Domain level threat detection for industrial asset control system

US 9,998,487 B2
Filed: 04/25/2016
Issued: 06/12/2018
Est. Priority Date: 04/25/2016
Status: Active Grant

First Claim

Patent Images

1. A system to protect an industrial asset control system, comprising:

a plurality of threat nodes each generating a series of current threat node values over time that represent a current operation of the industrial asset control system;

a threat detection computer, coupled to the plurality of threat nodes, to;

(i) receive the series of current threat node values and generate a set of current feature vectors,(ii) access a threat detection model having at least one decision boundary created using a set of normal feature vectors and a set of threatened feature vectors, and(iii) execute the threat detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary;

a normal space data source, for each of the plurality of threat nodes, of a series of normal threat node values over time that represent normal operation of the industrial asset control system;

a threatened space data source, for each of the plurality of threat nodes, of a series of threatened threat node values over time that represent a threatened operation of the industrial asset control system; and

a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to;

(i) receive the series normal threat node values and generate the set of normal feature vectors,(ii) receive the series of threatened threat node values and generate the set of threatened feature vectors, and(iii) automatically calculate and output the at least one decision boundary for the threat detection model based on the set of normal feature vectors and the set of threatened feature vectors.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A normal space data source stores, for each of a plurality of threat nodes, a series of normal values that represent normal operation of an industrial asset control system, and a threatened space data source stores a series of threatened values. A model creation computer may generate sets of normal and threatened feature vectors. The computer may also calculate and output at least one decision boundary for a threat detection model based on the normal and threatened feature vectors. The plurality of threat nodes may then generate a series of current values from threat nodes that represent a current operation of the asset control system. A threat detection computer may receive the series of current values from threat nodes, generate a set of current feature vectors, execute the threat detection model, and transmit a threat alert signal based on the current feature vectors and at the least one decision boundary.

22 Citations

View as Search Results

21 Claims

1. A system to protect an industrial asset control system, comprising:
- a plurality of threat nodes each generating a series of current threat node values over time that represent a current operation of the industrial asset control system;
  
  a threat detection computer, coupled to the plurality of threat nodes, to;
  
  (i) receive the series of current threat node values and generate a set of current feature vectors,(ii) access a threat detection model having at least one decision boundary created using a set of normal feature vectors and a set of threatened feature vectors, and(iii) execute the threat detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary;
  
  a normal space data source, for each of the plurality of threat nodes, of a series of normal threat node values over time that represent normal operation of the industrial asset control system;
  
  a threatened space data source, for each of the plurality of threat nodes, of a series of threatened threat node values over time that represent a threatened operation of the industrial asset control system; and
  
  a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to;
  
  (i) receive the series normal threat node values and generate the set of normal feature vectors,(ii) receive the series of threatened threat node values and generate the set of threatened feature vectors, and(iii) automatically calculate and output the at least one decision boundary for the threat detection model based on the set of normal feature vectors and the set of threatened feature vectors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein at least one of the set of normal feature vectors and the set of threatened feature vectors are associated with at least one of:
    - (i) principal components, (ii) statistical features, (iii) deep learning features, (iv) frequency domain features, (v) time series analysis features, (vi) logical features, (vii) geographic or position based locations, and (viii) interaction features.
  - 3. The system of claim 1, wherein the threat detection model including the at least one decision boundary is dynamically adapted based on at least one of:
    - (i) a transient condition, (ii) a steady state model of the industrial asset control system, and (iii) data sets obtained while operating the system as in self-learning systems from incoming data stream.
  - 4. The system of claim 1, wherein the threat detection model is associated with at least one of:
    - (i) an actuator attack, (ii) a controller attack, (iii) a threat node attack, (iv) a plant state attack, (v) spoofing, (vi) financial damage, (vii) unit availability, (viii) a unit trip, (ix) a loss of unit life, and (x) asset damage requiring at least one new part.
  - 5. The system of claim 4, wherein info nation from each of the plurality of threat nodes is normalized and an output is expressed as a weighted linear combination of basis functions.
  - 6. The system of claim 5, wherein natural basis vectors are obtained using covariance of a threat node data matrix.
  - 7. The system of claim 1, wherein the threat nodes are associated with at least one of:
    - (i) critical sensor nodes, (ii) actuator nodes, (iii) controller nodes, and (iv) key software nodes.
  - 8. The system of claim 1, wherein the threat detection model including the at least one decision boundary is associated with at least one of:
    - (i) a line, i) a hyperplane, and (iii) a non-linear boundary separating normal space and threatened space.
  - 9. The system of claim 1, wherein the threat detection model including the at least one decision boundary is a multi-class decision boundary separating normal space, threatened space, and degraded operation space.
  - 10. The system of claim 1, wherein at least one of the series of normal threat node values and the series of threatened threat node values are associated with a high fidelity equipment model.
  - 11. The system of claim 1, wherein at least one decision boundary exists in a multi-dimensional space and is associated with at least one of:
    - (i) a dynamic model, (ii) design of experiment data, (iii) machine learning techniques, (iv) a support vector machine, (v) a full factorial process, (vi) Taguchi screening, (vii) a central composite methodology, (viii) a Box-Behnken methodology, (ix) real-world operating conditions, (x) a full-factorial design, (xi) a screening design, and (xii) a central composite design.
  - 12. The system of claim 1, wherein the plurality of threatened threat node values were generated from a set of potential threat vectors in accordance with a risk priority number analysis including at least one of:
    - (i) a level of expertise, (ii) an amount of time, (iii) a level of ease, and (iv) an amount of damage.
  - 13. The system of claim 1, wherein the threat detection model is associated with decision boundaries and at least one of:
    - (i) feature mapping, and (ii) feature parameters.
  - 14. The system of claim 1, wherein at least one of the normal and threatened threat node values are obtained by running design of experiments on an industrial control system associated with at least one of:
    - (i) a power turbine, (ii) a jet engine, (iii) a locomotive, and (iv) an autonomous vehicle.

