[go: up one dir, main page]

WO2018164767A1 - Neutralisation et détection de cyber-attaque - Google Patents

Neutralisation et détection de cyber-attaque Download PDF

Info

Publication number
WO2018164767A1
WO2018164767A1 PCT/US2018/012858 US2018012858W WO2018164767A1 WO 2018164767 A1 WO2018164767 A1 WO 2018164767A1 US 2018012858 W US2018012858 W US 2018012858W WO 2018164767 A1 WO2018164767 A1 WO 2018164767A1
Authority
WO
WIPO (PCT)
Prior art keywords
asset
feature
signals
time series
computing system
Prior art date
Application number
PCT/US2018/012858
Other languages
English (en)
Inventor
Lalit Keshav MESTHA
Olugbenga Anubi
Masoud Abbaszadeh
Original Assignee
General Electric Company
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US15/454,144 external-priority patent/US10771495B2/en
Application filed by General Electric Company filed Critical General Electric Company
Publication of WO2018164767A1 publication Critical patent/WO2018164767A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Definitions

  • Machine and equipment assets are engineered to perform particular tasks as part of a business process.
  • assets can include, among other things and without limitation, industrial manufacturing equipment on a production line, drilling equipment for use in mining operations, wind turbines that generate electricity on a wind farm, transportation vehicles, and the like.
  • assets may include healthcare machines and equipment that aid in diagnosing patients such as imaging devices (e.g., X-ray or MRI systems), monitoring devices, and the like.
  • Embodiments described herein improve upon the prior art by providing an attack detection and neutralization system and method capable of masking the effects of a cyber- attack on a physical asset such as a machine or equipment.
  • the system may receive an incoming signal sensed from or about a physical asset, filter the signal to detect and remove an attack signature, and output the signal to a control system .
  • the method can be implemented as software that is deployed on a cloud platform such as an Industrial Internet of Things (IloT).
  • IloT Industrial Internet of Things
  • a method including receiving input signals from an asset comprising time series data associated with the asset and transforming the input signals into feature values in a feature space, detecting one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset, and determining an estimated true value for each abnormal feature value, and performing an inverse transform of each estimated true value to generate neutralized signals comprising time series data and outputting the neutralized signals.
  • computing system including a receiver configured to receive input signals from an asset comprising time series data associated with the asset, a processor configured to transform the input signals into feature values in a feature space, detect one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset, determine an estimated true value for each abnonnal feature value, and perform an inverse transform of each estimated true value to generate neutralized signals comprising time series data, and an output configured to output the neutralized signals.
  • a non-transitory computer readable storage medium having stored therein instructions that when executed cause a processor to perform a method including receiving input signals from an asset comprising time series data associated with the asset and transforming the input signals into feature values in a feature space, detecting one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset, and determining an estimated true value for each abnormal feature value, and performing an inverse transform of each estimated true value to generate neutralized signals comprising time series data and outputting the neutralized signals.
  • FIG. 1 is a diagram illustrating a cloud-computing environment associated with industrial systems in accordance with an example embodiment.
  • FIG. 2 is a diagram illustrating a threat neutralizer for filtering input signals in accordance with an example embodiment.
  • FIG. 3 is a diagram illustrating a boundary and performance estimation process for threat detection in accordance with an example embodiment.
  • FIG. 4 is a diagram illustrating a method for neutralizing cyber-based threats in accordance with example embodiments.
  • FIG. 5 is a diagram illustrating an example of a simulated performance of a boundary and performance constrained resilient estimator in accordance with an example embodiment.
  • FIG. 6 is a diagram illustrating a computing device for neutralizing cyber-based threats in accordance with an example embodiment.
  • the example embodiments are directed to a system and method for identifying and neutralizing threats that occur in systems, for example, control systems for industrial manufacturing.
  • the method described herein may achieve resiliency to cyber-attacks to provide uninterrupted, equipment-safe, controlled operation while attacks are in progress.
  • resiliency is the ability of a control system to force signals (or states) required for operational normalcy.
  • a threat e.g. , an infection
  • the method destroys the threat.
  • the example embodiments are directed to a method that extends domain-level security by creating a cyber-based "immune system" specifically desirable to industrial systems.
  • the methods herein are not only able to identify threats, but may also block the threats by automatically neutralizing their effects on the control system even while the attacks are in progress. Neutralization of the affects may be achieved at key signals by estimating true operational states of the system with new boundary and performance constrained resilient estimators (BPRE). Furthermore, true signals for operational normalcy may be computed from estimated states enabling the system to continue to function properly.
  • Tire method and system described herein can deter threats by replicating protection mechanisms adapted by biological sy stems. How the human body fights off pathogens and other infections is a natural wonder. It automatically detects and triggers a self-defense mechanism to fight. The example embodiments replicate a similar kind of automatic detection and trigger functions for masking or otherwise neutralizing the attack signals.
  • the neutralization approach disclosed here can also be used for securing any system, where continuous data stream is available for monitoring purpose.
