Generic framework to detect cyber threats in electric power grid
First Claim
1. A system to protect an electric power grid, comprising:
a plurality of heterogeneous data source nodes each generating a series of current data source node values over time that represent a current operation of the electric power grid; and
a real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, to:
(i) receive the series of current data source node values and generate a set of current feature vectors,
(ii) access an abnormal state detection model having at least one decision boundary created offline using a set of feature vectors,
(iii) execute the abnormal state detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary;
wherein the set of feature vectors includes at least one of:
(i) normal feature vectors, and (ii) abnormal feature vectors and the real-time threat detection computer executes the abnormal state detection model; and
wherein the system further comprises:
a normal space data source storing, for each of the plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;
an abnormal space data source storing, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid; and
an offline abnormal state detection model creation computer, coupled to the normal space data source and the abnormal space data source, to:
(i) receive the series of normal data source node values and generate the set of normal feature vectors,
(ii) receive the series of abnormal data source node values and generate the set of abnormal feature vectors, and
(iii) automatically calculate and output the at least one decision boundary for the abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors.
Abstract
According to some embodiments, a plurality of heterogeneous data source nodes may each generate a series of current data source node values over time that represent a current operation of an electric power grid. A real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, may receive the series of current data source node values and generate a set of current feature vectors. The threat detection computer may then access an abnormal state detection model having at least one decision boundary created offline using at least one of normal and abnormal feature vectors. The abnormal state detection model may be executed, and a threat alert signal may be transmitted if appropriate based on the set of current feature vectors and the at least one decision boundary.
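The offline and real-time steps the abstract describes, as an added sketch that is not code from the patent. The feature set (mean, spread, largest step per node), the midpoint-between-centroids linear boundary, the node names and the sample windows are all assumptions made for illustration; the text above does not name a boundary algorithm.

```python
import statistics

def features(window):
    """Per-node features for one time window: mean, spread, largest step."""
    steps = [abs(b - a) for a, b in zip(window, window[1:])]
    return [statistics.fmean(window), statistics.pstdev(window), max(steps)]

def feature_vector(sample):
    """Concatenate the features of every node (sample: node name -> values)."""
    return [f for node in sorted(sample) for f in features(sample[node])]

def train_boundary(normal, abnormal):
    """Offline step: linear boundary w.x + b = 0 midway between class centroids.
    Assumption: a stand-in algorithm, chosen only to make the flow concrete."""
    vn = [feature_vector(s) for s in normal]
    va = [feature_vector(s) for s in abnormal]
    # Scale each feature by its spread so nodes with different units compare.
    scale = [statistics.pstdev(col) or 1.0 for col in zip(*(vn + va))]
    def centroid(vectors):
        return [statistics.fmean(c) / s for c, s in zip(zip(*vectors), scale)]
    mu_n, mu_a = centroid(vn), centroid(va)
    w = [a - n for a, n in zip(mu_a, mu_n)]
    b = -sum(wi * (a + n) / 2 for wi, a, n in zip(w, mu_a, mu_n))
    return {"w": w, "b": b, "scale": scale}

def threat_alert(model, current):
    """Real-time step: True when the current vector is on the abnormal side."""
    x = [v / s for v, s in zip(feature_vector(current), model["scale"])]
    return sum(wi * xi for wi, xi in zip(model["w"], x)) + model["b"] > 0

# Constructed sample windows (not real grid data): frequency in Hz, voltage in per-unit.
NORMAL = [
    {"freq_hz": [60.00, 60.01, 59.99, 60.00], "volt_pu": [1.00, 1.01, 1.00, 0.99]},
    {"freq_hz": [59.99, 60.00, 60.01, 60.00], "volt_pu": [1.01, 1.00, 1.00, 1.01]},
    {"freq_hz": [60.01, 60.00, 60.00, 59.99], "volt_pu": [0.99, 1.00, 1.01, 1.00]},
]
ABNORMAL = [
    {"freq_hz": [60.00, 60.40, 59.60, 60.30], "volt_pu": [1.00, 0.90, 1.08, 0.92]},
    {"freq_hz": [60.00, 59.50, 60.50, 59.70], "volt_pu": [1.00, 1.10, 0.88, 1.05]},
    {"freq_hz": [59.90, 60.50, 59.60, 60.20], "volt_pu": [0.95, 1.10, 0.90, 1.07]},
]
MODEL = train_boundary(NORMAL, ABNORMAL)  # built offline, reused at run time

if __name__ == "__main__":
    for sample in NORMAL + ABNORMAL:
        print(threat_alert(MODEL, sample))
```

In practice the boundary would be retrained offline on fresh normal and abnormal data while `threat_alert` keeps running against the last published model.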
18 Claims
14. A computerized method to protect an electric power grid, comprising:
retrieving, for each of a plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;
generating, offline, a set of normal feature vectors based on the normal data source node values;
retrieving, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid;
generating a set of abnormal feature vectors based on the abnormal data source node values;
automatically calculating and outputting, by an offline abnormal state detection model creation computer, at least one decision boundary for an abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors;
wherein the offline abnormal state detection model creation computer operates at a frequency between approximately once every six hours and once every eight hours; and
wherein the method further comprises executing the offline abnormal state detection model and transmitting a threat alert signal based on the set of normal feature vectors and the set of abnormal feature vectors and the at least one decision boundary.
17. A non-transitory, computer-readable medium storing instructions that, when executed by a computer processor, cause the computer processor to perform a method associated with protection of an electric power grid, the method comprising:
receiving, from a plurality of heterogeneous data source nodes, a series of current data source node values over time that represent a current operation of the electric power grid;
accessing, by a real-time threat detection computer, an abnormal state detection model having at least one decision boundary created offline using a set of feature vectors;
executing the abnormal state detection model and transmitting a threat alert signal based on the set of current feature vectors and the at least one decision boundary;
wherein the set of feature vectors includes at least one of:
(i) normal feature vectors, and (ii) abnormal feature vectors and the real-time threat detection computer executes the abnormal state detection model; and
wherein the method further comprises:
storing, for each of the plurality of heterogeneous data source nodes, a series of normal data source node values over time that represent normal operation of the electric power grid;
storing, for each of the plurality of data source nodes, a series of abnormal data source node values over time that represent an abnormal operation of the electric power grid;
receiving the series of normal data source node values and generate the set of normal feature vectors;
receive the series of abnormal data source node values and generate the set of abnormal feature vectors, and
automatically calculate and output the at least one decision boundary for the abnormal state detection model based on the set of normal feature vectors and the set of abnormal feature vectors.
Specification