Methods and systems for use in identifying abnormal behavior in a control system including independent comparisons to user policies and an event correlation model

US 8,949,668 B2
Filed: 05/23/2011
Issued: 02/03/2015
Est. Priority Date: 05/23/2011
Status: Active Grant

First Claim

Patent Images

1. A method for use in identifying abnormal behavior in a supervisory control and data acquisition (SCADA) system including a learning system, said method comprising:

receiving, by a computing device, a plurality of operating events associated with the SCADA system, wherein the operating events represent at least one physical operating event;

determining, by the computing device, an actual behavior of the SCADA system based on the operating events;

dynamically identifying, by the learning system, at least one correlation between a plurality of past operating events stored in a past event database;

creating an artificial intelligence (AI) event correlation model based on the at least one correlation identified by the learning system;

comparing, by the computing device, the actual behavior of the SCADA system to the AI event correlation model to determine whether the actual behavior differs from the AI event correlation model;

comparing, by the computing device and independent of said comparing the actual behavior of the SCADA system to the AI event correlation model, the actual behavior of the SCADA system to user policies using a complex event processing component;

receiving, by the computing device, an indication of whether the actual behavior is abnormal from a user when the actual behavior differs from the AI event correlation model; and

updating, by the computing device, the AI event correlation model based on the received indication.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for use in identifying abnormal behavior in a control system. Operating events associated with a control system are received, and an actual behavior of the control system is determined based on the received operating events. The actual behavior is compared to expected behavior to determine whether the actual behavior differs from the expected behavior. The expected behavior includes a correlation between a plurality of operating events associated with the control system. The expected behavior is updated based on an indication of whether the actual behavior is abnormal from a user.

Citations

17 Claims

1. A method for use in identifying abnormal behavior in a supervisory control and data acquisition (SCADA) system including a learning system, said method comprising:
- receiving, by a computing device, a plurality of operating events associated with the SCADA system, wherein the operating events represent at least one physical operating event;
  
  determining, by the computing device, an actual behavior of the SCADA system based on the operating events;
  
  dynamically identifying, by the learning system, at least one correlation between a plurality of past operating events stored in a past event database;
  
  creating an artificial intelligence (AI) event correlation model based on the at least one correlation identified by the learning system;
  
  comparing, by the computing device, the actual behavior of the SCADA system to the AI event correlation model to determine whether the actual behavior differs from the AI event correlation model;
  
  comparing, by the computing device and independent of said comparing the actual behavior of the SCADA system to the AI event correlation model, the actual behavior of the SCADA system to user policies using a complex event processing component;
  
  receiving, by the computing device, an indication of whether the actual behavior is abnormal from a user when the actual behavior differs from the AI event correlation model; and
  
  updating, by the computing device, the AI event correlation model based on the received indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method in accordance with claim 1, wherein the SCADA system is an instance of a class of the SCADA system, and comparing the actual behavior to the expected behavior comprises comparing the actual behavior to a plurality of event flows that are applicable to the class of the SCADA system.
  - 3. A method in accordance with claim 1, further comprising updating the AI event correlation model to include the determined actual behavior when the user indicates the actual behavior is normal.
  - 4. A method in accordance with claim 1, wherein the SCADA system is associated with a controlled apparatus, and receiving the plurality of operating events comprises:
    - receiving an internal operating event from a control device that is configured to control an operation of the controlled apparatus; and
      
      receiving an external operating event from a monitoring device that is configured to monitor an operating environment associated with the controlled apparatus.
  - 5. A method in accordance with claim 1, wherein the operating events are received at a first rate, said method further comprising receiving and logging the operating events at a second rate that is greater than the first rate when the actual behavior differs from the AI event correlation model.
  - 6. A method in accordance with claim 1, wherein determining the actual behavior based on the operating events comprises determining the actual behavior based on at least one of a power consumption and a temperature.
  - 7. A method in accordance with claim 1, wherein determining the actual behavior based on the operating events comprises determining the actual behavior based on a control message transmitted to a control device by a controller.

