Domain level threat detection for industrial asset control system
First Claim
1. A system to protect an industrial asset control system, comprising:
a plurality of threat nodes each generating a series of current threat node values over time that represent a current operation of the industrial asset control system;
a threat detection computer, coupled to the plurality of threat nodes, to:
(i) receive the series of current threat node values and generate a set of current feature vectors,
(ii) access a threat detection model having at least one decision boundary created using a set of normal feature vectors and a set of threatened feature vectors, and
(iii) execute the threat detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary;
a normal space data source, for each of the plurality of threat nodes, of a series of normal threat node values over time that represent normal operation of the industrial asset control system;
a threatened space data source, for each of the plurality of threat nodes, of a series of threatened threat node values over time that represent a threatened operation of the industrial asset control system; and
a threat detection model creation computer, coupled to the normal space data source and the threatened space data source, to:
(i) receive the series normal threat node values and generate the set of normal feature vectors,
(ii) receive the series of threatened threat node values and generate the set of threatened feature vectors, and
(iii) automatically calculate and output the at least one decision boundary for the threat detection model based on the set of normal feature vectors and the set of threatened feature vectors.
Abstract
A normal space data source stores, for each of a plurality of threat nodes, a series of normal values that represent normal operation of an industrial asset control system, and a threatened space data source stores a series of threatened values. A model creation computer may generate sets of normal and threatened feature vectors. The computer may also calculate and output at least one decision boundary for a threat detection model based on the normal and threatened feature vectors. The plurality of threat nodes may then generate a series of current values that represent a current operation of the asset control system. A threat detection computer may receive the series of current values from threat nodes, generate a set of current feature vectors, execute the threat detection model, and transmit a threat alert signal based on the current feature vectors and the at least one decision boundary.
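The pipeline in the abstract, sketched as an added example that is not taken from the patent: the per-node features (mean and standard deviation over a window), the nearest-centroid linear boundary, all function names and the sample series are assumptions made for illustration, since the text above does not fix a feature set or a boundary method.

```python
from statistics import mean, pstdev

def feature_vector(node_series):
    """One feature vector per window: (mean, std) of each threat node's values.
    The choice of mean/std features is an assumption of this example."""
    fv = []
    for series in node_series:
        fv += [mean(series), pstdev(series)]
    return fv

def centroid(vectors):
    return [mean(col) for col in zip(*vectors)]

def fit_boundary(normal_fvs, threatened_fvs):
    """Model creation step: a linear boundary w.x + b = 0 placed as the
    perpendicular bisector of the two class centroids (assumed method)."""
    cn, ct = centroid(normal_fvs), centroid(threatened_fvs)
    w = [t - n for n, t in zip(cn, ct)]
    mid = [(n + t) / 2 for n, t in zip(cn, ct)]
    b = -sum(wi * mi for wi, mi in zip(w, mid))
    return w, b

def score(boundary, fv):
    w, b = boundary
    return sum(wi * xi for wi, xi in zip(w, fv)) + b

def detect(boundary, current_node_series):
    """Detection step: True (raise a threat alert) when the current feature
    vector falls on the threatened side of the boundary."""
    return score(boundary, feature_vector(current_node_series)) > 0

# Constructed sample data: two threat nodes, four samples per window.
NORMAL_RUNS = [
    [[50.1, 49.9, 50.0, 50.2], [10.0, 10.1, 9.9, 10.0]],
    [[49.8, 50.0, 50.1, 49.9], [10.2, 10.0, 10.1, 9.9]],
]
# Threatened runs keep roughly the same mean but oscillate widely, so a
# threshold on raw values alone would separate them poorly.
THREATENED_RUNS = [
    [[50.0, 55.0, 45.0, 58.0], [10.0, 14.0, 6.0, 13.0]],
    [[50.0, 44.0, 57.0, 43.0], [10.0, 5.0, 15.0, 6.0]],
]

def build_model():
    return fit_boundary([feature_vector(r) for r in NORMAL_RUNS],
                        [feature_vector(r) for r in THREATENED_RUNS])
```
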
21 Claims
15. A computerized method to protect an industrial asset control system, comprising:
using a processor to receive from a plurality of threat nodes a series of current threat node values over time that represent a current operation of the industrial asset control system and generate a set of current feature vectors;
retrieve, for each of the plurality of threat nodes, a series of normal threat node values over time that represent normal operation of the industrial asset control system;
generate a set of normal feature vectors based on the normal threat node values;
retrieve, for each of the plurality of threat nodes, a series of threatened threat node values over time that represent a threatened operation of the industrial asset control system;
generate a set of threatened feature vectors based on the threatened threat node values;
automatically calculate and output at least one decision boundary for a threat detection model based on the set of normal feature vectors and the set of threatened feature vectors; and
execute the threat detection model and transmit a threat alert signal based on the set of current feature vectors and the at least one decision boundary.
Specification