Feature and boundary tuning for threat detection in industrial asset control system

US 10,204,226 B2
Filed: 12/07/2016
Issued: 02/12/2019
Est. Priority Date: 12/07/2016
Status: Active Grant

First Claim

Patent Images

1. A system to protect an industrial asset control system, comprising:

a normal space data source storing, for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset control system;

a threatened space data source storing, for each of the plurality of monitoring nodes, a series of threatened monitoring node values over time that represent a threatened operation of the industrial asset control system; and

a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to;

(i) receive the series normal monitoring node values and generate a set of normal feature vectors,(ii) receive the series of threatened monitoring node values and generate a set of threatened feature vectors,(iii) automatically calculate at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter,(iv) automatically evaluate a performance of the at least one potential decision boundary based on a performance metric, and(v) automatically tune the at least one initial algorithm parameter based on a result of said evaluation and re-calculate the at least one potential decision boundary.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to some embodiments, a threat detection model creation computer may receive a series of normal monitoring node values (representing normal operation of the industrial asset control system) and generate a set of normal feature vectors. The threat detection model creation computer may also receive a series of threatened monitoring node values (representing a threatened operation of the industrial asset control system) and generate a set of threatened feature vectors. At least one potential decision boundary for a threat detection model may be calculated based on the set of normal feature vectors, the set of threatened feature vectors, and an initial algorithm parameter. A performance of the at least one potential decision boundary may be evaluated based on a performance metric. The initial algorithm parameter may then be tuned based on a result of the evaluation, and the at least one potential decision boundary may be re-calculated.

Citations

20 Claims

1. A system to protect an industrial asset control system, comprising:
- a normal space data source storing, for each of a plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the industrial asset control system;
  
  a threatened space data source storing, for each of the plurality of monitoring nodes, a series of threatened monitoring node values over time that represent a threatened operation of the industrial asset control system; and
  
  a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to;
  
  (i) receive the series normal monitoring node values and generate a set of normal feature vectors,(ii) receive the series of threatened monitoring node values and generate a set of threatened feature vectors,(iii) automatically calculate at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter,(iv) automatically evaluate a performance of the at least one potential decision boundary based on a performance metric, and(v) automatically tune the at least one initial algorithm parameter based on a result of said evaluation and re-calculate the at least one potential decision boundary.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system of claim 1, wherein said automatic evaluation, tuning, and re-calculation are performed until a final tuned algorithm parameter and final decision boundary are determined.
  - 3. The system of claim 1, wherein said automatic evaluation, tuning, and re-calculation are associated with a local feature vector and a local decision boundary.
  - 4. The system of claim 3, wherein extraction of the local feature vector is associated with at least one of:
    - a minimum, a maximum, a mean, a variance, a settling time, a fast Fourier transform spectrum, poles, shallow features, principal component analysis, independent component analysis, k-means clustering, sparse coding, and deep learning features.
  - 5. The system of claim 1, wherein a plurality of local feature vectors and local decision boundaries are combined to form a global feature vector and a global decision boundary, and said automatic evaluation, tuning, and re-calculation are associated with the global feature vector and the global decision boundary.
  - 6. The system of claim 5, wherein at least one of the global feature vector and global decision boundary are associated with a number of weights used for dimensionality reduction, kernel selection, a number of support vectors, a cost associated with normal data, and a cost associated with abnormal data.
  - 7. The system of claim 1, wherein the performance metric comprises a Receiver Operator Characteristic (“
    - ROC”
      