  • the neutralization methods described herein may be implemented as software such as an application or a service and may be incorporated within an industrial system such as a control system, a computer, a server, a cloud platform, a machine, an equipment, an aircraft, a locomotive, and the like. While progress with machine and equipment automation has been made over the last several decades, and assets have become 'smarter,' the intelligence of any individual asset pales in comparison to intelligence that can be gained when multiple smart devices are connected together, for example, in the cloud. As described herein, an asset is used to refer to equipment and/or a machine used in fields such as energy, healthcare, transportation, heavy manufacturing, chemical production, printing and publishing, electronics, textiles, and the like.
  • Aggregating data collected from or about multiple assets can enable users to improve business processes, for example by improving effectiveness of asset maintenance or improving operational performance if appropriate industrial-specific data, collection and modeling technology is developed and applied.
  • an asset can be outfitted with one or more sensors configured to monitor respective operations or conditions thereof. Data from the sensors can be added to the cloud platform. By bringing such data into a cloud-based environment, new software applications and control systems informed by industrial process, tools and expertise can be constructed, and new physics-based analytics specific to an industrial environment can be created. Insights gained through analysis of such data can lead to enhanced asset designs, enhanced software algorithms for operating the same or similar assets, better operating efficiency, and the like.
  • the example embodiments provide a neutralization process that is capable of filtering signals that are transmitted from the edge to the cloud platform back- end, as well as transmitting in other situations.
  • Assets described herein can include or can be a portion of an Industrial Internet of Things (IIoT).
  • IIoT Industrial Internet of Things
  • an IIoT connects assets including machines and equipment, such as turbines, jet engines, healthcare machines, locomotives, oil rigs, and the like, to the Internet and/or a cloud, or to each other in some meaningful way such as through one or more networks.
  • the examples described herein can include using a "cloud" or remote or distributed computing resource or service.
  • the cloud can be used to receive, relay, transmit, store, analyze, or otherwise process information for or about one or more assets.
  • a cloud computing system includes at least one processor circuit, at least one database, and a plurality of users or assets that are in data communication with the cloud computing system.
  • the cloud computing system can further include or can be coupled with one or more other processor circuits or modules configured to perform a specific task, such as to perform tasks related to asset maintenance, analytics, data storage, security, or some other function.
  • a given machine or equipment based asset may need to be configured with novel interfaces and communication protocols to send and receive data to and from distributed computing resources.
  • Assets may have strict requirements for cost, weight, security, performance, signal interference, and the like, in which case enabling such an interface is rarely as simple as combining the asset with a general-purpose computing device.
  • embodiments provide a cloud platform that can receive and deploy applications from many different fields of industrial technologies. In order for these applications to successfully consume data from machines and equipment also connected to the cloud, the embodiments provide a threat neutralization method that can be
  • the PredixTM platform available from GE is a novel embodiment of an Asset Management Platform (AMP) technology enabled by state of the art cutting edge tools and cloud computing techniques that enable incorporation of a manufacturer's asset knowledge with a set of development tools and best practices that enables asset users to bridge gaps between software and operations to enhance capabilities, foster innovation, and ultimately provide economic value.
  • AMP Asset Management Platform
  • a manufacturer of assets can be uniquely situated to leverage its understanding of assets themselves, models of such assets, and industrial operations or applications of such assets, to create new value for industrial customers through asset insights.
  • FIG. 1 illustrates a cloud computing environment associated with industrial systems in accordance with an example embodiment.
  • FIG. 1 illustrates generally an example of portions of an asset management platform (AMP) 100.
  • AMP asset management platform
  • one or more porti ons of an AMP can reside in a cloud computing system 120, in a local or sandboxed environment, or can be distributed across multiple locations or devices.
  • the AMP 100 can be configured to perform any one or more of data acquisition, data analysis, or data exchange with local or remote assets, or with other task-specific processing devices.
  • the AMP 100 includes an asset community (e.g. , gas turbines, wind turbines, healthcare machines, industrial systems, manufacturing systems, oil rigs, etc.) that is communicatively- coupled with the cloud computing system 120.
  • asset community e.g. , gas turbines, wind turbines, healthcare machines, industrial systems, manufacturing systems, oil rigs, etc.
  • a machine module 110 receives information from, or senses informati on about, at least one asset member of the asset community, and configures the received information for exchange with the cloud computing system 120.
  • the machine module 110 is coupled to the cloud computing system 120 or to an enterprise computing system 130 via a communication gateway 105.
  • the communication gateway 105 may include or may use a wired or wireless communication channel that extends at least from the machine module 1 10 to the cloud computing system 120.
  • the cloud computing system 120 may include several layers, for example, a data infrastructure layer, a cloud foundry layer, and modules for providing various functions. In FIG.
  • the cloud computing system 120 includes an asset module 121 , an analytics module 122, a data acquisition module 123, a data security module 124, and an operations module 125, but the embodiments are not limited thereto.
  • Each of the modules includes or uses a dedicated circuit, or instructions for operating a general purpose processor circuit, to perform the respective functions.
  • the modules 121-125 are communicatively coupled in the cloud computing system 120 such that information from one module can be shared with another.
  • the modules 121-125 are co-located at a designated datacenter or other facility, or the modules 121-125 can be distributed across multiple different locations.
  • An interface device 140 (e.g. , user device, workstation, tablet, laptop, appliance, kiosk, and the like) can be configured for data communication with one or more of the machine module 1 10, the gateway 105, and the cloud computing system 120.
