Malicious attack detection and analysis
First Claim
1. A method of characterizing malicious activity in an intelligent utility grid system, the method executable by a computer having at least one processor and at least one memory, comprising:
- receiving, by the at least one processor, information-technology (IT) data including IT-related activity from the intelligent grid system;
- receiving, by the at least one processor, non-IT data including:
  - location-specific event data from a plurality of electronic sources;
  - grid analog measurements comprising phasor measurements; and
  - a list of high-value targets and corresponding geographic locations;
- pre-processing, by the at least one processor, the non-IT data including:
  - disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
- applying, by the at least one processor, a plurality of rules to the pre-processed non-IT data comprising:
  - associating an undesired event with the IT-related activity;
  - determining a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of:
    (1) a product of a probability of occurrence of an intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
    (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard, where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
- applying, by the at least one processor, a risk characterization to the undesired event based on the probability level and the IT-related activity.
Abstract
A system for characterizing malicious activity in an intelligent utility grid system includes a system storage in which to store a database including a plurality of rules. A collector is operable to collect and store in the system storage information-technology (IT) data including IT-related activity from the intelligent grid system. A complex event processing (CEP) bus is operable to receive non-IT data including location-specific event data from a plurality of electronic sources, the CEP bus further operable to disregard the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events. A processor is operable to apply the plurality of rules to the relevant non-IT data to: associate an undesired event with reference to the IT-related activity; and determine a probability that the undesired event is indicative of malicious activity. The processor further applies a risk characterization to the undesired event based on the probability and the IT-related activity.
23 Claims
1. A method of characterizing malicious activity in an intelligent utility grid system, the method executable by a computer having at least one processor and at least one memory, comprising:
- receiving, by the at least one processor, information-technology (IT) data including IT-related activity from the intelligent grid system;
- receiving, by the at least one processor, non-IT data including:
  - location-specific event data from a plurality of electronic sources;
  - grid analog measurements comprising phasor measurements; and
  - a list of high-value targets and corresponding geographic locations;
- pre-processing, by the at least one processor, the non-IT data including:
  - disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
- applying, by the at least one processor, a plurality of rules to the pre-processed non-IT data comprising:
  - associating an undesired event with the IT-related activity;
  - determining a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of:
    (1) a product of a probability of occurrence of an intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
    (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard, where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
- applying, by the at least one processor, a risk characterization to the undesired event based on the probability level and the IT-related activity.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A system for characterizing malicious activity in an intelligent utility grid system, comprising:
- a system storage in which to store a database including a plurality of rules;
- a collector operable to collect and store in the system storage information-technology (IT) data including IT-related activity from the intelligent grid system;
- a complex event processing (CEP) bus operable to receive non-IT data including location-specific event data from a plurality of electronic sources, the CEP bus further operable to disregard the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events, where the non-IT data further includes historical data retrieved from: event logs, geographical locations associated with corresponding parts of the intelligent utility grid system, and from operational data;
- a processor operable to apply the plurality of rules to the relevant non-IT data to:
  - associate an undesired event with the IT-related activity; and
  - determine a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of:
    (1) a product of a probability of occurrence of an intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
    (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard, where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
- the processor further to apply a risk characterization to the undesired event based on the probability level and the IT-related activity.

Dependent claims: 11, 12, 13, 14, 15, 16, 17
18. A non-transitory computer-readable storage medium comprising a set of instructions for characterizing malicious activity in an intelligent utility grid system executable by a computer having a processor and memory, the computer-readable medium comprising:
- instructions to receive information-technology (IT) data including IT-related activity from the intelligent grid system;
- instructions to receive non-IT data including:
  - location-specific event data from a plurality of electronic sources;
  - grid analog measurements comprising phasor measurements; and
  - a list of high-value targets and corresponding geographic locations;
- instructions to pre-process the non-IT data including:
  - disregarding the non-IT data failing to meet a predetermined level of relevance to one of a plurality of risk-related events;
- instructions to apply a plurality of rules to the pre-processed non-IT data to:
  - associate an undesired event with reference to the IT-related activity; and
  - determine a probability that the undesired event is indicative of malicious activity including comparing predetermined criteria to the non-IT data to generate one of a plurality of probability levels as a sum of:
    (1) a product of a probability of occurrence of an intentional malicious attack and a probability of existence of a vulnerability exploitable by the intentional malicious attack; and
    (2) a product of a probability of occurrence of an unexpected hazard and a probability of existence of a vulnerability associated with the unexpected hazard, where the intentional malicious attack and the unexpected hazard comprise mutually independent events; and
- instructions to apply a risk characterization to the undesired event based on the probability level and the IT-related activity.

Dependent claims: 19, 20, 21, 22, 23
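As an added illustration (not code from the patent or from any product it describes), the following Python sketch walks through the pipeline the independent claims recite: relevance filtering of the non-IT data, the sum-of-products probability for mutually independent attack and hazard events, bucketing into probability levels, and a risk characterization that combines the level with IT-related activity at the event's location. The relevance threshold, level bounds, escalation rule and sample events are assumptions; the claims fix none of these values.

```python
from dataclasses import dataclass
# Assumed values: the claims name a "predetermined level of relevance" and a
# "plurality of probability levels" but do not fix them.
RELEVANCE_THRESHOLD = 0.5

@dataclass
class NonItEvent:
    location: str         # location-specific event data
    relevance: float      # relevance to a risk-related event, 0..1
    p_attack: float       # P(intentional malicious attack occurs)
    p_vuln_attack: float  # P(vulnerability exploitable by that attack exists)
    p_hazard: float       # P(unexpected hazard occurs)
    p_vuln_hazard: float  # P(vulnerability associated with that hazard exists)

def preprocess(events, threshold=RELEVANCE_THRESHOLD):
    """Pre-processing step: disregard non-IT data below the relevance level."""
    return [e for e in events if e.relevance >= threshold]

def malicious_probability(e):
    """Claim's sum of products; independent attack/hazard terms simply add."""
    return e.p_attack * e.p_vuln_attack + e.p_hazard * e.p_vuln_hazard

def probability_level(p):
    """Map the probability onto discrete levels (bounds assumed)."""
    return "high" if p >= 0.5 else "medium" if p >= 0.2 else "low"

def characterize(e, it_activity, high_value_targets):
    """Associate the event with IT activity at its location; escalation rule assumed."""
    p = malicious_probability(e)
    level = probability_level(p)
    anomalous = it_activity.get(e.location, False)
    if level == "high" and anomalous and e.location in high_value_targets:
        risk = "critical"
    elif level == "high" or (level == "medium" and anomalous):
        risk = "elevated"
    else:
        risk = "routine"
    return {"location": e.location, "p": round(p, 3), "level": level, "risk": risk}

def run_pipeline(events, it_activity, high_value_targets):
    return [characterize(e, it_activity, high_value_targets) for e in preprocess(events)]

# Constructed sample input (not from the patent).
HIGH_VALUE_TARGETS = {"substation-7"}
IT_ACTIVITY = {"substation-7": True, "feeder-12": False}   # True = anomalous IT activity seen
EVENTS = [
    NonItEvent("substation-7", 0.9, 0.6, 0.9, 0.1, 0.5),  # 0.54 + 0.05 = 0.59 -> high
    NonItEvent("feeder-12", 0.8, 0.1, 0.5, 0.4, 0.5),     # 0.05 + 0.20 = 0.25 -> medium
    NonItEvent("depot-3", 0.2, 0.9, 0.9, 0.9, 0.9),       # relevance 0.2: disregarded
]
```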