ANOMALY DETECTION SYSTEM, ANOMALY DETECTION METHOD, AND PROGRAM FOR THE SAME

US 20130245793A1
Filed: 01/26/2012
Published: 09/19/2013
Est. Priority Date: 03/28/2011
Status: Active Grant

First Claim

Patent Images

1. An anomaly detection system for detecting an anomaly in a network, the system comprising:

a plurality of industrial control systems (ICSs) connected to the network; and

an integrated analyzer for receiving an operating status of each ICS as monitoring data, specifying an ICS suspected of having an anomaly, and performing anomaly determination,wherein the system comprises, in each ICS;

a receiving unit for receiving data from another ICS;

a sending unit for sending data to the other ICS, and sending the monitoring data to the integrated analyzer;

a security policy including data recording and generation rules; and

a wrapper for controlling and sending the data to the other ICS, with reference to the security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anomaly detection system for detecting an anomaly within a network as a first embodiment in order to provide an anomaly detection system, anomaly detection method, and program for the same. An anomaly detection system which has a plurality of industrial control systems (hereinafter “ICS”s) which are connected to the network, an integrated analyzer which receives the operational status of each ICS as monitoring data in order to identify an ICS for which an anomaly is suspected so as to perform an anomaly assessment, a receiving unit provided for each ICS which receives data from other ICSs, a transmission unit which transmits data to other ICSs and transmits the monitoring data to the integrated analyzer, a security policy which includes recording of data and generation rules, and a wrapper which refers to the security policy in order to control the data so as to transmit the same to other ICSs.

22 Citations

View as Search Results

9 Claims

1. An anomaly detection system for detecting an anomaly in a network, the system comprising:
- a plurality of industrial control systems (ICSs) connected to the network; and
  
  an integrated analyzer for receiving an operating status of each ICS as monitoring data, specifying an ICS suspected of having an anomaly, and performing anomaly determination,wherein the system comprises, in each ICS;
  
  a receiving unit for receiving data from another ICS;
  
  a sending unit for sending data to the other ICS, and sending the monitoring data to the integrated analyzer;
  
  a security policy including data recording and generation rules; and
  
  a wrapper for controlling and sending the data to the other ICS, with reference to the security policy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, further comprisingmeans for the integrated analyzer to send a notification to shift to a pseudo normal mode, to the wrapper of the specified ICS,wherein the system comprises, in the wrapper:
    - a data controller for controlling the data sent to the other ICS;
      
      a data recorder for recording the data from the sending unit as pattern data, with reference to the security policy; and
      
      a data generator for generating sending data from the recorded data, with reference to the security policy, andwherein the system comprises, in response to reception of the notification to shift to the pseudo normal mode;
      
      means for the data recorder to record the data from the sending unit as real data;
      
      means for the data generator to generate the sending data from the pattern data; and
      
      means for the data controller to send the generated sending data to the other ICS.
  - 3. The system according to claim 2, further comprisingmeans for the integrated analyzer to send a notification to stop operation to the specified ICS, in the case where the specified ICS is determined to have an anomaly.
  - 4. The system according to claim 2, further comprisingmeans for the integrated analyzer to send a notification to shift to a normal mode to the specified ICS, in the case where the specified ICS is determined to have no anomaly.
  - 5. The system according to claim 4, further comprising:
    - means for the ICS receiving the notification to shift to the normal mode, to send the real data recorded in the pseudo normal mode to the other ICS simultaneously; and
      
      means for the ICS receiving the notification to shift to the normal mode, to delete the real data after completing the simultaneous sending.
  - 6. The system according to claim 5, further comprisingmeans for the other ICS to replace the data sent from the specified ICS in the pseudo normal mode, with the simultaneously sent real data.

7. A method for detecting an anomaly in a computer system connected via a network, the method comprising:
- a plurality of industrial control systems (ICSs) connected to the network; and
  
  an integrated analyzer for receiving an operating status of each ICS as monitoring data, specifying an ICS suspected of having an anomaly, and performing anomaly determination,wherein the method comprises, in each ICS;
  
  receiving data from another ICS;
  
  sending data to the other ICS, and sending the monitoring data to the integrated analyzer;
  
  a security policy including data recording and generation rules; and
  
  a step of controlling and sending the data to the other ICS, with reference to the security policy.

8. A computer program for detecting an anomaly in a plurality of industrial control systems (ICSs) connected to a network, the program comprising:
- an integrated analyzer for receiving an operating status of each ICS as monitoring data, specifying an ICS suspected of having an anomaly, and performing anomaly determination; and
  
  a security policy provided in each ICS and including data recording and generation rules, the program causing a computer of each ICS to execute;
  
  a function of receiving data from an other ICS;
  
  a function of sending data to the other ICS, and sending the monitoring data to the integrated analyzer; and
  
  a function of controlling and sending the data to the other ICS, with reference to the security policy.
- View Dependent Claims (9)
- - 9. A computer-readable recording medium storing the computer program of claim 8.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Akiyama, Kazuhito, Kudo, Michiharu, Wilson, John D., Mishina, Takuya

Granted Patent

US 9,529,690 B2
Time in Patent Office

Days
Field of Search
US Class Current

700/79
CPC Class Codes

G05B 11/01   electric

G05B 23/0262   Confirmation of fault detec...

G05B 23/027   Alarm generation, e.g. comm...

G06F 11/3466   Performance evaluation by t...

G06F 21/554   involving event detection a...

G06F 3/121   Facilitating exception or e...

G06F 3/1229   Printer resources managemen...

G06F 3/1273   Print job history, e.g. log...

G06F 3/1288   in client-server-printer de...

H04L 63/1425   Traffic logging, e.g. anoma...

H04N 1/00127   Connection or combination o...

ANOMALY DETECTION SYSTEM, ANOMALY DETECTION METHOD, AND PROGRAM FOR THE SAME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

ANOMALY DETECTION SYSTEM, ANOMALY DETECTION METHOD, AND PROGRAM FOR THE SAME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links