  • the interface device 140 can be used to monitor or control one or more assets.
  • the interface device 140 may be used to develop and upload applications to the cloud computing system 120.
  • the interface device 140 may be used to access analytical applications deployed on the cloud computing system 120.
  • information about the asset community may be presented to an operator at the interface device 140.
  • the information about the asset community may include information from the machine module 1 10, information from the cloud computing system 120, and the like.
  • the interface device 140 can include options for optimizing one or more members of the asset community based on analytics performed at the cloud computing system 120.
  • FIG. 1 includes the asset community with multiple wind turbine assets, including the wind turbine 101.
  • wind turbines are merely used in this example as a non-limiting example of a type of asset that can be a part of, or in data communication with, the first AMP 100.
  • assets include gas turbines, steam turbines, heat recovery steam generators, balance of plant, healthcare machines and equipment, aircraft, locomotives, oil rigs, manufacturing machines and equipment, textile processing machines, chemical processing machines, mining equipment, and the like.
  • FIG. 1 further includes the device gateway 105 configured to couple the asset community to the cloud computing system ! 20.
  • the device gateway 105 can further couple the cloud computing system 120 to one or more other assets or asset communities, to the enterprise computing system 130, or to one or more other devices.
  • the AMP 100 thus represents a scalable industrial solution that extends from a physical or virtual asset (e.g., the wind turbine 101 ) to a remote cloud computing system 120.
  • the cloud computing system 120 optionally includes a local, system, enterprise, or global computing infrastructure that can be optimized for industrial data workloads, secure data communication, and compliance with regulatory- requirements.
  • the cloud computing system 120 can include the operations module 125.
  • the operations module 125 can include sendees that developers can use to build or test Industrial Internet applications, and the operations module 125 can include services to implement Industrial Internet applications, such as in coordination with one or more other AMP modules.
  • the operations module 125 includes a microservices marketplace where developers can publish their sen/ices and/or retrieve sendees from third parties.
  • the operations module 125 can include a development framework for
  • the development framework can offer developers a consistent look and feel and a contextual user experience in web or mobile applications. Developers can add and make accessible their applications (sendees, data, analytics, etc.) via the cloud computing system 120.
  • Information from an asset, about the asset, or sensed by an asset itself may be communicated from the asset to the data acquisition module 123 in the cloud computing system 120.
  • an external sensor can be used to sense information about a function of an asset, or to sense information about an environment conditi on at or near an asset.
  • the external sensor can be configured for data communication with the device gateway 105 and the data acquisition module 123, and the cloud computing system 120 can be configured to use the sensor information in its analysis of one or more assets, such as using the analytics module 122.
  • an operational model can optionally be updated, such as for subsequent use in optimizing the first wind turbine 101 or one or more other assets, such as one or more assets in the same or different asset community.
  • information about the wind turbine 101 can be analyzed at the cloud computing system 120 to inform selection of an operating parameter for a remotely located second wind turbine that belongs to a different asset community.
  • the cloud computing system 120 may include a Software-Defined Infrastructure (SDI) that serves as an abstraction layer above any specified hardware, such as to enable a data center to evolve over time with minimal disruption to overlying applications.
  • SDI Software-Defined Infrastructure
  • the SDI enables a shared infrastructure with policy-based provisioning to facilitate dynamic automation, and enables SLA mappings to underlying infrastructure. This configuration can be useful when an application requires an underlying hardware configuration.
  • the prov isioning management and pooling of resources can be done at a granular level, thus allowing optimal resource allocation.
  • the asset cloud computing system 120 may be based on Cloud Foundry (CF), an open source PaaS that supports multiple developer frameworks and an ecosystem, of application sendees.
  • CF Cloud Foundry
  • Cloud Foundry can make it faster and easier for application developers to build, test, deploy, and scale applications. Developers thus gain access to the vibrant CF ecosystem and an ever-growing library of CF services. Additionally, because it is open source, CF can be customized for IIoT workloads.
  • the cloud computing system 120 can include a data services module that can facilitate application development.
  • the data services module can enable developers to bring data into the cloud computing system 120 and to make such data available for various applications, such as applications that execute at the cloud, at a machine module, or at an asset or other location.
  • the data services module can be configured to cleanse, merge, or map data before ultimately storing it in an appropriate data store, for example, at the cloud computing system 120, A special emphasis may be placed on time series data, as it is the data format that most sensors use.
  • Security can be a concern for data sendees that exchange data between the cloud computing system 120 and one or more assets or other components.
  • Some options for securing data transmissions include using Virtual Private Networks (VPN) or an SSL/TLS model
  • the AMP 100 can support two-way TLS, such as between a machine module and the security module 124.
  • two-way TLS may not be supported, and the security module 124 can treat client devices as OAuth users.
  • the security module 124 can allow enrollment of an asset (or other device) as an OAuth client and transparently use OAuth access tokens to send data to protected endpoints.
  • the threat detection and neutralization system and method may be implemented within the security module 124 stored on the cloud computing system 120, within the asset, within an intermediate device between the asset and a control system, and the like.
  • the threat detection and neutralization method may also or instead be implemented elsewhere such as within an asset, within the cloud computing system 120, within another device within the system, and the like.
