LIVE SERVICE ANOMALY DETECTION SYSTEM FOR PROVIDING CYBER PROTECTION FOR THE ELECTRIC GRID

US 20120284790A1
Filed: 05/02/2012
Published: 11/08/2012
Est. Priority Date: 09/11/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of improving security in an electrical grid network, comprising:

configuring a lifecycle map associated with an operation in the electrical grid network, the lifecycle map including at least a start configuration, a final configuration, and a plurality of valid events arranged to link the start configuration and the final configuration, the start configuration and the final configuration corresponding to particular states of the electrical grid network;

monitoring at least one of messages and device configurations in the electrical grid network to detect one or more live events associated with the operation; and

comparing the plurality of live events to the lifecycle map to identify an anomaly in the live events.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method of improving security in an electrical grid network. The method includes configuring a lifecycle map associated with an operation in the electrical grid network, the lifecycle map including at least a start configuration, a final configuration, and a plurality of valid events arranged to link the start configuration and the final configuration, the start configuration and the final configuration corresponding to particular states of the electrical grid network. The method also includes monitoring at least one of messages and device configurations in the electrical grid network to detect one or more live events associated with the operation and comparing the plurality of live events to the lifecycle map to identify an anomaly in the live events.

97 Citations

View as Search Results

20 Claims

1. A method of improving security in an electrical grid network, comprising:
- configuring a lifecycle map associated with an operation in the electrical grid network, the lifecycle map including at least a start configuration, a final configuration, and a plurality of valid events arranged to link the start configuration and the final configuration, the start configuration and the final configuration corresponding to particular states of the electrical grid network;
  
  monitoring at least one of messages and device configurations in the electrical grid network to detect one or more live events associated with the operation; and
  
  comparing the plurality of live events to the lifecycle map to identify an anomaly in the live events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - reporting the anomaly; and
      
      responsive to the reporting, changing configuration in at least one device to prevent an occurrence of a second operation in the electrical grid network.
  - 3. The method of claim 1, wherein the comparing includes:
    - detecting the anomaly if either (1) the plurality of live events does not include a corresponding live event for each of the plurality of valid events occurring in a path in the lifecycle map from the first configuration to the final configuration, or (2) at least one of the live events does not have a corresponding one of the valid events.
  - 4. The method of claim 3, wherein the detecting the anomaly comprises:
    - determining a first live event in the plurality of live events corresponding to a state transition to the final configuration; and
      
      determining whether all of the valid events in a path from the start configuration to the final configuration have a corresponding event in the plurality of live events by traversing the lifecycle map in reverse from the final configuration.
  - 5. The method of claim 1, wherein the monitoring comprises:
    - receiving live messages to or from a device in the electrical grid network; and
      
      parsing the received live messages in real-time to detect one of the live events associated with the final configuration.
  - 6. The method of claim 5, wherein the received live messages include messages generated corresponding to other messages in the electrical grid network or configuration changes in devices in the electrical grid network.
  - 7. The method of claim 5, wherein the messages include messages to or from smart meters or smart power generators in the electrical grid network at end-user premises.
  - 8. The method of claim 5, wherein the messages include messages to or from the device located in at least one of electricity distribution substations, electricity transmission substations, electricity generation plant or a control center for the electrical grid network.

9. A system for improving security and resiliency of an electrical grid network, comprising:
- a processor;
  
  a memory coupled to the processor;
  
  a process lifecycle map creator configured to be executed by the processor and further configured to configure, in the memory, a lifecycle map associated with an operation in the electrical grid network, wherein the lifecycle map includes at least a start configuration, a final configuration, and a plurality of valid events arranged to directly or indirectly link the start configuration and the final configuration, wherein the start configuration and the final configuration correspond to particular states of the electrical grid network;
  
  an event monitor configured to be executed by the processor and further configured to monitor at least one of messages and device configurations in the electrical grid network to detect a plurality of live events associated with the operation;
  
  an event comparing module configured to be executed by the processor and further configured to compare the plurality of live events to the lifecycle map to identify an anomaly in the plurality of live events; and
  
  an alerting module configured to be executed by the processor and further configured to report, based upon the comparing, the anomaly associated with the operation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, further comprising:
    - a configuration module configured to be executed by the processor and further configured to, responsive to the reporting, change configuration in at least one device to prevent an occurrence of a second operation in the electrical grid network.
  - 11. The system of claim 9, wherein the event comparing module is further configured to:
    - detect the anomaly if either (1) the plurality of live events does not include a corresponding live event for each of the plurality of valid events occurring in a path in the lifecycle map from the first configuration to the final configuration, or (2) at least one of the live events does not have a corresponding one of the valid events.
  - 12. The system of claim 11, wherein the detecting the anomaly comprises:
    - determining a first live event in the plurality of live events corresponding to a state transition to the final configuration; and
      
      determining whether all of the valid events in a path from the start configuration to the final configuration have a corresponding event in the plurality of live events by traversing the lifecycle map in reverse from the final configuration.
  - 13. The system of claim 9, wherein the event monitor is further configured to:
    - receive live messages to or from a device in the electrical grid network; and
      
      parse the received live messages in real-time to detect one of the live events associated with the final configuration.
  - 14. The system of claim 13, wherein the received live messages include messages generated corresponding to other messages in the electrical grid network or configuration changes in devices in the electrical grid network.
  - 15. The system of claim 13, wherein the messages include messages to or from smart meters or smart power generators in the electrical grid network at end-user premises.
  - 16. The system of claim 13, wherein the messages include messages to or from the device located in at least one of electricity distribution substations, electricity transmission substations, electricity generation plant or a control center for the electrical grid network.

17. A computer readable storage medium storing instructions thereon, the instructions, when executed by a processor, are configure to perform a method comprising:
- configuring a lifecycle map associated with an operation in the electrical grid network, wherein the lifecycle map includes at least a start configuration, a final configuration, and a plurality of valid events arranged to directly or indirectly link the start configuration and the final configuration, wherein the start configuration and the final configuration correspond to particular states of the electrical grid network;
  
  monitoring at least one of messages and device configurations in the electrical grid network to detect a plurality of live events associated with the operation; and
  
  comparing the plurality of live events to the lifecycle map to identify an anomaly in the plurality of live events.
- View Dependent Claims (18, 19, 20)
- - 18. The computer readable storage medium of claim 17, further comprising reporting the anomaly.
  - 19. The computer readable storage medium of claim 18, further comprising responsive to the reporting, changing configuration in at least one device to prevent an occurrence of a second operation in the electrical grid network.
  - 20. The computer readable storage medium of claim 19, wherein the monitoring comprises:
    - receiving live messages to or from a device in the electrical grid network; and
      
      parsing the received live messages in real-time to detect one of the live events associated with the final configuration.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Decision-Zone Inc.
Original Assignee
Decision-Zone Inc.
Inventors
BHARGAVA, Rajeev

Application Number

US13/462,543
Publication Number

US 20120284790A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 11/3612   by runtime analysis perform...

G06Q 10/063   Operations research, analys...

G06Q 10/06316   Sequencing of tasks or work

LIVE SERVICE ANOMALY DETECTION SYSTEM FOR PROVIDING CYBER PROTECTION FOR THE ELECTRIC GRID

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

LIVE SERVICE ANOMALY DETECTION SYSTEM FOR PROVIDING CYBER PROTECTION FOR THE ELECTRIC GRID

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others