Malicious attack detection and analysis

US 8,712,596 B2
Filed: 05/09/2011
Issued: 04/29/2014
Est. Priority Date: 05/20/2010
Status: Active Grant

First Claim

Patent Images

1. A method of characterizing malicious activity in an intelligent utility grid system, the method executable by a computer having at least one processor and at least one memory, comprising:

receiving, by the at least one processor, information-technology (IT) data including IT-related activity from the intelligent grid system;

receiving, by the at least one processor, non-IT data including location-specific event data from a plurality of electronic sources;

grid analog measurements comprising phasor measurements; and

a list of high-value targets and corresponding geographic locations;

pre-processing, by the at least one processor, the non-IT data including;

disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;

applying, by the at least one processor, a plurality of rules to the pre-processed non-IT data comprising;

associating an undesired event with the IT-related activity;

determining a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of;

(1) a product of a probability of occurrence of an intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and

(2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard,where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and

applying, by the at least one processor, a risk characterization to the undesired event based on the probability level and the IT-related activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for characterizing malicious activity in an intelligent utility grid system includes a system storage in which to store a database including a plurality of rules. A collector is operable to collect and store in the system storage information-technology (IT) data including IT-related activity from the intelligent grid system. A complex event processing (CEP) bus is operable to receive non-IT data including location-specific event data from a plurality of electronic sources, the CEP bus further operable to disregard the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events. A processor is operable to apply the plurality of rules to the relevant non-IT data to: associate an undesired event with reference to the IT-related activity; and determine a probability that the undesired event is indicative of malicious activity. The processor further applies a risk characterization to the undesired event based on the probability and the IT-related activity.

36 Citations

View as Search Results

23 Claims

1. A method of characterizing malicious activity in an intelligent utility grid system, the method executable by a computer having at least one processor and at least one memory, comprising:
- receiving, by the at least one processor, information-technology (IT) data including IT-related activity from the intelligent grid system;
  
  receiving, by the at least one processor, non-IT data including location-specific event data from a plurality of electronic sources;
  
  grid analog measurements comprising phasor measurements; and
  
  a list of high-value targets and corresponding geographic locations;
  
  pre-processing, by the at least one processor, the non-IT data including;
  
  disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
  
  applying, by the at least one processor, a plurality of rules to the pre-processed non-IT data comprising;
  
  associating an undesired event with the IT-related activity;
  
  determining a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of;
  
  (1) a product of a probability of occurrence of an intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
  
  (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard,where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
  
  applying, by the at least one processor, a risk characterization to the undesired event based on the probability level and the IT-related activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, where the undesired event has not yet occurred.
  - 3. The method of claim 1, where the risk characterization comprises an engineering risk or a security risk.
  - 4. The method of claim 1, further comprising:
    - generating a risk characterization message having the risk characterization of the undesired event; and
      
      sending the risk characterization message to a system administrator.
  - 5. The method of claim 1, where the probability level is generated based on a co-existence of a threat and a corresponding vulnerability found in the IT-related or non-IT data that is exploitable by the threat.
  - 6. The method of claim 4, where the risk characterization message including the probability level and an area at risk selected from the groups consisting of security, engineering, and communications.
  - 7. The method of claim 1, where the non-IT data further includes historical data retrieved from:
    - event logs, geographical locations associated with corresponding parts of the intelligent utility grid system, and from operational data; and
      
      where applying the plurality of rules includes comparing the IT-related activity to the historical data.
  - 8. The method of claim 1, where at least part of the IT-related activity comprises an event message from a smart meter;
    - and applying the risk characterization includes determining an area within the intelligent utility grid system where the malicious activity is occurring.
  - 9. The method of claim 1, where the electronic sources of non-IT data include one or a combination of the following inputs:
    - a weather feed;
      
      a disturbance recorder feed;
      
      a digital fault recorder feed;
      
      a harmonic recorder feed;
      
      a power quality monitor feed;
      
      a device status;
      
      a connectivity state;
      
      a control limit;
      
      US CERT feeds;
      
      GPS feeds;
      
      a Power Management Unit (PMU) feed;
      
      sensor feeds;
      
      load forecasts; and
      
      renewable generation forecasts.

