Industrial asset cyber-attack detection algorithm verification using secure, distributed ledger

US 11,627,151 B2
Filed: 10/31/2018
Issued: 04/11/2023
Est. Priority Date: 10/31/2018
Status: Active Grant

First Claim

Patent Images

1. A system to facilitate industrial asset cyber-attack detection algorithm verification, comprising:

a verification platform, including;

a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data, andat least one verification platform computer processor coupled to the data connection and adapted to;

mark the subset of industrial asset cyber-attack detection algorithm data as invalid,store the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store,record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger,receive a transaction identifier from the secure, distributed ledger,independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client, the raw trie data comprising a time series stream of sensor data output,mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of the independently created version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata;

receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;

compare data points of the stream of industrial data to the decision boundary information; and

generate at least one of a global alert signal or a local alert signal based on the result of the comparison.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A verification platform may include a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, including a subset of the industrial asset cyber-attack detection algorithm data. The verification platform may store the subset into a data store (the subset of industrial asset cyber-attack detection algorithm data being marked as invalid) and record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger. The verification platform may then receive a transaction identifier from the secure, distributed ledger and mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata.

Citations

20 Claims

1. A system to facilitate industrial asset cyber-attack detection algorithm verification, comprising:
- a verification platform, including;
  
  a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data, andat least one verification platform computer processor coupled to the data connection and adapted to;
  
  mark the subset of industrial asset cyber-attack detection algorithm data as invalid,store the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store,record a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger,receive a transaction identifier from the secure, distributed ledger,independently create a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client, the raw trie data comprising a time series stream of sensor data output,mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of the independently created version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata;
  
  receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;
  
  compare data points of the stream of industrial data to the decision boundary information; and
  
  generate at least one of a global alert signal or a local alert signal based on the result of the comparison.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the industrial asset cyber-attack detection algorithm data includes at least one feature-based classification boundary.
  - 3. The system of claim 1, the stream of industrial asset data including a subset of the industrial asset data,the verification platform computer is further adapted to:
    - store the subset of industrial asset data into the data store, the subset of industrial asset data being marked as invalid,record a hash value associated with a compressed representation of the subset of industrial asset data combined with metadata in the secure, distributed ledger,receive a transaction identifier from the secure, distributed ledger, andmark the subset of industrial asset data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset data combined with metadata.
  - 4. The system of claim 3, wherein the industrial asset sensors are associated with at least one of:
    - (i) an engine, (ii) an aircraft, (iii) a locomotive, (iv) power generation, and (v) a wind turbine.
  - 5. The system of claim 1, further comprising:
    - the data store, wherein the data store is adapted to provide information marked as being valid to a consuming platform.
  - 6. The system of claim 1, wherein the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata comprises a trie.
  - 7. The system of claim 6, wherein the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata comprises a Patricia-Merkle trie.
  - 8. The system of claim 1, wherein the metadata includes at least one of:
    - (i) a pseudo identifier, (ii) a time stamp, (iii) a unique client identifier, and (iv) data shape information.
  - 9. The system of claim 1, wherein the verification platform is associated with at least one of:
    - (i) a single network cloud-hosted topology, (ii) a multiple network cloud-hosted topology, and (iii) a participant hosted intranet environment.
  - 10. The system of claim 1, wherein the secure, distributed ledger comprises blockchain technology.

11. A method associated with industrial asset cyber-attack detection algorithm verification, comprising:
- receiving, at a computer processor of a verification platform, a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data;
  
  marking, by the verification platform, the subset of industrial asset cyber-attack detection algorithm data as invalid;
  
  storing, by the verification platform, the subset of industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store;
  
  recording, by the verification platform, a hash value associated with a compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata in a secure, distributed ledger;
  
  receiving, at the verification platform, a transaction identifier from the secure, distributed ledger;
  
  independently create, by the verification platform, a version of the compressed representation of the subset of the industrial asset cyber-attack detection algorithm data combined with the metadata based on raw trie data received from a verification client, the raw trie data comprising a time series stream of sensor data output,marking the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after using the transaction identifier to verify, at the verification platform, that the recorded hash value matches a hash value associated with the independently created version of the compressed representation of the subset of industrial asset cyber-attack detection algorithm data combined with metadata;
  
  receiving decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;
  
  comparing data points of the stream of industrial data to the decision boundary information; and
  
  generating at least one of a global alert signal or a local alert signal based on the result of the comparison.
- View Dependent Claims (12, 13, 14)
- - 12. The method of claim 11, wherein the compressed representation of the subset of industrial data combined with metadata comprises a Patricia-Merkle trie.
  - 13. The method of claim 11, wherein the metadata comprises at least one of:
    - (i) a pseudo identifier, (ii) a time stamp, (iii) a unique client identifier, and (iv) data shape information.
  - 14. The method of claim 11, wherein the secure, distributed ledger comprises blockchain technology.