8. A system for use in identifying abnormal behavior in a supervisory control and data acquisition (SCADA) system, said system comprising:
- a learning system configured to dynamically identify at least one correlation between a plurality of past operating events stored in a past event database;
  
  a storage device configured to store an artificial intelligence (AI) event correlation model associated with the SCADA system, wherein the AI event correlation model is based on the at least one correlation identified by the learning system;
  
  a communications unit configured to receive a plurality of operating events representing at least one physical operating event associated with the SCADA system; and
  
  a processor unit coupled to said storage device and said communications unit, wherein said processor unit is programmed to;
  
  determine an actual behavior of the SCADA system based on the operating events;
  
  compare the actual behavior to the AI event correlation model to determine whether the actual behavior differs from the AI event correlation model; and
  
  compare, independent of said comparing the actual behavior to the AI event correlation model, the actual behavior to user policies using a complex processing component;
  
  update the AI event correlation model based on an indication from a user of whether the actual behavior is abnormal.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A system in accordance with claim 8, wherein said processor unit is programmed to compare the actual behavior to the AI event correlation model at least in part by comparing the actual behavior to a plurality of event flows that are applicable to the SCADA system.
  - 10. A system in accordance with claim 8, wherein said communications unit is configured to receive a plurality of operating events at least in part by:
    - receiving an internal operating event from a control device that is configured to control an operation of the controlled apparatus; and
      
      receiving an external operating event from a monitoring device that is configured to monitor an operating environment associated with the controlled apparatus.
  - 11. A system in accordance with claim 8, wherein said communications unit is configured to receive a plurality of operating events at least in part by receiving at least one of a temperature, a sound pressure level, a structural load, and a vibration level.
  - 12. A system in accordance with claim 8, wherein the SCADA system is located in a physical facility, and wherein said communications unit is configured to receive a plurality of operating events at least in part by receiving data representing a movement of a person within the physical facility.
  - 13. A system in accordance with claim 8, wherein said communications unit is configured to receive a plurality of operating events at least in part by receiving an event from at least one of an intrusion detection system and an advanced persistent threat monitoring system.
  - 14. A system in accordance with claim 8, wherein said processor unit is further programmed to determine whether the actual behavior differs from the AI event correlation model at least in part by comparing the actual behavior to an AI event correlation model that includes a correlation between a power consumption and a state of a controlled machine.

15. One or more non-transitory computer readable media having computer-executable components, said components comprising:
- an event processor component that when executed by at least one processor unit causes the at least one processor unit to;
  
  receive a plurality of operating events including one or more physical operating events associated with a supervisory control and data acquisition (SCADA) system;
  
  a complex event processing component that when executed by at least one processor unit causes the at least one processor unit to;
  
  compare an actual behavior that is based on the operating events to one or more user-defined policies to determine whether the actual behavior differs from the one or more use-defined policies; and
  
  a machine learning component that when executed by at least one processor unit causes the at least one processor unit to;
  
  dynamically identify at least one correlation between a plurality of past operating events stored in a past event database;
  
  compare, independent of the comparison made by the complex event processing component, the actual behavior to an artificial intelligence event correlation model that is generated based on the at least one identified correlation to determine whether the actual behavior differs from the AI event correlation model; and
  
  a decision support component that when executed by at least one processor unit causes the at least one processor unit to;
  
  transmit an abnormal behavior notification when the actual behavior differs from the AI event correlation model.
- View Dependent Claims (16, 17)
- - 16. One or more non-transitory computer readable media in accordance with claim 15, wherein said decision support component further causes the at least one processor unit to execute a predetermined corrective action when the actual behavior is abnormal, wherein the corrective action includes at least one of isolating a portion of the SCADA system and disabling a portion of the SCADA system.
  - 17. One or more non-transitory computer readable media in accordance with claim 15, wherein the SCADA system is located in a physical facility, and wherein said machine learning component further causes the at least one processor unit to create the artificial intelligence event correlation model based at least in part on past operating events representing a movement of a physical object within the physical facility.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Boeing Co.
Original Assignee
The Boeing Co.
Inventors
Hanks, Carl J., Dorris, Steven A., Ayyagari, Arun
Primary Examiner(s)
SCHELL, JOSEPH O

Application Number

US13/113,529
Publication Number

US 20120304007A1
Time in Patent Office

1,352 Days
Field of Search

714/26, 714/48, 714/47.1, 714/47.2, 706/14, 706/15, 706/16, 706/25, 706/45
US Class Current

714/26
CPC Class Codes

G05B 23/0216   Human interface functionali...

G05B 23/0229   knowledge based, e.g. exper...

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 67/12   specially adapted for propr...

H04L 69/40   for recovering from a failu...

Methods and systems for use in identifying abnormal behavior in a control system including independent comparisons to user policies and an event correlation model

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for use in identifying abnormal behavior in a control system including independent comparisons to user policies and an event correlation model

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links