  • Raw data may be provided to the cloud computing system 120 via the assets included in the asset community and accessed by applications deployed on the cloud computing system 120.
  • an asset may transmit sensor data to the cloud computing system 120 and prior to the cloud computing system 120 storing the sensor data, the sensor data may be filtered using the threat detection and neutralization method described herein.
  • FIG. 2 illustrates a threat neutralize!- 230 for filtering input signals in accordance with an example embodiment.
  • the threat neutraiizer 230 may be implemented within an asset or a device associated therewith, within a control system or a device associated with or coupled to the control system, within a cloud platform, within an intermediate device, and the like. There is no limitation on a location of the threat neutraiizer 230.
  • the threat neutraiizer 230 may receive signals that have been sensed from or about an asset such as a gas turbine, a wind turbine, a locomotive, an aircraft, a healthcare machine, an industrial manufacturing machine, drilling machinery/equipment, mining machinery/equipment, and the like.
  • the threat neutraiizer receives at least one input signal 210 that includes time series data.
  • the time series data may include measurements or other readings captured at various time intervals. Examples of time series data include speed, intensity, acceleration, weight, force, thrust, and the like.
  • the threat neutralize!- 230 may automatically detect and neutralize the effects of an attack within an input signal 210 just as a human immune system is capable of detecting and neutralizing an infection or other disease.
  • the threat neutralize!' 230 may be included in a general system such as a cyber-physical system, a software system, a bio-mechanical system, a network system, a communication system, and/or the like, which contains access to continuous stream of data in the form of time series signals.
  • the time series signals may be generated from output sensor nodes [e.g., physical and/or virtual sensors), actuator nodes ⁇ e.g. , hard and/or soft actuators generated from open or closed loop system), controller nodes (e.g., controller node signals), reference nodes (e.g., reference signals), and the like.
  • logical signals may also be considered as time series signals.
  • a total number of signals that may be used for providing immunity to a system may be equal to a total number of nodes that exist in sensors, actuators, controllers and reference nodes, or it may be more or less nodes. Some or all combinations of these nodes can be used for monitoring and neutralization.
  • the threat neutralizer 230 includes multiple
  • BPRE Boundary and Performance constrained Resilient Estimator
  • inverse feature transform 235 an inverse feature transform 235, which are further described herein.
  • the BPRE 233 is designed to compute an estimate of the tme value of the feature vector under adversarial attacks.
  • the computational elements inside the threat neutralizer 230 may thus act as a filter to remove attack signatures present in each node.
  • an output signal 240 (or neutralized signals) may contain true estimates of signals at these nodes for use with the rest of the system for operational normalcy.
  • y corresponds to a sensed signal
  • u corresponds to an actuator signal
  • c corresponds to a control node signal
  • r corresponds to a reference signal.
  • Feature Transform For a given scenario, time series signals (e.g., -45 seconds) may be captured and pre-processed. These signals may be processed by the feature transform 231 into feature extraction algorithms (e.g., principal component analysis) to reduce the dimensionality or order of the system. For example, time series data from sensor nodes may be converted into feature vectors. The procedure is same for all other signals. When principal components are used as features as in the current implementation, weights become the features in reduced dimensions within the feature space. In the pre-processing step performed by the feature transform 231 , temporal normalization of node data may be performed. As an example, when principal components are used as features, the normalized output may be expressed as a weighted linear combination of basis functions. In this feature extraction algorithm, weights are considered as features for y.
  • the forward and inverse feature transforms can be written as:
  • each feature may be computed during forward transform using Equation 1 shown above.
  • y 0 average sensor output, w , PCA feature), and basis vector.
  • weight (tme feature), y is the estimated sensor output in original time space, the true signal for normalcy under attack which is obtained by estimating true feature from boundary and performance constrained resilient estimator and solving the inverse feature transform equation in Equation 1, unit 235.
  • the basis vectors can be obtained using ensemble data set from the system collected over time (i.e., historical data) or with perturbations on a virtual model (e.g. , digital twin) of the asset.
  • System Identification (Dynamic Modeling): Under normal operation, features are extracted from overlapping batch of a time series data by the Feature Transform unit 231. The process may be continued by the Feature Transform unit 231 over each overlapping batch resulting in a new time series of feature evolution in the feature space. Then, the feature time series are used for performing system identification (i.e., dynamic modeling). A selected subset of the features may be used for dynamic modeling using state space system identification methods. For example, in a gas turbine system, out of 15 PCA features for each sensor node, 5 PCA features may be used.
  • the dynamic models are in the state space format.
  • the dynamic modeler may use multivariate vector autoregressive model (VAR) for fitting dynamic models into feature time series data. If this approach is not adequate, another model may be used such as a tuned feature-based digital twin model, or a static model computed from feature evolution data or a priori to obtain various matrices representing state space form, (i.e., system, matrix, control matrix, output matrix and feedforward matrix; i.e., ⁇ A, B, C) matrices), in the example of a gas turbine system, the time-series evolution of the features may be modeled using the following state-space dynamics:
  • Equation 2 e(k) is the attack component of the " 'measured" feature vector, y(k).
  • x(k) is the 'true" feature vector to be determined.
  • System matrix, A, control vector, h, and output matrix, C are computed offline using experimental and simulated data and may be updated in real-time using real-time features obtained from actual sensor measurements.