15. A system to facilitate industrial asset cyber-attack detection algorithm verification, comprising:
- a verification client, including;
  
  a data connection to receive a stream of industrial asset cyber-attack detection algorithm data, the industrial asset cyber-attacked detection algorithm data comprising at least time-series sensor data from one or more monitoring nodes of an industrial asset and including a subset of the industrial asset cyber-attack detection algorithm data, anda verification client computer processor coupled to the data connection and adapted to;
  
  create a Patricia-Merkle trie from the subset of the industrial asset cyber-attack detection algorithm data and metadata,determine a hash trie value associated with the Patricia-Merkle trie,receive a pseudo identifier from a verification engine, andtransmit raw Patricia-Merkle trie data to a verification server along with metadata,the verification engine, including;
  
  a verification engine computer processor adapted to;
  
  receive the hash value from the verification client,transmit a pseudo identifier to the verification client,record the received hash trie value in a secure, distributed ledger,receive a transaction identifier from the secure, distributed ledger, andtransmit the pseudo identifier and transaction identifier to the verification server, andthe verification server, including;
  
  a verification server computer processor adapted to;
  
  receive the subset of the industrial asset cyber-attack detection algorithm data and metadata from the verification client,receive the pseudo identifier and transaction identifier from the verification engine,mark the subset of industrial asset cyber-attack detection algorithm data as invalid,store the subset of the industrial asset cyber-attack detection algorithm data and the corresponding marking as being invalid into a data store,independently create a Patricia-Merkle trie from the received subset of the industrial asset cyber-attack detection algorithm data and metadata, the industrial asset cyber-attack detection algorithm data comprising a time series stream of sensor data output,retrieve the recorded hash value from the secure, distributed ledger,mark the subset of industrial asset cyber-attack detection algorithm data in the data store as being valid after verifying that the recorded hash value matches a hash value associated with the independently created Patricia-Merkle trie;
  
  receive decision boundary information from an abnormal detection model, the decision boundary information representing a boundary between normal operating values and abnormal operating values, the abnormal operating values occurring during a cyber-attack, the abnormal detection algorithm receiving a stream of industrial data generated by a monitoring node;
  
  compare data points of the stream of industrial data to the decision boundary information; and
  
  generate at least one of a global alert signal or a local alert signal based on the result of the comparison.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the metadata includes at least one of:
    - (i) the pseudo identifier, (ii) a time stamp, (iii) a unique client identifier, and (iv) data shape information.
  - 17. The system of claim 15, wherein the verification platform is associated with at least one of:
    - (i) a single network cloud-hosted topology, (ii) a multiple network cloud-hosted topology, and (iii) a participant hosted intranet environment.
  - 18. The system of claim 15, wherein the secure, distributed ledger comprises blockchain technology.
  - 19. The system of claim 15, further comprising:
    - the data store, wherein the data store is adapted to provide information marked as being valid to a consuming platform.
  - 20. The system of claim 19, further comprising:
    - the consuming platform adapted to utilize information marked as being valid in the data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GE Infrastructure Technology, LLC (General Electric Company)
Original Assignee
General Electric Company
Inventors
Holzhauer, Daniel Francis, Mestha, Lalit, John, Justin
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Nguyen, Nhan Huu

Application Number

US16/176,293
Publication Number

US 20200137090A1
Time in Patent Office

1,623 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3239   involving non-keyed hash fu...

H04L 9/50   using hash chains, e.g. blo...

H04W 12/009   specially adapted for netwo...

Y04S 40/20   Information technology spec...

Industrial asset cyber-attack detection algorithm verification using secure, distributed ledger

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Industrial asset cyber-attack detection algorithm verification using secure, distributed ledger

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links