METHOD FOR MITIGATION OF CYBER ATTACKS ON INDUSTRIAL CONTROL SYSTEMS
Abstract
Methods and systems for detecting a potential compromise of cyber security in an industrial network are disclosed. These methods and systems comprise elements of hardware and software for establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation; establishing a threshold representing the probability below which a sequence of network states is anomalous; determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and, taking protective action according to whether the determined probability is below the established threshold.
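A minimal sketch of the steps the abstract lists (transition-probability baseline, threshold, sequence probability, decision), added here as an illustration and not taken from the patent. The state labels, the fixed scoring window, the `FLOOR` value for unseen transitions and the threshold are all assumptions; the protective action is left to the caller.

```python
import math
from collections import Counter, defaultdict

FLOOR = 1e-6  # assumed probability for a transition never seen in the baseline

def build_baseline(normal_sequences):
    """Estimate P(next_state | state) from sequences seen in normal operation."""
    counts = defaultdict(Counter)
    for seq in normal_sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(nxt.values()) for b, n in nxt.items()}
            for a, nxt in counts.items()}

def sequence_log_prob(baseline, seq):
    """Log-probability of the sequence's transitions under the baseline."""
    return sum(math.log(baseline.get(a, {}).get(b, FLOOR))
               for a, b in zip(seq, seq[1:]))

def anomalous_windows(baseline, stream, window, threshold):
    """Return (start_index, probability) for each window scoring below threshold.

    A fixed window keeps scores comparable: the raw probability of a sequence
    shrinks with its length, so one threshold only makes sense per length.
    """
    hits = []
    for i in range(len(stream) - window + 1):
        p = math.exp(sequence_log_prob(baseline, stream[i:i + window]))
        if p < threshold:
            hits.append((i, p))
    return hits

# Constructed sample data: states are hypothetical labels derived from packets.
NORMAL = [["READ", "READ", "READ", "WRITE", "READ",
           "READ", "READ", "WRITE", "READ"]] * 20
BASELINE = build_baseline(NORMAL)
THRESHOLD = 1e-3  # assumed site-specific threshold
OBSERVED = ["READ", "READ", "WRITE", "READ", "READ", "STOP", "WRITE", "READ"]
ALERTS = anomalous_windows(BASELINE, OBSERVED, window=4, threshold=THRESHOLD)

if __name__ == "__main__":
    for start, p in ALERTS:
        print(f"window at {start}: p={p:.2e} below threshold, raise alert")
```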
13 Claims
1. A method for detecting a potential compromise of cyber security in a network utilizing a protocol for controlling an industrial process, comprising:
- establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation;
- establishing a threshold representing the probability below which a sequence of network states is anomalous;
- determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and
- taking protective action according to whether the determined probability is below the established threshold.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
12. A computer system for detecting a potential compromise of cyber security in an industrial network, comprising:
- a storage medium for storing computer components; and
- a computerized processor for executing the computer components comprising; a first computer component for establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation; a second computer component for establishing a threshold representing the probability below which a sequence of network states is anomalous; a third computer component for determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and
- a fourth computer component for taking protective action according to whether the determined probability is below the established threshold.
13. A computer-usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to detecting a potential compromise of cyber security in an industrial network, by performing the following steps when such program is executed on the system, the steps comprising:
- establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation;
- establishing a threshold representing the probability below which a sequence of network states is anomalous;
- determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and
- taking protective action according to whether the determined probability is below the established threshold.
Specification