  • Boundary and Performance Constrained Resilient Estimator The example embodiments attempt to estimate true states using a modified resilient estimator called Boundary and Performance Constrained Resilient Estimator (BPRE) 233.
  • BPRE Boundary and Performance Constrained Resilient Estimator
  • ⁇ A b , C' a model represented by the operator, ⁇ A b , C'
  • the BPRE. 233 is designed to estimate the true value of the feature vector under adversarial attacks.
  • the BPRE 233 is a resilient estimator that may solve the following optimization problem:
  • x.% is the feature vector in the current time step is the feature vector in the previous time step
  • the first constraint in the optimization may ensure that the final estimate falls within the safety envelop with some factor of safety given by e which can be an arbitrary positive number, or something more intuitive like the distance of the farthest support vector from the multi-dimensional decision boundary.
  • the BPRE 233 may compute a threat/attack boundary and also compute a performance constramed resilient estimator from the normal data values received historically from the asset.
  • Equation 3 illustrates conceptually an example of a boundary and performance estimation process for threat detection in accordance with an example embodiment.
  • a graphical view 300 of the boundary constraint is shown with inner margin boundary 306 specified by- positive e.
  • Negative e represents outer margin boundary 308.
  • the "score" function in Equation 3 depends on a particular algorithm used to learn the safety envelop. For instance: [0053] Equation 4 defines the safety envelop obtained using a support vector machine (SVM) with kernel function ⁇ (.).
  • SVM support vector machine
  • the second constraint is related to achieving normal performance by the system.
  • the ensuing solution may satisfy an implicit invariance relationship inherent to the system that was operating normally and is shown graphically in FIG.
  • the invariance relation is captured by the singular vectors corresponding to the smallest singular values of the feature covariance of data matrix.
  • the invariance relation is captured by the linear inequality l ⁇ VY ⁇ u, where (l,u) are the minimum and maximum values in the matrix VY and the columns of V are the singular vectors of Y T Y corresponding to the smallest singular values.
  • the feature vectors corresponding to normal operating signals 301a are not considered potential threats while the feature vectors positioned outside the boundasy 304 are considered threats 301b or attack signals. These points outside the boundary- may also be referred to as attack points 30 lb. These attack points may be due to cvberattacks moving the previously normal feature vectors represented by points anywhere near or on the normal performance region 302 to anywhere to the attack region designated by points 301b.
  • the BPRE estimator 233 can find an estimate of the feature vector along performance constraints inside the boundary 304 that preserves the normal operation of the asset with respect to the control system or other device connected to the asset.
  • Equation 3 contains two weighted objectives.
  • the first objective involves a qr-norm (q 6 ⁇ 0, 1,2 , ... ⁇ ) of the error between observed and modeled features.
  • q 0 is ideal for this problem., it results in an NP-hard problem.
  • the measured, as well as estimated "true" feature vectors may then be transformed into time series signal by inverting the feature transform.
  • Equation 3 An example of solving for the boundary and performance constraint shown above in Equation 3 is described as follows. It should be appreciated that the following equations are just one example, and many examples are possible. Often it will be useful to normalize sensor signals to some nominal operating condition temporally and spatially before performing feature transform. Consider, for example, temporal normalization of monitoring node data that may be performed as follows at every sample along a time axis:
  • y N is the normalized signal
  • ⁇ 'UN is the un-normalized signal
  • y nom is the sensor signal for nominal operating condition
  • y nom is a temporal average of a time series signal for normal operating conditions.
  • a temporal average is computed for a batch length (e.g., 45 seconds).
  • De-normalization involves obtaining the sensor signals in original un-normalized space by inverting the equation above.
  • Feature transform involves transforming signals from a Hilbert space (H) to a finite dimensional Euclidean space. In order to facilitate easy inversion, this transformation may be done via orthogonal functional basis set. For the signal the feature, is given by:
  • a labeled data set may be generated that consists of attack and normal scenarios.
  • the data set may be generated from realistic runs on high fidelity industry standard models.
  • the different normal and attack scenarios may be selected by the system domain experts.
  • a decision boundary that separates attack from safe is constructed using various kernel methods.
  • the BPRE may combine concepts from compressed sensing with (he binary classifier decision function to estimate the "true" features of the time series signals. The objective is to find the features that best explains the measurement and are also classified as "normal” by the decision function. Normal features represent safe operation with reasonable operational performance.
  • the approach successfully fuses domain knowledge with compressed sensing.
  • Another merit of this approach is that the domain knowledge, in the form of the decision function, can be updated online whenever new knowledge becomes available.
  • feature transform is done independently for each monitoring node. These nodal features are referred to as local features.
  • the local features from all monitoring nodes are then stacked into one big vector, on which further dimensionality reduction is carried out to obtain what is referred to as global features.
  • the local features capture time-related signatures from the signals from each monitoring nodes while the global features capture cross-relational signatures among monitoring nodes.
  • the two-level feature transform is described by the following:
  • n the number of monitoring nodes, the ith local feature vector.
  • the ith local base matrix the global features vector, the global basis matrix, and the numbers of local and
  • the decision function based on the score above may be:
  • Equation 15 may be written as:
  • the resilient estimator may be cast as the following optimization problem, as one example solution:
  • Equation 17 the subscript k is used to indicate the time dependence of the local features.