      ) metric.
  - 8. The system of claim 7, wherein the ROC metric is associated with at least one of:
    - true positives, true negatives, false positives, false negatives, an area under curve value, a ROC accuracy, a positive predictive value, a false discovery rate, a false omission rate, a negative predictive value, a prevalence, a true positive rate, a false positive rate, a positive likelihood ratio, a negative likelihood ratio, a false negative rate, a true negative rate, and a diagnostic odds ratio.
  - 9. The system of claim 1, wherein the performance metric is associated with a speed of threat detection.
  - 10. The system of claim 1, wherein the algorithm parameter is automatically selected from a set of potential algorithm parameters.
  - 11. The system of claim 1, wherein the initial algorithm parameter is associated with at least one of:
    - a type of feature, a number of local features, a number of global features, a method of dimensionality reduction, a principal component analysis, a principal component regression, a Fisher discriminator analysis, a support vector machine, a boundary construction method, boundary method specific tuners, a kernel function, a box constrain, a cost, and an input batch size.
  - 12. The system of claim 1, wherein at least one of the series of normal monitoring node values and the series of threatened monitoring node values are associated with a high fidelity equipment model.
  - 13. The system of claim 1, wherein at least one of said automatic calculation, evaluation, and tuning are performed based at least in part on an online update received from a remote industrial asset control system information source.
  - 14. The system of claim 1, further comprising:
    - a plurality of real-time monitoring node signal inputs to receive streams of monitoring node signal values over time that represent a current operation of the industrial asset control system; and
      
      a threat detection computer platform, coupled to the plurality of real-time monitoring node signal inputs and the threat detection model creation computer, to;
      
      (i) receive the streams of monitoring node signal values,(ii) for each stream of monitoring node signal values, generate a current monitoring node feature vector,(iii) select an appropriate decision boundary for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current cooperating mode,(iv) compare each generated current monitoring node feature vector with the selected corresponding appropriate decision boundary, and(v) automatically transmit a threat alert signal based on results of said comparisons.
  - 15. The system of claim 14, wherein the threat alert signal transmission is performed using at least one of:
    - a cloud-based system, an edge-based system, a wireless system, a wired system, a secured network, and a communication system.
  - 16. The system of claim 14, wherein the threat is associated with at least one of:
    - an actuator attack, a controller attack, a monitoring node attack, a plant state attack, spoofing, financial damage, unit availability, a unit trip, a loss of unit life, and asset damage requiring at least one new part.

17. A computerized method to protect an industrial asset control system, comprising:
- receiving, by a threat detection model creation computer, a series of normal monitoring node values and generating a set of normal feature vectors, wherein the series of normal monitoring node values over time represent normal operation of the industrial asset control system;
  
  receiving, by the threat detection model creation computer, a series of threatened monitoring node values and generating set of threatened feature vectors, wherein the series of threatened monitoring node values over time represent a threatened operation of the industrial asset control system;
  
  calculating at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter;
  
  evaluating a performance of the at least one potential decision boundary based on a performance metric; and
  
  tuning the at least one initial algorithm parameter based on a result of said evaluation and re-calculating the at least one potential decision boundary.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein said evaluation, tuning, and re-calculation are performed until a final tuned algorithm parameter and final decision boundary are determined.

19. A non-transient, computer-readable medium storing instructions to be executed by a processor to perform a method of protecting an industrial asset control system, the method comprising:
- receiving a series of normal monitoring node values and generating a set of normal feature vectors, wherein the series of normal monitoring node values over time represent normal operation of the industrial asset control system;
  
  receiving a series of threatened monitoring node values and generating set of threatened feature vectors, wherein the series of threatened monitoring node values over time represent a threatened operation of the industrial asset control system;
  
  calculating at least one potential decision boundary for a threat detection model based on the set of normal feature vectors, the set of threatened feature vectors, and at least one initial algorithm parameter;
  
  evaluating a performance of the at least one potential decision boundary based on a performance metric; and
  
  tuning the at least one initial algorithm parameter based on a result of said evaluation and re-calculating the at least one potential decision boundary.
- View Dependent Claims (20)
- - 20. The medium of claim 19, wherein said evaluation, tuning, and re-calculation are performed until a final tuned algorithm parameter and final decision boundary are determined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Infrastructure Technology, LLC (GE Vernova, Inc.)
Original Assignee
General Electric Company
Inventors
Bushey, Cody Joe, Mestha, Lalit Keshav, John, Justin Varkey, Holzhauer, Daniel Francis
Primary Examiner(s)
Revak, Christopher A

Application Number

US15/371,905
Publication Number

US 20180157838A1
Time in Patent Office

797 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/57   Certifying or maintaining t...

G06N 20/00   Machine learning

G06N 20/10   using kernel methods, e.g. ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

Feature and boundary tuning for threat detection in industrial asset control system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Feature and boundary tuning for threat detection in industrial asset control system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links