CyberLympha news

Patent granted to CyberLympha for the developed technology for anomaly detection in control system networks

We are proud to announce that a patent №2 738 460 has been issued to CyberLympha by the Federal Service for Intellectual Property (Rospatent).

The patented technology is at the heart of our CyberLympha Thymus software - an innovative security incident detection solution. CL Thymus uses machine learning methods and algorithms that allow it to learn the protected system and its normal operation without operator intervention. After completion of the learning process, anomalies in the system state, that may be the result of a security breach, are efficiently detected and reported.

Unlike traditional IDS systems that rely on known attack signatures or other solutions that detect general abnormalities in network traffic (i.e. traffic amount, average packet size or packet transmission frequency), CL Thymus works with automatic protocol reverse engineering and agent-based modeling methods. This allows for higher precision in anomaly detection and ability to explain algorithm's decision. These methods are the base of the patented anomaly detection technology.

Automatic protocol reverse engineering method allows deep packet inspection for protocols that have no strict format specification defined in the system. This specification is generated automatically as the method progresses in learning. Protected system's network topology and node interaction protocol are defined during network traffic analysis and passed to the input of the next method.

Agent-based modeling method builds system model as an aggregate of intercommunicating agents, which can be used for overall system behaviour prediction. Whenever the input signals differ from the predicted states the method detects an abnormal condition. The key advantage of this method is the ability to pinpoint the timeframe and the corresponding parameter values that led to detection triggering.

CL Thymus can be integrated with various security monitoring solutions, particularly CL DATAPK, that operate as a data source for CL Thymus. This approach improves incident detection efficiency and enables the operator to precisely identify all impacted assets. Furthermore, CL Thymus can in turn be a data source for an upstream SOAR-class system to enable automatic impact mitigation.

As Industrial Control Systems market is expected to demonstrate significant growth in the near future, we also see the increase in the number and complexity of successful cyberattacks that target the ICSs. No such thing as absolute security exists and each control system is subject to security-related threats. This requires suitable countermeasures - next-generation incident detection and security monitoring tools, including products that utilise machine learning algorithms, - remarks Alexei Shanin, CyberLympha CEO.