MALICIOUS ATTACK DETECTION AND ANALYSIS

US 20110288692A1
Filed: 05/09/2011
Published: 11/24/2011
Est. Priority Date: 05/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method of characterizing malicious activity in an intelligent utility grid system, the method executable by a computer having at least one processor and at least one memory, comprising:

receiving, by the at least one processor, information-technology (IT) data including IT-related activity from the intelligent grid system;

receiving, by the at least one processor, non-IT data including location-specific event data from a plurality of electronic sources;

pre-processing, by the at least one processor, the non-IT data including;

disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;

applying, by the at least one processor, a plurality of rules to the pre-processed non-IT data to;

associate an undesired event with reference to the IT-related activity; and

determine a probability that the undesired event is indicative of malicious activity; and

applying, by the at least one processor, a risk characterization to the undesired event based on the probability and the IT-related activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for characterizing malicious activity in an intelligent utility grid system includes a system storage in which to store a database including a plurality of rules. A collector is operable to collect and store in the system storage information-technology (IT) data including IT-related activity from the intelligent grid system. A complex event processing (CEP) bus is operable to receive non-IT data including location-specific event data from a plurality of electronic sources, the CEP bus further operable to disregard the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events. A processor is operable to apply the plurality of rules to the relevant non-IT data to: associate an undesired event with reference to the IT-related activity; and determine a probability that the undesired event is indicative of malicious activity. The processor further applies a risk characterization to the undesired event based on the probability and the IT-related activity.

184 Citations

24 Claims

1. A method of characterizing malicious activity in an intelligent utility grid system, the method executable by a computer having at least one processor and at least one memory, comprising:
- receiving, by the at least one processor, information-technology (IT) data including IT-related activity from the intelligent grid system;
  
  receiving, by the at least one processor, non-IT data including location-specific event data from a plurality of electronic sources;
  
  pre-processing, by the at least one processor, the non-IT data including;
  
  disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
  
  applying, by the at least one processor, a plurality of rules to the pre-processed non-IT data to;
  
  associate an undesired event with reference to the IT-related activity; and
  
  determine a probability that the undesired event is indicative of malicious activity; and
  
  applying, by the at least one processor, a risk characterization to the undesired event based on the probability and the IT-related activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, where the undesired event has not yet occurred.
  - 3. The method of claim 1, where the risk characterization comprises an engineering risk or a security risk.
  - 4. The method of claim 1, where applying the plurality of rules comprises comparing predetermined criteria to the non-IT data for which one of a plurality of different probability levels is generated.
  - 5. The method of claim 4, where the probability level is generated based on a co-existence of a threat and a corresponding vulnerability found in the IT-related or non-IT data that is exploitable by the threat.
  - 6. The method of claim 4, where the probability level is generated as a sum of:
    - (1) a product of a probability of occurrence of a specific malicious attack and a probability of existence of a vulnerability exploitable by the specific malicious attack; and
      
      (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard.
  - 7. The method of claim 1, where the non-IT data further includes historical data retrieved from:
    - event logs, geographical locations associated with corresponding parts of the intelligent utility grid system, and from operational data; and
      
      where applying the plurality of rules includes comparing the IT-related activity to the historical data.
  - 8. The method of claim 1, where at least part of the IT-related activity comprises an event message from a smart meter;
    - and applying the risk characterization includes determining an area within the intelligent utility grid system where the malicious activity is occurring.
  - 9. The method of claim 1, where the non-IT data further includes:
    - grid analog measurements comprising phasor measurements; and
      
      a list of high-value targets and corresponding geographic locations.
  - 10. The method of claim 1, where the electronic sources of non-IT data include one or a combination of the following inputs:
    - a weather feed;
      
      a disturbance recorder feed;
      
      a digital fault recorder feed;
      
      a harmonic recorder feed;
      
      a power quality monitor feed;
      
      a device status;
      
      a connectivity state;
      
      a control limit;
      
      US CERT feeds;
      
      GPS feeds;
      
      a Power Management Unit (PMU) feed;
      
      sensor feeds;
      
      load forecasts; and
      
      renewable generation forecasts.

