METHOD FOR MITIGATION OF CYBER ATTACKS ON INDUSTRIAL CONTROL SYSTEMS

US 20170054751A1
Filed: 08/20/2015
Published: 02/23/2017
Est. Priority Date: 08/20/2015
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a potential compromise of cyber security in a network utilizing a protocol for controlling an industrial process, comprising:

establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation;

establishing a threshold representing the probability below which a sequence of network states is anomalous;

determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and

,taking protective action according to whether the determine(probability is below the established threshold.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for detecting a potential compromise of cyber security in an industrial network are disclosed. These methods and systems comprise elements of hardware and software for establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation; establishing a threshold representing tile probability below which a sequence of network states is anomalous; determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and, taking protective action according to whether the determined probability is below the established threshold.

35 Citations

View as Search Results

13 Claims

1. A method for detecting a potential compromise of cyber security in a network utilizing a protocol for controlling an industrial process, comprising:
- establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation;
  
  establishing a threshold representing the probability below which a sequence of network states is anomalous;
  
  determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and
  
  ,taking protective action according to whether the determine(probability is below the established threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities comprises:
    - analyzing a series of packets representing normal network behavior, to determine a temporal sequence of network states; and
      
      ,computing the probability of a first network state being followed temporally by a second network state, according to the number of times that the first network state is followed temporally by the second network state in the determined temporal sequence of network states.
  - 3. The method of claim 1, wherein the particular stream of packets comprises packets received in monitoring the operation of the industrial network for potential cyberattack.
  - 4. The method of claim 1, wherein the industrial network utilizes the Modbus protocol.
  - 5. The method of claim 1, wherein the industrial network utilizes Distributed Network Protocol 3 (DNP3).
  - 6. The method of claim 1, wherein the sequence of network states derived from a particular stream of packets includes k successive network states, where k is greater than two.
  - 7. The method of claim 1, wherein the taking protective action comprises raising an alert.
  - 8. The method of claim 1, wherein the taking protective action comprises blocking a packet.
  - 9. The method of claim 1, wherein the taking protective action comprises disabling a node in the network.
  - 10. The method of claim 1, wherein the analyzing a series of packets representing normal network behavior, to determine a temporal sequence of network states comprises determining a network state according to the combination of Modbus source, Modbus destination, and Modbus function fields in the analyzed packet.
  - 11. The method of claim 1, wherein the alert comprises forensic data.

12. A computer system for detecting a potential compromise of cyber security in an industrial network, comprising:
- a storage medium for storing computer components; and
  
  ,a computerized processor for executing the computer components comprising;
  
  a first computer component for establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation;
  
  a second computer component for establishing a threshold representing the probability below which a sequence of network states is anomalous;
  
  a third computer component for determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network;
  
  behavior; and
  
  ,a fourth computer component for taking protective action according to whether the determined probability is below the established threshold.

13. A computer-usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system to detecting a potential compromise of cyber security in an industrial network, by performing the following steps when such program is executed on the system, the steps comprising:
- establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation;
  
  establishing a threshold representing the probability below which a sequence of network states is anomalous;
  
  determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and
  
  ,taking protective action according to whether the determined probability is below the established threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Cyberx Israel Limited
Inventors
SCHNEIDER, Omer, GILLER, Nir

Granted Patent

US 10,015,188 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G05B 23/0254   based on a quantitative mod...

G06F 21/55   Detecting local intrusion o...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 67/12   specially adapted for propr...

METHOD FOR MITIGATION OF CYBER ATTACKS ON INDUSTRIAL CONTROL SYSTEMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

35 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR MITIGATION OF CYBER ATTACKS ON INDUSTRIAL CONTROL SYSTEMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links