10. A system for characterizing malicious activity in an intelligent utility grid system, comprising:
- a system storage in which to store a database including a plurality of rules;
  
  a collector operable to collect and store in the system storage information-technology (IT) data including IT-related activity from the intelligent grid system;
  
  a complex event processing (CEP) bus operable to receive non-IT data including location-specific event data from a plurality of electronic sources, the CEP bus further operable to disregard the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events, where the non-IT data further includes historical data retrieved from;
  
  event logs, geographical locations associated with corresponding parts of the intelligent utility grid system, and from operational data;
  
  a processor operable to apply the plurality of rules to the relevant non-IT data to;
  
  associate an undesired event with the IT-related activity; and
  
  determine a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of;
  
  (1) a product of a probability of occurrence of a intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
  
  (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard,where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
  
  the processor further to apply a risk characterization to the undesired event based on the probability level and the IT-related activity.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, further comprising the CEP bus coupled with one or a combination of the following electronic sources of non-IT data:
    - a Web-crawling device;
      
      a search engine-capable computing device;
      
      a Web-access device;
      
      a GPS device;
      
      a social-media-thread monitoring device;
      
      a thermometer; and
      
      an emergency response communicator.
  - 12. The system of claim 10, where the undesired event has not yet occurred, and where the risk characterization comprises an engineering risk or a security risk.
  - 13. The system of claim 10, where to apply the plurality of rules, the processor is further configured to:
    - generate a risk characterization message having the risk characterization of the undesired event; and
      
      send the risk characterization message to a system administrator.
  - 14. The system of claim 10, where the probability level is generated based on a co-existence of a threat and a corresponding vulnerability found in the IT-related or non-IT data that is exploitable by the threat.
  - 15. The system of claim 10, where the processor applies the plurality of rules by comparing the IT-related activity to the historical data.
  - 16. The system of claim 10, where at least part of the IT-related activity comprises an event message from a smart meter;
    - and the processor applies the risk characterization by determining an area within the intelligent utility grid system where the malicious activity is occurring.
  - 17. The system of claim 10, where the non-IT data further includes:
    - grid analog measurements comprising phasor measurements; and
      
      a list of high-value targets and corresponding geographic locations.

18. A non-transitory computer-readable storage medium comprising a set of instructions for characterizing malicious activity in an intelligent utility grid system executable by a computer having a processor and memory, the computer-readable medium comprising:
- instructions to receive information-technology (IT) data including IT-related activity from the intelligent grid system;
  
  instructions to receive non-IT data including location-specific event data from a plurality of electronic sources;
  
  grid analog measurements comprising phasor measurements; and
  
  a list of high-value targets and corresponding geographic locations;
  
  instructions to pre-process the non-IT data including;
  
  disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
  
  instructions to apply a plurality of rules to the pre-processed non-IT data to;
  
  associate an undesired event with reference to the IT-related activity; and
  
  determine a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of;
  
  (1) a product of a probability of occurrence of a intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
  
  (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard,where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
  
  instructions to apply a risk characterization to the undesired event based on the probability level and the IT-related activity.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The computer-readable storage medium of claim 18, where at least part of the IT-related activity comprises an event message from a smart meter;
    - and to apply the risk characterization, the instructions to determine an area within the intelligent utility grid system where the malicious activity is occurring.
  - 20. The computer-readable storage medium of claim 18, where the non-IT data further includes historical data retrieved from:
    - event logs, geographical locations associated with corresponding parts of the intelligent utility grid system, and from operational data; and
      
      to apply the plurality of rules, the instructions further to compare the IT-related activity to the historical data.
  - 21. The computer-readable storage medium of claim 18, where the risk characterization comprises an engineering risk or a security risk.
  - 22. The computer-readable storage medium of claim 18, where the criteria includes one or a combination of:
    - temperature, dollars, social networking statistics.
  - 23. The computer-readable storage medium of claim 22, where the probability level is generated based on a co-existence of a threat and a corresponding vulnerability found in the IT-related or non-IT data that is exploitable by the threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture Global Services Limited (Accenture PLC)
Original Assignee
Accenture Global Services Limited (Accenture PLC)
Inventors
Scott, Anthony David
Primary Examiner(s)
Padmanabhan, Kavita
Assistant Examiner(s)
CUMMINS, PATRICK D

Application Number

US13/103,538
Publication Number

US 20110288692A1
Time in Patent Office

1,086 Days
Field of Search

None
US Class Current

700/297
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H02J 3/00   Circuit arrangements for ac...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Y02E 40/70   Smart grids as climate chan...

Y02E 60/00   Enabling technologies; Tech...

Y04S 10/00   Systems supporting electric...

Y04S 10/22   Flexible AC transmission sy...

Y04S 40/20   Information technology spec...

Malicious attack detection and analysis

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Malicious attack detection and analysis

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links