Method for mitigation of cyber attacks on industrial control systems
First Claim
1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:
polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
generating a value based on the vector indicative of a network behavioral state;
maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition count is maintained in accordance to the value;
determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
taking protective action according to whether the determined probability is below the established threshold.
Abstract
Disclosed is a system and method for detecting anomalous behavior in Industrial Control Networks. The system first operates in a learning phase to learn various behaviors, and then in a protection phase to analyze packets to identify anomalous network events, and, for example, raise an alert.
12 Claims
1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:
polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
generating a value based on the vector indicative of a network behavioral state;
maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition count is maintained in accordance to the value;
determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
taking protective action according to whether the determined probability is below the established threshold.
Dependent claims 2 to 10 are not reproduced on this page.
11. A computer system for detecting a potential compromise of cyber security in an industrial network, comprising:
memory for storing computer instructions; and
a computerized processor for executing the computer instructions, the computer instructions comprising:
first computer instructions for polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
second computer instructions for deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
third computer instructions for generating a value based on the vector indicative of a network behavioral state;
fourth computer instructions for maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition counts are maintained in accordance to the value based on the vector indicative of the network behavioral state;
fifth computer instructions for determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
sixth computer instructions for establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
seventh computer instructions for determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
eighth computer instructions for taking protective action according to whether the determined probability is below the established threshold.
12. A computer-usable non-transitory storage medium having a computer program embodied thereon for causing a suitably programmed system to detect a potential compromise of cyber security in an industrial network, by performing the following steps when such program is executed on the system, the steps comprising:
polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
generating a value based on the vector indicative of a network behavioral state;
maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition counts are maintained in accordance to the value based on the vector indicative of the network behavioral state;
determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
taking protective action according to whether the determined probability is below the established threshold.
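The method recited in claims 1, 11 and 12 is a first-order Markov model over polled PLC traffic: a learning phase counts which network state follows which, a protection phase scores a sliding window of states by the product of the learned transition probabilities and alerts when that product falls below a threshold. The following Python is an added illustration, not code from the patent or its assignee. The Modbus/TCP-style fields chosen as the "specific fields of packet data" (unit id, function code, start address), the address bucketing, the constructed HMI polling traffic and the rule for setting the threshold (one tenth of the least likely window observed during learning) are all assumptions made for this example. The injected diagnostics poll in the protection stream shows the point of the claims: every field of that packet is a legitimate protocol value, and it is only its position in the state sequence that is anomalous.

```python
"""Markov-chain anomaly detection over polled PLC packet fields.

Added example, not code from the patent or its assignee: one way to implement
the learning and protection phases of claims 1, 11 and 12. The Modbus-style
fields (unit id, function code, start address), the constructed traffic and
the "one tenth of the least likely normal window" threshold rule are all
assumptions made for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Poll = Tuple[int, int, int]   # (unit id, function code, start address): assumed fields
ADDR_BUCKET = 100             # bucket register addresses so the state space stays finite
WINDOW = 5                    # states per analysed sequence (four transitions)


def state_value(poll: Poll) -> str:
    """Derive the vector from the polled fields and reduce it to a state label."""
    unit_id, function_code, start_addr = poll
    vector = (unit_id, function_code, start_addr // ADDR_BUCKET)
    return "u%d:fc%d:b%d" % vector


class BehaviorStateMachine:
    """Network states plus counts of which state followed which."""

    def __init__(self, floor: float = 1e-6) -> None:
        self.states: set = set()
        self.transitions: Dict[str, Counter] = defaultdict(Counter)
        self.floor = floor    # probability given to a transition never seen in learning

    def learn(self, states: Iterable[str]) -> None:
        """Learning phase: count every observed (previous state, next state) pair."""
        prev = None
        for s in states:
            self.states.add(s)
            if prev is not None:
                self.transitions[prev][s] += 1
            prev = s

    def transition_probability(self, a: str, b: str) -> float:
        """Estimated P(state b directly follows state a) under normal operation."""
        counts = self.transitions.get(a)
        if not counts or b not in counts:
            return self.floor
        return counts[b] / sum(counts.values())

    def sequence_probability(self, states: List[str]) -> float:
        """Probability of a state sequence: product of its transition probabilities."""
        p = 1.0
        for a, b in zip(states, states[1:]):
            p *= self.transition_probability(a, b)
        return p


def window_probabilities(model: BehaviorStateMachine, polls: List[Poll], window: int) -> List[float]:
    """Score every window of `window` consecutive polls."""
    states = [state_value(p) for p in polls]
    return [model.sequence_probability(states[i:i + window])
            for i in range(len(states) - window + 1)]


def learn_threshold(model: BehaviorStateMachine, polls: List[Poll], window: int) -> float:
    """Threshold = one tenth of the least likely window seen in normal traffic (assumed rule)."""
    return min(window_probabilities(model, polls, window)) / 10.0


def anomalous_windows(model: BehaviorStateMachine, threshold: float,
                      polls: List[Poll], window: int) -> List[int]:
    """Protection phase: offsets of windows whose probability is below the threshold."""
    return [i for i, p in enumerate(window_probabilities(model, polls, window)) if p < threshold]


# Constructed normal traffic (not captured data): an HMI cyclically reads two
# register blocks from PLC 1, reads coils from PLC 2 and, in three cycles out
# of four, writes setpoints to PLC 1.
READ_A, READ_B, READ_COILS, WRITE = (1, 3, 0), (1, 3, 150), (2, 1, 0), (1, 16, 220)
WRITE_CYCLE = [READ_A, READ_B, READ_COILS, WRITE]
NO_WRITE_CYCLE = [READ_A, READ_B, READ_COILS]
TRAINING_POLLS = (NO_WRITE_CYCLE + WRITE_CYCLE * 3) * 25


def train() -> Tuple[BehaviorStateMachine, float]:
    """Run the learning phase over the constructed traffic and fix the threshold."""
    model = BehaviorStateMachine()
    model.learn(state_value(p) for p in TRAINING_POLLS)
    return model, learn_threshold(model, TRAINING_POLLS, WINDOW)


if __name__ == "__main__":
    model, threshold = train()
    # The injected poll (function code 8, diagnostics) is a valid Modbus request;
    # only its position in the learned sequence is wrong.
    stream = WRITE_CYCLE * 2 + [READ_A, READ_B, (1, 8, 0), READ_COILS, WRITE] + WRITE_CYCLE
    scores = window_probabilities(model, stream, WINDOW)
    print("threshold %.5f" % threshold)
    for i in anomalous_windows(model, threshold, stream, WINDOW):
        print("alert: window starting at poll %d, probability %.2e" % (i, scores[i]))
```

With the constructed traffic the learned transition from "read coils" to "write setpoints" has probability 0.75 and to "read block A" 0.25, the least likely normal window scores 0.1875 and the threshold is therefore 0.01875. Every window that contains the injected diagnostics poll contains at least one never-seen transition and scores at or below 7.5e-7, so five consecutive windows alert; windows of known states in a never-seen order (for example a coil read followed directly by a second read of block B) alert the same way, which is what distinguishes this approach from a per-packet allow-list of function codes.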