  • the optimization problem above is NP-hard mainly due to the index minimization objective. This type of objective has been shown to be able to identify attack signals. While, the constraint s(g) ⁇ 0 improves the overall estimation problem by appending domain-level knowledge, it introduces additional complexity because it is in general non-convex. In what follows, a new problem composed of a convex relaxation of the objective and a local approximation of the kernel decision function is described.
  • Qi and qi are parameters that are determined locally at each time step.
  • Hie convex LHS is approximated with quadratic and the non-convex RHS is approximated with linear function.
  • a local binary classification problem is then solved with two requirements: preserve the label of the current measurement and reproduce the labels of the support vectors as much as possible with more emphasis placed on the ones closest to the current operating point.
  • the local classification problem considered may be:
  • Equation 25 only involves online computation of the in v erse of a smaller diagonal matrix.
  • the matrix P can in general be indefinite - since there is nothing saying otherwise.
  • Tire MMMD feature discovery framework may be used to identify knowledge-based, shallow and/or deep learning features. Note that the MMMD feature discovery framework may be associated with feature engineering (e.g., associated with analysis such as batch selection, basis vector computation, feature extraction, dimensionality reduction, etc.) and engineered and dynamic system feature vectors. Knowledge-based feature engineering may use domain or engineering knowledge of the system to create features from different sensor
  • the knowledge-based features might also utilize analysis of the system, such as basis vector decomposition, state estimation, observability matrices, topology matrices, system plant matrices, frequency domain features and system poles and zeros. These analyses may represent a characterization of the system through steady-state, transient, and small signal behaviors.
  • the feature extraction process may be further associated with a shallow feature learning technique, such as unsupervised learning, k-means clustering, manifold learning, non-linear embedding, an isomap method, LLE, PCA as described above in one example, Non-linear PCA, 1CA (Independent Component Analysis), neural networks, a SOM (Self- Organizing Map) method, genetic programming, and/or sparse coding.
  • a numerical inversion algorithm may be used to convert true features to their equivalent time series form when the features are not well defined as in the PCA case described above. Furthermore, smoothing of the time series signal from previous batches may be required while performing continuous updates.
  • FIG. 4 illustrates a method 400 for neutralizing cyber-based threats in accordance with example embodiments.
  • the method 400 may be performed by the neutralizer 230 shown in FIG. 2.
  • the method includes receiving input signals from an asset including time series data associated with the asset and transforming the input signals into feature values in a feature space.
  • the asset may be a physical asset such as machinery or equipment in the field of healthcare, industry', manufacturing, transportation, energy, etc.
  • Hie input signals may include signals related to a physical asset included within an Industrial Internet of Things (IIoT). Examples of input signals include measured parameters from the asset, control signals, reference signals, and the like.
  • the method may transform the input signals from the time domain into the frequency domain.
  • the input signals may be transformed into frequency values such as frequency vectors.
  • the feature vectors may have at least two dimensions (e.g. , magnitude, location, time, etc.) and be graphed in a multidimensional feature space.
  • the method includes detecting one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset.
  • the normalcy boundary may be determined based on historical data (/. e. , normal and/or abnormal) data previously received from the asset.
  • the normalcy boundary may be continually updated based on newly received sensor data from the asset.
  • the abnormal values may be identified based on the position of feature vector in the feature space with respect to the normalcy boundary, also referred to as an attack boundary.
  • the values plotted inside the boundary may be determined as normal while the values plotted outside the boundary may be determined as abnormal or threats.
  • the detected abnormal feature values may correspond to an attack signal associated with the asset.
  • the method includes determining estimated true feature values (i.e., true feature vector) for each abnormal feature value (i.e., abnormal feature vector). For example, an estimated true feature values in a true feature vector may be determined by masking a portion of the feature vector associated with an attack signal such that the resulting feature vector with feature values is located within the predetermined normalcy boundary in the feature space. In this example, the true feature vector may be an estimate of the true features of normal signal with the attack signal removed. In some examples, prior to determining the true value for a feature vector, the method may include determining that an observability condition (Not shown in Figures) associated with the feature space is satisfied prior to estimating the true value.
  • an observability condition Not shown in Figures
  • the method includes performing an inverse transform of each estimated true feature vector to generate neutralized signals comprising time series data and outputting the neutralized signals, in 450.
  • the neutralized signals may be output to a control system or another device associated with the asset.
  • FIG. 5 illustrates an example 500 of the simulated performance of a boundary and performance constrained resilient estimator as described above.
  • 45 seconds of a time series signal is shown for six sensor nodes (sensors 1 to 6).
  • the top (red) signal corresponds to output of sensors during an attack when sensor 510 was subjected to a bias attack.
  • the middle (green) signal of each graph corresponds to the normal operational condition prior to the attack while the bottom (blue) signal of each graph corresponds to neutralized signals obtained after processing through techniques described in the example embodiments.
  • FIG. 5 shows, neutralized signals generated by BPRE algorithm are inside the attack boundary and is very close to the operational normalcy.
  • FIG. 5 illustrates an example of results of the BPRE algorithm in the presence of a sensor attack.
  • FIG. 6 illustrates a computing device 600 for neutralizing cyber-based threats in accordance with an example embodiment.
  • the computing device 600 may correspond to the neutralizer 230 shown in FIG. 2, or another device.
  • the computing device 600 may be implemented within a control system, a cloud environment, and/or the like.