11. A system for characterizing malicious activity in an intelligent utility grid system, comprising:
- a system storage in which to store a database including a plurality of rules;
  
  a collector operable to collect and store in the system storage information-technology (IT) data including IT-related activity from the intelligent grid system;
  
  a complex event processing (CEP) bus operable to receive non-IT data including location-specific event data from a plurality of electronic sources, the CEP bus further operable to disregard the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
  
  a processor operable to apply the plurality of rules to the relevant non-IT data to;
  
  associate an undesired event with reference to the IT-related activity; and
  
  determine a probability that the undesired event is indicative of malicious activity; and
  
  the processor further to apply a risk characterization to the undesired event based on the probability and the IT-related activity.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, further comprising the CEP bus coupled with one or a combination of the following electronic sources of non-IT data:
    - a Web-crawling device;
      
      a search engine-capable computing device;
      
      a Web-access device;
      
      a GPS device;
      
      a social-media-thread monitoring device;
      
      a thermometer; and
      
      an emergency response communicator.
  - 13. The system of claim 11, where the undesired event has not yet occurred, and where the risk characterization comprises an engineering risk or a security risk.
  - 14. The system of claim 11, where to apply the plurality of rules, the processor compares predetermined criteria to the non-IT data for which one of a plurality of different probability levels is generated.
  - 15. The system of claim 14, where the probability level is generated based on a co-existence of a threat and a corresponding vulnerability found in the IT-related or non-IT data that is exploitable by the threat.
  - 16. The system of claim 11, where the non-IT data further includes historical data from retrieved from:
    - event logs, geographical location associated with corresponding parts of the intelligent utility grid system, and from operational data; and
      
      where the processor applies the plurality of rules by comparing the IT-related activity to the historical data.
  - 17. The system of claim 11, where at least part of the IT-related activity comprises an event message from a smart meter;
    - and the processor applies the risk characterization by determining an area within the intelligent utility grid system where the malicious activity is occurring.
  - 18. The system of claim 11, where the non-IT data further includes:
    - grid analog measurements comprising phasor measurements; and
      
      a list of high-value targets and corresponding geographic locations.

19. A computer-readable storage medium comprising a set of instructions for characterizing malicious activity in an intelligent utility grid system executable by a computer having a processor and memory, the computer-readable medium comprising:
- instructions to receive information-technology (IT) data including IT-related activity from the intelligent grid system;
  
  instructions to receive non-IT data including location-specific event data from a plurality of electronic sources;
  
  instructions to pre-process the non-IT data including;
  
  disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
  
  instructions to apply a plurality of rules to the pre-processed non-IT data to;
  
  associate an undesired event with reference to the IT-related activity; and
  
  determine a probability that the undesired event is indicative of malicious activity; and
  
  instructions to apply a risk characterization to the undesired event based on the probability and the IT-related activity.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The computer-readable storage medium of claim 19, where at least part of the IT-related activity comprises an event message from a smart meter;
    - and to apply the risk characterization, the instructions to determine an area within the intelligent utility grid system where the malicious activity is occurring.
  - 21. The computer-readable storage medium of claim 19, where the non-IT data further includes historical data retrieved from:
    - event logs, geographical locations associated with corresponding parts of the intelligent utility grid system, and from operational data; and
      
      to apply the plurality of rules, the instructions further to compare the IT-related activity to the historical data.
  - 22. The computer-readable storage medium of claim 19, where the risk characterization comprises an engineering risk or a security risk.
  - 23. The computer-readable storage medium of claim 19, where to apply the plurality of rules, the instructions further to compare predetermined criteria to the non-IT data for which one of a plurality of different probability levels is generated, where the criteria includes one or a combination of:
    - temperature, dollars, social networking statistics.
  - 24. The computer-readable storage medium of claim 23, where the probability level is generated based on a co-existence of a threat and a corresponding vulnerability found in the IT-related or non-IT data that is exploitable by the threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services GmbH (Accenture PLC)
Inventors
Scott, Anthony David

Granted Patent

US 8,712,596 B2
Time in Patent Office

Days
Field of Search
US Class Current

700/297
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H02J 3/00   Circuit arrangements for ac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Y02E 40/70   Smart grids as climate chan...

Y02E 60/00   Enabling technologies; Tech...

Y04S 10/00   Systems supporting electric...

Y04S 10/22   Flexible AC transmission sy...

Y04S 40/20   Information technology spec...

MALICIOUS ATTACK DETECTION AND ANALYSIS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

184 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

MALICIOUS ATTACK DETECTION AND ANALYSIS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links