Industrial dynamic anomaly detection method and apparatus
Abstract
A method and apparatus for identifying anomalies in an industrial enterprise, the method comprising the steps of: during a commissioning procedure, operating the enterprise, monitoring enterprise communications, identifying characteristics of at least a subset of the monitored enterprise communications, and storing at least a subset of the identified characteristics as allowed characteristics; and, after commissioning, using the stored allowed characteristics to identify enterprise communication anomalies that occur during enterprise operation.
21 Claims
1. A method for identifying anomalies in an industrial enterprise, the method comprising the steps of:
- during a commissioning procedure:
  - operating the enterprise;
  - monitoring enterprise communications;
  - identifying characteristics of at least a subset of the monitored enterprise communications; and
  - storing at least a subset of the identified characteristics as allowed characteristics;
- after commissioning:
  - operating the enterprise;
  - monitoring enterprise communications;
  - identifying characteristics of at least a subset of the monitored enterprise communications;
  - comparing identified characteristics to allowed characteristics; and
  - when an identified characteristic is different than the allowed characteristics, performing a secondary function.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. A method for configuring an enterprise to ignore communication anomalies where the enterprise includes at least one interface, the method comprising the steps of:
- providing an allowed characteristic database that specifies characteristics of communications allowed on the enterprise;
- while the enterprise is operating:
  - monitoring enterprise communications;
  - identifying characteristics of the monitored communications;
  - comparing the identified characteristics to the allowed characteristics;
  - when an identified characteristic is different than the allowed characteristics, indicating the identified characteristic via the interface;
  - via the interface, receiving an indication that the identified characteristic is an allowed characteristic; and
  - adding the identified characteristic to the allowed characteristic database.
(Dependent claims: 12, 13)
14. A method for identifying anomalies in an industrial enterprise, the method comprising the steps of:
- during a commissioning procedure:
  - operating the enterprise;
  - monitoring enterprise communications;
  - identifying characteristics of at least a subset of the monitored enterprise communications; and
  - storing at least a subset of the identified characteristics as allowed characteristics;
- after commissioning, using the stored allowed characteristics to identify enterprise communication anomalies that occur during enterprise operation.
(Dependent claims: 15, 16, 17)
18. A method for use with a firewall that applies firewall rules to limit communications on an enterprise network, the method for identifying anomalistic communications that occur within the enterprise and altering the firewall rules, the method comprising the steps of:
- specifying allowed communication characteristics;
- operating the enterprise;
- monitoring enterprise communications;
- identifying characteristics of at least a subset of the monitored enterprise communications;
- comparing the identified characteristics to the allowed communication characteristics; and
- when the identified characteristics are different than the allowed characteristics, altering the firewall rules.
(Dependent claims: 19, 20)
21. An apparatus for identifying anomalies in an industrial enterprise, the apparatus comprising:
- a processor that is programmed to perform the steps of:
  - during a commissioning procedure:
    - operating the enterprise;
    - monitoring enterprise communications;
    - identifying characteristics of at least a subset of the monitored enterprise communications; and
    - storing at least a subset of the identified characteristics as allowed characteristics; and
  - after the commissioning procedure, using the stored allowed characteristics to identify enterprise communication anomalies that occur during enterprise operations.
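
The commissioning and comparison steps of claims 1 and 14, together with the operator-approval loop of claim 11, can be sketched as follows. This is an added example, not code from the patent; it assumes a characteristic is a (source, destination, protocol, port) tuple and that the "secondary function" is queuing the anomaly for operator review, neither of which the claims specify. The class, function and host names are hypothetical.

```python
from dataclasses import dataclass, field

# Assumption: one characteristic = (source, destination, protocol, port).

@dataclass
class AnomalyMonitor:
    allowed: set = field(default_factory=set)    # allowed characteristic database
    pending: list = field(default_factory=list)  # anomalies indicated on the interface
    commissioning: bool = True

    def observe(self, src, dst, proto, port):
        """Classify one monitored communication: 'learned', 'allowed' or 'anomaly'."""
        c = (src, dst, proto, port)
        if self.commissioning:
            self.allowed.add(c)          # store as an allowed characteristic
            return "learned"
        if c in self.allowed:
            return "allowed"
        if c not in self.pending:
            self.pending.append(c)       # secondary function (assumed): queue for review
        return "anomaly"

    def end_commissioning(self):
        self.commissioning = False

    def approve(self, c):
        """Operator marks a flagged characteristic as allowed (claim 11)."""
        if c not in self.pending:
            raise ValueError("characteristic was never flagged")
        self.pending.remove(c)
        self.allowed.add(c)

def replay(monitor, commissioning_traffic, production_traffic):
    """Learn from commissioning traffic, then classify production traffic."""
    for msg in commissioning_traffic:
        monitor.observe(*msg)
    monitor.end_commissioning()
    return [monitor.observe(*msg) for msg in production_traffic]

# Constructed sample traffic, not taken from the patent.
COMMISSIONING = [("hmi-1", "plc-1", "modbus", 502),
                 ("plc-1", "historian", "opc-ua", 4840),
                 ("hmi-1", "plc-1", "modbus", 502)]
PRODUCTION = [("hmi-1", "plc-1", "modbus", 502),
              ("laptop-7", "plc-1", "modbus", 502),
              ("plc-1", "historian", "opc-ua", 4840),
              ("hmi-1", "plc-1", "http", 80)]

if __name__ == "__main__":
    mon = AnomalyMonitor()
    print(replay(mon, COMMISSIONING, PRODUCTION))
    print("awaiting operator review:", mon.pending)
```

Everything observed during commissioning becomes part of the baseline, so the allowed set is only as trustworthy as the traffic on the network while it was being learned.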
Specification