APPARATUS AND METHOD FOR DETECTING ANOMALITY SIGN IN CONTROLL SYSTEM

US 20140298399A1
Filed: 06/26/2013
Published: 10/02/2014
Est. Priority Date: 03/29/2013
Status: Active Grant

First Claim

Patent Images

1. An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus comprising:

an information collection module configured to collect system information, network information, security event information or transaction information in interworking with the control equipments, network equipments, security equipments or server equipments;

storage module that stores the information collected by the information collection module; and

an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus includes an information collection module configured to collect system information, network information, security event information or transaction information in interworking with a control equipments, network equipments, security equipments or server equipments. The apparatus includes storage module that stores the information collected by the information collection module. The apparatus includes an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system.

Citations

12 Claims

1. An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus comprising:
- an information collection module configured to collect system information, network information, security event information or transaction information in interworking with the control equipments, network equipments, security equipments or server equipments;
  
  storage module that stores the information collected by the information collection module; and
  
  an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, wherein the system information comprises a usage rate of central processing units (CPUs) in the respective equipments in the control system, a state of process activities, a size of files being processed by the respective equipments or an occupancy rate of central processing units of the files in the respective equipments in the control system.
  - 3. The apparatus of claim 1, wherein the security event information comprises a source address of a medium to access any equipment in the control system, a destination address, a source port number or a destination port number.
  - 4. The apparatus of claim 1, wherein the network information comprises an amount of traffics generated from the respective equipments in the control system, the number of transmitted packets, the number of connection requests, the number of simultaneous connection requests, the duration time of network connection or the number of rejected connection requests.
  - 5. The apparatus of claim 1, wherein the abnormality detection module is configured to analyze the correlation between the collected information and the prescribed security policy based on a policy, profiling or context recognition.
  - 6. The apparatus of claim 1, wherein the information collection module comprises:
    - a system information manager configured to collect the system information from the respective equipments in the control system for the management thereof;
      
      a component manager configured to collect information on network nodes and end systems connected to a network in interworking with the respective equipments in the control system and the other end systems which exchange authenticated data for the management thereof;
      
      a security event information manager configured to manage a security event information including a connection attempt of unauthorized users, an alarm for an excess of maximum connections, an alarm for an excess of maximum simultaneous connections, an alarm for an excess of minimum idle times or maximum idle times, an alarm for a buffer overflow or a buffer underflow, an alarm for a deformed PDU or a modulated PDU, an alarm for a power loss, an alarm for a power supply, an alarm for a communication media loss, an alarm for communication media connection, an alarm for a door open, an alarm for sensors exceeding the limit value, an alarm for an excess of the largest traffic cycle settings, an alarm for an excess of maximum traffic volume settings, or an alarm to imply that a synchronization is out of the required precision; and
      
      a control facility profiling configured to manage information including detection of the connection status or the disconnection status of end systems to a network, detection of status of network nodes that are newly added, or detection of new paths.

7. A method for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the method comprising:
- collecting system information, network information, security event information or transaction information in interworking with the control equipments, network equipments, security equipments or server equipments;
  
  deriving, in response to a request to detect the abnormality sign, a correlation between the collected information and a prescribed security policy; and
  
  detecting whether there is the abnormality sign based on the derived correlation.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein said collecting the information comprises:
    - collecting the system information including a usage rate of central processing units (CPUs) in the respective equipments in the control system, a state of process activities, a size of files being processed by the respective equipments or an occupancy rate of central processing units of the files in the respective equipments in the control system.
  - 9. The method of claim 7, wherein said collecting the information comprises:
    - collecting the security event information including a source address of a medium to access any equipment in the control system, a destination address, a source port number or a destination port number.
  - 10. The method of claim 7, wherein the security event information comprises a connection attempt of unauthorized users, an alarm for an excess of maximum connections, an alarm for an excess of maximum simultaneous connections, an alarm for an excess of minimum idle times or maximum idle times, an alarm for a buffer overflow or a buffer underflow, an alarm for a deformed PDU or a modulated PDU, an alarm for a power loss, an alarm for a power supply, an alarm for a communication media loss, an alarm for communication media connection, an alarm for a door open, an alarm for sensors exceeding the limit value, an alarm for an excess of the largest traffic cycle settings, an alarm for an excess of maximum traffic volume settings, or an alarm to imply that a synchronization is out of the required precision.
  - 11. The method of claim 7, wherein said collecting the information comprises:
    - collecting the network information including an amount of traffics generated from the respective equipments in the control system, the number of transmitted packets, the number of connection requests, the number of simultaneous connection requests, the duration time of network connection or the number of rejected connection requests.
  - 12. The method of claim 7, wherein said deriving the correlation comprises:
    - analyzing the correlation between the collected information and the prescribed security policy based on a policy, profiling, or context recognition to derive the correlation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
HEO, Youngjun, SOHN, Seon-Gyoung, KANG, Dong Ho, KIM, Byoung-Koo, NA, Jung-Chan, KIM, Ik Kyun

Granted Patent

US 9,130,983 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

APPARATUS AND METHOD FOR DETECTING ANOMALITY SIGN IN CONTROLL SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR DETECTING ANOMALITY SIGN IN CONTROLL SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links