to certain examples of the presently disclosed subject matter, system 100 can be configured to perform a risk score calculation process 800, utilizing the scoring module 270.
For this purpose, system 100 can be configured to calculate, for at least one given entity of the source entities and the destination entities (including the content source entities, the content destination entities, the network-external source entities and the network-external destination entities), a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of content within packets sent to and/or sent by the given entity (block 810).
The score can be calculated while taking into account one or more of the following: (a) the entity’s criticality (so that, for example, the more critical it is, the higher the score will be, assuming that a higher score is indicative of a higher risk), (b) known vulnerabilities associated with the entity, or with entities connected thereto (so that, for example, the more known vulnerabilities exist the higher the score will be, assuming that a higher score is indicative of a higher risk), (c) various anomalies associated with the entity, such as white alerts (so that, for example, the more white alerts detected the higher the score will be, assuming that a higher score is indicative of a higher risk).
In case the risk score exceeds a threshold (which can be a pre-defined threshold or a calculated threshold), the system 100 can alert a user (block 820). The alert can be provided in various manners, and in some cases it can be presented in a manner that enables the user to associate the alert with the corresponding entity (e.g. the corresponding entity can be colored red/yellow/another distinctive color, the alert can be provided on top of the corresponding entity, the alert can be provided with a line/arrow pointing at the corresponding entity, etc.).
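A worked version of the vulnerability score (block 710) and the risk score (block 810) with both threshold styles, added here as an example and not taken from the patent or from Cyberbit: the weights, the 1..5 criticality scale, the calculated-threshold rule and all entity data are constructed assumptions, since the page names the three factors but gives no formula.

```python
"""Vulnerability and risk scores for map entries, with threshold alerting.

Added example for this page; not code from the patent or from Cyberbit.
The page names three factors (criticality, known vulnerabilities of the
entity and of entities connected to it, anomalies such as white alerts) but
no weights or formula: the weights, the 1..5 criticality scale, the
calculated-threshold rule and the entity data below are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class EntityFacts:
    criticality: int    # 1 (low) .. 5 (critical); assumed scale
    known_vulns: int    # known vulnerabilities attributed to the entity
    white_alerts: int   # anomalies already raised against the entity


# Constructed weights; a higher score means higher vulnerability / risk.
W_CRIT, W_OWN_VULN, W_NEIGHBOR_VULN, W_ANOMALY = 10, 8, 3, 5

# Constructed sample data: facts per map entry and the map's adjacency.
SAMPLE_FACTS = {
    "SCADA-SRV": EntityFacts(5, 2, 1),
    "PLC-1": EntityFacts(4, 1, 3),
    "PLC-2": EntityFacts(4, 0, 0),
    "RTU-7": EntityFacts(3, 3, 0),
    "VENDOR-PORTAL": EntityFacts(1, 0, 2),   # network-external destination
}
SAMPLE_NEIGHBORS = {
    "SCADA-SRV": ["PLC-1", "PLC-2"],
    "PLC-1": ["SCADA-SRV", "RTU-7"],
    "PLC-2": ["SCADA-SRV"],
    "RTU-7": ["PLC-1", "VENDOR-PORTAL"],
    "VENDOR-PORTAL": ["RTU-7"],
}
# Constructed per-packet DPI findings, the input the risk score draws on.
SAMPLE_CONTENT_FINDINGS = [
    {"entity": "PLC-1", "finding": "write command from a source not seen before"},
    {"entity": "PLC-1", "finding": "function code outside the learned baseline"},
    {"entity": "RTU-7", "finding": "banner reports a firmware release with known vulnerabilities"},
]


def vulnerability_score(entity, facts, neighbors):
    """Relationship-based score (block 710): own criticality and known
    vulnerabilities, known vulnerabilities of entities connected on the map,
    and white alerts against the entity."""
    own = facts[entity]
    connected_vulns = sum(facts[n].known_vulns for n in neighbors.get(entity, []))
    return (W_CRIT * own.criticality + W_OWN_VULN * own.known_vulns
            + W_NEIGHBOR_VULN * connected_vulns + W_ANOMALY * own.white_alerts)


def risk_score(entity, facts, content_findings):
    """Content-based score (block 810): the same criticality and known-vulnerability
    factors, with the anomaly term counted from DPI findings on packets sent to
    or by the entity rather than taken from the map."""
    own = facts[entity]
    anomalies = sum(1 for f in content_findings if f["entity"] == entity)
    return W_CRIT * own.criticality + W_OWN_VULN * own.known_vulns + W_ANOMALY * anomalies


def score_all(scorer, facts, context):
    """Score every entry on the map with the given scorer."""
    return {e: scorer(e, facts, context) for e in facts}


def calculated_threshold(scores):
    """The page allows a pre-defined or a calculated threshold; this calculated
    rule (assumed) flags scores more than one standard deviation above the mean."""
    values = list(scores.values())
    return mean(values) + pstdev(values)


def alerts(scores, threshold):
    """Entities whose score exceeds the threshold, to be highlighted on the map."""
    return sorted(e for e, s in scores.items() if s > threshold)


if __name__ == "__main__":
    vuln = score_all(vulnerability_score, SAMPLE_FACTS, SAMPLE_NEIGHBORS)
    risk = score_all(risk_score, SAMPLE_FACTS, SAMPLE_CONTENT_FINDINGS)
    print("vulnerability scores:", vuln)
    print("alerts, pre-defined threshold 70:", alerts(vuln, 70))
    print("alerts, calculated threshold:", alerts(vuln, calculated_threshold(vuln)))
    print("risk scores:", risk, "alerts, threshold 60:", alerts(risk, 60))
```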
It is to be noted that, with reference to Fig. 8, some of the blocks can be integrated into a consolidated block or can be broken down to a few blocks and/or other blocks may be added. It should also be noted that whilst the flow diagram is described also with reference to the system elements that realize them, this is by no means binding, and the blocks can be performed by elements other than those described herein.
It is to be understood that the presently disclosed subject matter is not limited in its application to the details set forth in the description contained herein or illustrated in the drawings. The presently disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways. Hence, it is to be understood that the phraseology and terminology employed herein are for the purpose of description and should not be regarded as limiting. As such, those skilled in the art will appreciate that the conception upon which this disclosure is based may readily be utilized as a basis for designing other structures, methods, and systems for carrying out the several purposes of the presently disclosed subject matter.
It will also be understood that the system according to the presently disclosed subject matter can be implemented, at least partly, as a suitably programmed computer. Likewise, the presently disclosed subject matter contemplates a computer program being readable by a computer for executing the disclosed method. The presently disclosed subject matter further contemplates a machine-readable memory tangibly embodying a program of instructions executable by the machine for executing the disclosed method.

CLAIMS:
1. A system for analyzing network traffic passing through a given Operational Technology (OT) network, the system comprising a processing resource configured to:
(a) monitor raw network traffic data passing through the given OT network, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an OT system;
(b) extract content of at least some of the packets using Deep Packet Inspection (DPI) of the packets;
(c) identify, utilizing the content, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated;
(d) identify at least one network-external source entity, being a source entity triggering creation of the content, or at least one network-external destination entity, being a destination entity to which the content refers, wherein the network-external source entity and the network-external destination entity are external to the given OT network; and
(e) repeat (a) to (d) continuously.
2. The system of claim 1, wherein at least one of the content source entity, the content destination entities, the network-external source entity or the network-external destination entity, is not identifiable without said extract.
3. The system of claim 2, wherein the processing resource is further configured to generate a network map indicative of source entities and destination entities, and relationships therebetween, including the content source entity, the content destination entities, the network-external source entity or the network-external destination entity.
4. The system of claim 3, wherein the processing resource is further configured to visually display the network map on a display.
5. The system of claim 4, wherein the network map is visually displayed in a layer structure.
6. The system of claim 5, wherein the layer structure is a Purdue layer structure.
7. The system of claim 4, wherein the processing resource is further configured to: provide an existing map of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities; and
generate a visual indication on the existing map, indicating of the identified content source entities and the identified content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities.
8. The system of claim 4, wherein the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the processing resource generates a list of one or more actions to be performed on the given entity, wherein upon selection of a given action, the given action is performed on the given entity.
9. The system of claim 4, wherein the processing resource is further configured to: analyze the content to identify cyber threats on one or more threatened entities of the source entities and the destination entities; and
provide a visual indication on the network map, indicating of the identified cyber threat, wherein the visual indication is associated with the threatened entities.
10. The system of claim 4, wherein the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the processing resource provides information on the selected given entry.
11. The system of claim 1, wherein the processing resource is further configured to analyze the content to identify cyber threats.
12. The system of claim 1, wherein the processing resource is further configured to analyze the content to determine a pattern indicative of a type and a model of at least one of the content source entity, the content destination entities, the network-external source entity and the network-external destination entity.
13. The system of claim 3, wherein the processing resource is further configured to calculate, for at least one given entity of the source entities and the destination entities, a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map.
14. The system of claim 13, wherein the processing resource is further configured to alert a user upon the vulnerability score exceeding a threshold.
15. The system of claim 3, wherein the processing resource is further configured to calculate, for at least one given entity of the source entities and the destination entities, a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of the content.
16. The system of claim 15, wherein the processing resource is further configured to alert a user upon the risk score exceeding a threshold.
17. The system of claim 4, wherein the processing resource is further configured to group, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold.
18. The system of claim 4, wherein the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein the processing resource is further configured to hide, within the network map, at least part of the entries, being hidden entries, on a route connecting a first route entity of the entities and a second route entity of the entities.
19. The system of claim 18, wherein the processing resource is further configured to display a virtual edge directly connecting the first route entity and the second route entity, and wherein upon selection of the virtual edge, the processing resource provides information on the route.
20. The system of claim 19, wherein the information includes information on the hidden entries.
21. The system of claim 1, wherein the OT systems include at least one Supervisory control and data acquisition (SCADA) entity.
22. The system of claim 1, wherein the OT systems include at least one Distributed Control System (DCS).
23. A method of analyzing network traffic passing through a given Operational Technology (OT) network, the method comprising:
(a) monitoring, by a processing resource, raw network traffic data passing through the given OT network, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an OT system;
(b) extracting content of at least some of the packets using Deep Packet Inspection (DPI) of the packets;
(c) identifying, utilizing the content, by the processing resource, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated;
(d) identifying at least one network-external source entity, being a source entity triggering creation of the content, or at least one network-external destination entity, being a destination entity to which the content refers, wherein the network-external source entity and the network-external destination entity are external to the given OT network; and
(e) repeating (a) to (d) continuously.
24. The method of claim 23, wherein at least one of the content source entity, the content destination entities, the network-external source entity or the network-external destination entity, is not identifiable without said extract.
25. The method of claim 24, further comprising generating a network map indicative of source entities and destination entities, and relationships therebetween, including the content source entity, the content destination entities, the network-external source entity or the network-external destination entity.
26. The method of claim 25, further comprising visually displaying the network map on a display.
27. The method of claim 26, wherein the network map is visually displayed in a layer structure.
28. The method of claim 27, wherein the layer structure is a Purdue layer structure.
29. The method of claim 26, further comprising:
providing an existing map of previously identified content source entities and previously identified content destination entities, the existing map not comprising the identified content source entities and the identified content destination entities; and
generating a visual indication on the existing map, indicating of the identified content source entities and the identified content destination entities, wherein the visual indication is associated with the identified content source entities and the identified content destination entities.
30. The method of claim 26, wherein the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the method further comprises generating a list of one or more actions to be performed on the given entity, wherein upon selection of a given action, the given action is performed on the given entity.
31. The method of claim 26, further comprising:
analyzing the content to identify cyber threats on one or more threatened entities of the source entities and the destination entities; and
providing a visual indication on the network map, indicating of the identified cyber threat, wherein the visual indication is associated with the threatened entities.
32. The method of claim 26, wherein the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein upon selection of a given entry associated with a given entity, the method further comprises providing information on the selected given entry.
33. The method of claim 23, further comprising analyzing the content to identify cyber threats.
34. The method of claim 23, further comprising analyzing the content to determine a pattern indicative of a type and a model of at least one of the content source entity, the content destination entities, the network-external source entity and the network-external destination entity.
35. The method of claim 25, further comprising calculating, for at least one given entity of the source entities and the destination entities, a vulnerability score indicative of a vulnerability thereof, wherein the vulnerability score is calculated based on the relationships of the given entity with other entities, the relationships being identifiable using the network map.
36. The method of claim 35, further comprising alerting a user upon the vulnerability score exceeding a threshold.
37. The method of claim 25, further comprising calculating, for at least one given entity of the source entities and the destination entities, a risk score indicative of a cyber security risk, wherein the risk score is calculated based on analysis of the content.
38. The method of claim 37, further comprising alerting a user upon the risk score exceeding a threshold.
39. The method of claim 26, further comprising grouping, within the network map, at least some of the source entities and at least some of the destination entities into one or more groups, wherein the relationships between the source entities and the destination entities within each of the groups meet a relationship-type threshold.
40. The method of claim 26, wherein the network map comprises a plurality of entries of respective entities including the source entities and the destination entities, and wherein the method further comprises hiding, within the network map, at least part of the entries, being hidden entries, on a route connecting a first route entity of the entities and a second route entity of the entities.
41. The method of claim 40, further comprising displaying a virtual edge directly connecting the first route entity and the second route entity, and wherein upon selection of the virtual edge, the method further comprises providing information on the route.
42. The method of claim 41, wherein the information includes information on the hidden entries.
43. The method of claim 23, wherein the OT systems include at least one Supervisory control and data acquisition (SCADA) entity.
44. The method of claim 23, wherein the OT systems include at least one Distributed Control System (DCS).
45. A non-transitory computer readable storage medium having computer readable program code embodied therewith, the computer readable program code, executable by at least one processor of a computer to perform a method comprising:
(a) monitoring, by a processing resource, raw network traffic data passing through a given Operational Technology (OT) network, the raw network traffic data comprising a plurality of packets, wherein at least some of the packets originate from an OT system;
(b) extracting content of at least some of the packets using Deep Packet Inspection (DPI) of the packets;
(c) identifying, utilizing the content, by the processing resource, a content source entity sending at least some of the packets and one or more content destination entities to which at least some of the packets are designated;
(d) identifying at least one network-external source entity, being a source entity triggering creation of the content, or at least one network-external destination entity, being a destination entity to which the content refers, wherein the network-external source entity and the network-external destination entity are external to the given OT network; and
(e) repeating (a) to (d) continuously.
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL256464A IL256464B (en) 2017-12-20 2017-12-20 A system and method for analyzing network traffic
IL256464 2017-12-20

Publications (1)

Publication Number Publication Date
WO2019123449A1 true WO2019123449A1 (en) 2019-06-27

Family

ID=61198569

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2018/051348 WO2019123449A1 (en) 2017-12-20 2018-12-12 A system and method for analyzing network traffic

Country Status (2)

Country Link
IL (1) IL256464B (en)
WO (1) WO2019123449A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080320582A1 (en) * 2007-06-19 2008-12-25 Rockwell Automation Technologies, Inc. Real-time industrial firewall
US20160094518A1 (en) * 2014-05-13 2016-03-31 Dell Software Inc. Method to enable deep packet inspection (dpi) in openflow-based software defined network (sdn)
US20170126516A1 (en) * 2015-10-30 2017-05-04 Nicira, Inc. Automatic health check and performance monitoring for applications and protocols using deep packet inspection in a datacenter

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220247777A1 (en) * 2020-04-27 2022-08-04 WootCloud Inc. Assessing Computer Network Risk
US11936679B2 (en) * 2020-04-27 2024-03-19 Netskope, Inc. Assessing computer network risk

Also Published As

Publication number Publication date
IL256464B (en) 2019-03-31
IL256464A (en) 2018-01-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18892623

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 21.10.2020)

122 Ep: pct application non-entry in european phase

Ref document number: 18892623

Country of ref document: EP

Kind code of ref document: A1