Anomaly Detection

Short facts

Anomaly detection is a method for IT and OT security and condition monitoring. Unlike common security solutions, it is not limited to detecting known threats or enforcing a generalized allow list. Its aim is to detect any anomaly in a network, where an anomaly is any deviation from the established standard communication of that specific network. Anomalies therefore include malware and cyberattacks as well as faulty data packets and communication changes caused by network problems, capacity bottlenecks or equipment failures. Anomaly detection thus supports holistic malfunction prevention, protects productivity and provides complete digital transparency of the network.

Background: Common IT security and monitoring concepts have traditionally focused on detecting already known cyber threats. They therefore leave an IT network or Industrial Control System (ICS) exposed to everything outside that narrow definition that can still disrupt it and lead to failures. With the increasing digitization of companies and the networking of components, the dangers to networks have become more diverse and complex. Meeting these challenges requires concepts that address network security and stability together. Anomaly detection addresses them systematically.

How does an anomaly detection work?

The idea of anomaly detection is based on three axioms:

  1. Companies are increasingly reliant on the disruption-free operation of their IT (i.e. office) and OT (operational technology, i.e. industrial) networks.
  2. Effective network management requires complete digital transparency: only administrators who know in detail what is happening in their network can operate and control it effectively and securely.
  3. Any change or anomaly in a network is a potential threat to its functionality.

An anomaly detection therefore monitors the entire communication within a network of any size, analyzes it in real time and immediately reports every anomaly to the administrator.

Deviations or anomalies can be, e.g.:

  • network problems (e.g. due to capacity bottlenecks or faulty data packets);
  • new network clients and devices;
  • new network connections;
  • changed command structure or hierarchy;
  • unknown (new or changed) data packets;
  • new protocol types between devices;
  • cyber attacks;
  • malware communication;
  • human sabotage.

Because the focus is on changes in the network, threats and communication patterns also become visible that are so far unknown, and thus not yet contained in any threat database, or that operate stealthily and cause only slow change.

To achieve this, the anomaly detection analyzes the existing network communication and infrastructure when it is installed. This network mapping gives administrators a clear overview of:

  • which device or client is part of the network;
  • which connections exist between the devices including
    • who communicates with whom and
    • which hierarchy is established between devices (e.g. master/slave);
  • which data packets are sent in the network;
  • what the content of each data packet is;
  • which protocols are used;
  • the frequency of certain communication patterns.

This digital transparency gives the administrator a complete digital inventory of the infrastructure. The initial analysis also reveals security holes, faulty connections and unwanted communication, so the network can be cleaned up before the baseline is fixed. From the refined network map, the anomaly detection derives a standard pattern. This pattern acts as the template against which changes or anomalies are detected during operation.

This approach is particularly effective in ICS, where communication is largely repetitive and predictable (deterministic) and follows clear command structures, so that a stable standard pattern can be derived. In office IT, where communication partners and patterns change constantly, the baseline is correspondingly less stable and produces more reports that need review.

To obtain the complete network communication, the data is monitored passively via mirror (SPAN) ports or network TAPs. The anomaly detection works without feedback into the network: a detected anomaly is not blocked automatically but reported to the administrator in real time. The reason is that at the time of the report it is often not yet clear whether the anomaly can cause a disturbance or damage, and automatic blocking could itself cause serious disruption, for example by cutting a legitimate control connection. The goal is rather to make every change visible and to help operators react to network changes immediately.
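The learning-then-compare procedure described in this section, as an added example (not code from the original page or from any anomaly detection vendor): a baseline is learned from a window of flow records, and an operation window is then checked for new devices, new connections, new protocols between known devices, changed request direction (master/slave hierarchy) and changed polling rates. Anomalies are only reported; the operator can clear one, which adds it to the standard pattern as described later under real-time reporting. All addresses, protocol labels and flows are constructed sample data.

```python
"""Baseline learning and report-only anomaly detection over flow records.

Added illustration, not code from the original page or from any vendor. The
learning phase maps devices, connections, protocols, request direction and
polling rates; in operation every deviation is reported, nothing is blocked.
All addresses, protocol labels and flow records are constructed sample data.
"""
from __future__ import annotations

from collections import Counter, namedtuple
from dataclasses import dataclass, field

RATE_FACTOR = 3.0   # report when a known polling relationship exceeds 3x its learned rate

Anomaly = namedtuple("Anomaly", "ts kind detail")


@dataclass(frozen=True)
class Flow:
    """One packet as a passive sensor on a mirror port or TAP would summarise it."""
    ts: float
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str   # constructed labels such as "modbus/tcp", "dnp3", "https"
    port: int    # service port of the connection (the server side's listening port)
    role: str    # "request" (master -> slave) or "response"


@dataclass
class Baseline:
    """The standard pattern derived from the initial network mapping."""
    devices: dict[str, str] = field(default_factory=dict)               # MAC -> IP
    conns: set[tuple[str, str, str, int]] = field(default_factory=set)  # (src, dst, proto, port)
    masters: dict[str, set[str]] = field(default_factory=dict)          # slave IP -> IPs that send it requests
    polls: Counter = field(default_factory=Counter)                     # (src, dst, proto) -> requests per window

    def learn(self, flows: list[Flow]) -> None:
        for f in flows:
            self.devices[f.src_mac] = f.src_ip
            self.conns.add((f.src_ip, f.dst_ip, f.proto, f.port))
            if f.role == "request":
                self.masters.setdefault(f.dst_ip, set()).add(f.src_ip)
                self.polls[(f.src_ip, f.dst_ip, f.proto)] += 1


class Detector:
    """Compares an operation window with the baseline. Report only, no feedback into the network."""

    def __init__(self, baseline: Baseline) -> None:
        self.b = baseline   # learning and operation windows are assumed to be equally long

    def _check_packet(self, f: Flow) -> list[Anomaly]:
        if f.src_mac not in self.b.devices:
            return [Anomaly(f.ts, "new_device", f"{f.src_mac} ({f.src_ip}) -> {f.dst_ip}")]
        found = []
        if (f.src_ip, f.dst_ip, f.proto, f.port) not in self.b.conns:
            known_pair = any(c[0] == f.src_ip and c[1] == f.dst_ip for c in self.b.conns)
            kind = "new_protocol" if known_pair else "new_connection"
            found.append(Anomaly(f.ts, kind, f"{f.src_ip} -> {f.dst_ip} {f.proto}/{f.port}"))
        learned = self.b.masters.get(f.dst_ip)
        if f.role == "request" and learned and f.src_ip not in learned:
            found.append(Anomaly(f.ts, "hierarchy_change",
                                 f"{f.src_ip} sends requests to {f.dst_ip}; learned masters: {sorted(learned)}"))
        return found

    def analyse(self, window: list[Flow]) -> list[Anomaly]:
        found: list[Anomaly] = []
        polls: Counter = Counter()
        for f in window:
            found.extend(self._check_packet(f))
            if f.role == "request":
                polls[(f.src_ip, f.dst_ip, f.proto)] += 1
        for key, n in polls.items():   # rate deviation on known polling relationships
            base = self.b.polls.get(key)
            if base and n > RATE_FACTOR * base:
                found.append(Anomaly(window[-1].ts, "rate_change", f"{key}: {n} requests vs {base} while learning"))
        return found

    def accept(self, flow: Flow) -> None:
        """The operator clears an anomaly: its flow becomes part of the standard pattern."""
        self.b.learn([flow])


# constructed sample network: a controller polling a PLC, an HMI, an engineering workstation (EWS)
MASTER, HMI, EWS, PLC = (("aa:00:00:00:00:10", "10.0.0.10"), ("aa:00:00:00:00:11", "10.0.0.11"),
                         ("aa:00:00:00:00:12", "10.0.0.12"), ("aa:00:00:00:00:20", "10.0.0.20"))


def poll(ts: float, master: tuple[str, str], slave: tuple[str, str], n: int) -> list[Flow]:
    flows = []   # n Modbus/TCP request/response pairs between master and slave
    for i in range(n):
        flows.append(Flow(ts + i, master[0], master[1], slave[1], "modbus/tcp", 502, "request"))
        flows.append(Flow(ts + i + 0.01, slave[0], slave[1], master[1], "modbus/tcp", 502, "response"))
    return flows


LEARNING = poll(0, MASTER, PLC, 5) + poll(0, HMI, PLC, 2) + [
    Flow(3.0, EWS[0], EWS[1], MASTER[1], "https", 443, "request")]
NEW_DNP3 = Flow(105.0, HMI[0], HMI[1], PLC[1], "dnp3", 20000, "request")    # new protocol between a known pair
OPERATION = poll(100, MASTER, PLC, 20) + poll(100, HMI, PLC, 2) + [           # the controller polls 4x as often
    Flow(103.0, EWS[0], EWS[1], MASTER[1], "https", 443, "request"),
    NEW_DNP3,
    Flow(106.0, EWS[0], EWS[1], PLC[1], "modbus/tcp", 502, "request"),         # known host that never talked to the PLC
    Flow(107.0, "aa:00:00:00:00:ff", "10.0.0.99", PLC[1], "modbus/tcp", 502, "request")]   # unknown device


def build_detector() -> Detector:
    base = Baseline()
    base.learn(LEARNING)
    return Detector(base)


if __name__ == "__main__":
    det = build_detector()
    print([(a.kind, a.detail) for a in det.analyse(OPERATION)])
```

Running the module prints five anomalies for the operation window: the HMI's new DNP3 connection, the workstation's first contact with the PLC together with the resulting hierarchy change, the unknown device, and the controller's fourfold polling rate. Calling `det.accept(NEW_DNP3)` afterwards removes only the DNP3 report on the next analysis; the remaining four stay until the operator decides on them.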

What makes an industrial anomaly detection different to common IT security solutions?

In terms of technology and basic monitoring approach, anomaly detection differs considerably from common IT security solutions such as firewalls, Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) systems.


Purpose

  • Industrial anomaly detection: cyber security; network monitoring; ensuring plant availability and productivity
  • SIEM: cyber security; network monitoring
  • IDS: cyber security
  • Firewall: access management; cyber security

Field of application

  • Industrial anomaly detection: continuous network condition monitoring of complex OT networks with deterministic communication patterns; specialized in ICS and OT environments, conditionally suitable for enterprise IT; level-2 security against (persistent, unknown) external threats as part of a defense-in-depth strategy
  • SIEM: monitoring of complex IT networks; enterprise IT / office IT
  • IDS: enterprise IT / office IT; level-1 security against (known) external threats
  • Firewall: management of authorizations; perimeter security

Functions

  • Industrial anomaly detection: detection of all changes from a standard communication pattern (known and unknown); digital transparency; in-depth analysis of communication; cyber asset management
  • SIEM: long-term analysis of communication structure; identification of security gaps in networks
  • IDS: interception of known attack patterns (signatures) from within and outside the network
  • Firewall: interception / blocking of known external threats

Reporting

  • Industrial anomaly detection: graphic and statistical visualization of suspicious activities; independent of the threat databases of IT security firms; depending on the provider: risk scoring of detected anomalies, comprehensive filter options, full data integration into third-party platforms, very detailed reporting for forensic analysis (e.g. raw data as PCAP obtained by deep packet inspection)
  • SIEM: graphic and statistical visualization of suspicious activities; very detailed reporting
  • IDS: defense efficiency dependent on the signature database of the IT security firm; detailed reporting; frequent false positives and false negatives
  • Firewall: defense efficiency dependent on the threat database of the IT security firm; reduced reporting function

Effort and costs

  • Industrial anomaly detection: low configuration and storage space requirement; short learning cycles (with automated self-learning technology); passive data feed; high costs
  • SIEM: long learning cycles; active data feed; high configuration and storage space requirement; specific expert knowledge required; very high costs
  • IDS: specific expert knowledge required; high costs
  • Firewall: continuous updates; medium costs

Furthermore, an anomaly detection not only monitors the boundaries of a network but also its inner workings. In this respect the technology resembles a SIEM, but without the technical and monetary effort a SIEM demands.

Anomaly detection also takes a very different approach from firewalls and signature-based IDS. Both depend on the security updates of the IT security vendors, who decide which activity counts as a threat. These concepts are therefore always one step behind the attacker: vendors extend their blacklists (signature and threat databases) only after a hazard has been observed somewhere. This update-driven strategy leaves networks exposed in the meantime, in particular industrial networks, where updates are very often delayed to avoid downtime or malfunctions.

Which functions does an effective industrial anomaly detection need?

Content analysis of data packets

To ensure complete digital transparency, network communication must be analyzed at the content level. Monitoring that works on packet headers alone sees only the metadata (sender, recipient, protocol type, ports). It cannot reveal erroneous data packets, nor attacks hidden inside otherwise permitted connections, for example a write command sent over a protocol and port that the baseline allows for read access.

Deep packet inspection (DPI) also reveals the actual content of the data packets. It permits analysis at the content level, for example of the commands and parameters an industrial protocol carries, and thereby allows fragmented or malformed packets and stealthy attacks to be detected.

The details of each reported anomaly are stored as a PCAP file, which allows a detailed forensic analysis. If required, the stored data and the anomaly report can additionally be given a qualified time stamp from a trust service provider, so that the data can be used as evidence, for example in court proceedings for damages.
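What header-only monitoring misses and DPI catches, as an added example (not code from the original page or from any vendor). Assumptions the page does not make: the monitored protocol is Modbus/TCP, the learned baseline permits state-changing (write) function codes to the PLC 10.0.0.20 only from the master 10.0.0.10, and all frames are constructed here. On the header level all four frames are the same kind of flow, TCP/502 towards the PLC; only parsing the payload separates a routine register read, the same write from a host that is not a learned master, and a truncated frame. Each anomaly is stored as a libpcap file, the format the text refers to.

```python
"""Deep packet inspection of Modbus/TCP frames with PCAP evidence for each anomaly.

Added example, not code from the original page or from any vendor. Assumed
(not from the page): protocol Modbus/TCP, a baseline that allows writes to the
PLC 10.0.0.20 only from 10.0.0.10, and constructed Ethernet/IPv4/TCP frames.
"""
from __future__ import annotations

import socket
import struct

MBAP = struct.Struct(">HHHB")                      # transaction id, protocol id, length, unit id
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}           # function codes that change coil/register state
ALLOWED_WRITERS = {"10.0.0.20": {"10.0.0.10"}}     # constructed baseline: PLC -> hosts learned as writing masters
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # libpcap header, LINKTYPE_ETHERNET


def parse_modbus(payload: bytes) -> dict:
    """Return MBAP fields and function code; raise ValueError for malformed frames."""
    if len(payload) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = MBAP.unpack_from(payload)
    if proto_id != 0:
        raise ValueError(f"protocol identifier {proto_id} is not Modbus")
    if len(payload) - 6 != length:                 # 'length' counts unit id + PDU
        raise ValueError(f"MBAP length {length} but {len(payload) - 6} bytes follow")
    func = payload[7]
    return {"tid": tid, "unit": unit, "func": func & 0x7F, "exception": bool(func & 0x80), "data": payload[8:]}


def build_modbus(tid: int, unit: int, func: int, data: bytes) -> bytes:
    return MBAP.pack(tid, 0, 2 + len(data), unit) + bytes([func]) + data


def _ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac: str, src_ip: str, dst_ip: str, sport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP(PSH/ACK) around a Modbus/TCP payload, as a sensor would capture it.
    The TCP checksum is left zero and the PLC's MAC is a fixed constructed value."""
    eth = bytes.fromhex("aa0000000020") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack(">HHIIBBHHH", sport, 502, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack(">H", _ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def inspect_frame(frame: bytes) -> dict | None:
    """Decode the L2-L4 headers, then judge the content. Returns an anomaly record or None."""
    ihl = (frame[14] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    payload = frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]
    try:
        pdu = parse_modbus(payload)
    except ValueError as err:
        return {"kind": "faulty_packet", "src": src_ip, "dst": dst_ip, "detail": str(err)}
    if pdu["func"] in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS.get(dst_ip, set()):
        return {"kind": "unauthorised_write", "src": src_ip, "dst": dst_ip,
                "detail": f"function {pdu['func']} to unit {pdu['unit']} from a host not learned as master"}
    return None


def pcap_bytes(records: list[tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) records as a libpcap file readable by Wireshark or tcpdump."""
    out = [PCAP_GLOBAL]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame)
    return b"".join(out)


# constructed traffic: register read, legitimate write, the same write from a stranger, a truncated frame
READ_REGS = build_modbus(1, 1, 3, struct.pack(">HH", 0, 10))        # read 10 holding registers from address 0
WRITE_REG = build_modbus(2, 1, 6, struct.pack(">HH", 5, 0xFFFF))    # write single register 5
SAMPLE = [
    (1700000000.000, build_frame("aa:00:00:00:00:10", "10.0.0.10", "10.0.0.20", 40001, READ_REGS)),
    (1700000000.050, build_frame("aa:00:00:00:00:10", "10.0.0.10", "10.0.0.20", 40001, WRITE_REG)),
    (1700000000.900, build_frame("aa:00:00:00:00:ff", "10.0.0.99", "10.0.0.20", 51000, WRITE_REG)),
    (1700000001.200, build_frame("aa:00:00:00:00:11", "10.0.0.11", "10.0.0.20", 40500, WRITE_REG[:9])),
]


def run(records: list[tuple[float, bytes]]) -> list[dict]:
    """Inspect every frame; attach a one-frame PCAP to each anomaly as forensic evidence."""
    anomalies = []
    for ts, frame in records:
        anomaly = inspect_frame(frame)
        if anomaly:
            anomaly.update(ts=ts, pcap=pcap_bytes([(ts, frame)]))
            anomalies.append(anomaly)
    return anomalies


if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a["kind"], a["src"], "->", a["dst"], a["detail"])
```

The two reports carry the evidence bytes in `a["pcap"]`; writing them to a `.pcap` file gives an analyst the exact frame in Wireshark. A flow-level sensor would have passed frames two and three as identical permitted traffic, and would have had no notion of frame four being malformed.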

Real-time reporting

The anomaly detection detects every anomaly in real time and notifies the operator immediately, so that the ICS administrator can examine the anomaly and block or clear it as quickly as possible. Especially in automation environments that depend on the real-time capabilities of their assets, the speed of anomaly reporting determines how stable productivity remains.

The anomaly detection also learns newly permitted communication: an anomaly the administrator clears is added automatically to the standard communication pattern. Clearing therefore has to be a deliberate decision, because a pattern cleared in error becomes part of the baseline and is no longer reported.

Risk scoring of anomalies

For an effective management of the anomaly reports, each anomaly is given a risk assessment with regard to its potential danger to productivity and to the functionality of the devices in the network. Administrators can filter the anomalies by the assigned risk score and thus prioritize their measures. For example, an authorization change on a device that is highly relevant for productivity receives a correspondingly high risk score. This supports the thorough risk assessment that insurance companies are already demanding.

Other filter options include protocol type, device and MAC address.

Tracking of anomalies

First-time anomalies can be tracked. If the same anomaly appears again, the anomaly detection recognizes it and tags it as a recurrence. Administrators can thus assess whether an anomaly is systematic and whether specific countermeasures have been successful.

Integration in existing backend systems

The anomaly detection can act as a data supplier for other control systems. Anomaly reports can be forwarded to active security components such as firewalls, but also to maintenance or production control systems. The company can thus use the anomaly data for basic network security, preventive maintenance, quality management and process optimization.

For efficient management, data delivery to other backend systems can be automated. Policy filters define which anomalies are transferred automatically from the anomaly detection system to which connected backend system. For example, anomalies that indicate a cybersecurity incident can be sent automatically to an active security component, e.g. a firewall, to block the source, while an anomaly indicative of an equipment failure is sent to the MES. The policy filters are freely definable. Since forwarding to a blocking component reintroduces the disruption risk that passive monitoring avoids, such policies should be restricted to high-risk anomalies from sources that are not themselves production assets.

The data transfer uses common interfaces such as a REST API, syslog, SNMP, IPFIX or IEC 60870-5-104 (IEC 104).
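The management functions described in this section (risk scoring, filtering, recurrence tracking and policy-based forwarding) in one pipeline, as an added example that is not code from the original page or from any vendor. Everything in it is constructed: the asset inventory with production-criticality ratings, the per-class severities, the anomaly reports shaped like a detector's output, and the two sinks, an RFC 5424 syslog line for a firewall or SIEM and a JSON message for an MES (the enterprise number 32473 in the structured-data element is the one RFC 5424 reserves for examples). The policies forward operational anomalies to the MES, security anomalies to the SIEM, and only high-score anomalies from unknown sources to the firewall.

```python
"""Risk scoring, recurrence tracking and policy-based forwarding of anomaly reports.

Added example, not code from the original page or from any vendor. Assets,
severities, reports, scoring rule, policies and sink formats are all constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

ASSETS = {  # IP -> (name, criticality for production, 1..5); constructed inventory
    "10.0.0.20": ("PLC line 1", 5), "10.0.0.11": ("HMI", 3), "10.0.0.12": ("engineering workstation", 2)}
CLASS_SEVERITY = {  # base severity of an anomaly class, 1..5
    "unauthorised_write": 5, "new_device": 4, "hierarchy_change": 4, "new_protocol": 3,
    "new_connection": 3, "rate_change": 2, "faulty_packet": 2}
OPERATIONAL = {"rate_change", "faulty_packet"}   # classes that point at equipment or network problems


@dataclass
class Report:
    ts: float
    kind: str
    src: str
    dst: str
    proto: str
    detail: str
    score: int = 0
    recurrence: int = 0            # 0 = first occurrence of this fingerprint
    tags: list[str] = field(default_factory=list)


def risk_score(r: Report) -> int:
    """1..10: class severity weighted by the criticality of the most critical asset involved."""
    crit = max(ASSETS.get(r.src, ("", 1))[1], ASSETS.get(r.dst, ("", 1))[1])
    return max(1, min(10, round(CLASS_SEVERITY.get(r.kind, 1) * crit / 2.5)))


def fingerprint(r: Report) -> str:
    """Same class, source, destination and protocol -> same anomaly, whatever the timestamp."""
    return hashlib.sha256(f"{r.kind}|{r.src}|{r.dst}|{r.proto}".encode()).hexdigest()[:16]


class Tracker:
    """Tags repeated anomalies as recurrences so systematic problems and failed countermeasures show up."""

    def __init__(self) -> None:
        self.seen: dict[str, int] = {}

    def tag(self, r: Report) -> Report:
        fp = fingerprint(r)
        r.recurrence = self.seen.get(fp, 0)
        self.seen[fp] = r.recurrence + 1
        r.tags += ["recurrence" if r.recurrence else "first_time", f"fp:{fp}"]
        return r


def to_syslog(r: Report) -> str:
    """RFC 5424 line: facility 10 (security), severity 2 (critical) for score >= 8, else 4 (warning)."""
    pri = 10 * 8 + (2 if r.score >= 8 else 4)
    ts = datetime.fromtimestamp(r.ts, tz=timezone.utc).isoformat().replace("+00:00", "Z")
    sd = (f'[anomaly@32473 kind="{r.kind}" src="{r.src}" dst="{r.dst}" proto="{r.proto}" '
          f'score="{r.score}" recurrence="{r.recurrence}"]')
    return f"<{pri}>1 {ts} ot-sensor-01 anomaly-detection - {r.kind.upper()} {sd} {r.detail}"


def to_mes_json(r: Report) -> str:
    return json.dumps({"asset": ASSETS.get(r.dst, (r.dst, 0))[0], "event": r.kind, "score": r.score,
                       "recurrence": r.recurrence, "detail": r.detail, "ts": r.ts}, sort_keys=True)


# policy filters: (target, predicate, formatter); freely definable by the operator
POLICIES = [
    ("firewall", lambda r: r.kind not in OPERATIONAL and r.score >= 8 and r.src not in ASSETS, to_syslog),
    ("siem", lambda r: r.kind not in OPERATIONAL, to_syslog),
    ("mes", lambda r: r.kind in OPERATIONAL and ASSETS.get(r.dst, ("", 0))[1] >= 3, to_mes_json),
]


def route(r: Report) -> dict[str, str]:
    return {target: fmt(r) for target, matches, fmt in POLICIES if matches(r)}


def filter_reports(reports: list[Report], min_score: int = 0, proto: str | None = None,
                   dst: str | None = None) -> list[Report]:
    """The operator's filter view: by risk score, protocol and affected device."""
    return [r for r in reports if r.score >= min_score
            and (proto is None or r.proto == proto) and (dst is None or r.dst == dst)]


def process(reports: list[Report]) -> list[tuple[Report, dict[str, str]]]:
    tracker, out = Tracker(), []
    for r in reports:
        r.score = risk_score(r)
        out.append((tracker.tag(r), route(r)))
    return out


SAMPLE = [  # constructed detector output; the fourth report repeats the first
    Report(1700000000.9, "unauthorised_write", "10.0.0.99", "10.0.0.20", "modbus/tcp", "function 6 from unknown host"),
    Report(1700000010.0, "rate_change", "10.0.0.10", "10.0.0.20", "modbus/tcp", "20 requests vs 5 while learning"),
    Report(1700000020.0, "new_connection", "10.0.0.12", "10.0.0.11", "https", "10.0.0.12 -> 10.0.0.11 https/443"),
    Report(1700000060.9, "unauthorised_write", "10.0.0.99", "10.0.0.20", "modbus/tcp", "function 6 from unknown host"),
    Report(1700000070.0, "faulty_packet", "10.0.0.11", "10.0.0.12", "vnc", "truncated frame"),
]

if __name__ == "__main__":
    for r, targets in process(SAMPLE):
        print(r.score, r.kind, r.tags, sorted(targets) or "console only")
```

The repeated write from the unknown host is tagged as a recurrence and scored 10 both times, so it reaches the firewall and the SIEM; the controller's rate change goes to the MES as an operational report on a critical asset; the faulty packet towards the low-criticality workstation matches no policy and stays in the operator's console, which is the intended behaviour for a report nobody should act on automatically.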

Utilizing an industrial anomaly detection in Industry 4.0 and IIoT

An industrial anomaly detection is tailored to the technological requirements of networked industrial environments. Here, too, the differences from common IT security solutions become clear.





Effectivity in Industry 4.0

  • Industrial anomaly detection: specialized in industrial networks (ICS); reports security threats; reports operational anomalies such as network bottlenecks, faulty communication and configuration problems; depending on the provider: risk scoring of anomalies for prioritization of measures
  • SIEM: no specialization in industrial networks; no notification of operational anomalies such as network bottlenecks, faulty communication and configuration problems
  • IDS: no specialization in industrial networks; no notification of operational anomalies such as network bottlenecks, faulty communication and configuration problems
  • Firewall: no specialization in industrial networks; no notification of operational anomalies such as network bottlenecks, faulty communication and configuration problems

Integration IT/OT

  • Industrial anomaly detection: depending on the provider, full data integration and bridging of the gap between control station, MES, SAP and other third-party platforms; supplier of network data for quality assurance, cyber security and predictive maintenance
  • SIEM: collecting point for big data on security incidents from other systems; generally does not support logging of SCADA systems
  • IDS: low compatibility with OT environments; collecting point and executive for data on security incidents from other systems (e.g. management of newly detected signatures from the anomaly detection)
  • Firewall: low compatibility with OT environments; collecting point and executive for data on security incidents from other systems

Industrial anomaly detection is the only effective tool in the field of Industry 4.0 and the Industrial Internet of Things (IIoT) that ensures complete transparency and complete reporting of cyber threats and operational anomalies, thus securing productivity and process stability. Integration with the corporate IT via APIs also enables the management of operational or plant-related anomalies.

The IT market analyst Gartner Inc. recognized this potential in its »Market Guide for Operational Technology Security 2017«, which shows that anomaly detection has become increasingly important among the 30 providers listed. In this guide, Rhebo is listed as the only German supplier of an industrial anomaly detection.