  • the computing device 600 may perform the method 400 of FIG. 4.
  • the computing device 600 includes a receiver 610, a processor 620, an output 630, and a storage device 640.
  • the device 600 may include other components such as a display, an input unit, and the like.
  • the receiver 610 and the output 630 may include a signal receiver/transmitter, a transceiver, a network interface, and the like, and may transmit and receive data over a network such as the Internet, a private network, a public network, and the like, and may transmit and receive data via a wired connection.
  • the receiver 610 and the transmitter 630 may be a wireless communicator, a wired communicator, or a combination thereof.
  • the processor 620 may include one or more processing devices each including one or more processing cores. In some examples, the processor 620 is a multicore processor or a plurality of multicore processors. Also, the processor 620 may be fixed or it may be reconfigurable.
  • the storage device 640 is not limited to any particular storage device and may include any known memory device such as RAM, ROM, hard disk, and the like.
  • the receiver 610 may receive input signals from an asset comprising time series data associated with the asset.
  • the input signals may include time series data sensed by sensors associated with an Industrial Internet of Tilings ( ⁇ ).
  • the asset may he a physical asset such as a wind turbine, a gas turbine, an oil rig, mining equipment, an aircraft, a locomotive, a manufacturing system, a healthcare system, a chemical processing system, and the like.
  • the time series data may be sensed by one or more sensors attached to or fixed about the asset.
  • the time series data may include virtual data sensed from a digital twin representing the physical asset in virtual space. Examples of time series data include sensed minimums, maximums, ranges, magnitudes, direction, location, and the like.
  • the processor 620 may transform the input signals into feature values in a feature space. For example, the processor 620 may convert the time series signals in a time domain into feature vectors in a feature domain.
  • the feature vectors may represent multiple features of an object using a multi-dimensional vector. In some embodiments, the feature vector includes two dimensions, but is not limited thereto.
  • the processor 620 may detect one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset. For example, the processor 620 may define a normalcy boundary based on historical data received from, the asset. The normalcy boundary may be generated based on a typical value or pattern of the input signal from the asset that is received. In some embodiments, the processor 620 may update the normalcy boundary based on currently sensed data associated with the asset. Accordingly, the computing device 600 may correspond to an intelligent system that continues to learn from incoming sensor data.
  • the abnormal feature values may be feature vectors that fall outside of the normalcy boundary.
  • the abnormal feature values may have values that correspond to the normal behavior pattern previously established for the input signals.
  • the processor 620 may determine that the abnormal feature values correspond to an attack or a threat that has infiltrated the asset.
  • the processor 620 may determine an estimated true value for each abnormal feature value. For example, the processor 620 may determine an estimated true value for a feature value by masking a portion of the feature value associated with an attack signal such that the resulting feature value is located within the predetermined normalcy boundary in the feature space.
  • the processor 620 may further determine that an observability condition associated with the abnormal feature values is satisfied prior to estimating the true value for the abnormal feature values.
  • the processor 620 may perform an inverse transform of each estimated true value to generate neutralized signals comprising time series data and control the output 630 to output the neutralized signals to a device or software such as a control system, a cloud, another component, and the like.
  • the example embodiments are aimed at going beyond detecting
  • the threat neutralizer described herein provides an automated accommodation when cyber disruptions, such as stealthy attacks occur to an industrial system . Attacks have become very sophisticated. According to cybersecurity experts of control systems, sophisticated malware and viruses may sitting inside the industrial control system software remained undetected for as many as 443 days in 2016, whereas the same for IT systems 146 days in 2015. They are challenging to detect because they are multi-prong and current fault detection systems are unable to find them. Also, fault detection systems do not estimate true states for operational normalcy. Hie boundary and performance constrained resilient estimator included within the threat neutralizer is able to automatically find true estimates of signals and hence provide adjustments to system, operations in response to ongoing attacks while maintaining the operations expected for performance. The threat neutralizer is able to self-detect attacks and then nullify the attack signatures by finding true value of signals, mechanistically the same way as human immune system does to destroy pathogens. Thus, learning from the human body is accomplished here.
  • the non-transitory computer-readable media may be, but is not limited to, a fixed drive, diskette, optical disk, magnetic tape, flash memory, semiconductor memory such as read-only memory (ROM), and/or any transmitting/receiving medium such as the Internet, cloud storage, the internet of things, or other communication network or link.
  • the article of manufacture containing the computer code may be made and/or used by executing the code directly from one medium, by copying the code from one medium to another medium, or by transmitting the code over a network.
  • the computer programs may include machine instructions for a programmable processor, and may be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly /machine language .
  • machine -readable medium and “computer-readable medium” refer to any computer program product, apparatus, cloud storage, internet of things, and/or device (e.g., magnetic discs, optical disks, memory, programmable logic devices (PLDs)) used to provide machine instructions and/or data, to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal.
  • PLDs programmable logic devices
  • machine -readable medium and “computer-readable medium,” however, do not include transitory signals.
  • machine -readable signal refers to any signal that may be used to provide machine instructions and/or any other kind of data to a programmable processor,

