Feature and boundary tuning for threat detection in industrial asset control system
First Claim
1. A system to protect an industrial asset control system, comprising:
- a normal space data source storing, for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset control system;
- a threatened space data source storing, for each of the plurality of monitoring nodes, a series of threatened monitoring node values over time that represent a threatened operation of the industrial asset control system; and
- a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to;
  - (i) receive the series normal monitoring node values and generate a set of normal feature vectors,
  - (ii) receive the series of threatened monitoring node values and generate a set of threatened feature vectors,
  - (iii) automatically calculate at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter,
  - (iv) automatically evaluate a performance of the at least one potential decision boundary based on a performance metric, and
  - (v) automatically tune the at least one initial algorithm parameter based on a result of said evaluation and re-calculate the at least one potential decision boundary.
Abstract
According to some embodiments, a threat detection model creation computer may receive a series of normal monitoring node values (representing normal operation of the industrial asset control system) and generate a set of normal feature vectors. The threat detection model creation computer may also receive a series of threatened monitoring node values (representing a threatened operation of the industrial asset control system) and generate a set of threatened feature vectors. At least one potential decision boundary for a threat detection model may be calculated based on the set of normal feature vectors, the set of threatened feature vectors, and an initial algorithm parameter. A performance of the at least one potential decision boundary may be evaluated based on a performance metric. The initial algorithm parameter may then be tuned based on a result of the evaluation, and the at least one potential decision boundary may be re-calculated.
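The loop the abstract describes (feature vectors, a candidate boundary, a performance metric, parameter tuning and re-calculation) can be sketched as follows; this is an added illustration, not code from the patent. Everything concrete in it is an assumption: the window features (mean and standard deviation), the ellipsoidal boundary whose radius is the tuned parameter, balanced accuracy as the metric, the fixed-step search, and the constructed sine-wave sensor data with a +4 bias in the threatened run.

```python
import math

def features(window):
    """Feature vector for one window of node values: (mean, standard deviation)."""
    m = sum(window) / len(window)
    return (m, math.sqrt(sum((x - m) ** 2 for x in window) / len(window)))

def feature_set(series, width=10):
    """Split a node's time series into non-overlapping windows of feature vectors."""
    return [features(series[i:i + width]) for i in range(0, len(series) - width + 1, width)]

def fit_boundary(normal_fv, radius):
    """Boundary: ellipsoid `radius` standard deviations around the normal centroid."""
    dims = list(zip(*normal_fv))
    center = [sum(d) / len(d) for d in dims]
    scale = [max(1e-9, math.sqrt(sum((x - c) ** 2 for x in d) / len(d)))
             for d, c in zip(dims, center)]
    return center, scale, radius

def is_threat(boundary, fv):
    """A feature vector outside the boundary is classified as threatened."""
    center, scale, radius = boundary
    return math.sqrt(sum(((x - c) / s) ** 2 for x, c, s in zip(fv, center, scale))) > radius

def balanced_accuracy(boundary, normal_fv, threat_fv):
    """Performance metric: mean of true-negative rate and true-positive rate."""
    tnr = sum(not is_threat(boundary, v) for v in normal_fv) / len(normal_fv)
    tpr = sum(is_threat(boundary, v) for v in threat_fv) / len(threat_fv)
    return (tnr + tpr) / 2

def tune(train_fv, holdout_fv, threat_fv, radius=0.5, step=0.25, target=1.0, max_iter=40):
    """Evaluate, adjust the parameter, re-calculate; score on held-out normal data."""
    best_radius, best_score = radius, -1.0
    for _ in range(max_iter + 1):
        score = balanced_accuracy(fit_boundary(train_fv, radius), holdout_fv, threat_fv)
        if score > best_score:
            best_radius, best_score = radius, score
        if best_score >= target:
            break
        radius += step
    return best_radius, best_score

# Constructed data: one sensor node; the threatened run carries a +4 bias injection.
normal = [50 + math.sin(0.7 * i) for i in range(400)]
threatened = [54 + math.sin(0.7 * i) for i in range(200)]
normal_fv, threat_fv = feature_set(normal), feature_set(threatened)
RADIUS, SCORE = tune(normal_fv[:20], normal_fv[20:], threat_fv)
print(f"tuned radius={RADIUS:.2f} balanced accuracy={SCORE:.2f}")
```

Scoring against normal windows that were not used to fit the boundary keeps the tuned radius from simply memorising the training set, which would otherwise understate the false-alarm rate.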
20 Claims
1. A system to protect an industrial asset control system, comprising:
- a normal space data source storing, for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset control system;
- a threatened space data source storing, for each of the plurality of monitoring nodes, a series of threatened monitoring node values over time that represent a threatened operation of the industrial asset control system; and
- a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to;
  - (i) receive the series normal monitoring node values and generate a set of normal feature vectors,
  - (ii) receive the series of threatened monitoring node values and generate a set of threatened feature vectors,
  - (iii) automatically calculate at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter,
  - (iv) automatically evaluate a performance of the at least one potential decision boundary based on a performance metric, and
  - (v) automatically tune the at least one initial algorithm parameter based on a result of said evaluation and re-calculate the at least one potential decision boundary.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A computerized method to protect an industrial asset control system, comprising:
- receiving, by a threat detection model creation computer, a series of normal monitoring node values and generating a set of normal feature vectors, wherein the series of normal monitoring node values over time represent normal operation of the industrial asset control system;
- receiving, by the threat detection model creation computer, a series of threatened monitoring node values and generating set of threatened feature vectors, wherein the series of threatened monitoring node values over time represent a threatened operation of the industrial asset control system;
- calculating at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter;
- evaluating a performance of the at least one potential decision boundary based on a performance metric; and
- tuning the at least one initial algorithm parameter based on a result of said evaluation and re-calculating the at least one potential decision boundary.

Dependent claims: 18
19. A non-transient, computer-readable medium storing instructions to be executed by a processor to perform a method of protecting an industrial asset control system, the method comprising:
- receiving a series of normal monitoring node values and generating a set of normal feature vectors, wherein the series of normal monitoring node values over time represent normal operation of the industrial asset control system;
- receiving a series of threatened monitoring node values and generating set of threatened feature vectors, wherein the series of threatened monitoring node values over time represent a threatened operation of the industrial asset control system;
- calculating at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter;
- evaluating a performance of the at least one potential decision boundary based on a performance metric; and
- tuning the at least one initial algorithm parameter based on a result of said evaluation and re-calculating the at least one potential decision boundary.

Dependent claims: 20
Specification