SYSTEMS AND METHODS FOR IDENTIFYING COMPROMISED DEVICES WITHIN INDUSTRIAL CONTROL SYSTEMS
Abstract
The disclosed computer-implemented method for identifying compromised devices within industrial control systems may include (1) monitoring network traffic within a network that facilitates communication for an industrial control system that includes an industrial device, (2) creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes (A) a network protocol used to communicate with the industrial device and (B) normal communication patterns of the industrial device, (3) detecting at least one message that involves the industrial device and at least one other computing device included in the industrial control system, (4) determining, by comparing the message with the message protocol profile, that the message represents an anomaly, and then (5) determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised. Various other methods, systems, and computer-readable media are also disclosed.
20 Claims
1. A computer-implemented method for identifying compromised devices within industrial control systems, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- monitoring network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;
- creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes:
  - a network protocol used to communicate with the industrial device via the network;
  - normal communication patterns of the industrial device;
- detecting at least one message within the network that involves the industrial device and at least one other computing device included in the industrial control system;
- determining, by comparing the message with the message protocol profile for the industrial device, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device;
- determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. A system for identifying compromised devices within industrial control systems, the system comprising:
- a monitoring module, stored in memory, that monitors network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;
- a profiling module, stored in memory, that creates, based at least in part on the network traffic, a message protocol profile for the industrial device that describes:
  - a network protocol used to communicate with the industrial device via the network;
  - normal communication patterns of the industrial device;
- a detection module, stored in memory, that detects at least one message within the network that involves the industrial device and at least one other computing device;
- a determination module, stored in memory, that:
  - determines, by comparing the message with the message protocol profile for the industrial device, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device;
  - determines, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised;
- at least one physical processor that executes the monitoring module, the profiling module, the detection module, and the determination module.

Dependent claims: 13, 14, 15, 16, 17, 18, 19.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- monitor network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;
- create, based at least in part on the network traffic, a message protocol profile for the industrial device that describes:
  - a network protocol used to communicate with the industrial device via the network;
  - normal communication patterns of the industrial device;
- detect at least one message within the network that involves the industrial device and at least one other computing device included in the industrial control system;
- determine, by comparing the message with the message protocol profile for the industrial device, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device;
- determine, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.
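As an added illustration (not code from the patent or its assignee), the following Python sketches the pipeline the claims describe for one industrial device: learn a message protocol profile from baseline traffic, compare later messages against it, and attribute each anomaly to the other computing device involved rather than to the industrial device itself. The host names, the Modbus/TCP-style message fields and the sample traffic are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Message:
    src: str       # sending host
    dst: str       # receiving host
    protocol: str  # protocol label (constructed, e.g. "modbus/tcp")
    function: int  # protocol function code
    register: int  # register/address the message touches

@dataclass
class ProtocolProfile:  # one profile per industrial device
    device: str
    protocols: set = field(default_factory=set)  # protocols used to reach the device
    peer_functions: dict = field(default_factory=lambda: defaultdict(set))  # peer -> function codes

def peer_of(profile, m):  # the "other computing device" in a message involving the profiled device
    return m.src if m.dst == profile.device else m.dst

def build_profile(device, baseline):  # the "creating" step: learn from traffic assumed clean
    p = ProtocolProfile(device)
    for m in (m for m in baseline if device in (m.src, m.dst)):
        p.protocols.add(m.protocol)
        p.peer_functions[peer_of(p, m)].add(m.function)
    return p

def deviations(profile, m):  # the comparing step: an empty list means the message looks normal
    peer, out = peer_of(profile, m), []
    if m.protocol not in profile.protocols:
        out.append(f"unknown protocol {m.protocol}")
    if peer not in profile.peer_functions:
        out.append(f"unknown peer {peer}")
    elif m.function not in profile.peer_functions[peer]:
        out.append(f"function {m.function} never used by {peer}")
    return out

def suspect_devices(profile, traffic):  # attribute each anomaly to the peer, not to the PLC
    suspects = defaultdict(list)
    for m in (m for m in traffic if profile.device in (m.src, m.dst)):
        for reason in deviations(profile, m):
            suspects[peer_of(profile, m)].append(reason)
    return dict(suspects)

# Constructed sample traffic: the HMI polls the PLC, the engineering station writes a setpoint.
BASELINE = [Message("hmi-1", "plc-7", "modbus/tcp", 3, 100),
            Message("hmi-1", "plc-7", "modbus/tcp", 3, 101),
            Message("eng-ws", "plc-7", "modbus/tcp", 16, 200)]
OBSERVED = BASELINE[:1] + [Message("hmi-1", "plc-7", "modbus/tcp", 16, 200),  # HMI suddenly writes
                           Message("hist-2", "plc-7", "modbus/tcp", 3, 100)]  # never-seen peer
```

Running `suspect_devices(build_profile("plc-7", BASELINE), OBSERVED)` flags the HMI for issuing a write function code it never used before and the historian as a peer the profile has never seen, while the engineering station is not implicated.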