Industrial asset cyber-attack detection algorithm verification using secure, distributed ledger
Abstract
A verification platform may include a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, including a subset of the industrial asset cyber-attack detection algorithm data. The verification platform may store the subset into a data store (the subset of industrial asset cyber-attack detection algorithm data being marked as invalid) and record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger. The verification platform may then receive a transaction identifier from the secure, distributed ledger and mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata.
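The store-as-invalid, record-hash, verify, mark-valid flow described in the abstract, as an added example that is not taken from the patent. A binary SHA-256 Merkle tree stands in for the compressed representation (claim 15 names a Patricia-Merkle trie); `InMemoryLedger`, `VerificationPlatform` and the sample readings are constructed for illustration.

```python
import hashlib
import hmac
import json
import uuid

def _h(prefix: bytes, data: bytes) -> bytes:
    return hashlib.sha256(prefix + data).digest()  # prefix separates leaf/node/root

def merkle_root(samples, metadata) -> str:
    """Hex root over the time-series samples plus one metadata leaf."""
    items = list(samples) + [metadata]
    level = [_h(b"\x00", json.dumps(i, sort_keys=True).encode()) for i in items]
    while len(level) > 1:
        nxt = [_h(b"\x01", level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:  # odd node is promoted, never duplicated
            nxt.append(level[-1])
        level = nxt
    return _h(b"\x02", len(items).to_bytes(8, "big") + level[0]).hex()

class InMemoryLedger:
    """Constructed stand-in for the secure, distributed ledger."""
    def __init__(self):
        self._entries = {}
    def record(self, digest: str) -> str:
        tx_id = uuid.uuid4().hex  # transaction identifier handed back to the caller
        self._entries[tx_id] = digest
        return tx_id
    def lookup(self, tx_id: str) -> str:
        return self._entries[tx_id]

class VerificationPlatform:
    def __init__(self, ledger):
        self.ledger, self.store = ledger, {}
    def ingest(self, key, samples, metadata) -> str:
        """Store the subset marked invalid, then record its hash on the ledger."""
        self.store[key] = {"samples": [dict(s) for s in samples],
                           "metadata": dict(metadata), "valid": False}
        self.store[key]["tx_id"] = tx_id = self.ledger.record(merkle_root(samples, metadata))
        return tx_id
    def verify(self, key) -> bool:
        """Rebuild the root from stored data; mark valid only if the ledger agrees."""
        rec = self.store[key]
        rebuilt = merkle_root(rec["samples"], rec["metadata"])
        rec["valid"] = hmac.compare_digest(rebuilt, self.ledger.lookup(rec["tx_id"]))
        return rec["valid"]

# Constructed sample: three readings from one monitoring node.
SAMPLES = [{"t": 0, "temp_c": 611.2}, {"t": 1, "temp_c": 611.9}, {"t": 2, "temp_c": 612.4}]
METADATA = {"asset": "example-turbine", "node": "MN1"}
```

A stored sample that is altered after `ingest` no longer hashes to the ledger entry, so `verify` leaves the record marked invalid.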
20 Claims
1. A system to facilitate industrial asset cyber-attack detection algorithm verification, comprising:
- a verification platform, including;
  - a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data, and
  - at least one verification platform computer processor coupled to the data connection and adapted to;
    - mark the subset of industrial asset cyber-attack detection algorithm data as invalid,
    - store the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store,
    - record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger,
    - receive a transaction identifier from the secure, distributed ledger,
    - independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client, the raw trie data comprising a time series stream of sensor data output,
    - mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of the independently created version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata;
    - receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;
    - compare data points of the stream of industrial data to the decision boundary information; and
    - generate at least one of a global alert signal or a local alert signal based on the result of the comparison.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method associated with industrial asset cyber-attack detection algorithm verification, comprising:
- receiving, at a computer processor of a verification platform, a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data;
- marking, by the verification platform, the subset of industrial asset cyber-attack detection algorithm data as invalid;
- storing, by the verification platform, the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store;
- recording, by the verification platform, a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger;
- receiving, at the verification platform, a transaction identifier from the secure, distributed ledger;
- independently create, by the verification platform, a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client, the raw trie data comprising a time series stream of sensor data output,
- marking the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify, at the verification platform, that the recorded hash value matches a hash value associated with the independently created version of the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata;
- receiving decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;
- comparing data points of the stream of industrial data to the decision boundary information; and
- generating at least one of a global alert signal or a local alert signal based on the result of the comparison.

Dependent claims: 12, 13, 14
15. A system to facilitate industrial asset cyber-attack detection algorithm verification, comprising:
- a verification client, including;
  - a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data, and
  - a verification client computer processor coupled to the data connection and adapted to;
    - create a Patricia-Merkle trie from the subset of the industrial asset cyber-attack detection algorithm data and metadata,
    - determine a hash trie value associated with the Patricia-Merkle trie,
    - receive a pseudo identifier from a verification engine, and
    - transmit raw Patricia-Merkle trie data to a verification server along with metadata,
- the verification engine, including;
  - a verification engine computer processor adapted to;
    - receive the hash value from the verification client,
    - transmit a pseudo identifier to the verification client,
    - record the received hash trie value in a secure, distributed ledger,
    - receive a transaction identifier from the secure, distributed ledger, and
    - transmit the pseudo identifier and transaction identifier to the verification server, and
- the verification server, including;
  - a verification server computer processor adapted to;
    - receive the subset of the industrial asset cyber-attack detection algorithm data and metadata from the verification client,
    - receive the pseudo identifier and transaction identifier from the verification engine,
    - mark the subset of industrial asset cyber-attack detection algorithm data as invalid,
    - store the subset of the industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store,
    - independently create a Patricia-Merkle trie from the received subset of the industrial asset cyber-attack detection algorithm data and metadata, the industrial asset cyber-attack detection algorithm data comprising a time series stream of sensor data output,
    - retrieve the recorded hash value from the secure, distributed ledger,
    - mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after verifying that the recorded hash value matches a hash value associated with the independently created Patricia-Merkle trie;
    - receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;
    - compare data points of the stream of industrial data to the decision boundary information; and
    - generate at least one of a global alert signal or a local alert signal based on the result of the comparison.

Dependent claims: 16, 17, 18, 19, 20
Specification