METHOD FOR MITIGATION OF CYBER ATTACKS ON INDUSTRIAL CONTROL SYSTEMS
First Claim
1. A method for detecting a potential compromise of cyber security in an industrial network utilizing a protocol for controlling an industrial process, comprising:
polling specific fields of packet data, obtained from packets, at a fixed frequency for a plurality of programmable logic controllers (PLCs), to establish network behavior;
deriving a vector based on the specific packet data fields, wherein the specific packet data fields represent the protocol which signifies particular network communications;
generating a value based on the vector indicative of a network behavioral state;
maintaining a network behavior state machine comprising a list of network states and transition counts, wherein the transition count is maintained in accordance to the value;
determining a transition probability corresponding to the transition counts, wherein the transition probability denotes an estimated probability of a first network state being followed temporally by a second network state, during normal network operation;
establishing, for the network behavior state machine, a threshold representing the probability below which a sequence of network states is anomalous;
determining, by the network behavior state machine, a probability for the occurrence of a sequence of network states, according to the derived vector; and
taking protective action according to whether the determined probability is below the established threshold.
Abstract
Methods and systems for detecting a potential compromise of cyber security in an industrial network are disclosed. These methods and systems comprise elements of hardware and software for establishing a baseline of site-acceptable network behavior comprising a list of network states and transition probabilities, wherein a transition probability denotes an estimated probability of a first network state being followed temporally by a second network state during normal network operation; establishing a threshold representing the probability below which a sequence of network states is anomalous; determining a probability for the occurrence of a sequence of network states as obtained from a particular stream of packets, according to the baseline of site-acceptable network behavior; and, taking protective action according to whether the determined probability is below the established threshold.
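As an added illustration of the method recited in the claim and abstract (example code written for this page, not code from the patent or its assignee), the following Python builds the network behavior state machine from polled packet-field vectors, derives transition probabilities from transition counts, and scores a window of states against a threshold. The Modbus-like fields (plc_id, function_code, register), the baseline traffic and the threshold value are all constructed assumptions.

```python
from collections import defaultdict

def state_of(vector):
    """Map a polled vector of protocol fields to a network state (here: the tuple itself)."""
    return tuple(vector)

class NetworkBehaviorStateMachine:
    """Network states plus transition counts learned from baseline (normal) traffic."""
    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))  # counts[s1][s2]

    def train(self, vectors):
        """Baseline phase: count each temporal transition s1 -> s2 seen in normal traffic."""
        states = [state_of(v) for v in vectors]
        for s1, s2 in zip(states, states[1:]):
            self.counts[s1][s2] += 1

    def transition_probability(self, s1, s2):
        """Estimated P(s2 follows s1); 0 for a state or transition never seen in baseline."""
        total = sum(self.counts[s1].values())
        return self.counts[s1][s2] / total if total else 0.0

    def sequence_probability(self, vectors):
        """Probability of a window of states as the product of its transition probabilities."""
        states = [state_of(v) for v in vectors]
        p = 1.0
        for s1, s2 in zip(states, states[1:]):
            p *= self.transition_probability(s1, s2)
        return p

# Constructed baseline (assumed fields: plc_id, function_code, register): a poll loop
# reading register 40001 on PLC 1 then PLC 2, with one scheduled write (FC 16) to
# register 40010 on PLC 1.
READ_PLC1, READ_PLC2, WRITE_PLC1 = (1, 3, 40001), (2, 3, 40001), (1, 16, 40010)
BASELINE = [READ_PLC1, READ_PLC2] * 9 + [WRITE_PLC1, READ_PLC1, READ_PLC2]

def build_baseline():
    machine = NetworkBehaviorStateMachine()
    machine.train(BASELINE)
    return machine

def check_window(window, threshold=0.01):
    """Return (probability, anomalous) for a fixed-length window of polled vectors.
    Keep the window length fixed: the product shrinks with every transition, so a
    single threshold is only meaningful for windows of the same length."""
    machine = build_baseline()
    p = machine.sequence_probability(window)
    return p, p < threshold   # below threshold -> protective action is warranted
```

With this baseline a normal polling window scores 8/9, while a window containing a write to PLC 2 (never seen in baseline) scores 0 and is flagged.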
8 Citations
1 Claim
Specification