DOMAIN LEVEL THREAT DETECTION FOR INDUSTRIAL ASSET CONTROL SYSTEM
Abstract
A normal space data source stores, for each of a plurality of threat nodes, a series of normal values that represent normal operation of an industrial asset control system, and a threatened space data source stores a series of threatened values. A model creation computer may generate sets of normal and threatened feature vectors. The computer may also calculate and output at least one decision boundary for a threat detection model based on the normal and threatened feature vectors. The plurality of threat nodes may then generate a series of current values that represent a current operation of the asset control system. A threat detection computer may receive the series of current values from the threat nodes, generate a set of current feature vectors, execute the threat detection model, and transmit a threat alert signal based on the current feature vectors and the at least one decision boundary.
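The flow in the abstract (normal and threatened values, feature vectors, a decision boundary, an alert on current values), as an added example that is not taken from the patent. The feature choice (per-node mean and standard deviation), the boundary (the hyperplane midway between the two class centroids), the node names and all sample values are assumptions constructed for illustration.

```python
"""Added illustration: normal/threatened feature vectors -> decision boundary -> alert."""
from statistics import fmean, pstdev

def feature_vector(window):
    """window: {node_name: [values over time]} -> [mean, std] per node, sorted by node name.
    Mean and std are an assumed feature set; the page does not name the features."""
    fv = []
    for node in sorted(window):
        fv += [fmean(window[node]), pstdev(window[node])]
    return fv

def centroid(vectors):
    return [fmean(col) for col in zip(*vectors)]

def fit_boundary(normal_fvs, threatened_fvs):
    """Model creation: linear boundary w.x + b = 0 placed midway between the
    normal and threatened centroids (an assumed, deliberately simple model)."""
    mu_n, mu_t = centroid(normal_fvs), centroid(threatened_fvs)
    w = [t - n for n, t in zip(mu_n, mu_t)]
    b = -sum(wi * (n + t) / 2 for wi, n, t in zip(w, mu_n, mu_t))
    return w, b

def threat_alert(window, boundary):
    """Threat detection: True when the current feature vector lies on the threatened side."""
    w, b = boundary
    score = sum(wi * xi for wi, xi in zip(w, feature_vector(window))) + b
    return score > 0

def make_window(temp_base, ripple, cmd, n=16):
    """Constructed sample data for two hypothetical threat nodes."""
    return {"exhaust_temp": [temp_base + ripple * ((i % 4) - 1.5) for i in range(n)],
            "fuel_cmd": [cmd] * n}

# Normal space: steady temperature with small ripple.
NORMAL = [feature_vector(make_window(500 + k, 1.0, 0.60)) for k in range(5)]
# Threatened space: biased, noisier temperature readings (constructed).
THREATENED = [feature_vector(make_window(530 + k, 3.0, 0.60)) for k in range(5)]
BOUNDARY = fit_boundary(NORMAL, THREATENED)

if __name__ == "__main__":
    for label, win in [("near normal", make_window(503, 1.0, 0.60)),
                       ("biased sensor", make_window(528, 3.0, 0.60))]:
        print(label, "-> alert" if threat_alert(win, BOUNDARY) else "-> no alert")
```

With features on very different scales, the largest-valued feature dominates this boundary, so a practical model would normalize the features before fitting.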
23 Claims
1. A system to protect an industrial asset control system, comprising:
- a plurality of threat nodes each generating a series of current threat node values over time that represent a current operation of the industrial asset control system; and
- a threat detection computer, coupled to the plurality of threat nodes, to:
  (i) receive the series of current threat node values and generate a set of current feature vectors,
  (ii) access a threat detection model having at least one decision boundary created using a set of normal feature vectors and a set of threatened feature vectors, and
  (iii) execute the threat detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15

16. A computerized method to protect an industrial asset control system, comprising:
- retrieving, for each of a plurality of threat nodes, a series of normal threat node values over time that represent normal operation of the industrial asset control system;
- generating a set of normal feature vectors based on the normal threat node values;
- retrieving, for each of the plurality of threat nodes, a series of threatened threat node values over time that represent a threatened operation of the industrial asset control system;
- generating a set of threatened feature vectors based on the threatened threat node values; and
- automatically calculating and outputting at least one decision boundary for a threat detection model based on the set of normal feature vectors and the set of threatened feature vectors.

Dependent claims: 17, 18, 19, 20, 21, 22

23. A non-transitory, computer-readable medium storing instructions that, when executed by a computer processor, cause the computer processor to perform a method to protect an industrial asset control system, the method comprising:
- receiving, from a plurality of threat nodes, a series of current threat node values over time that represent a current operation of the industrial asset control system;
- generating, by a threat detection computer based on the received series of current threat node values, a set of current feature vectors; and
- executing a threat detection model that transmits a threat alert signal based on the set of current feature vectors and at least one decision boundary.

Specification