Method for mitigation of cyber attacks on industrial control systems
First Claim
1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:
polling specific fields of packet data, obtained from packets, at a fixed frequency, for a plurality of programmable logic controllers (PLCs), to establish network behavior;
determining a protocol type from the specific packet data fields;
deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications, including communications using a stateful protocol as the determined protocol type;
generating a value based on the vector indicative of a network behavioral state;
maintaining a network behavior state machine comprising a list of network states and transition counts in accordance with the stateful protocol, wherein the transition count is maintained in accordance to the value;
determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
taking protective action according to whether the determined probability is below the established threshold.
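The claim above describes a Markov-style model: polled packet fields become a vector, the vector maps to a network state, transition counts between states are learned during normal operation, and a sequence whose probability falls below a threshold triggers protective action. The following Python is an added illustration of that pipeline and is not the patent's implementation. The state-label mapping (`state_from_vector`), the class and function names, the window length and the traffic are all assumptions constructed for the example; the only real values are the standard Modbus function codes 1, 3, 6 and 16.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

# Vector of polled packet fields: (protocol, Modbus function code, target unit id).
# Which fields make up the vector is an assumption for this example.
Vector = Tuple[str, int, int]

# Standard Modbus function codes, used only to produce readable state labels.
MODBUS_FUNCTION_NAMES = {1: "read_coils", 3: "read_holding", 6: "write_single", 16: "write_multiple"}


def state_from_vector(vector: Vector) -> str:
    """Map a polled field vector to a network-state label (assumed mapping)."""
    protocol, function_code, unit_id = vector
    name = MODBUS_FUNCTION_NAMES.get(function_code, f"fc{function_code}")
    return f"{protocol}/{name}/unit{unit_id}"


class BehaviorStateMachine:
    """Network-behaviour state machine: transition counts give transition probabilities."""

    def __init__(self) -> None:
        self.counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
        self.threshold = 0.0

    def learn(self, states: Iterable[str]) -> None:
        """Update transition counts from a state sequence observed during normal operation."""
        previous = None
        for state in states:
            if previous is not None:
                self.counts[previous][state] += 1
            previous = state

    def transition_probability(self, first: str, second: str) -> float:
        """Estimated P(second follows first); 0.0 for a transition never observed."""
        outgoing = self.counts.get(first)
        if not outgoing:
            return 0.0
        return outgoing.get(second, 0) / sum(outgoing.values())

    def sequence_probability(self, states: Sequence[str]) -> float:
        """Probability of a sequence as the product of its transition probabilities."""
        probability = 1.0
        for first, second in zip(states, states[1:]):
            probability *= self.transition_probability(first, second)
            if probability == 0.0:
                break
        return probability

    def calibrate_threshold(self, states: Sequence[str], window: int, margin: float = 0.5) -> float:
        """Set the threshold just below the least likely window seen in normal traffic."""
        lowest = min(self.sequence_probability(states[i:i + window])
                     for i in range(len(states) - window + 1))
        self.threshold = lowest * margin
        return self.threshold

    def is_anomalous(self, states: Sequence[str]) -> bool:
        return self.sequence_probability(states) < self.threshold


def scan(machine: BehaviorStateMachine, vectors: Sequence[Vector], window: int):
    """Slide a window over polled vectors; return (offset, states, probability) for anomalous windows."""
    states = [state_from_vector(v) for v in vectors]
    hits = []
    for i in range(len(states) - window + 1):
        chunk = states[i:i + window]
        if machine.is_anomalous(chunk):
            hits.append((i, chunk, machine.sequence_probability(chunk)))
    return hits


# Constructed normal traffic: one polling cycle against PLC unit 1, repeated 50 times.
NORMAL_CYCLE: List[Vector] = [("modbus", 1, 1), ("modbus", 3, 1), ("modbus", 6, 1), ("modbus", 3, 1)]
NORMAL_TRAFFIC: List[Vector] = NORMAL_CYCLE * 50
WINDOW = 3  # assumed sequence length used for both calibration and detection


def build_machine() -> BehaviorStateMachine:
    """Learn transition counts from the constructed normal traffic and calibrate the threshold."""
    machine = BehaviorStateMachine()
    states = [state_from_vector(v) for v in NORMAL_TRAFFIC]
    machine.learn(states)
    machine.calibrate_threshold(states, WINDOW)
    return machine


# Constructed live capture: one normal cycle, then a write_multiple never seen in training.
LIVE_TRAFFIC: List[Vector] = NORMAL_CYCLE + [("modbus", 16, 1), ("modbus", 3, 1)]

if __name__ == "__main__":
    m = build_machine()
    for offset, chunk, p in scan(m, LIVE_TRAFFIC, WINDOW):
        print(f"anomalous window at offset {offset}: {chunk} (p={p:.4f}, threshold={m.threshold:.4f})")
```

Two practical points the claim leaves open are visible here. First, the threshold is only meaningful for the window length it was calibrated on, because the product of transition probabilities shrinks with every extra transition; calibrating on three-state windows and then scoring five-state windows would raise false alarms. Second, a transition never seen in training gets probability zero, so the learning period must cover every legitimate operating mode (maintenance writes, firmware updates, shift changes) before the model is used to drive protective action; `scan` only reports the anomalous windows and leaves the choice of action to the caller.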
Abstract
Methods and systems for detecting a potential compromise of cyber security in an industrial network are disclosed. These methods and systems comprise elements of hardware and software for generating and analyzing vectors indicative of network behavioral states to establish thresholds for anomalous behavior in the industrial network.
24 Citations
Specification