Earlier, I talked about network anomaly detection.
It is a class of technology that uses past activity as a baseline to judge whether your network is healthy and normal.
Key considerations to evaluate for deployment:
- The "past" activities must be correctly understood by the technology in the first place, since they become the baseline reference
- Using a typical life cycle management concept, the algorithm must be intelligent enough to manage the entire suite of new, change and delete use cases of network traffic without too many false negatives or false positives
- Flag "new" traffic that deviates from the baseline, with a different severity level depending on the intent behind it
- Whether the algorithm is equipped with deep packet inspection (or, even better, machine learning capability) to inspect expected connections whose payloads differ from the baseline
- Report traffic that is missing from the baseline, which could be a sign of malfunctioning field device(s) talking to the host or controller
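To make the new/changed/missing use cases above concrete, here is an added example (not code from the original post or any product) that learns a baseline from constructed flow records and then evaluates a later window against it; the flow tuples, port numbers, severity policy and the 3x volume threshold are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, bytes), not real data.
# LEARNING_WINDOW is the "past" the baseline is built from; LATER_WINDOW is
# the traffic being judged against that baseline.
LEARNING_WINDOW = [
    ("10.0.1.10", "10.0.2.20", 502, 1200),    # HMI -> PLC, Modbus/TCP
    ("10.0.1.10", "10.0.2.20", 502, 1180),
    ("10.0.1.11", "10.0.2.21", 502, 900),
    ("10.0.1.11", "10.0.2.21", 502, 950),
    ("10.0.1.12", "10.0.2.22", 20000, 400),   # DNP3 poll of a field device
    ("10.0.1.12", "10.0.2.22", 20000, 420),
]
LATER_WINDOW = [
    ("10.0.1.10", "10.0.2.20", 502, 1210),    # known tuple, similar volume
    ("10.0.1.11", "10.0.2.21", 502, 9000),    # known tuple, volume changed
    ("10.0.1.30", "10.0.2.20", 22, 300),      # new tuple, port never seen before
    # 10.0.1.12 -> 10.0.2.22 never appears: candidate malfunctioning device
]

def build_baseline(flows):
    """Mean bytes per (src, dst, port) connection over the learning window."""
    samples = defaultdict(list)
    for src, dst, port, nbytes in flows:
        samples[(src, dst, port)].append(nbytes)
    return {key: sum(v) / len(v) for key, v in samples.items()}

def evaluate(baseline, flows, change_ratio=3.0):
    """Return (kind, key, severity, detail) findings for a later window.
    change_ratio is an assumed tuning knob: a known connection whose volume
    moves more than this factor from its baseline mean is reported as changed."""
    known_ports = {port for (_, _, port) in baseline}
    seen, findings = set(), []
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        seen.add(key)
        if key not in baseline:
            # Assumed policy: a brand-new service port is more serious than a
            # new pair using a protocol the baseline already knows.
            severity = "high" if port not in known_ports else "medium"
            findings.append(("new", key, severity, "connection not in baseline"))
            continue
        ratio = nbytes / baseline[key]
        if ratio > change_ratio or ratio < 1 / change_ratio:
            findings.append(("changed", key, "medium", f"volume {ratio:.1f}x baseline"))
    for key in baseline:
        if key not in seen:
            findings.append(("missing", key, "medium", "expected traffic absent; check field device"))
    return findings
```

In practice the baseline would be re-learned on a schedule so that approved additions and decommissioned devices are absorbed rather than reported forever.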
Challenges are:
- Competency and capability of the deployment team to understand your environment
- The criteria for signing off the project as complete from a contractual perspective
- And don't forget: this only improves detection of things that have already happened in THE PAST; in other words, everything you see is the past, judged with intelligence derived from the past