A method for learning aspects of messages in an industrial control system is provided. The method includes obtaining a plurality of messages. The method includes starting at a first message field, proceeding via recursion to each next message field, and identifying message values at that message field as constant when constant in messages in a group, as random when random in messages in a group, as length when expressive of a shared length of messages in a group, as opcode when correlated with a shared structure of messages in a group, and otherwise as parameter. The method includes subdividing message groups into subgroups according to the identified message values at that message field, with the recursion applied to each subgroup. A method and system for monitoring messages in an industrial control system is provided.