Generic framework to detect cyber threats in electric power grid

US 10,452,845 B2
Filed: 03/08/2017
Issued: 10/22/2019
Est. Priority Date: 03/08/2017
Status: Active Grant

First Claim

Patent Images

1. A system to protect an electric power grid, comprising:

a plurality of heterogeneous data source nodes each generating a series of current data source node values over time that represent a current operation of the electric power grid; and

a real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, to;

(i) receive the series of current data source node values and generate a set of current feature vectors,(ii) access an abnormal state detection model having at least one decision boundary created offline using a set of feature vectors,(iii) execute the abnormal state detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary;

wherein the set of feature vectors includes at least one of;

(i) normal feature vectors, and (ii) abnormal feature vectors and the real-time threat detection computer executes the abnormal state detection model; and

wherein the system further comprises;

a normal space data source storing, for each of the plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;

an abnormal space data source storing, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid; and

an offline abnormal state detection model creation computer, coupled to the normal space data source and the abnormal space data source, to;

(i) receive the series of normal data source node values and generate the set of normal feature vectors,(ii) receive the series of abnormal data source node values and generate the set of abnormal feature vectors, and(iii) automatically calculate and output the at least one decision boundary for the abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to some embodiments, a plurality of heterogeneous data source nodes may each generate a series of current data source node values over time that represent a current operation of an electric power grid. A real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, may receive the series of current data source node values and generate a set of current feature vectors. The threat detection computer may then access an abnormal state detection model having at least one decision boundary created offline using at least one of normal and abnormal feature vectors. The abnormal state detection model may be executed, and a threat alert signal may be transmitted if appropriate based on the set of current feature vectors and the at least one decision boundary.

14 Citations

View as Search Results

18 Claims

1. A system to protect an electric power grid, comprising:
- a plurality of heterogeneous data source nodes each generating a series of current data source node values over time that represent a current operation of the electric power grid; and
  
  a real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, to;
  
  (i) receive the series of current data source node values and generate a set of current feature vectors,(ii) access an abnormal state detection model having at least one decision boundary created offline using a set of feature vectors,(iii) execute the abnormal state detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary;
  
  wherein the set of feature vectors includes at least one of;
  
  (i) normal feature vectors, and (ii) abnormal feature vectors and the real-time threat detection computer executes the abnormal state detection model; and
  
  wherein the system further comprises;
  
  a normal space data source storing, for each of the plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;
  
  an abnormal space data source storing, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid; and
  
  an offline abnormal state detection model creation computer, coupled to the normal space data source and the abnormal space data source, to;
  
  (i) receive the series of normal data source node values and generate the set of normal feature vectors,(ii) receive the series of abnormal data source node values and generate the set of abnormal feature vectors, and(iii) automatically calculate and output the at least one decision boundary for the abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1, wherein at least one of the heterogeneous data source nodes is associated with at least one of:
    - (i) social media data, (ii) wireless network data, (iii) weather data, (iv) information technology inputs, (v) critical sensor nodes of the electric power grid, (vi) actuator nodes of the electric power grid, (vii) controller nodes of the electric power grid, and (viii) key software nodes of the electric power grid.
  - 3. The system of claim 2, wherein information from each of the plurality of heterogeneous data source nodes is normalized and an output is expressed as a weighted linear combination of basis functions.
  - 4. The system of claim 1, wherein the real-time threat detection computer is further to generate:
    - (i) a spoof indication, (ii) a system event indication, (iii) a location indication, (iv) an importance indication, and (v) an early warning indication.
  - 5. The system of claim 1, wherein at least one of the set of normal feature vectors and the set of abnormal feature vectors are associated with at least one of:
    - (i) principal components, (ii) statistical features, (iii) deep learning features, (iv) frequency domain features, (v) time series analysis features, (vi) logical features, (vii) geographic or position based locations, (viii) interaction features, (ix) range, and (x) current value.
  - 6. The system of claim 1, wherein the abnormal state detection model is associated with at least one of:
    - (i) an actuator attack, (ii) a controller attack, (iii) a data source node attack, (iv) a plant state attack, (v) spoofing, (vi) physical damage, (vii) unit availability, (viii) a unit trip, (ix) a loss of unit life, (x) asset damage requiring at least one new part, (xi) a stealthy attack not detectable by alarms, (xii) a load alternating attack, (xiii) a topology change attack, (xiv) a stability compromise attack, and (xv) a frequency compromise attack.
  - 7. The system of claim 1, wherein the abnormal state detection model including the at least one decision boundary is associated with at least one of:
    - (i) a line, (ii) a hyperplane, and (iii) a non-linear boundary separating normal space and abnormal space.
  - 8. The system of claim 1, wherein the offline abnormal state detection model creation computer operates at a frequency between approximately once every six hours and once every eight hours.
  - 9. The system of claim 1, wherein the offline abnormal state detection model creation computer is associated with multi-modal, multi-disciplinary feature discovery.
  - 10. The system of claim 1, wherein the abnormal space data source stores both random abnormal data and targeted abnormal data.
  - 11. The system of claim 1, wherein the offline abnormal state detection model creation computer is associated with a power system model with static network information including at least one of:
    - (i) network topology, (ii) impedance of power lines, (iii) transformer information, (iv) generator data, (v) load data, and (vi) bus information.
  - 12. The system of claim 11, wherein the power system model is a full differential-algebraic equation representation augmented with dynamic data including at least one of:
    - (i) a sub-transient model for a generator asset, (ii) a motor model for a load, and (iii) a model for a high-power electronic device.
  - 13. The system of claim 11, wherein the offline abnormal state detection model creation computer uses a complex network theory analysis to distinguish a random event from a targeted event.

