METHODS AND SYSTEMS FOR USE IN IDENTIFYING ABNORMAL BEHAVIOR IN A CONTROL SYSTEM

US 20120304007A1
Filed: 05/23/2011
Published: 11/29/2012
Est. Priority Date: 05/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method for use in identifying abnormal behavior in a control system, said method comprising:

receiving, by a computing device, a plurality of operating events associated with a control system, wherein the operating events represent at least one physical operating event;

determining, by the computing device, an actual behavior of the control system based on the operating events;

comparing, by the computing device, the actual behavior to an expected behavior to determine whether the actual behavior differs from the expected behavior, wherein the expected behavior includes a correlation between a plurality of operating events associated with the control system;

receiving, by the computing device, an indication of whether the actual behavior is abnormal from a user when the actual behavior differs from the expected behavior; and

updating, by the computing device, the expected behavior based on the received indication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for use in identifying abnormal behavior in a control system. Operating events associated with a control system are received, and an actual behavior of the control system is determined based on the received operating events. The actual behavior is compared to expected behavior to determine whether the actual behavior differs from the expected behavior. The expected behavior includes a correlation between a plurality of operating events associated with the control system. The expected behavior is updated based on an indication of whether the actual behavior is abnormal from a user.

181 Citations

20 Claims

1. A method for use in identifying abnormal behavior in a control system, said method comprising:
- receiving, by a computing device, a plurality of operating events associated with a control system, wherein the operating events represent at least one physical operating event;
  
  determining, by the computing device, an actual behavior of the control system based on the operating events;
  
  comparing, by the computing device, the actual behavior to an expected behavior to determine whether the actual behavior differs from the expected behavior, wherein the expected behavior includes a correlation between a plurality of operating events associated with the control system;
  
  receiving, by the computing device, an indication of whether the actual behavior is abnormal from a user when the actual behavior differs from the expected behavior; and
  
  updating, by the computing device, the expected behavior based on the received indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method in accordance with claim 1, wherein the control system is an instance of a class of control system, comparing the actual behavior to the expected behavior comprises comparing the actual behavior to a plurality of event flows that are applicable to the class of control system.
  - 3. A method in accordance with claim 1, wherein comparing the actual behavior to the expected behavior comprises comparing the actual behavior to an artificial intelligence event correlation model.
  - 4. A method in accordance with claim 1, wherein updating the expected behavior comprises updating an artificial intelligence event correlation model.
  - 5. A method in accordance with claim 1, further comprising updating the expected behavior to include the determined actual behavior when the user indicates the actual behavior is normal.
  - 6. A method in accordance with claim 1, wherein the control system is associated with a controlled apparatus, receiving the plurality of operating events comprises:
    - receiving an internal operating event from a control device that is configured to control an operation of the controlled apparatus; and
      
      receiving an external operating event from a monitoring device that is configured to monitor an operating environment associated with the controlled apparatus.
  - 7. A method in accordance with claim 1, wherein the operating events are received at a first rate, said method further comprising receiving and logging the operating events at a second rate that is greater than the first rate when the actual behavior differs from the expected behavior.
  - 8. A method in accordance with claim 1, wherein determining the actual behavior based on the operating events comprises determining the actual behavior based on at least one of a power consumption and a temperature.
  - 9. A method in accordance with claim 1, wherein determining the actual behavior based on the operating events comprises determining the actual behavior based on a control message transmitted to a control device by a controller.

10. A system for use in identifying abnormal behavior in a control system, said system comprising:
- a storage device configured to store an expected behavior associated with a control system, wherein the expected behavior includes a correlation between a plurality of operating events;
  
  a communications unit configured to receive a plurality of operating events representing at least one physical operating event associated with the control system; and
  
  a processor unit coupled to said storage device and said communications unit, wherein said processor unit is programmed to;
  
  determine an actual behavior of the control system based on the operating events;
  
  compare the actual behavior to the expected behavior to determine whether the actual behavior differs from the expected behavior; and
  
  update the expected behavior based on an indication from a user of whether the actual behavior is abnormal.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. A system in accordance with claim 10, wherein said processor unit is programmed to compare the actual behavior to the expected behavior at least in part by comparing the actual behavior to a plurality of event flows that are applicable to the control system.
  - 12. A system in accordance with claim 11, wherein said processor unit is further programmed to compare the actual behavior to the expected behavior at least in part by comparing the actual behavior to an artificial intelligence event correlation model.
  - 13. A system in accordance with claim 10, wherein said communications unit is configured to receive a plurality of operating events at least in part by:
    - receiving an internal operating event from a control device that is configured to control an operation of the controlled apparatus; and
      
      receiving an external operating event from a monitoring device that is configured to monitor an operating environment associated with the controlled apparatus.
  - 14. A system in accordance with claim 10, wherein said communications unit is configured to receive a plurality of operating events at least in part by receiving at least one of a temperature, a sound pressure level, a structural load, and a vibration level.
  - 15. A system in accordance with claim 10, wherein the control system is located in a physical facility, and wherein said communications unit is configured to receive a plurality of operating events at least in part by receiving data representing a movement of a person within the physical facility.
  - 16. A system in accordance with claim 10, wherein said communications unit is configured to receive a plurality of operating events at least in part by receiving an event from at least one of an intrusion detection system and an advanced persistent threat monitoring system.
  - 17. A system in accordance with claim 10, wherein said processor unit is further programmed to determine whether the actual behavior differs from the expected behavior at least in part by comparing the actual behavior to an expected behavior that includes a correlation between a power consumption and a state of a controlled machine.

18. One or more computer readable media having computer-executable components, said components comprising:
- an event processor component that when executed by at least one processor unit causes the at least one processor unit to;
  
  receive a plurality of operating events including one or more physical operating events associated with a control system;
  
  a complex event processing component that when executed by at least one processor unit causes the at least one processor unit to;
  
  compare an actual behavior that is based on the operating events to an expected behavior that is based on one or more user-defined policies to determine whether the actual behavior differs from the expected behavior; and
  
  a machine learning component that when executed by at least one processor unit causes the at least one processor unit to;
  
  compare the actual behavior to an artificial intelligence event correlation model that is based on a plurality of past operating events to determine whether the actual behavior differs from the expected behavior; and
  
  a decision support component that when executed by at least one processor unit causes the at least one processor unit to;
  
  transmit an abnormal behavior notification when the actual behavior differs from the expected behavior.
- View Dependent Claims (19, 20)
- - 19. One or more computer readable media in accordance with claim 18, wherein said decision support component further causes the at least one processor unit to execute a predetermined corrective action when the actual behavior is abnormal, wherein the corrective action includes at least one of isolating a portion of the control system and disabling a portion of the control system.
  - 20. One or more computer readable media in accordance with claim 18, wherein the control system is located in a physical facility, and wherein said machine learning component further causes the at least one processor unit to create the artificial intelligence event correlation model based at least in part on past operating events representing a movement of a physical object within the physical facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Hanks, Carl J., Ayyagari, Arun, Dorris, Steven A.

Granted Patent

US 8,949,668 B2
Time in Patent Office

Days
Field of Search
US Class Current

714/26
CPC Class Codes

G05B 23/0216   Human interface functionali...

G05B 23/0229   knowledge based, e.g. exper...

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/12   specially adapted for propr...

H04L 69/40   for recovering from a failu...

METHODS AND SYSTEMS FOR USE IN IDENTIFYING ABNORMAL BEHAVIOR IN A CONTROL SYSTEM

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR USE IN IDENTIFYING ABNORMAL BEHAVIOR IN A CONTROL SYSTEM

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links