15. A computerized method to protect an industrial asset control system, comprising:
- using a processor toreceive from a plurality of threat nodes a series of current threat node values over time that represent a current operation of the industrial asset control system and generate a set of current feature vectors;
  
  retrieve, for each of the plurality of threat nodes, a series of normal threat node values over time that represent normal operation of the industrial asset control system;
  
  generate a set of normal feature vectors based on the normal threat node values;
  
  retrieve, for each of the plurality of threat nodes, a series of threatened threat node values over time that represent a threatened operation of the industrial asset control system;
  
  generate a set of threatened feature vectors based on the threatened threat node values;
  
  automatically calculate and output at least one decision boundary for a threat detection model based on the set of normal feature vectors and the set of threatened feature vectors; and
  
  execute the threat detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The method of claim 15, wherein the at least one decision boundary exists in a multi-dimensional space and is associated with at least one of:
    - (i) a dynamic model, (ii) design of experiment data, (iii) machine learning techniques, (iv) a support vector machine, (v) a full factorial process, (vi) Taguchi screening, (vii) a central composite methodology, (viii) a Box-Behnken methodology, (ix) real-world operating conditions, (x) a full-factorial design, (xi) a screening design, and (xii) a central composite design.
  - 17. The method of claim 15, wherein at least one of the set of normal feature vectors and the set of threatened feature vectors are associated with at least one of:
    - (i) principal components, (ii) statistical features, (iii) deep learning features, (iv) frequency domain features, (v) time series analysis features, (vi) logical features, (vii) geographic or position based locations, and (viii) interaction features.
  - 18. The method of claim 15, wherein the plurality of threatened, node values were generated from a set of potential threat vectors in accordance with a risk priority number analysis including at least one of:
    - (i) a level of expertise, (ii) an amount of time, (iii) a level of ease, and (iv) an amount of damage.
  - 19. The method of claim 15, wherein at least one decision boundary is dynamically adapted based on at least one of:
    - (i) a transient condition, (ii) a steady state model of the industrial asset control system, and (iii) data sets obtained while operating the system as in self-learning systems from incoming data streams.
  - 20. The method of claim 15,. wherein information from each of the plurality of threat nodes is normalized and output is expressed as a weighted linear combination of basis functions.
  - 21. The method of claim 20, wherein natural basis vectors are obtained using covariance of a threat node data matrix.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Infrastructure Technology, LLC (General Electric Company)
Original Assignee
General Electric Company
Inventors
Mestha, Lalit Keshav, Thatcher, Jonathan Carl, Holzhauer, Daniel Francis, John, Justin Varkey
Primary Examiner(s)
Okeke, Izunna

Application Number

US15/137,311
Publication Number

US 20170310690A1
Time in Patent Office

778 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06N 20/00   Machine learning

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

Domain level threat detection for industrial asset control system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Domain level threat detection for industrial asset control system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links