Systems and methods for identifying compromised devices within industrial control systems

US 9,967,274 B2
Filed: 11/25/2015
Issued: 05/08/2018
Est. Priority Date: 11/25/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for identifying compromised devices within industrial control systems, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

monitoring network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;

creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes;

a network protocol used to communicate with the industrial device via the network;

normal communication patterns of the industrial device; and

one or more valid opcodes for the industrial device;

detecting at least one message within the network that involves the industrial device and at least one other computing device included in the industrial control system;

identifying at least one opcode in the message;

determining, by comparing the opcode identified in the message with the valid opcodes for the industrial device described in the message protocol profile, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device; and

determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for identifying compromised devices within industrial control systems may include (1) monitoring network traffic within a network that facilitates communication for an industrial control system that includes an industrial device, (2) creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes (A) a network protocol used to communicate with the industrial device and (B) normal communication patterns of the industrial device, (3) detecting at least one message that involves the industrial device and at least one other computing device included in the industrial control system, (4) determining, by comparing the message with the message protocol profile, that the message represents an anomaly, and then (5) determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised. Various other methods, systems, and computer-readable media are also disclosed.

63 Citations

View as Search Results

20 Claims

1. A computer-implemented method for identifying compromised devices within industrial control systems, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- monitoring network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;
  
  creating, based at least in part on the network traffic, a message protocol profile for the industrial device that describes;
  
  a network protocol used to communicate with the industrial device via the network;
  
  normal communication patterns of the industrial device; and
  
  one or more valid opcodes for the industrial device;
  
  detecting at least one message within the network that involves the industrial device and at least one other computing device included in the industrial control system;
  
  identifying at least one opcode in the message;
  
  determining, by comparing the opcode identified in the message with the valid opcodes for the industrial device described in the message protocol profile, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device; and
  
  determining, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising, in response to determining that the other computing device has likely been compromised, performing at least one security action with respect to the other computing device.
  - 3. The method of claim 2, wherein the security action comprises at least one of:
    - raising an alarm that notifies at least one additional computing device that the other computing device has been compromised;
      
      quarantining the other computing device from the industrial network to prevent the other computing device from communicating with any additional computing devices within the industrial control system;
      
      shutting down the other computing device to prevent the other computing device from communicating with any additional computing devices within the industrial control system;
      
      blocking all messages between the other computing device and any additional computing devices within the industrial control system; and
      
      replacing the other computing device within the industrial network by transferring at least one computing task of the other computing device to at least one additional computing device within the industrial control system.
  - 4. The method of claim 1, wherein monitoring the network traffic within the network comprises:
    - detecting messages within the network that originate from or are destined for the industrial device; and
      
      identifying parameters included in fields of the messages.
  - 5. The method of claim 4, wherein creating the message protocol profile for the industrial device comprises building a baseline representation of the normal communication patterns of the industrial device from the parameters included in the fields of the messages.
  - 6. The method of claim 5, wherein:
    - detecting the messages within the network that originate from or are destined for the industrial device comprises creating a grouping of messages that have certain characteristics in common with respect to the industrial device; and
      
      building the baseline representation of the normal communication patterns of the industrial device comprises building the baseline representation of the normal communication patterns of the industrial device by;
      
      analyzing the grouping of messages; and
      
      inserting a representation of the parameters identified in the fields of the messages into the baseline representation.
  - 7. The method of claim 6, wherein detecting the message within the network that involves the industrial device and the other computing device comprises determining that the message and the grouping of messages share the certain characteristics in common.
  - 8. The method of claim 7, wherein determining that the message represents the anomaly comprises:
    - identifying at least one parameter included in at least one field of the message; and
      
      determining that the parameter identified in the field of the message is suspiciously inconsistent with the baseline representation of the normal communication patterns of the industrial device.
  - 9. The method of claim 4, wherein building the baseline representation of the normal communication patterns of the industrial device comprises forming, based at least in part on the parameters identified in the fields of the messages, a set of policy rules that represent a reference for the normal communication patterns of the industrial device.
  - 10. The method of claim 9, wherein forming the set of policy rules comprises weighting, within a mathematical formula that facilitates calculating a risk score for computing devices communicating with the industrial device, a numerical value that represents a level of risk associated with violating at least one policy rule within the set of policy rules.
  - 11. The method of claim 4, wherein the parameters included in the fields of the messages comprise at least one of:
    - an opcode included in a message originating from or destined for the industrial device;
      
      a size of a message originating from or destined for the industrial device;
      
      a structure of a message originating from or destined for the industrial device;
      
      a sequence number of a message originating from or destined for the industrial device;
      
      a counter that identifies a certain number of messages originating from or destined for the industrial device; and
      
      a transaction identifier included in a message originating from or destined for the industrial device.