14. A computerized method to protect an electric power grid, comprising:
- retrieving, for each of a plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;
  
  generating, offline, a set of normal feature vectors based on the normal data source node values;
  
  retrieving, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid;
  
  generating a set of abnormal feature vectors based on the abnormal data source node values;
  
  automatically calculating and outputting, by an offline abnormal state detection model creation computer, at least one decision boundary for an abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors;
  
  wherein the offline abnormal state detection model creation computer operates at a frequency between approximately once every six hours and once every eight hours; and
  
  wherein the method further comprises executing the offline abnormal state detection model and transmitting a threat alert signal based on the set of normal feature vectors and the set of abnormal feature vectors and the at least one decision boundary.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, wherein the offline abnormal state detection model creation computer is associated with multi-modal, multi-disciplinary feature discovery.
  - 16. The method of claim 14, wherein the abnormal space data source stores both random abnormal data and targeted abnormal data.

17. A non-transitory, computer-readable medium storing instructions that, when executed by a computer processor, cause the computer processor to perform a method associated with protection of an electric power grid, the method comprising:
- receiving, from a plurality of heterogeneous data source nodes, a series of current data source node values over time that represent a current operation of the electric power grid;
  
  accessing, by a real-time threat detection computer, an abnormal state detection model having at least one decision boundary created offline using a set of feature vectors;
  
  executing the abnormal state detection model and transmitting a threat alert signal based on the set of current feature vectors and the at least one decision boundary;
  
  wherein the set of feature vectors includes at least one of;
  
  (i) normal feature vectors, and (ii) abnormal feature vectors and the real-time threat detection computer executes the abnormal state detection model; and
  
  wherein the method further comprises;
  
  storing, for each of the plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;
  
  storing, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid;
  
  receiving the series of normal data source node values and generate the set of normal feature vectors;
  
  receive the series of abnormal data source node values and generate the set of abnormal feature vectors, andautomatically calculate and output the at least one decision boundary for the abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors.
- View Dependent Claims (18)
- - 18. The system of claim 17, wherein at least one of the heterogeneous data source nodes is associated with at least one of:
    - (i) social media data, (ii) wireless network data, (iii) weather data, (iv) information technology inputs, (v) critical sensor nodes of the electric power grid, (vi) actuator nodes of the electric power grid, (vii) controller nodes of the electric power grid, and (viii) key software nodes of the electric power grid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Digital Holdings LLC (GE Aerospace)
Original Assignee
General Electric Company
Inventors
Mestha, Lalit Keshav, Veda, Santosh Sambamoorthy, Abbaszadeh, Masoud, Baone, Chaitanya Ashok, Yan, Weizhong, Ray Majumder, Saikat, Bose, Sumit, Giani, Annartia, Anubi, Olugbenga
Primary Examiner(s)
Li, Meng

Application Number

US15/453,544
Publication Number

US 20180260561A1
Time in Patent Office

958 Days
Field of Search
US Class Current
CPC Class Codes

G05B 23/0275   Fault isolation and identif...

G06F 21/554   involving event detection a...

G06F 2221/034   Test or assess a computer o...

Y04S 10/52   Outage or fault management,...

Y04S 40/20   Information technology spec...

Generic framework to detect cyber threats in electric power grid

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Generic framework to detect cyber threats in electric power grid

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links