Method for mitigation of cyber attacks on industrial control systems

US 10,015,188 B2
Filed: 08/20/2015
Issued: 07/03/2018
Est. Priority Date: 08/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:

polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;

deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;

generating a value based on the vector indicative of a network behavioral state;

maintaining a network behavior state machine comprising a list of network states and transition counts,wherein the transition count is maintained in accordance to the value;

determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;

establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;

determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector;

and, taking protective action according to whether the determined probability is below the established threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a system and method for detecting anomalous behavior in Industrial Control Networks. The system first operates in a learning phase to learn various behaviors, and then in a protection phase to analyze packets to identify anomalous network events, and, for example, raise an alert.

Citations

12 Claims

1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:
- polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
  
  deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
  
  generating a value based on the vector indicative of a network behavioral state;
  
  maintaining a network behavior state machine comprising a list of network states and transition counts,wherein the transition count is maintained in accordance to the value;
  
  determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
  
  establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
  
  determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector;
  
  and, taking protective action according to whether the determined probability is below the established threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the specific fields of packet data are obtained from packets received in monitoring the operation of the industrial network for potential cyber attack.
  - 3. The method of claim 1, wherein the industrial network utilizes the Modbus protocol.
  - 4. The method of claim 1, wherein the industrial network utilizes Distributed Network Protocol 3 (DNP3).
  - 5. The method of claim 1, wherein each said sequence of network states is derived from a particular stream of packets, and includes k successive network states, where k is greater than two.
  - 6. The method of claim 1, wherein the taking protective action comprises raising an alert.
  - 7. The method of claim 1, wherein the taking protective action comprises blocking a packet.
  - 8. The method of claim 1, wherein the taking protective action comprises disabling a node in the network.
  - 9. The method of claim 1, wherein the specific fields of packet data which are polled include one or more of Modbus source, Modbus destination, and Modbus function fields in the analyzed packet.
  - 10. The method of claim 1, wherein the alert comprises forensic data.

11. A computer system for detecting a potential compromise of cyber security in an industrial network, comprising:
- memory for storing computer instructions; and
  
  ,a computerized processor for executing the computer instructions, the computer instructions comprising;
  
  first computer instructions for polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
  
  second computer instructions for deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
  
  third computer instructions for generating a value based on the vector indicative of a network behavioral state;
  
  fourth computer instructions for maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition counts are maintained in accordance to the value based on the vector indicative of the network behavioral state;
  
  fifth computer instructions for determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
  
  sixth computer instructions for establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
  
  seventh computer instructions determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
  
  ,eighth computer instructions for taking protective action according to whether the determined probability is below the established threshold.

12. A computer-usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to detect a potential compromise of cyber security in an industrial network, by performing the following steps when such program is executed on the system, the steps comprising:
- polling specific fields of packet data at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
  
  deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
  
  generating a value based on the vector indicative of a network behavioral state;
  
  maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition counts are maintained in accordance to the value based on the vector indicative of the network behavioral state;
  
  determining a transition probability corresponding to the transition counts,wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
  
  establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
  
  determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
  
  ,taking protective action according to whether the determined probability is below the established threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Cyberx Israel Limited (Microsoft Corporation)
Inventors
Schneider, Omer, Giller, Nir
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US14/830,776
Publication Number

US 20170054751A1
Time in Patent Office

1,048 Days
Field of Search

726 6
US Class Current
CPC Class Codes

G05B 23/0254   based on a quantitative mod...

G06F 21/55   Detecting local intrusion o...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/12   specially adapted for propr...

Method for mitigation of cyber attacks on industrial control systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method for mitigation of cyber attacks on industrial control systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links