
Analytical Models

Analytical Models utilize on-server machine learning to automatically group assets into suggested clusters based on shared characteristics. These characteristics may include network traffic patterns (both inbound and outbound), asset tagging, metadata density and more. By leveraging Horizon's algorithm and model configurations, the system generates asset clusters that identify potential segments based on these common attributes.

This article describes how these Analytical Models are created, built and leveraged utilizing the Network Flow Chart as a model viewer.

For more information about the theory behind Analytical Models, read our post Leveraging Automatic Clustering for Effective Microsegmentation.

Note

As all data stays on-server for processing, it is never transmitted to 12Port cloud services or other external platforms for machine learning or any other purposes.

Creating Analytical Models

To create a new Model:

  1. Log in with an Administrator or Analytics Manager account.
  2. Navigate to Management > Analytics and click the Add button.
  3. Click on the parameter name for details about each or follow the guidance provided here:
    1. Name: Enter a unique and recognizable name for this model.
    2. Container: Specify the container holding the assets that the analytical model algorithm will use. To specify the root container, click the button to the right of the field.
    3. Density: The number of partitions configured to run the clustering algorithm determines the granularity of asset classification. A smaller number of partitions results in broader categories, while a higher number of partitions leads to more detailed classifications with smaller groups.
    4. Tags Impact: The tag impact parameter determines the importance of tag-matching when classifying assets. A higher tag impact value gives more weight to assets sharing similar tags. When None is selected for the tag impact, the algorithm primarily depends on the network traffic flow collected from the asset endpoints.
  4. Click the Save button to complete the operation.

Building Models

After a new model is created or an existing model is edited, it must be built against the defined assets so the algorithm can generate results.

To build a model, navigate to the Analytical Models page, locate the model in the list and, from its Actions menu, click the Build button.

Analytical Models Build Option

The Build action submits the operation to a background process. Depending on the number of background processes currently running in the platform, the build will be processed in a few seconds to minutes. After the build operation has completed successfully (Status column shown as Success), the model's Last Built value will update to reflect the time of its last build.

Analytical Models Last Built Date

Viewing Model Results

Once the model is built, it can be accessed and reviewed from the Network Flow Chart of the Container.

To access the Analytical Model results:

  1. Navigate to the model's container and open this container's Connections Report from its Report > Connections menu.
  2. In the Connections Report's Search Query bar, open the drop-down menu and select the Analytical Model option.
  3. With the second drop-down Model menu, load the model to view by selecting its Name.

Connections Report Analytical Model Selection

When the model is loaded and ready for viewing, the third drop-down Cluster menu will be populated with each generated cluster based on the model configuration. For example, if the model's Density was set to 4, you should receive four items in this menu; if the Density was 8, you should receive eight items in this menu. Selecting any of the available clusters will display the results of this cluster in the chart below.

Connections Report Analytical Model Cluster Selection

Understanding the Model Results

The algorithmic results of each model's Cluster will highlight the assets that have been assigned to each grouping. The assets in each cluster are grouped based on captured network traffic and, depending on the Tags Impact set in the model configuration, asset tags. These results can be used as suggestions for building microsegmentation policies.

To display Cluster results:

  1. Select a Cluster from the third drop-down menu to display its results. The assigned name of each cluster represents its "core," which can be interpreted as the central asset within the group. This core asset typically shares the most network traffic and similar tags with the other assets in the cluster.
  2. On the chart below, each asset of this cluster is highlighted with a red dot.
  3. Optionally, if you want to add these assets to a collection, you can Shift + Click on each asset in this chart and take appropriate actions from the Collection section below the chart.

Connections Report Analytical Model Cluster Results
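
To make the Density and Tags Impact settings and the cluster "core" concrete, the following added example (not 12Port's code; this article does not describe Horizon's actual algorithm) uses a small k-medoids clustering as a stand-in. The asset names, peer sets, tags and the numeric `tag_impact` scale from 0.0 to 1.0 are assumptions made for illustration.

```python
# Constructed sample inventory (not real data): observed peers and tags.
ASSETS = {
    "web1": {"peers": {"app1"}, "tags": {"tier:web"}},
    "app1": {"peers": {"web1", "db1"}, "tags": {"tier:app"}},
    "db1": {"peers": {"app1"}, "tags": {"tier:db"}},
    "web2": {"peers": {"app2"}, "tags": {"tier:web"}},
    "app2": {"peers": {"web2", "db2"}, "tags": {"tier:app"}},
    "db2": {"peers": {"app2"}, "tags": {"tier:db"}},
}

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as no overlap."""
    return len(a & b) / len(a | b) if a | b else 0.0

def distance(x, y, tag_impact):
    """Blend traffic and tag similarity; tag_impact 0.0 means traffic only."""
    flow = jaccard(ASSETS[x]["peers"] | {x}, ASSETS[y]["peers"] | {y})
    tags = jaccard(ASSETS[x]["tags"], ASSETS[y]["tags"])
    return 1.0 - ((1.0 - tag_impact) * flow + tag_impact * tags)

def cluster(density, tag_impact):
    """Return {core asset: members} for `density` partitions (k-medoids)."""
    names = sorted(ASSETS)
    d = lambda a, b: distance(a, b, tag_impact)
    cost = lambda m, group: sum(d(m, g) for g in group)
    # Deterministic seeding: most central asset, then farthest-first.
    cores = [min(names, key=lambda n: (cost(n, names), n))]
    while len(cores) < density:
        rest = [n for n in names if n not in cores]
        cores.append(max(rest, key=lambda n: (min(d(n, c) for c in cores), n)))
    while True:
        # Assign every asset to its nearest core (ties broken by name).
        groups = {c: [] for c in cores}
        for n in names:
            groups[min(cores, key=lambda c: (d(n, c), c))].append(n)
        # Re-pick each group's core: the member closest to all the others.
        new = sorted(min(g, key=lambda m: (cost(m, g), m)) for g in groups.values())
        if new == sorted(cores):
            return {c: sorted(g) for c, g in groups.items()}
        cores = new

if __name__ == "__main__":
    print(cluster(density=2, tag_impact=0.0))  # groups follow traffic
    print(cluster(density=3, tag_impact=1.0))  # groups follow tags
```

With traffic only, the two application stacks come out as clusters named after their busiest asset; with tags dominating, the same inventory splits by tier instead, which is the kind of difference worth comparing before turning a cluster into a segmentation policy.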

Tip

Create and build multiple models with differing configurations, so you can switch between each to compare the results from the Chart.