Automating OT Threat Detection with Neural-ASR and NLP

TLDR: Researchers at DEF CON 2025 demonstrated a novel method for generating Attack Surface Reduction (ASR) rules in OT environments by converting process behavior chains into numerical vectors. By applying NLP techniques like Word2Vec and Doc2Vec to telemetry data, they successfully identified malicious patterns that traditional EDR solutions often overlook. This approach allows security teams to detect complex, multi-stage OT attacks without relying on static signatures or massive manual rule sets.

Operational Technology (OT) environments are notoriously difficult to secure. Unlike standard IT infrastructure, where patching and frequent updates are the norm, OT systems often run on legacy software that cannot be easily modified or updated without risking operational downtime. This reality forces security teams to rely on signature-based detection, which is fundamentally ill-equipped to handle modern, living-off-the-land (LotL) attacks. When an adversary uses native tools like PowerShell or WScript to execute malicious payloads, traditional EDR solutions often flag the activity as benign because the individual components appear legitimate.

The research presented at DEF CON 2025 shifts the focus from static file analysis to behavioral sequences. By treating process execution chains as sentences and individual process behaviors as words, the researchers used Natural Language Processing (NLP) to model the "language" of an attack. This allows for the detection of malicious intent based on the context of the entire chain rather than the individual actions.

Modeling Attack Behaviors as Sequences

The core of this research involves transforming raw telemetry data—such as Windows Event Logs and EDR feedback—into a format that machine learning models can process. The researchers utilized Word2Vec to create numerical representations of process behaviors. By mapping these behaviors into a multi-dimensional vector space, they can identify clusters of activity that correspond to known attack patterns.

For example, a standard administrative task might look identical to a malicious one if you only inspect the final command. However, when you analyze the parent-child relationship—such as a browser process spawning a shell, which then modifies a registry key—the sequence becomes distinct. The researchers used Doc2Vec to extend this logic, allowing them to represent entire attack chains as single vectors. This is particularly effective for identifying variants of malware that might change their file hashes but maintain the same behavioral footprint.

The Challenge of False Positives in OT

One of the biggest hurdles in OT security is the high volume of false positives. Many OT-specific applications perform actions that look suspicious to an IT-centric EDR, such as direct memory access or unusual network traffic patterns. If a security tool is too aggressive, it risks shutting down critical infrastructure.

The researchers addressed this by training their model on a massive dataset of over 50,000 samples, including both benign OT-specific behaviors and known malicious activity. By focusing on the "chain of suspicious behaviors," the model can distinguish between a legitimate maintenance script and a CaddyWiper deployment. The model effectively acts as an automated ASR rule generator, identifying the specific sequence of events that should be blocked in a given environment.

Practical Application for Pentesters

For those of us performing red team engagements or penetration tests in OT environments, this research highlights a critical blind spot in current defensive tooling. When you are testing an OT network, you are likely using LotL techniques to avoid detection. If you are using PsExec to move laterally, you are relying on the fact that the blue team’s EDR is tuned to ignore "administrative" tools.

This research suggests that defenders are moving toward behavioral modeling that will eventually make these techniques much noisier. If you are currently testing these environments, you should start mapping your attack chains against the MITRE ATT&CK for ICS framework. Understanding how your specific sequence of commands—such as T1547 (Boot or Logon Autostart Execution) followed by T1071 (Application Layer Protocol)—looks to a behavioral model will help you refine your tradecraft.

Defensive Implications

Defenders should view this as a path toward reducing the manual burden of writing and maintaining ASR rules. Instead of manually creating rules for every new threat, security teams can use this behavioral modeling to automatically generate rules that block the sequence of an attack. This is a significant improvement over the current state of the art, where defenders are constantly playing catch-up with new malware variants.

The most important takeaway for the security community is that static signatures are dying. As we move toward more automated, AI-driven detection, the focus will shift entirely to behavioral context. If you are a researcher or a developer, start looking at how your tools interact with the OS at a granular level. The parent-child process relationship is no longer just a debugging detail; it is the primary signal that will determine whether your next engagement is successful or if you are caught in the first five minutes. The future of detection is not in the file; it is in the flow.