Dynamic physical watermarking for attack detection in cyber-physical systems

    Publication number: US11159540B2

    Publication date: 2021-10-26

    Application number: US16144136

    Application date: 2018-09-27

    Abstract: A cyber-physical system may have a plurality of system nodes including a plurality of monitoring nodes each generating a series of current monitoring node values over time that represent current operation of the cyber-physical system. According to some embodiments, a watermarking computer platform may randomly inject a watermarking signal into an injection subset of the system nodes. The watermarking computer platform may then receive current monitoring node values over time and generate a current watermarking feature vector based on the current monitoring node values. The watermarking computer platform might comprise a dedicated watermarking abnormality detection platform or a unified abnormality detection platform (e.g., that also uses data-driven feature vectors). The injection subset may be associated with a randomly selected subset of the system nodes and/or magnitudes of watermarking signals that are randomly selected.

    VIRTUAL SENSOR SUPERVISED LEARNING FOR CYBER-ATTACK NEUTRALIZATION

    Publication number: US20210126943A1

    Publication date: 2021-04-29

    Application number: US16666807

    Application date: 2019-10-29

    Abstract: An industrial asset may have monitoring nodes that generate current monitoring node values. A dynamic, resilient estimator may split a temporal monitoring node space into normal and one or more abnormal subspaces associated with different kinds of attack vectors. According to some embodiments, a neutralization model is constructed and trained for each attack vector using supervised learning and the associated abnormal subspace. In other embodiments, a single model is created using out-of-range values for abnormal monitoring nodes. Responsive to an indication of a particular abnormal monitoring node or nodes, the system may automatically invoke the appropriate neutralization model to determine estimated values of the particular abnormal monitoring node or nodes (e.g., by selecting the correct model or using out-of-range values). The series of current monitoring node values from the abnormal monitoring node or nodes may then be replaced with the estimated values.

    Situation awareness and dynamic ensemble forecasting of abnormal behavior in cyber-physical system

    Publication number: US10826932B2

    Publication date: 2020-11-03

    Application number: US16108742

    Application date: 2018-08-22

    Abstract: A plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of a cyber-physical system. A feature-based forecasting framework may receive the time-series of and generate a set of current feature vectors using feature discovery techniques. The feature behavior for each monitoring node may be characterized in the form of decision boundaries that separate normal and abnormal space based on operating data of the system. A set of ensemble state-space models may be constructed to represent feature evolution in the time-domain, wherein the forecasted outputs from the set of ensemble state-space models comprise anticipated time evolution of features. The framework may then obtain an overall features forecast through dynamic ensemble averaging and compare the overall features forecast to a threshold to generate an estimate associated with at least one feature vector crossing an associated decision boundary.

    Attack detection and localization with adaptive thresholding

    Publication number: US11916940B2

    Publication date: 2024-02-27

    Application number: US17228191

    Application date: 2021-04-12

    CPC classification number: H04L63/1425 H04L63/1416

    Abstract: According to some embodiments, a system, method, and non-transitory computer readable medium are provided comprising a plurality of real-time monitoring nodes to receive streams of monitoring node signal values over time that represent a current operation of the cyber physical system; and a threat detection computer platform, coupled to the plurality of real-time monitoring nodes, to: receive the monitoring node signal values; compute an anomaly score; compare the anomaly score with an adaptive threshold; and detect that one of a particular monitoring node and a system is outside a decision boundary based on the comparison, and classify that particular monitoring node or system as anomalous. Numerous other aspects are provided.

    SYSTEM AND METHOD FOR CYBERATTACK DETECTION IN A WIND TURBINE CONTROL SYSTEM

    Publication number: US20220345468A1

    Publication date: 2022-10-27

    Application number: US17236638

    Application date: 2021-04-21

    Abstract: A method for detecting a cyberattack on a control system of a wind turbine includes providing a plurality of classification models of the control system. The method also includes receiving, via each of the plurality of classification models, a time series of operating data from one or more monitoring nodes of the wind turbine. The method further includes extracting, via the plurality of classification models, a plurality of features using the time series of operating data. Each of the plurality of features is a mathematical characterization of the time series of operating data. Moreover, the method includes generating an output from each of the plurality of classification models and determining, using a decision fusion module, a probability of the cyberattack occurring on the control system based on a combination of the outputs. Thus, the method includes implementing a control action when the probability exceeds a probability threshold.

    Self-certified security for assured cyber-physical systems

    Publication number: US11343266B2

    Publication date: 2022-05-24

    Application number: US16436093

    Application date: 2019-06-10

    Abstract: Methods and systems for self-certifying secure operation of a cyber-physical system having a plurality of monitoring nodes. In an embodiment, an artificial intelligence (AI) watchdog computer platform obtains, using the output of a local features extraction process of time series data of a plurality of monitoring nodes of a cyber-physical system and a global features extraction process, global features extraction data. The AI watchdog computer platform then obtains reduced dimensional data, generates an updated decision boundary, compares the updated decision boundary to a certification manifold, determines based on the comparison that the updated decision boundary is certified, and determines, based on an anomaly detection process, whether the cyber-physical system is behaving normally or abnormally.

    DYNAMIC PHYSICAL WATERMARKING FOR ATTACK DETECTION IN CYBER-PHYSICAL SYSTEMS

    Publication number: US20220086176A1

    Publication date: 2022-03-17

    Application number: US17470311

    Application date: 2021-09-09

    Abstract: A cyber-physical system may have a plurality of system nodes including a plurality of monitoring nodes each generating a series of current monitoring node values over time that represent current operation of the cyber-physical system. According to some embodiments, a watermarking computer platform may randomly inject a watermarking signal into an injection subset of the system nodes. The watermarking computer platform may then receive current monitoring node values over time and generate a current watermarking feature vector based on the current monitoring node values. The watermarking computer platform might comprise a dedicated watermarking abnormality detection platform or a unified abnormality detection platform (e.g., that also uses data-driven feature vectors). The injection subset may be associated with a randomly selected subset of the system nodes and/or magnitudes of watermarking signals that are randomly selected.

    Intelligent data augmentation for supervised anomaly detection associated with a cyber-physical system

    Publication number: US11252169B2

    Publication date: 2022-02-15

    Application number: US16374067

    Application date: 2019-04-03

    Abstract: A Cyber-Physical System (“CPS”) may have monitoring nodes that generate a series of current monitoring node values representing current operation of the CPS. A normal space data source may store, for each monitoring node, a series of normal monitoring node values representing normal operation of the CPS. An abnormal data generation platform may utilize information in the normal space data source and a generative model to create generated abnormal to represent abnormal operation of the CPS. An abnormality detection model creation computer may receive the normal monitoring node values (and generate normal feature vectors) and automatically calculate and output an abnormality detection model including information about a decision boundary created via supervised learning based on the normal feature vectors and the generated abnormal data.
