Telemetry analysis system for physical process anomaly detection

US 10,148,686 B2
Filed: 02/10/2017
Issued: 12/04/2018
Est. Priority Date: 02/10/2016
Status: Active Grant

First Claim

Patent Images

1. A security system for detecting a security anomaly associated with a physical process within an industrial control system (ICS) comprising:

an industrial control network including a plurality of endpoint devices, and at least one programmable logic controller that communicates with the endpoint devices through the industrial control network, the endpoint devices producing telemetry data and transmitting the telemetry data on the industrial control network; and

a telemetry analytics engine server configured to;

receive the telemetry data from the endpoint devices and cluster the telemetry data into logical endpoint device groupings according to a location of each logical endpoint device in the industrial control network, each grouping representing a sub network of the industrial control network that corresponds to a different separate section of the industrial control network, andreceive security data from at least one external data source, the security data being based on one or more of device log data, network log data, or security alert data;

the telemetry analytics engine server further comprising;

an anomaly detection processor configured to analyze the clustered telemetry data to detect anomalies that indicate a potential security compromise;

a root cause analysis processor configured to execute a correlation process between the security data received from the at least one external data source, and data that is output from the anomaly detection processor;

the telemetry analytics engine server identifying the root cause of the potential security compromise with respect to the industrial control system and providing an anomaly alert to a human machine interface (HMI).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and apparatus, including computer programs encoded on computer storage media, for analyzing telemetry data from physical process sensors to detect anomalies within the physical process. A telemetry analytics system is disclosed as a process level anomaly detection system based on operational telemetrics and domain-specific knowledge that protects cyber physical system (CPS) devices against zero-day exploits not detectable through traditional system log or network packet inspection. The telemetry analytics system operates as a security component comparable to intrusion detection or anti-virus/anti-malware that generates alerts upon detecting anomalies in the sensor and/or activity data ingested from system or network data sources.

24 Citations

View as Search Results

13 Claims

1. A security system for detecting a security anomaly associated with a physical process within an industrial control system (ICS) comprising:
- an industrial control network including a plurality of endpoint devices, and at least one programmable logic controller that communicates with the endpoint devices through the industrial control network, the endpoint devices producing telemetry data and transmitting the telemetry data on the industrial control network; and
  
  a telemetry analytics engine server configured to;
  
  receive the telemetry data from the endpoint devices and cluster the telemetry data into logical endpoint device groupings according to a location of each logical endpoint device in the industrial control network, each grouping representing a sub network of the industrial control network that corresponds to a different separate section of the industrial control network, andreceive security data from at least one external data source, the security data being based on one or more of device log data, network log data, or security alert data;
  
  the telemetry analytics engine server further comprising;
  
  an anomaly detection processor configured to analyze the clustered telemetry data to detect anomalies that indicate a potential security compromise;
  
  a root cause analysis processor configured to execute a correlation process between the security data received from the at least one external data source, and data that is output from the anomaly detection processor;
  
  the telemetry analytics engine server identifying the root cause of the potential security compromise with respect to the industrial control system and providing an anomaly alert to a human machine interface (HMI).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein the endpoint devices are one or more sensors that monitor the physical process.
  - 3. The system of claim 1 further comprising an event correlation system comprising one or more computers and that receives the anomaly alert from the telemetry analytics engine server.
  - 4. The system of claim 1 wherein the anomaly detection processor executes a model based anomaly detection process to identify anomalies in the telemetry data.
  - 5. The system of claim 4 wherein physical process semantics data is provided as an input to the model based anomaly detection process, the physical process semantics data including data that relates to expected operation of the industrial control network.
  - 6. The system of claim 1 wherein the anomaly detection processor executes a data driven anomaly detection process that executes one or more machine learning processes to identify anomalies in the telemetry data.
  - 7. The system of claim 6 wherein domain specific knowledge is provided as an input to the data driven anomaly detection process the domain specific knowledge including behavioral attributes and contextual attributes of the industrial control network.
  - 8. The system of claim 1 wherein the correlation process executed by the root cause analysis engine determines whether the root cause of the anomaly is one of a cyber-attack, a human error, a process failure, or a system fault.
  - 9. The system of claim 1 wherein the anomaly detection processor uses a stateless anomaly detection mechanism to identify an anomaly as a one-time deviation, based on a monitored value in the clustered telemetry data being above or below a threshold value.
  - 10. The system of claim 1 wherein the anomaly detection processor uses a stateful anomaly detection mechanism to identify an anomaly based on a series of deviations that have occurred during a predetermined monitoring time window.
  - 11. The system of claim 10 wherein the anomaly detection processor identifies the anomaly based on the series of deviations including a number of deviated samples that is greater than a number of normal samples.
  - 12. The system of claim 10 wherein the anomaly detection processor identifies the anomaly based on the series of deviations including a number of deviated samples that is greater than a threshold value.
  - 13. The system of claim 10 wherein the anomaly detection processor identifies the anomaly based on a mean sample value of the series of deviations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Solutions Limited (Accenture PLC)
Original Assignee
Accenture Global Solutions Limited (Accenture PLC)
Inventors
Hassanzadeh, Amin, Mulchandani, Shaan, Salem, Malek Ben, Chen, Chien An
Primary Examiner(s)
Harris, Christopher C

Application Number

US15/429,900
Publication Number

US 20170230410A1
Time in Patent Office

662 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 41/0631   using root cause analysis; ...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Y04S 40/00   Systems for electrical powe...

Y04S 40/20   Information technology spec...

Telemetry analysis system for physical process anomaly detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Telemetry analysis system for physical process anomaly detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others