Industrial dynamic anomaly detection method and apparatus

US 20060236374A1
Filed: 04/13/2005
Published: 10/19/2006
Est. Priority Date: 04/13/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for identifying anomalies in an industrial enterprise, the method comprising the steps of:

during a commissioning procedure;

operating the enterprise;

monitoring enterprise communications;

identifying characteristics of at least a subset of the monitored enterprise communications; and

storing at least a subset of the identified characteristics as allowed characteristics;

after commissioning;

operating the enterprise;

monitoring enterprise communications;

identifying characteristics of at least a subset of the monitored enterprise communications;

comparing identified characteristics to allowed characteristics; and

when an identified characteristic is different than the allowed characteristics, performing a secondary function.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for identifying anomalies in an industrial enterprise, the method comprising the steps of during a commissioning procedure, operating the enterprise, monitoring enterprise communications, identifying characteristics of at least a subset of the monitored enterprise communications and storing at least a subset of the identified characteristics as allowed characteristics, after commissioning, using the stored allowed characteristics to identify enterprise communication anomalies that occur during enterprise operation.

62 Citations

View as Search Results

21 Claims

1. A method for identifying anomalies in an industrial enterprise, the method comprising the steps of:
- during a commissioning procedure;
  
  operating the enterprise;
  
  monitoring enterprise communications;
  
  identifying characteristics of at least a subset of the monitored enterprise communications; and
  
  storing at least a subset of the identified characteristics as allowed characteristics;
  
  after commissioning;
  
  operating the enterprise;
  
  monitoring enterprise communications;
  
  identifying characteristics of at least a subset of the monitored enterprise communications;
  
  comparing identified characteristics to allowed characteristics; and
  
  when an identified characteristic is different than the allowed characteristics, performing a secondary function.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the identified characteristics include at least a subset of communication protocol characteristics, activities associated with the communications and values expressed via the communications.
  - 3. The method of claim 1 wherein the enterprise includes at least one interface, the method further including the steps of, during the commissioning procedure, via the interface, receiving input specifying at least a subset of user specified characteristics and storing the user specified characteristics as allowed characteristics.
  - 4. The method of claim 1 wherein the secondary function includes at least a subset of generating a notice of the identified characteristic, halting transfer of the communication associated with the identified characteristic and identifying the source of the communication associated with the identified characteristic.
  - 5. The method of claim 4 wherein, when a communication source is identified, the method further includes requesting affirmation from the source that the communication was intended.
  - 6. The method of claim 1 for use with a firewall that applies firewall rules to limit communications of the enterprise wherein the secondary function includes altering firewall rules.
  - 7. The method of claim 6 wherein the step of altering the firewall rules includes changing the firewall rules so that communications including the identified characteristic are halted at the firewall.
  - 8. The method of claim 1 wherein the step of comparing includes identifying an anomaly when the identified characteristic is different than the allowed characteristics and wherein the method further includes the step of, prior to performing the secondary function, identifying the general type of anomaly that occurred and identifying a specific secondary function associated with the identified anomaly type.
  - 9. The method of claim 8 further including the step of providing an anomaly type/secondary function database that correlates general anomaly types with secondary functions and wherein the steps of identifying the general type of anomaly and the secondary function include accessing the anomaly type/secondary function database.
  - 10. The method of claim 1 wherein the enterprise includes at least one interface, the method further including the steps of, during the commissioning procedure, via the interface, receiving input specifying at least a subset of user specified characteristics and storing the user specified characteristics as user specified anomalies.

11. A method for configuring an enterprise to ignore communication anomalies where the enterprise includes at least one interface, the method comprising the steps of:
- providing an allowed characteristic database that specifies characteristics of communications allowed on the enterprise;
  
  while the enterprise is operating;
  
  monitoring enterprise communications;
  
  identifying characteristics of the monitored communications;
  
  comparing the identified characteristics to the allowed characteristics;
  
  when an identified characteristic is different than the allowed characteristics, indicating the identified characteristic via the interface;
  
  via the interface, receiving an indication that the identified characteristic is an allowed characteristic; and
  
  adding the identified characteristic to the allowed characteristic database.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11 wherein the identified characteristics include at least a subset of communication protocol characteristics, activities associated with the communications and values expressed via the communications.
  - 13. The method of claim 11 for use with a firewall that applies firewall rules to limit communications on the enterprise, the method further including altering the firewall rules as a function of the received indication.

14. A method for identifying anomalies in an industrial enterprise, the method comprising the steps of:
- during a commissioning procedure;
  
  operating the enterprise;
  
  monitoring enterprise communications;
  
  identifying characteristics of at least a subset of the monitored enterprise communications; and
  
  storing at least a subset of the identified characteristics as allowed characteristics;
  
  after commissioning, using the stored allowed characteristics to identify enterprise communication anomalies that occur during enterprise operation.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 wherein the step of operating the enterprise includes simulating enterprise operations in software.
  - 16. The method of claim 14 wherein using the stored allowed characteristics to identify enterprise communications includes:
    - operating the enterprise;
      
      monitoring enterprise communications;
      
      identifying characteristics of at least a subset of the monitored enterprise communications;
      
      comparing identified characteristics to allowed characteristics; and
      
      when an identified characteristic is different than the allowed characteristics, performing a secondary function.
  - 17. The method of claim 14 for use with a firewall that applies firewall rules to limit communications on the enterprise wherein, when an anomaly is identified, the method further including the step of altering the firewall rules.

18. A method for use with a firewall that applies firewall rules to limit communications on an enterprise network, the method for identifying anomalistic communications that occur within the enterprise and altering the firewall rules, the method comprising the steps of:
- specifying allowed communication characteristics;
  
  operating the enterprise;
  
  monitoring enterprise communications;
  
  identifying characteristics of at least a subset of the monitored enterprise communications;
  
  comparing the identified characteristics to the allowed communication characteristics; and
  
  when the identified characteristics are different than the allowed characteristics, altering the firewall rules.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18 wherein the step of altering the firewall rules includes changing the rules so that the firewall halts communications having the identified characteristics.
  - 20. The method of claim 18 wherein the step of specifying allowed communication characteristics includes monitoring enterprise communication characteristics during a commissioning procedure and storing the characteristics for subsequent use.

21. An apparatus for identifying anomalies in an industrial enterprise, the apparatus comprising:
- a processor that is programmed to perform the steps of;
  
  during a commissioning procedure;
  
  operating the enterprise;
  
  monitoring enterprise communications;
  
  identifying characteristics of at least a subset of the monitored enterprise communications; and
  
  storing at least a subset of the identified characteristics as allowed characteristics; and
  
  after the commissioning procedure, using the stored allowed characteristics to identify enterprise communication anomalies that occur during enterprise operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Original Assignee
Rockwell Automation Technologies Incorporated (Allen-Bradley Co., Inc.)
Inventors
Hartman, Justin

Application Number

US11/104,750
Publication Number

US 20060236374A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Industrial dynamic anomaly detection method and apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

62 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Industrial dynamic anomaly detection method and apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links