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

Les modes de réalisation de la présente invention concernent un système et un procédé destinés à neutraliser des signaux anormaux dans un système cyber-physique. Dans un exemple, le procédé consiste : à recevoir des signaux d'entrée comprenant des données chronologiques associées à un actif et à transformer les signaux d'entrée en valeurs de caractéristiques dans un espace de caractéristiques, à détecter au moins une valeur de caractéristiques anormales dans l'espace de caractéristiques sur la base d'une limite d'état normal prédéterminée associée à l'actif, et à déterminer une valeur réelle estimée pour chaque valeur de caractéristique anormale, et à réaliser une transformée inverse de chaque valeur réelle estimée afin de générer des signaux neutralisés comprenant des données chronologiques et à émettre les signaux neutralisés.
PCT/US2018/012858 2017-03-09 2018-01-09 Neutralisation et détection de cyber-attaque WO2018164767A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US15/454,144 2017-03-09
US15/454,144 US10771495B2 (en) 2017-03-02 2017-03-09 Cyber-attack detection and neutralization

Publications (1)

Publication Number Publication Date
WO2018164767A1 true WO2018164767A1 (fr) 2018-09-13

Family

ID=63447975

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/012858 WO2018164767A1 (fr) 2017-03-09 2018-01-09 Neutralisation et détection de cyber-attaque

Country Status (1)

Country Link
WO (1) WO2018164767A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111176224A (zh) * 2018-11-13 2020-05-19 罗克韦尔自动化技术公司 使用数字孪生的工业安全监视配置
CN115001866A (zh) * 2022-08-01 2022-09-02 成都市以太节点科技有限公司 一种基于免疫机制的安全防护方法、电子设备及存储介质

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130020265A (ko) * 2011-08-19 2013-02-27 고려대학교 산학협력단 통계적 공정 관리도를 이용하여 이상증후를 탐지하는 방법
US20140082730A1 (en) * 2012-09-18 2014-03-20 Kddi Corporation System and method for correlating historical attacks with diverse indicators to generate indicator profiles for detecting and predicting future network attacks
US20140298098A1 (en) * 2013-03-29 2014-10-02 Viviware, Inc. Data-agnostic anomaly detection
US20150295943A1 (en) * 2014-04-14 2015-10-15 Cyber Sense Ltd. System and method for cyber threats detection
WO2016022705A1 (fr) * 2014-08-05 2016-02-11 AttackIQ, Inc. Plateforme de validation de posture de cyber-sécurité

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20130020265A (ko) * 2011-08-19 2013-02-27 고려대학교 산학협력단 통계적 공정 관리도를 이용하여 이상증후를 탐지하는 방법
US20140082730A1 (en) * 2012-09-18 2014-03-20 Kddi Corporation System and method for correlating historical attacks with diverse indicators to generate indicator profiles for detecting and predicting future network attacks
US20140298098A1 (en) * 2013-03-29 2014-10-02 Viviware, Inc. Data-agnostic anomaly detection
US20150295943A1 (en) * 2014-04-14 2015-10-15 Cyber Sense Ltd. System and method for cyber threats detection
WO2016022705A1 (fr) * 2014-08-05 2016-02-11 AttackIQ, Inc. Plateforme de validation de posture de cyber-sécurité

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111176224A (zh) * 2018-11-13 2020-05-19 罗克韦尔自动化技术公司 使用数字孪生的工业安全监视配置
CN115001866A (zh) * 2022-08-01 2022-09-02 成都市以太节点科技有限公司 一种基于免疫机制的安全防护方法、电子设备及存储介质

Similar Documents

Publication Publication Date Title
US10771495B2 (en) Cyber-attack detection and neutralization
US10931687B2 (en) Cyber-attack detection, localization, and neutralization for unmanned aerial vehicles
US10728282B2 (en) Dynamic concurrent learning method to neutralize cyber attacks and faults for industrial asset monitoring nodes
US11475124B2 (en) Anomaly forecasting and early warning generation
US10819725B2 (en) Reliable cyber-threat detection in rapidly changing environments
US11146579B2 (en) Hybrid feature-driven learning system for abnormality detection and localization
US12099571B2 (en) Feature extractions to model large-scale complex control systems
US11468164B2 (en) Dynamic, resilient virtual sensing system and shadow controller for cyber-attack neutralization
US11487598B2 (en) Adaptive, self-tuning virtual sensing system for cyber-attack neutralization
US10417415B2 (en) Automated attack localization and detection
US10805324B2 (en) Cluster-based decision boundaries for threat detection in industrial asset control system
EP3373552A1 (fr) Découverte de caractéristique multi modale et multidisciplinaire pour détecter des cyber-menaces dans un réseau d'alimentation électrique
US11729190B2 (en) Virtual sensor supervised learning for cyber-attack neutralization
EP4388430B1 (fr) Système et procédé de protection contre les cyberattaques incitées par la vulnérabilité pour des actifs industriels
US11005870B2 (en) Framework to develop cyber-physical system behavior-based monitoring
US11411983B2 (en) Dynamic, resilient sensing system for automatic cyber-attack neutralization
US20210084056A1 (en) Replacing virtual sensors with physical data after cyber-attack neutralization
Efiong et al. CyberSCADA network security analysis model for intrusion detection systems in the smart grid
WO2018164767A1 (fr) Neutralisation et détection de cyber-attaque
Eltanbouly Multimodal intrusion detection system for cyber physical systems
Maurya et al. Evasion attack against multivariate singular spectrum analysis based IDS
Belaissaoui et al. Cybersecurity-Based Machine Learning for Cyber-Physical Systems
Vavra et al. COMPARATIVE STUDY OF FEATURE SELECTION TECHNIQUES RESPECTING NOVELTY DETECTION IN THE INDUSTRIAL CONTROL SYSTEM ENVIRONMENT.
Lu et al. Generative adversarial networks based industrial protocol construction in the fog computing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18763085

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18763085

Country of ref document: EP

Kind code of ref document: A1