Title:
SYSTEMS AND METHODS FOR ANALYZING AND CONTROLLING NETWORK TRAFFIC
Document Type and Number:
WIPO Patent Application WO/2022/229125
Kind Code:
A1
Abstract:
A system for analyzing and controlling network traffic associated with at least one device (101) that resides between a first network (110) and a second network (120), said system (200) comprising a memory that stores machine-executable components (201, 202, 203), a processor that is operatively coupled to the memory, and is configured to execute the machine-executable components (201, 202, 203), wherein the machine-executable components (201, 202, 203) comprise a policy definition authority component (201) and a network traffic analyze-control-component (202, 203), wherein the policy definition authority component (201) is configured to provide, to the network traffic analyze-control-component (202, 203), at least one first data analytics model (205) and at least one second data analytics model (206), the network traffic analyze-control-component (202, 203) is configured to receive an input data representative of the network traffic, apply the at least one first data analytics model (205) to the input data, wherein the at least one first data analytics model (205) identifies at least one network traffic situation, apply the at least one second data analytics model (206) to the at least one network traffic situation, wherein the at least one second data analytics model (206) generates at least one rule according to which the network traffic can be controlled, control the network traffic according to the at least one rule.

Inventors:
FISCHER JAN-GREGOR (DE)
LEIPOLD MICHAEL (DE)
SKUBACZ MICHAL (DE)
Application Number:
PCT/EP2022/060947
Publication Date:
November 03, 2022
Filing Date:
April 26, 2022
Assignee:
SIEMENS AG (DE)
International Classes:
H04L9/40
Foreign References:
US20180300124A1 (2018-10-18)
CN105204487A (2015-12-30)
Claims:
Patent Claims

1. A system for analyzing and controlling network traffic associated with at least one device (101) that resides between a first network (110) and a second network (120), said system (200) comprising: a memory that stores machine-executable components (201, 202, 203), a processor that is operatively coupled to the memory, and is configured to execute the machine-executable components (201, 202, 203), wherein the machine-executable components (201, 202, 203) comprise a policy definition authority component (201) and a network traffic analyze-control-component (202, 203), wherein the policy definition authority component (201) is configured to

- provide, to the network traffic analyze-control-component (202, 203), at least one first data analytics model (205) and at least one second data analytics model (206), the network traffic analyze-control-component (202, 203) is configured to

- receive an input data representative of the network traffic,

- apply the at least one first data analytics model (205) to the input data, wherein the at least one first data analytics model (205) identifies at least one network traffic situation,

- apply the at least one second data analytics model (206) to the at least one network traffic situation, wherein the at least one second data analytics model (206) generates at least one rule according to which the network traffic can be controlled,

- control the network traffic according to the at least one rule.

2. System of Claim 1, wherein the network traffic associated with the at least one device (101) is network traffic inbound to, network traffic on and network traffic outbound from the at least one device (101).

3. System of Claim 1 or 2, wherein the input data comprises a network traffic data and a network traffic context data representative of a context within which the network traffic occurs, wherein the at least one first data analytics model (205) performs a context-based identification of the at least one network traffic situation.

4. System of Claim 3, wherein the network traffic data comprises at least one of bandwidth, jitter, frequencies of data loss, latencies, network protocol.

5. System of Claim 3 or 4, wherein the network traffic context data comprises at least one of identification of a user that initiates the network traffic, license information associated with the network traffic, information associated with system environment, outside temperature.

6. System of any one of Claims 1 to 5, wherein the network traffic analyze-control-component comprises a network traffic analyzer component (202) and a network traffic controller component (203), wherein the network traffic analyzer component (202) is configured to apply the at least one first data analytics model (205) to the input data, and the network traffic controller component (203) is configured to apply the at least one second data analytics model (206) to the at least one network traffic situation and to control the network traffic according to the at least one rule.

7. System of any one of Claims 1 to 6, wherein the first data analytics model (205) and/or second data analytics model (206) are/is trained or defined on historical network traffic data.

8. System of any one of Claims 1 to 7, wherein the at least one first data analytics model (205) analyses statistical and / or stochastic and / or temporal correlations of the network traffic to identify the at least one network traffic situation.

9. System of any one of Claims 1 to 8, wherein the at least one network traffic situation comprises streaming continuous high-frequency sensor data from the first network to the system and/or requesting, by the second network, a file download from the system.

10. System of any one of Claims 1 to 9, wherein the first data analytics model (205) and/or second data analytics model (206) are/is based on or comprise a rule engine, complex event processing engine, constraint reasoner, temporal logic reasoner, description logics reasoner, simulation-based analyzer, statistical reasoner, mathematical optimizer, neural network classifier or on a combination of one or multiple thereof.

11. System of any one of Claims 1 to 10, wherein the network traffic analyze-control-component (202, 203) is configured to receive the input data continuously in an input data stream and/or in form of batches of input data, and while receiving the input data, run the at least one first data analytics model (205) on the input data, wherein the at least one first data analytics model (205) determines correlations between the network traffic and a past and / or a current and/or an anticipated network traffic.

12. System of any one of Claims 1 to 11, wherein the network traffic analyze-control-component (202, 203) comprises or is configured to access a data repository for storing historic network traffic metrics and/or statistics that are used for improving the identification quality based on historical information.

13. A computer implemented method for analyzing and controlling network traffic associated with at least one device (101) that resides between a first network (110) and a second network (120), said system (200) comprising: a memory that stores machine-executable components (201, 202, 203), a processor that is operatively coupled to the memory, and is configured to execute the machine-executable components (201, 202, 203), wherein the machine-executable components (201, 202, 203) comprise a policy definition authority component (201) and a network traffic analyze-control-component (202, 203), the method comprising: providing, by the policy definition authority component (201), at least one first data analytics model (205) and at least one second data analytics model (206) to the network traffic analyze-control-component (202, 203), receiving, by the network traffic analyze-control-component (202, 203), an input data representative of the network traffic, applying, by the network traffic analyze-control-component (202, 203), the at least one first data analytics model (205) to the input data, wherein the at least one first data analytics model (205) identifies at least one network traffic situation, applying, by the network traffic analyze-control-component (202, 203), the at least one second data analytics model (206) to the at least one network traffic situation, wherein the at least one second data analytics model (206) generates at least one rule according to which the network traffic can be controlled, controlling, by the network traffic analyze-control-component (202, 203), the network traffic according to the at least one rule.

14. A computer program comprising instructions which, when the program is executed by a computing system, cause the computing system to carry out the steps of the method of claim 13.

15. A computer-readable medium comprising instructions which, when executed by a computing system, cause the computing system to carry out the steps of the method of claim 13.

Description:
Description

Systems and methods for analyzing and controlling network traffic

The subject matter disclosed herein relates to systems and methods for analyzing and controlling network traffic associated with at least one device that resides between a first network and a second network.

Furthermore, the subject matter disclosed herein relates to a computer program and to a computer-readable medium carrying the computer program.

Edge computing enriches automation control with digital industrial applications close to the shop floor, in particular at the shop floor, that is, close to industrial machines, actuators and other equipment. While adding new functionalities such as increased production transparency and optimization, predictive maintenance, condition monitoring and visual awareness, it also - by definition - represents a man-in-the-middle between operational and information technologies that must be carefully protected for platform stability, data privacy and other IT-security reasons. This aspect becomes even more important in the case of open application ecosystems that allow OEMs, customers and 3rd parties to deploy and run their own applications on the edge and/or IIoT (Industrial Internet of Things) devices close to production-critical assets, analyzing data and feeding back information to the operational equipment and thereby influencing production-related control flows. On the one hand, in both valid application scenarios, production control and data privacy must not be negatively affected, while at the same time the scope and flexibility of Edge application scenarios shall not be reduced without explicit transparency and control.

In such Edge ecosystems the problem to be solved is to allow for flexible extension of traditional shop floor functions by applications from third parties, and - at the same time - to protect the operator's production processes, hardware assets, data privacy and additionally the stability of the Edge platform and Edge applications even in the presence of erroneous or malicious applications or external malicious threats.

One aspect of this problem is the need for means for data and data traffic control, which can enable the required protection in open application ecosystem approaches for Edge computing.

Regarding the data traffic control, it is necessary to correctly assess and distinguish between different types of network traffic, so that both the protection of the operator's production processes, hardware assets and data privacy and the stability of the Edge platform and Edge applications are ensured even in the presence of erroneous or malicious applications or external malicious threats.

One possible approach is to apply a network bandwidth throttling approach. There, a quota-oriented transfer buffer controls network link bandwidth over time, allowing for time-limited traffic bursts, limiting traffic to a restricted upper-bound network bandwidth and refilling the burst buffer over time if the traffic bandwidth is not fully utilized. This strategy allows traffic related to e.g. high-frequency data to run continuously while at the same time allowing bandwidth-limited continuous or time-bounded bursts for other traffic, with several limitations.

The strategy shows a multitude of drawbacks and limitations. It cannot strictly distinguish between different continuous and burst traffic on the same network channels but assesses the union of all kinds of traffic over each channel at the same time. The control mechanism's boundary properties and thresholds are not dynamic, as the real usage scenarios cannot be understood in an automated manner as a combined scenario formed by the individual traffic contributions.

Using this traditional approach it is not possible to distinguish between different types of traffic in case the traffic characteristics resemble each other. In dynamic network link scenarios valid type-1 traffic may even be analyzed as a false positive (type-2 / malicious traffic) and throttled down, as the required intelligence for situation understanding is missing. The same applies to type-2 traffic scenarios, which are even more error-prone in this respect as they often occur in dynamic situations when Edge applications initiate ad-hoc type-2 network communication, such as a best-effort download of a very big image or of a report not fitting into the burst bandwidth quota and thus being throttled down, leading to customer dissatisfaction about improper platform networking qualities.
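To make the limitation concrete, here is an added example (not code from the patent) of the quota-oriented transfer buffer just described, a token bucket in Python, shared by a periodic sensor stream and an ad-hoc bulk download on one link. The flow names, rates, the proportional split of admitted bytes between flows and the one-second download window are constructed assumptions; the point shown is that the quota only ever sees the union of the two flows.

```python
"""Quota-oriented transfer buffer (token bucket) and a simulation of its main
limitation: the quota sees only the union of all traffic on a link, so a valid
high-frequency stream is throttled together with an ad-hoc bulk download.
Example code added for this page, not the patent's own; all parameter values
are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class BurstBuffer:
    """Token bucket with integer time in milliseconds (avoids float drift).

    rate_per_ms: sustained upper-bound bandwidth in bytes per millisecond
    burst:       maximum stored quota in bytes, i.e. the size of a time-limited burst
    """
    rate_per_ms: int
    burst: int
    tokens: int = 0
    last_ms: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.burst  # the burst quota starts full

    def admit(self, now_ms: int, nbytes: int) -> int:
        """Return how many of `nbytes` may pass now; the remainder is throttled."""
        # Bandwidth left unused since the last call refills the quota, capped at `burst`.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate_per_ms)
        self.last_ms = now_ms
        allowed = min(nbytes, self.tokens)
        self.tokens -= allowed
        return allowed


def simulate(rate_per_ms: int = 300, burst: int = 200_000, step_ms: int = 10,
             total_ms: int = 2_000, download_window_ms=(1_000, 1_500)) -> dict:
    """One BurstBuffer shared by a periodic sensor stream (type-1 traffic in the
    text's terms, 2 kB every 10 ms) and a bulk download (type-2) that asks for
    500 kB per step during the download window.

    The bucket only sees the combined demand; admitted bytes are split between the
    flows in proportion to their demand, a modelling assumption standing in for a
    link without per-type prioritisation."""
    bucket = BurstBuffer(rate_per_ms, burst)
    sensor = {"before": [0, 0], "during": [0, 0], "after": [0, 0]}  # [got, wanted] bytes
    download_got = 0
    for now_ms in range(0, total_ms, step_ms):
        in_window = download_window_ms[0] <= now_ms < download_window_ms[1]
        demand = {"sensor": 2_000, "download": 500_000 if in_window else 0}
        total = sum(demand.values())
        allowed = bucket.admit(now_ms, total)
        share = {name: allowed * d // total for name, d in demand.items()}
        phase = "before" if now_ms < download_window_ms[0] else "during" if in_window else "after"
        sensor[phase][0] += share["sensor"]
        sensor[phase][1] += demand["sensor"]
        download_got += share["download"]
    return {
        "sensor_delivered_fraction": {p: got / wanted for p, (got, wanted) in sensor.items()},
        "sensor_bytes": {p: got for p, (got, _) in sensor.items()},
        "download_bytes": download_got,
    }


if __name__ == "__main__":
    for phase, frac in simulate()["sensor_delivered_fraction"].items():
        print(f"sensor stream delivered {frac:.1%} of its frames {phase} the download")
```

With the constructed parameters the sensor stream gets every frame through before and after the download, but only about 1.3 % of its frames while the download drains the shared quota; the bucket has no notion of which flow is the must-have one, which is exactly the gap the situation-aware approach below is meant to close.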

Another solution approach is known from the digital rights management (DRM) context (e.g. https://www.capgemini.com/2015/11/drm-for-things-managing-rights-and-permissions-for-iot , https://link.springer.com/article/10.1007/s11042-020-08683-2). Here, critical data is protected by applying digital cryptography in combination with a usage license. Though the approach can protect from unauthorized data access, it cannot solve the problem of correctly handling mixed type-1 and type-2 traffic situations in case the protected data cannot be classified properly. DRM systems are also hard to integrate and maintain (DRM license management on customer premises), and lead to increased costs for development, testing and necessary licensing of a DRM runtime.

Therefore, a sustainable and reliable solution for the above problem is needed.

In order to achieve this objective, the present invention provides a system for analyzing and controlling network traffic associated with at least one device that resides between a first network and a second network, said system comprising a memory that stores machine-executable components, a processor that is operatively coupled to the memory, and is configured to execute the machine-executable components, wherein the machine-executable components comprise a policy definition authority component and a network traffic analyze-control-component, wherein the policy definition authority component is configured to provide, to the network traffic analyze-control-component, at least one first data analytics model and at least one second data analytics model, the network traffic analyze-control-component is configured to receive an input data representative of the network traffic, apply or run the at least one first data analytics model to the input data, wherein the at least one first data analytics model identifies at least one network traffic situation, apply the at least one second data analytics model to the at least one network traffic situation, wherein the at least one second data analytics model generates at least one rule according to which the network traffic can be controlled, control the network traffic according to the at least one rule.

The system is, therefore, a situation-aware decision system for analyzing and controlling the network traffic, which provides means for data and data traffic control and thus enables the required protection in open application ecosystem approaches for Edge computing.

It enables a proper identification of different classes (situations) of network transfers and a correct assessment of and distinction between different types of network traffic.

For example, type-1 traffic can be traffic of potentially time-critical (w.r.t. shopfloor functionality) importance for the functionality of the system, including critical Edge applications based on must-have network traffic scenarios (e.g. Edge-inbound traffic with high frequency, high quality motion control or drive train data) as the basis for operations. Improper context-awareness of a networking situation and inadequate controllability may negatively affect data security and / or stability of the Edge computing platform and applications in terms of network load characterized by data frequency and bandwidth, jitter and latency.

Type-1 traffic must be correctly classified, e.g. to distinguish between a valid high-frequency machine tool data transfer and an invalid overload situation such as an erroneous Edge application running high-frequency traffic congesting I/O resources and leading to a potential unavailability of critical functions.

Type-2 traffic can be all other network traffic that is not time-critical for Edge computing functions, such as best-effort data imports from customer systems (e.g. maintenance tasks), best-effort imports of background information for improving data analysis (e.g. external CAD/CAM models), or best-effort Web-based access for accessing data from Ecosystem applications running on the Siemens IIoT / Edge computing platforms (e.g. downloads of 2D / 3D graphs and PDF reports). As the combination of multiple type-2 traffic requests may lead to a type-1 traffic situation, it is important to correctly understand and assess the contribution of each single traffic to an overall network traffic situation, including erroneous and potentially malicious network traffic.

The system can, therefore, guarantee data transfers related to a first type of traffic (type-1 above) while allowing as much flexibility as possible for data transfers related to a second type of traffic (type-2 above) and detecting and isolating invalid traffic scenarios at the same time.

In an embodiment, the network traffic associated with the at least one device can be a network traffic inbound to, a network traffic on and a network traffic outbound from the at least one device.

In an embodiment, the input data comprises a network traffic data and a network traffic context data representative of a context within which the network traffic occurs, wherein the at least one first data analytics model performs a context-based identification of the at least one network traffic situation.

Hence the system allows a context-based understanding of the overall traffic situation and fine-granular control over individual network links to overcome the limitations described above.

This context-based approach for situation understanding and flexible control strategies helps to reduce the false-positive reasoning results of prior art approaches.

In an embodiment, the network traffic data can comprise at least one of bandwidth, jitter, frequencies of data loss, latencies, network protocol.

In an embodiment, the network traffic context data can comprise at least one of identification of a user that initiates the network traffic, license information associated with the network traffic, information associated with system environment (production or test), outside temperature.

In an embodiment, the network traffic analyze-control-component comprises a network traffic analyzer component and a network traffic controller component, wherein the network traffic analyzer component is configured to apply / to run the at least one first data analytics model to the input data, and the network traffic controller component is configured to apply the at least one second data analytics model to the at least one network traffic situation and to control the network traffic according to the at least one rule.

In an embodiment, the first data analytics model and/or second data analytics model are/is trained or defined on historical network traffic data.

In an embodiment, the at least one first data analytics model analyses statistical and / or stochastic and / or temporal correlations of the network traffic to identify the at least one network traffic situation.

In an embodiment, the at least one network traffic situation comprises streaming continuous high-frequency sensor data from the first network to the system and/or requesting, by the second network, a file download from the system.

In an embodiment, the first data analytics model and/or second data analytics model are/is based on or comprise a rule engine, complex event processing engine, constraint reasoner, temporal logic reasoner, description logics reasoner, simulation-based analyzer, statistical reasoner, mathematical optimizer, neural network classifier or on a combination of one or multiple thereof.

In an embodiment, the network traffic analyze-control-component is configured to receive the input data continuously in an input data stream and/or in form of batches of input data, for example, each microsecond, millisecond, second or minute, and, while receiving the input data, run the at least one first data analytics model on the input data, wherein the at least one first data analytics model determines correlations between the network traffic and a past and / or a current and/or an anticipated / predicted network traffic (to identify the at least one network traffic situation).

The system using the network traffic context data provides a generic and flexible mechanism (in terms of increased usability for application code developers) for protecting sensitive data, as it does not distinguish between "restricted" and "unrestricted" data but assesses and controls all kinds of type-1 and type-2 network traffic in the same homogeneous way by understanding the full situational context between inbound, outbound and on-device network traffic over time.

Therefore, the system can actively control inbound, outbound and on-device network traffic in dependence on the integrated analysis of past, current and anticipated situations of single and combined traffic scenarios. These scenarios can be correlated in order to derive information about system and network stability and data privacy based on historic, current and / or simulated data.

In an embodiment, the network traffic analyze-control-component comprises or is configured to access a data repository (e.g. a file or database) for storing historic network traffic metrics and/or statistics that are used for improving the identification quality based on historical information.

In order to achieve the above-mentioned objective, the present invention also provides a computer implemented method for analyzing and controlling network traffic associated with at least one device that resides between a first network and a second network, said system comprising a memory that stores machine-executable components, a processor that is operatively coupled to the memory, and is configured to execute the machine-executable components, wherein the machine-executable components comprise a policy definition authority component and a network traffic analyze-control-component, the method comprising:

- providing, by the policy definition authority component, at least one first data analytics model and at least one second data analytics model to the network traffic analyze-control-component,

- receiving, by the network traffic analyze-control-component, an input data representative of the network traffic,

- applying, by the network traffic analyze-control-component, the at least one first data analytics model to the input data, wherein the at least one first data analytics model identifies at least one network traffic situation,

- applying, by the network traffic analyze-control-component, the at least one second data analytics model to the at least one network traffic situation, wherein the at least one second data analytics model generates at least one rule according to which the network traffic can be controlled,

- controlling, by the network traffic analyze-control-component, the network traffic according to the at least one rule.
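The method just listed, carried through as an added Python example (not the patent's own code): the policy definition authority hands over a first model that identifies each flow's situation from traffic data plus context data, and a second model that turns the identified situations into control rules; the analyze-control component then programs a per-flow cap. Record fields, the 100 Hz threshold, the 20 % headroom, the assumed link capacity and the constructed one-second window are assumptions; the three constructed flows mirror the valid high-frequency OT stream, the erroneous edge application and the best-effort download described earlier.

```python
"""Two-model pipeline of the claims, end to end: a policy definition authority provides
a first data analytics model (situation identification) and a second one (rule
generation); the analyze-control component applies them to traffic plus context data
and controls each flow. Example code added for this page, not the patent's own code;
record fields, thresholds and the constructed window are assumptions."""
from dataclasses import dataclass
from statistics import pstdev

LINK_BPS = 1_000_000  # assumed device link capacity in bytes per second

@dataclass(frozen=True)
class Record:
    """Traffic data (t_ms, direction, nbytes) plus context data (initiator, user, licensed)."""
    t_ms: int
    flow: str
    direction: str   # inbound / outbound / on_device, relative to the device
    initiator: str   # ot_source / it_network / edge_app
    nbytes: int
    user: str
    licensed: bool

@dataclass(frozen=True)
class Situation:
    flow: str
    kind: str
    bandwidth_bps: float
    frequency_hz: float
    jitter_ms: float

@dataclass(frozen=True)
class Rule:
    flow: str
    action: str      # guarantee / limit / block
    limit_bps: float

def first_model(window: list[Record], window_ms: int) -> list[Situation]:
    """Context-based identification of each flow's traffic situation in one window."""
    per_flow: dict[str, list[Record]] = {}
    for r in window:
        per_flow.setdefault(r.flow, []).append(r)
    situations = []
    for flow, recs in per_flow.items():
        ts = sorted(r.t_ms for r in recs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        freq = len(recs) * 1000 / window_ms
        bw = sum(r.nbytes for r in recs) * 1000 / window_ms
        jitter = pstdev(gaps) if len(gaps) > 1 else 0.0
        r0 = recs[0]
        # Metrics alone cannot separate the first two cases (both are high-frequency
        # streams); the context data (initiator, license) decides.
        if freq >= 100 and r0.initiator == "ot_source" and r0.licensed:
            kind = "type1_sensor_stream"   # must-have OT data, e.g. drive-train signals
        elif freq >= 100 and r0.initiator == "edge_app" and not r0.licensed:
            kind = "invalid_overload"      # erroneous app congesting device I/O
        elif r0.initiator == "it_network" and r0.direction == "outbound":
            kind = "type2_download"        # best-effort file or report download
        else:
            kind = "type2_other"
        situations.append(Situation(flow, kind, bw, freq, jitter))
    return situations

def second_model(situations: list[Situation]) -> list[Rule]:
    """Rule generation: guarantee type-1 with headroom, isolate invalid traffic,
    share the remaining link capacity among type-2 flows."""
    headroom = 1.2
    reserved = sum(s.bandwidth_bps for s in situations if s.kind == "type1_sensor_stream") * headroom
    n_type2 = max(1, sum(s.kind.startswith("type2") for s in situations))
    share = max(0.0, LINK_BPS - reserved) / n_type2
    rules = []
    for s in situations:
        if s.kind == "type1_sensor_stream":
            rules.append(Rule(s.flow, "guarantee", s.bandwidth_bps * headroom))
        elif s.kind == "invalid_overload":
            rules.append(Rule(s.flow, "block", 0.0))
        else:
            rules.append(Rule(s.flow, "limit", share))
    return rules

def policy_definition_authority():
    """Provides both models; plain functions here, classifiers or a rule engine in general."""
    return first_model, second_model

def analyze_control(window: list[Record], window_ms: int) -> dict:
    """Receive input data, apply model 1, apply model 2, control the traffic."""
    model1, model2 = policy_definition_authority()
    situations = model1(window, window_ms)
    rules = model2(situations)
    # Control = programming a per-flow shaper: each flow's byte-per-second cap,
    # where 0 isolates the flow entirely.
    return {"situations": situations, "rules": rules,
            "control": {r.flow: r.limit_bps for r in rules}}

def constructed_input() -> list[Record]:
    """Constructed one-second window: a 500 Hz spindle stream from an OT source, a report
    download initiated by the IT network, and an unlicensed edge app emitting a bursty
    300 Hz stream on the device."""
    recs = [Record(t, "spindle", "inbound", "ot_source", 64, "plc-1", True) for t in range(0, 1000, 2)]
    recs += [Record(t, "report", "outbound", "it_network", 40_000, "mes-user", True) for t in range(0, 1000, 100)]
    t = 0
    for i in range(300):
        recs.append(Record(t, "rogue", "on_device", "edge_app", 512, "app-7", False))
        t += 1 if i % 2 == 0 else 5
    return recs

if __name__ == "__main__":
    print(analyze_control(constructed_input(), 1000)["control"])
```

Running `analyze_control(constructed_input(), 1000)` classifies the spindle stream as type-1 (guaranteed 38.4 kB/s, its measured rate plus headroom), the report download as type-2 (capped at the remaining 961.6 kB/s) and the unlicensed app's stream as an invalid overload (cap 0, i.e. isolated). Note that the spindle and the rogue flow have near-identical traffic metrics; only the context fields separate them, which is the case the description makes for context-based identification.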

The above and other objects and advantages of the invention will be apparent upon consideration of the following detailed description of certain aspects indicating only a few possible ways in which it can be practiced. The description is taken in conjunction with the accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

FIG 1 a block diagram illustrating a computing system that may be used to facilitate communication between an OT- and an IT-network,

FIG 2 a block diagram of FIG 1 according to one possible embodiment,

FIG 3 a block diagram of FIG 1 according to one possible embodiment,

FIG 4 a flow diagram of a method that can be carried out by a network traffic control system, and

FIG 5 a computer-readable medium with a computer program.

The computing system 100 of FIG 1 comprises one or more IIoT (Industrial Internet of Things) or edge devices 101, an OT (Operational Technology) network 110, an IT network 120 and a network traffic control system 200.

For the sake of simplicity and where it is appropriate, the one or more IIoT or edge devices are referred to below as device 101. The device 101 resides between the OT network 110 and the IT network 120.

The OT network 110 may comprise one or more OT devices 111 such as industrial sensors and automation controllers. Each OT device 111 can be designed to communicate with other devices in the OT network 110 and with one or more of the IIoT / Edge Devices 101. Some of the OT devices can be designed as and serve as OT data sources 112 providing data (e.g. automation data and/or sensor signals) or OT data sinks 113 receiving data (e.g. automation control input and sensor and/or automation configuration data) or a combination thereof. Data sources can be referred to as data providers, data sinks can be referred to as data consumers and a combination thereof can be referred to as data prosumers.

The IT network 120 can comprise IT equipment such as Manufacturing Execution Systems (MES), Enterprise Resource Planning (ERP) systems, Computerized Maintenance Management Systems (CMMS), databases or data lakes on premises or in a cloud. Each element 121 in the IT network 120 can be designed to communicate with other devices in the IT network 120 and with one or more of the IIoT / Edge Devices 101. The elements can be designed as and serve as IT data sources 122 providing data (e.g. MES and ERP data or maintenance tasks from a CMMS) or IT data sinks 123 receiving data (e.g. motor and workpiece quality data, predictive maintenance-related information or detected process anomalies) or a combination thereof (IT data prosumers).

The device 101 is configured to establish a connection between the OT network 110 and the IT network 120 and to process data from both networks and/or data on the device 101 itself by routing between the networks and optionally to and from applications running on the device 101 (e.g. in the field of data analytics) close to the industrial equipment (e.g. a motor or a machine tool).

Each of the IIoT / edge devices 101 comprises an application runtime space 102 that can host and run one or more applications 103 (e.g. data analytics applications). The application runtime space 102 can be designed as a runtime environment for the applications 103. Some of the applications 103 can be designed and serve as data sinks 104 and/or data sources 105.

The data sinks 104 can be configured to receive data inbound to the device 101 and data from the applications 103 running on the device 101.

The network traffic control system 200 comprises a policy definition authority component 201, a network traffic analyzer component 202, and a network traffic controller component 203. The network traffic analyzer component 202 and the network traffic controller component 203 can correspond to the network traffic analyze-control-component according to the invention.

Each of the components can be realized as a software and / or hardware component. For example, some of the components can be realized in form of ASICs (application-specific integrated circuits) integrated with one or more of the IIoT / edge devices 101. In an embodiment some of the network traffic control system's components can be incorporated into a system-on-a-chip (SoC) which can be integrated with one or more of the IIoT / edge devices 101.

In an embodiment each of the IIoT / edge devices 101 comprises a network traffic analyzer component 202 and a network traffic controller component 203, so that different network traffic analyzer components 202 and network traffic controller components 203 reside on different IIoT / edge devices 101.

The policy definition authority component 201 can reside on the device 101 (not shown) or on a server, for example on a backend server, e.g. on an on-prem backend server or on a cloud backend server.

The policy definition authority component 201 can be configured to receive data 204 based on a network traffic data associated with one or more of the IIoT/edge devices 101 (device-specific network traffic data). This can also be historical or real-time data. The policy definition authority component 201 can also be configured to retrieve data from a data lake that contains historical network traffic data associated with one or more of the IIoT/edge devices 101. The data can be the device-specific network traffic data or, if requested for IT security reasons, pre-processed, anonymized / pseudonymized data characteristics about related network traffic properties. The data 204 is representative for different network traffic control scenarios or situations.

Furthermore, the policy definition authority component is configured to generate (or provide) at least one first and at least one second data analytics model 205, 206 based on the received data 204.

In an embodiment, the data 204 comprises device-specific network traffic data from different IIoT / edge devices 101 and the policy definition authority component 201 generates different first and second data analytics models 205, 206 for the different IIoT / edge devices 101.

The first data analytics model 205 and/or the second data analytics model 206 can be based on one or more neural networks. In this case the data 204 can serve as training data for the neural networks.

The first and second data analytics models 205, 206 are designed or configured to be used to analyze and control device-specific network traffic in dependence on inbound network traffic to this device.

In an embodiment the first data analytics model 205 and/or second data analytics model 206 are/is based on or comprise a rule engine, complex event processing engine, constraint reasoner, temporal logic reasoner, description logics reasoner, simulation-based analyzer, statistical reasoner, mathematical optimizer, neural network classifier or on a combination of one or multiple thereof.

In an embodiment the first data analytics model 205 comprises a simulation-based analyzer and a neural network classifier. In this case it is possible to classify network traffic situations based on anticipated / predicted network traffic.

In an embodiment, the policy definition authority component 201 can be configured to allow a manual definition, e.g. by a human being, of rules, constraints or other kinds of policies, so that the first data analytics model 205 and/or the second data analytics model 206 can be designed as a manually definable set of rules.

In an embodiment, the policy definition authority component 201 can be configured to provide computer-aided support for facilitating one or multiple tasks of manual definition, e.g. supervised machine learning. In this case the first data analytics model 205 and/or the second data analytics model 206 can be designed as models based on a machine learning algorithm, e.g. on a neural network.

In an embodiment, the policy definition authority component 201 can be configured to generate the first data analytics model 205 and/or the second data analytics model 206 fully automatically, i.e. without human interaction, e.g. by uti lizing unsupervised training. After generating the first data analytics model 205 and/or the second data analytics model 206 the policy definition authority component 201 may present the result to a user for acceptance.

The at least one first data analytics model 205 is transferred to the network traffic analyzer component 202 of the corresponding IIoT / edge device. The at least one second data analytics model 206 is transferred to the network traffic controller component 203 of the corresponding IIoT / edge device.

The network traffic analyzer component 202 can reside at an IIoT / edge device or at one of the IIoT / edge devices 101 and is configured to receive input data representative of the network traffic and to utilize the at least one first data analytics model 205 in order to identify at least one network traffic situation. In an embodiment the network traffic analyzer component 202 produces a description of the at least one network traffic situation.

The network traffic associated with the device 101 is the network traffic inbound to, the network traffic on, and the network traffic outbound from the device 101.

In an embodiment the input data comprises network traffic data and network traffic context data representative of the context within which the network traffic occurs. In this case the at least one first data analytics model 205 performs a context-based identification of the at least one network traffic situation.

Examples of the network traffic data comprise, but are not restricted to, at least one of bandwidth, jitter, frequency of data loss, latency, network protocol, etc.

Examples of the network traffic context data comprise, but are not restricted to, at least one of: the identification of the user that initiates the network traffic, license information associated with the network traffic (e.g. whether the requesting party is allowed to receive the data), information associated with the system environment (production or test), and the outside temperature.

Especially when the first and/or second data analytics model is based on a neural network or a machine learning algorithm, the received input data can be used by the policy definition authority component 201 for training new models or for further training of already existing models. In this case it is transferred to the policy definition authority component 201 as the data 204.

To derive a network traffic situation the first data analytics model 205 is designed to apply statistical, stochastic and / or temporal correlations of the network traffic, i.e. the traffic inbound to and/or outbound from the one or more IIoT / edge devices 101 and/or the traffic on the one or more IIoT / edge devices 101 (on-device traffic).

The temporal correlations can be analyzed at a pre-determined point in time or over (a pre-determined period of) time.

In an embodiment the network traffic analyzer component 202 can be configured to receive the input data continuously as an input data stream and/or in the form of batches of input data, for example every microsecond, millisecond, second or minute. While receiving the input data, the network traffic analyzer component 202 can run the at least one first data analytics model 205 on the input data. During runtime the at least one first data analytics model 205 determines correlations between the network traffic and past and / or current and / or anticipated / predicted network traffic. For example, the network traffic analyzer component 202 can be configured to store the input data from the beginning of the time period for which the correlations will be analyzed, so that "past traffic" here refers to the traffic received within that pre-determined period of time; it is not to be confused with the historical network traffic. The anticipated network traffic can be produced, for example, by one of the above-mentioned algorithms, e.g. by a simulation-based analyzer.

The output of the first data analytics model 205 can, for example, be the situation "continuous high-frequency sensor data streaming over the OT network 110 to the device 101" and/or "inbound request for a batch-based download of a large file from the 3rd party app by a Web client 121 in the IT network 120" (FIG 2).

A further example of the at least one network traffic situation is a high-frequency (e.g. one data point per 2 ms) streaming of high-quality data from a specific device in the OT network 110 before a request for downloading high-frequency-granular data exports to the IT network 120 is received. In an embodiment the high-frequency streaming of high-quality data can be buffered, e.g. for several hours or for a day, on one of the IIoT / edge devices 101 before it is transferred to the IT network 120 (FIG 3).

Furthermore, the first data analytics model 205 can be used to assess incipient overload, system stability criticality and / or data privacy threats (e.g. if a receiver is not authorized to access a certain quality of industrial IoT data).

The network traffic analyzer component 202 is configured to transfer the identified network traffic situation(s) to the network traffic controller component 203. This can be done periodically or continuously. In particular, the information is transferred in the form of a computer-readable representation. For example, the network traffic analyzer component 202 may produce a JSON or XML-based output.
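The following is an added example, not code from the patent or from Siemens: a rule-based first data analytics model 205, as run by the network traffic analyzer component 202, that takes records combining network traffic data (bandwidth, interval, jitter, loss, latency, protocol) and context data (user, license, environment), tags each flow, correlates the outbound flows over a sliding time window to detect incipient overload, and emits the identified situation as JSON. The record layout, the thresholds and the tag names are assumptions; the input records are constructed sample data.

```python
import json
from typing import Any

# Assumed thresholds for the rule-based first model; not taken from the patent.
LINK_CAPACITY_MBPS = 100.0   # capacity of the device's link towards the IT network
HF_INTERVAL_MS = 5.0         # a data point at least every 5 ms counts as high-frequency
LARGE_FILE_MB = 100.0        # a batch download above this size counts as a large file

# Constructed sample input: one record per flow seen at device 101, carrying
# network traffic data (bandwidth, jitter, loss, latency, protocol) and
# network traffic context data (user, license, environment).
SAMPLE_INPUT = [
    {"t": 0.0, "direction": "inbound", "src": "machine-111", "dst": "app-103",
     "protocol": "opcua", "bandwidth_mbps": 40.0, "interval_ms": 2.0, "jitter_ms": 0.1,
     "loss_rate": 0.0, "latency_ms": 1.0, "request": "stream",
     "context": {"user": "machine-111", "licensed": True, "environment": "production"}},
    {"t": 0.5, "direction": "outbound", "src": "app-103", "dst": "webclient-121",
     "protocol": "https", "bandwidth_mbps": 150.0, "interval_ms": None, "jitter_ms": 5.0,
     "loss_rate": 0.01, "latency_ms": 20.0, "request": "batch_download", "size_mb": 800.0,
     "context": {"user": "alice", "licensed": True, "environment": "production"}},
]

# Same flows, but the IT-side receiver is not licensed for this data (privacy threat).
UNLICENSED_INPUT = [
    dict(SAMPLE_INPUT[0]),
    {**SAMPLE_INPUT[1], "context": {"user": "mallory", "licensed": False, "environment": "test"}},
]


def classify_flow(rec: dict[str, Any]) -> list[str]:
    """Per-flow part of the first model: tag one record from its traffic and context data."""
    tags = []
    interval = rec.get("interval_ms")
    if rec["direction"] == "inbound" and interval is not None and interval <= HF_INTERVAL_MS:
        tags.append("hf_stream_inbound")
    if rec.get("request") == "batch_download" and rec.get("size_mb", 0.0) >= LARGE_FILE_MB:
        tags.append("large_batch_download_request")
    if rec["direction"] == "outbound" and not rec["context"].get("licensed", False):
        tags.append("unauthorized_receiver")   # receiver not allowed to get this data quality
    return tags


def outbound_load(records, now: float, window_s: float) -> float:
    """Temporal correlation: total outbound bandwidth of the flows seen in the last window_s seconds."""
    return sum(r["bandwidth_mbps"] for r in records
               if r["direction"] == "outbound" and now - window_s <= r["t"] <= now)


def analyze(records, window_s: float = 1.0, capacity_mbps: float = LINK_CAPACITY_MBPS) -> dict:
    """Apply the first model to a batch of input data and return the identified situation."""
    now = max(r["t"] for r in records)
    flows = [{"src": r["src"], "dst": r["dst"], "protocol": r["protocol"], "tags": classify_flow(r)}
             for r in records]
    situation = sorted({tag for f in flows for tag in f["tags"]})
    load = outbound_load(records, now, window_s)
    if load > capacity_mbps:
        # Overload is a property of the combination of flows, not of any single flow.
        situation.append("incipient_overload")
    return {"time": now, "window_s": window_s, "outbound_mbps": load,
            "situation": situation, "flows": [f for f in flows if f["tags"]]}


def to_json(situation: dict) -> str:
    """Computer-readable representation handed to the network traffic controller component 203."""
    return json.dumps(situation, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(analyze(SAMPLE_INPUT)))
```

Note that `incipient_overload` is derived from the sum over the window rather than from any one record: a single type-2 download below the link capacity is harmless, but several of them within the same window are not, which is exactly what a per-flow classifier alone would miss.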

In other words, the network traffic analyzer component 202 (periodically or continuously) sends the results of the analysis performed with the aid of the one or more first data analytics models 205, i.e. the derived network traffic situation, to the network traffic controller component 203.

In an embodiment, the network traffic controller component 203 can be based on or comprise a rule engine, a complex event processing engine, a constraint reasoner, a temporal logic reasoner, a description logics reasoner, a simulation-based analyzer, a statistical reasoner, a mathematical optimizer, a neural network classifier, or a combination of several of these.

In an embodiment, the network traffic controller component 203 resides at an IIoT / edge device or at one of the IIoT / edge devices and is configured to use the at least one second data analytics model 206 to control the network traffic inbound to and/or outbound from the one or more IIoT / edge devices 101 and/or the traffic on the one or more IIoT / edge devices 101 (on-device traffic).

FIG 1, FIG 2 and FIG 3 illustrate the network traffic controller component 203 comprising three interfaces 203a, 203b, 203c, wherein each interface can be used to allow data transfer without any restrictions, to block data transfer entirely, or to transform the data in some way before transferring it. The interface 203a is an interface to the OT network 110, in particular to the OT data sink 113; the interface 203b is an interface to the applications 103 within the device 101; the interface 203c is an interface to the IT network 120, in particular to the OT data sink 123.

In an embodiment, the communication links between the OT network 110, the device 101 and the IT network 120 can be protected by cryptographic means. E.g. the information flow can be encrypted by way of public-key cryptography or a similar method.

The network traffic controller component 203 uses the data received from the network traffic analyzer component 202 (the identified network traffic situation) as input data to the one or more second data analytics models 206, which output one or more rules or instructions on how to proceed with the network traffic within the scope of the identified network traffic situation. These instructions can comprise instructions associated with actions to be performed on the network traffic. Furthermore, the network traffic controller component 203 is configured to control the network traffic according to the one or more instructions / rules.

In other words, based on the data / information associated with the classification of the at least one network traffic situation received from the network traffic analyzer component 202, the network traffic controller component 203 controls the network traffic in the corresponding network traffic situations according to the output of the one or more second data analytics models 206.

As mentioned above, the network traffic controller component 203 can receive the input from the network traffic analyzer component 202 periodically or continuously. This may improve the functionality and quality of control of the network traffic. The functionality and quality depend on the analysis of past, current and / or predicted future network traffic situation(s) and optionally on correlations between multiple network traffic situations.

Sending (periodically or continuously) the data associated with the identified network traffic situations from the network traffic analyzer component 202 allows the network traffic controller component 203 to be configured and the control of the network traffic to be improved.

The result of this configuration process is a network traffic controller component 203 that executes the one or more second data analytics models 206, which define one or multiple control policies, once / periodically / continuously for each new / existing network traffic. A control policy (a set of rules, or the weights of a neural network) can dynamically transform traffic by removing parts of the transferred Industrial IoT data or by reducing the quality of the Industrial IoT data (e.g. reducing the data resolution in data streams such as video camera image streams, timeseries data streams or event data streams, and setting an optional data quality field to the new resolution value and an optional reason field containing the reason for the quality reduction, for transparency), or it can block / postpone selected traffic.
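As an added example, not code from the patent or from Siemens, here is the "transform" action described above applied to a timeseries stream: the controller component 203 lowers the time resolution by an integer factor (aggregating consecutive points), and each surviving point carries a data quality field with the new and original resolution plus a reason field. The stream layout (`t_ms`, `value`), the field names `data_quality` and `reason`, and the budget-driven choice of the factor are assumptions; the 2 ms stream is constructed. The same pattern applies to image or event streams with a different aggregation step.

```python
import math
from statistics import mean


def make_stream(n: int, interval_ms: float = 2.0) -> list[dict]:
    """Constructed high-quality stream: one data point every 2 ms with synthetic values."""
    return [{"t_ms": i * interval_ms, "value": float(i % 7)} for i in range(n)]


def factor_for_budget(points_per_s: float, budget_points_per_s: float) -> int:
    """Smallest integer decimation factor that brings the point rate within the budget."""
    if budget_points_per_s <= 0:
        raise ValueError("budget must be positive")
    return max(1, math.ceil(points_per_s / budget_points_per_s))


def reduce_resolution(points: list[dict], factor: int, reason: str) -> list[dict]:
    """Transform action: lower the time resolution of a uniformly sampled stream.

    Each output point is the mean of `factor` consecutive input points and is
    annotated with the new resolution, the original resolution and the reason,
    so the receiver can see that the data was degraded and why.
    """
    if factor < 1:
        raise ValueError("factor must be >= 1")
    if len(points) < 2:
        return [dict(p) for p in points]
    original_ms = points[1]["t_ms"] - points[0]["t_ms"]   # assumes uniform sampling
    new_ms = original_ms * factor
    out = []
    for i in range(0, len(points), factor):
        bucket = points[i:i + factor]
        out.append({
            "t_ms": bucket[0]["t_ms"],
            "value": mean([p["value"] for p in bucket]),
            "data_quality": {"interval_ms": new_ms,
                             "original_interval_ms": original_ms,
                             "aggregation": "mean",
                             "points_merged": len(bucket)},
            "reason": reason,
        })
    return out


def throttle_stream(points: list[dict], budget_points_per_s: float, reason: str) -> list[dict]:
    """Controller-side helper: derive the factor from the stream's current rate, then transform."""
    interval_ms = points[1]["t_ms"] - points[0]["t_ms"]
    rate = 1000.0 / interval_ms
    return reduce_resolution(points, factor_for_budget(rate, budget_points_per_s), reason)


if __name__ == "__main__":
    reduced = throttle_stream(make_stream(20), budget_points_per_s=100.0, reason="overload")
    for p in reduced:
        print(p)
```

Averaging rather than simply dropping points keeps the reduced stream representative of the original; which aggregation is acceptable depends on the data, and the `aggregation` entry records the choice next to the resolution so a downstream consumer does not have to guess.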

In summary, the network traffic control system 200 allows a proper identification and control of different classes (situations) of network transfers, in order to correctly assess and distinguish between different types of network traffic.

In an embodiment, there are two types of network traffic. Type-1 traffic is of potentially time-critical (w.r.t. shopfloor functionality) importance for the functionality of the system, including critical IIoT / edge applications based on must-have network traffic scenarios (e.g. edge device inbound traffic with high-frequency, high-quality motion control or drive train data) as the basis for operations. Improper context-awareness of a networking situation and inadequate controllability may negatively affect data security and / or the stability of the edge computing platform and applications in terms of network load, characterized by data frequency and bandwidth, jitter and latency.

Type-2 traffic is all other network traffic that is not time-critical for edge computing functions, such as best-effort data imports from customer systems (e.g. maintenance tasks), best-effort imports of background information for improving data analysis (e.g. external CAD/CAM models), or best-effort Web-based access to data from ecosystem applications running on the Siemens IIoT / Edge computing platforms (e.g. downloads of 2D / 3D graphs and PDF reports). As the combination of multiple type-2 traffic requests may lead to a type-1 traffic situation, it is desirable to correctly understand and assess the contribution of each single traffic flow to the overall network traffic situation, including erroneous and potentially malicious network traffic.

Being able to classify Type-1 traffic is important, e.g. in order to distinguish between a valid high-frequency machine tool data transfer and an invalid overload situation such as an erroneous IIoT/edge device application generating high-frequency traffic that congests I/O resources and leads to potential unavailability of critical functions.

The following description is essentially limited to the differences from the exemplary embodiment in FIG 1; reference is made to the description of the exemplary embodiment in FIG 1 with regard to the parts of the system that remain the same.

FIG 2 shows the system 100 of FIG 1, wherein the policy definition authority component 201 provides the same set of rules 205, 206 to the network traffic analyzer component 202 and to the network traffic controller component 203. The set comprises two rules:

1) Allow periodic downloads of big data chunks, where successive downloads must be at least 5 minutes apart, and

2) Block all other traffic.

The OT network 110 is designed as a machine network and the IT network 120 is designed as a factory network. The OT device 111 can be designed as a machine tool that can comprise a control unit and a connector device for high-frequency machine data transfer. The web client 121 in the factory network 120 may continuously request monitoring reports.

The machine data source (the OT device 111 in the machine network 110) provides Type-1 traffic, i.e. high-frequency machine tool data (streaming), to the network traffic analyzer component 202. This data is further requested by an application 103 running on the device 101. It will be appreciated that requesting and streaming the data goes through the network traffic analyzer component 202 and the network traffic controller component 203. E.g. the data stream to the app 103 goes through the interface 203b of the network traffic controller component 203.

The application 103 running on the device 101 can be a 3rd party app (i.e. an app developed neither by the entities governing the machine and/or factory networks nor by the entity governing the device). The application 103 can be a 3rd party high-frequency machine data monitoring app. The app 103 can comprise a Webserver for downloading monitoring reports about the machine network 110.

After analyzing the network traffic according to the rules provided by the policy definition authority component 201, the network traffic analyzer component 202 identifies the following network traffic situation: "3rd Party Edge application 103 is continuously receiving high quality data from a machine 111 on the OT network 110; there is a request for a batch-based download of a large file from the 3rd party app 103 by a Web client 121 in the IT (factory) network 120", and passes this information to the network traffic controller component 203. The first data analytics model 205 and the second data analytics model 206 can be based on a rule engine in this case.

Under the conditions set out by the policy definition authority component 201 and based on the identified network traffic situation, the network traffic controller component 203 can perform the following actions on the network traffic.

• Allow the outbound file download via interface 203c to the Web client 121 in the factory network 120 with maximal bandwidth; do not transform or block the traffic,

• Block all other outbound traffic (e.g. traffic to the machine tool data sink 113),

• Evaluate the situation again if a new traffic request is received or the characteristics of existing traffic change.

Turning to FIG 3, the policy definition authority component 201 defines the following rules:

1) Allow all streaming traffic to clients as long as there is no overload situation,

2) On overload or if the receiver is not authorized (data privacy): transform all outbound traffic to the IT network by reducing the data point frequency.

The OT network 110 can be designed as a machine network and the IT network 120 can be designed as a factory network. The OT device 111 can be designed as a machine tool that can comprise a control unit and a connector device for high-frequency machine data transfer. The web client 121 in the factory network 120 may continuously request high-frequency and/or high-quality data.

The analysis of the network traffic by the network traffic analyzer component 202 provides the following network traffic situation: "3rd Party machine data monitoring application 103 is continuously receiving high quality data from a machine 111 on the OT network 110; there is a request for a high-frequency transfer of high-quality data from the 3rd party app 103 by a Web client 121 in the IT (factory) network 120 that will lead to a network overload scenario or system instability".

Based on the above rules and the identified network traffic situation, the network traffic controller component 203 controls the network traffic accordingly:

• Transform and send via interface 203c: a low-quality / low-frequency data transfer to the Web client 121 in the IT network 120 with restricted bandwidth,

• Block all other outbound traffic,

• Evaluate the situation again if a new traffic request is received or the characteristics of existing traffic change.
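The two rule sets of FIG 2 and FIG 3, written as an added example (not code from the patent or from Siemens) of the second data analytics model 206 in the form of a small rule engine inside the network traffic controller component 203. Each policy maps an identified situation to one action per outbound request (allow, block or transform on interface 203a, 203b or 203c), the FIG 2 policy keeps the timestamp of the last allowed download so that the 5-minute spacing is enforced, and the controller re-evaluates whenever a new situation arrives. The `Request`, `Situation` and `Action` shapes, the interface naming and the reduction factor are assumptions; the transform itself is only described by its parameters here.

```python
from dataclasses import dataclass, field
from typing import Callable

MIN_DOWNLOAD_GAP_S = 5 * 60   # FIG 2 rule 1: successive downloads at least 5 minutes apart
REDUCTION_FACTOR = 10         # assumed: on overload, stretch the data point interval tenfold


@dataclass
class Request:
    """One outbound transfer request taken from the identified situation."""
    kind: str                      # "batch_download" or "stream"
    iface: str                     # "203a" (OT sink 113), "203b" (apps 103), "203c" (IT network 120)
    receiver_authorized: bool = True
    interval_ms: float = 0.0       # data point spacing for streams


@dataclass
class Situation:
    """What the analyzer component 202 reported for the current evaluation."""
    t: float                       # seconds
    requests: list[Request]
    overload: bool = False         # incipient overload flagged by the first model


@dataclass
class Action:
    iface: str
    decision: str                  # "allow", "block" or "transform"
    params: dict = field(default_factory=dict)


Policy = Callable[[dict, Situation], list[Action]]


def fig2_policy(state: dict, sit: Situation) -> list[Action]:
    """1) allow big downloads to the IT network spaced >= 5 min apart, 2) block everything else."""
    actions = []
    for r in sit.requests:
        last = state.get("last_download_t")
        spaced = last is None or sit.t - last >= MIN_DOWNLOAD_GAP_S
        if r.kind == "batch_download" and r.iface == "203c" and spaced:
            state["last_download_t"] = sit.t          # remembered for the next evaluation
            actions.append(Action(r.iface, "allow", {"bandwidth": "max"}))
        else:
            actions.append(Action(r.iface, "block"))
    return actions


def fig3_policy(state: dict, sit: Situation) -> list[Action]:
    """1) allow streaming to IT clients while there is no overload,
    2) on overload or an unauthorized receiver, transform by reducing the data point frequency;
    any other outbound traffic is blocked."""
    actions = []
    for r in sit.requests:
        if r.kind != "stream" or r.iface != "203c":
            actions.append(Action(r.iface, "block"))
        elif sit.overload or not r.receiver_authorized:
            reason = "overload" if sit.overload else "receiver not authorized"
            actions.append(Action(r.iface, "transform", {
                "interval_ms": r.interval_ms * REDUCTION_FACTOR,
                "bandwidth": "restricted",
                "reason": reason}))
        else:
            actions.append(Action(r.iface, "allow"))
    return actions


class TrafficController:
    """Component 203: runs the configured policy on every new situation, keeping per-policy state."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.state: dict = {}

    def evaluate(self, sit: Situation) -> list[Action]:
        return self.policy(self.state, sit)


if __name__ == "__main__":
    ctrl = TrafficController(fig2_policy)
    download = Request("batch_download", "203c")
    for t in (0.0, 100.0, 400.0):
        print(t, ctrl.evaluate(Situation(t, [download])))
```

The default in both policies is to block: a request type the rules do not name never falls through to "allow", which is the property the "block all other traffic" rule is meant to guarantee when new traffic appears between evaluations.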

It will be appreciated that the quality of the analysis and control of the network traffic can be improved if the data associated with the network traffic is used for improving the first data analytics model 205 and the second data analytics model 206 provided by the policy definition authority component 201. When available, the improved models can be uploaded to the network traffic analyzer component 202 and/or to the network traffic controller component 203 and deployed there to replace the old models.

In an embodiment the network traffic analyzer includes or accesses a data repository (e.g. a file or database) for storing historic network traffic metrics / statistics that are used for improving the classification quality of the component based on historical information.

In an embodiment the network channels and / or the transferred data and / or the network statistics / metrics and / or the analytical models and / or the configuration of the Network Traffic Controller 203 by the Network Traffic Analyzer 202 component are protected for confidentiality reasons by symmetric or asymmetric cryptographic encryption for inbound, outbound and / or on-device data transfers. Since the transferred models and configuration define the control policy, their integrity and the authenticity of the sender matter as much as confidentiality here: a tampered or spoofed model would change how the traffic is controlled, so authenticated encryption or a signature over the transferred model is the appropriate protection.

FIG 4 shows a flow diagram of a method that can be carried out by a network traffic control system, e.g. by the network traffic control system 200 of figures 1 to 3.

The method comprises:

Step S1 - providing, by the policy definition authority component 201, at least one first data analytics model 205 and at least one second data analytics model 206 to a network traffic analyze-control-component, which can comprise the network traffic analyzer component 202 and the network traffic controller component 203,

Step S2 - receiving, by the network traffic analyze-control-component, input data representative of the network traffic,

Step S3 - applying, by the network traffic analyze-control-component, the at least one first data analytics model 205 to the input data, wherein the at least one first data analytics model 205 identifies at least one network traffic situation,

Step S4 - applying, by the network traffic analyze-control-component, the at least one second data analytics model 206 to the at least one network traffic situation, wherein the at least one second data analytics model 206 generates at least one rule according to which the network traffic can be controlled,

Step S5 - controlling, by the network traffic analyze-control-component, the network traffic according to the at least one rule.

FIG 5 shows a computer-readable medium 2000 with a computer program 2001. The computer program 2001 comprises instructions which, when executed by the network traffic control system 200, cause the network traffic control system 200 to carry out the steps of the above-mentioned method.

The above-described embodiments of the present disclosure are presented for purposes of illustration and not of limitation. In particular, the embodiments described with regard to the figures are only a few examples of the embodiments described in the introductory part. Technical features that are described with regard to systems can be applied to augment the methods disclosed herein and vice versa.