12. A system for identifying compromised devices within industrial control systems, the system comprising:
- a monitoring module, stored in memory, that monitors network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;
  
  a profiling module, stored in memory, that creates, based at least in part on the network traffic, a message protocol profile for the industrial device that describes;
  
  a network protocol used to communicate with the industrial device via the network;
  
  normal communication patterns of the industrial device; and
  
  one or more valid opcodes for the industrial device;
  
  a detection module, stored in memory, that;
  
  detects at least one message within the network that involves the industrial device and at least one other computing device; and
  
  identifies at least one opcode in the message;
  
  a determination module, stored in memory, that;
  
  determines, by comparing the opcode identified in the message with the valid opcodes for the industrial device described in the message protocol profile, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device; and
  
  determines, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised; and
  
  at least one physical processor that executes the monitoring module, the profiling module, the detection module, and the determination module.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, further comprising a security module, stored in memory, that performs at least one security action with respect to the other computing device in response to the determination that the other computing device has likely been compromised.
  - 14. The system of claim 13, wherein the security action comprises at least one of:
    - raising an alarm that notifies at least one additional computing device that the other computing device has been compromised;
      
      quarantining the other computing device from the industrial network to prevent the other computing device from communicating with any additional computing devices within the industrial control system;
      
      shutting down the other computing device to prevent the other computing device from communicating with any additional computing devices within the industrial control system;
      
      blocking all messages between the other computing device and any additional computing devices within the industrial control system; and
      
      replacing the other computing device within the industrial network by transferring at least one computing task of the other computing device to at least one additional computing device within the industrial control system.
  - 15. The system of claim 12, wherein the monitoring module:
    - detects messages within the network that originate from or are destined for the industrial device; and
      
      identifies parameters included in fields of the messages.
  - 16. The system of claim 15, wherein the profiling module builds a baseline representation of the normal communication patterns of the industrial device from the parameters included in the fields of the messages.
  - 17. The system of claim 16, wherein:
    - the monitoring module creates a grouping of messages that have certain characteristics in common with respect to the industrial device; and
      
      the profiling module builds the baseline representation of the normal communication patterns of the industrial device by;
      
      analyzing the grouping of messages; and
      
      inserting a representation of the parameters identified in the fields of the messages into the baseline representation.
  - 18. The system of claim 17, wherein the determination module determines that the message and the grouping of messages share the certain characteristics in common.
  - 19. The system of claim 15, wherein the parameters included in the fields of the messages comprise at least one of:
    - an opcode included in a message originating from or destined for the industrial device;
      
      a size of a message originating from or destined for the industrial device;
      
      a structure of a message originating from or destined for the industrial device;
      
      a sequence number of a message originating from or destined for the industrial device;
      
      a counter that identifies a certain number of messages originating from or destined for the industrial device; and
      
      a transaction identifier included in a message originating from or destined for the industrial device.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- monitor network traffic within a network that facilitates communication for an industrial control system that includes at least one industrial device;
  
  create, based at least in part on the network traffic, a message protocol profile for the industrial device that describes;
  
  a network protocol used to communicate with the industrial device via the network;
  
  normal communication patterns of the industrial device; and
  
  one or more valid opcodes for the industrial device;
  
  detect at least one message within the network that involves the industrial device and at least one other computing device included in the industrial control system;
  
  identify at least one opcode in the message;
  
  determine, by comparing the opcode identified in the message with the valid opcodes for the industrial device described in the message protocol profile, that the message represents an anomaly that is suspiciously inconsistent with the normal communication patterns of the industrial device; and
  
  determine, based at least in part on the message representing the anomaly, that the other computing device has likely been compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Corrales, Ignacio Bermudez, Tongaonkar, Alok
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US14/952,344
Publication Number

US 20170149811A1
Time in Patent Office

895 Days
Field of Search
US Class Current
CPC Class Codes

G05B 19/4185   characterised by the networ...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Systems and methods for identifying compromised devices within industrial control systems

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for identifying compromised devices within industrial control systems

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others