Anomaly detection system for detecting anomaly in multiple control systems

US 9,360,855 B2
Filed: 05/08/2012
Issued: 06/07/2016
Est. Priority Date: 05/13/2011
Status: Active Grant

First Claim

Patent Images

1. An anomaly detection system for detecting an anomaly in a plurality of control systems, the anomaly detection system comprising:

a plurality of analysis devices that are associated with the respective control systems and that acquire an event occurring in an associated control system and analyze the event to determine whether there is an anomaly, wherein;

a first analysis device among the plurality of analysis devices determines whether an event occurring in the associated control system is to be indicated to a second analysis device among the plurality of analysis devices; and

the second analysis device determines that there is an anomaly on condition that the event indicated by the first analysis device has correlation with an event indicated by an analysis device other than the first analysis device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An anomaly detection system for detecting an anomaly in a plurality of control systems comprises a plurality of analysis devices that are associated with the respective control systems and that acquire an event occurring in an associated control system and analyze the event to determine whether there is an anomaly. A first analysis device among the plurality of analysis devices determines whether an event occurring in the associated control system is to be indicated to a second analysis device among the plurality of analysis devices, and the second analysis device determines that there is an anomaly on condition that the event indicated by the first analysis device has correlation with an event indicated by an analysis device other than the first analysis device.

19 Citations

View as Search Results

14 Claims

1. An anomaly detection system for detecting an anomaly in a plurality of control systems, the anomaly detection system comprising:
- a plurality of analysis devices that are associated with the respective control systems and that acquire an event occurring in an associated control system and analyze the event to determine whether there is an anomaly, wherein;
  
  a first analysis device among the plurality of analysis devices determines whether an event occurring in the associated control system is to be indicated to a second analysis device among the plurality of analysis devices; and
  
  the second analysis device determines that there is an anomaly on condition that the event indicated by the first analysis device has correlation with an event indicated by an analysis device other than the first analysis device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The anomaly detection system according to claim 1, wherein each of the plurality of analysis devices comprises a standardization unit that converts a data format for an event occurring in the associated control system into a data format for the second analysis device, thereby standardizing the event.
  - 3. The anomaly detection system according to claim 2, wherein the standardization unit of the first analysis device converts the data format for an event occurring in the associated control system into a standard data format for the plurality of control systems, thereby standardizing the event.
  - 4. The anomaly detection system according to claim 1, wherein each of the plurality of analysis devices comprises a concealment unit that conceals a portion of data describing an event occurring in the associated control system.
  - 5. The anomaly detection system according to claim 4, whereinthe concealment unit of the first analysis device stores a conversion table that shows correspondence between unconcealed data and concealed data,the second analysis device provides the first analysis device with anomaly information including concealed data included in a concealed event received from the first analysis device when the second analysis device determines that there is an anomaly;
    - andthe concealment unit of the first analysis device converts the concealed data included in the anomaly information provided by the second analysis device into unconcealed data with reference to the conversion table, and identifies the anomaly that occurred in the associated control system.
  - 6. The anomaly detection system according to claim 4, wherein the second analysis device requests the first analysis device to indicate an unconcealed event if an event indicated by the first analysis device has correlation with an event indicated by an analysis device other than the first analysis device, receives an unconcealed event from the first analysis device, and determines that there is an anomaly on condition that the unconcealed event indicated by the first analysis device has correlation with the event indicated by the analysis device other than the first analysis device.
  - 7. The anomaly detection system according to claim 1, wherein;
    - the second analysis device indicates an anomaly to at least some of the plurality of analysis devices, andat least one of the plurality of analysis devices to which the anomaly has been indicated increase a frequency of monitoring the associated control system.
  - 8. The anomaly detection system according to claim 1, wherein the first analysis device dynamically changes an analysis device that is selected as the second analysis device from among the plurality of analysis devices.
  - 9. The anomaly detection system according to claim 8, wherein the first analysis device selects a new second analysis device after event indication to a same second analysis device has continued for a certain period or longer.
  - 10. The anomaly detection system according to claim 8, wherein the first analysis device gives a higher priority to an analysis device with a short response time when selecting the second analysis device from the plurality of analysis devices.
  - 11. The anomaly detection system according to any one of claims 1, wherein;
    - the first analysis device comprises an analysis unit that acquires events occurring in the associated control system and analyzes the events to determine whether the control system has an anomaly,the second analysis device comprises an analysis control unit that determines whether any of the plurality of control systems has an anomaly,the analysis unit of the first analysis device acquires an event occurring in the associated control system and determines whether or not to indicate the event to the second analysis device, and transfers the event to the analysis control unit of the second analysis device if the analysis unit determines that the event is to be indicated to the second analysis device,the analysis control unit of the second analysis device detects correlation between events from a plurality of first analysis devices, and determines that there is an anomaly on condition that the events has correlation, and indicates the anomaly to the analysis unit of the first analysis device if the analysis control unit determines that there is an anomaly, andthe analysis unit of the first analysis device reports the anomaly indicated by the second analysis device to an administrator of the associated control system.
  - 12. The anomaly detection system according to any one of claims 1, wherein;
    - the second analysis device indicates an anomaly to the first analysis device if the second analysis device determines that there is an anomaly, andthe first analysis device reports the anomaly indicated by the second analysis device to the administrator of the control system.
  - 13. The anomaly detection system according to any one of claims 1, wherein the second analysis device determines that there is an anomaly on condition that a change in events indicated by the first analysis device has correlation with a change in events indicated by an analysis device other than the first analysis device.

14. An anomaly detecting method for detecting an anomaly in a plurality of control systems, comprising:
- providing a plurality of analysis devices, wherein the plurality of analysis devices are associated with the respective control systems and that acquire an event occurring in an associated control system and analyze the event to determine whether there is an anomaly, the method comprising;
  
  determining, by a first analysis device among the plurality of analysis devices, whether an event occurring in the associated control system is to be indicated to a second analysis device among the plurality of analysis devices; and
  
  determining by the second analysis device that there is an anomaly on condition that the event indicated by the first analysis device has correlation with an event indicated by an analysis device other than the first analysis device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Akiyama, Kazuhito, Kudo, Michiharu, Uramoto, Naohiko
Primary Examiner(s)
Patel, Ramesh

Application Number

US14/117,278
Publication Number

US 20150293516A1
Time in Patent Office

1,491 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G05B 19/058   Safety, monitoring

G05B 2219/14036   Detection of fault in proce...

G05B 23/0221   Preprocessing measurements,...

Anomaly detection system for detecting anomaly in multiple control systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

19 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection system for detecting anomaly in multiple control systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links