Using virtual sensors to accommodate industrial asset control systems during cyber attacks

    Publication (Announcement) No.: US10826922B2

    Publication (Announcement) Date: 2020-11-03

    Application No.: US16679749

    Application Date: 2019-11-11

    Abstract: In some embodiments, an industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the industrial asset. A threat detection computer may determine that an attacked monitoring node is currently being attacked. Responsive to this determination, a virtual sensor coupled to the plurality of monitoring nodes may estimate a series of virtual node values for the attacked monitoring node(s) based on information received from monitoring nodes that are not currently being attacked. The virtual sensor may then replace the series of monitoring node values from the attacked monitoring node(s) with the virtual node values. Note that in some embodiments, virtual node values may be estimated for a particular node even before it is determined that the node is currently being attacked.

    Reliable cyber-threat detection in rapidly changing environments

    Publication (Announcement) No.: US10819725B2

    Publication (Announcement) Date: 2020-10-27

    Application No.: US15964644

    Application Date: 2018-04-27

    Abstract: In some embodiments, a plurality of monitoring nodes each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors including a current feature for capturing transients (e.g., local transients and/or global transients). The attack detection computer platform may also access an attack detection model having at least one decision boundary that was created using at least one of a set of normal feature vectors and/or a set of attacked feature vectors. The attack detection model may then be executed such that an attack alert signal is transmitted by the attack detection computer platform, when appropriate, based on the set of current feature vectors (including the current feature to capture transients) and the at least one decision boundary.

    Autonomous reconfigurable virtual sensing system for cyber-attack neutralization

    Publication (Announcement) No.: US10805329B2

    Publication (Announcement) Date: 2020-10-13

    Application No.: US15977595

    Application Date: 2018-05-11

    Abstract: An industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time representing current operation of the industrial asset. An abnormality detection computer may determine that at least one abnormal monitoring node is currently being attacked or experiencing a fault. A virtual sensing estimator may continuously execute an adaptive learning process to create or update virtual sensor models for the monitoring nodes. Responsive to an indication that a monitoring node is currently being attacked or experiencing a fault, the virtual sensing estimator may be dynamically reconfigured to estimate a series of virtual node values for the abnormal monitoring node or nodes based on information from normal monitoring nodes and appropriate virtual sensor models. The series of monitoring node values from the abnormal monitoring node or nodes may then be replaced with the virtual node values.

    Cyber-attack detection and neutralization

    Publication (Announcement) No.: US10771495B2

    Publication (Announcement) Date: 2020-09-08

    Application No.: US15454144

    Application Date: 2017-03-09

    Abstract: The example embodiments are directed to a system and method for neutralizing abnormal signals in a cyber-physical system. In one example, the method includes receiving input signals comprising time series data associated with an asset and transforming the input signals into feature values in a feature space, detecting one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset, and determining an estimated true value for each abnormal feature value, and performing an inverse transform of each estimated true value to generate neutralized signals comprising time series data and outputting the neutralized signals.

    Multi-class decision system for categorizing industrial asset attack and fault types

    Publication (Announcement) No.: US10686806B2

    Publication (Announcement) Date: 2020-06-16

    Application No.: US15681827

    Application Date: 2017-08-21

    Abstract: According to some embodiments, a plurality of monitoring nodes may each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. A node classifier computer, coupled to the plurality of monitoring nodes, may receive the series of current monitoring node values and generate a set of current feature vectors. The node classifier computer may also access at least one multi-class classifier model having at least one decision boundary. The at least one multi-class classifier model may be executed and the system may transmit a classification result based on the set of current feature vectors and the at least one decision boundary. The classification result may indicate, for example, whether a monitoring node status is normal, attacked, or faulty.

    Dynamic normalization of monitoring node data for threat detection in industrial asset control system

    Publication (Announcement) No.: US10678912B2

    Publication (Announcement) Date: 2020-06-09

    Application No.: US15351809

    Application Date: 2016-11-15

    Abstract: Operation of an industrial asset control system may be simulated or monitored under various operating conditions to generate a set of operating results. Subsets of the operating results may be used to calculate a normalization function for each of a plurality of operating conditions. Streams of monitoring node signal values over time may be received that represent a current operation of the industrial asset control system. A threat detection platform may then dynamically calculate normalized monitoring node signal values based at least in part on a normalization function in an operating mode database. For each stream of normalized monitoring node signal values, a current monitoring node feature vector may be generated and compared with a corresponding decision boundary for that monitoring node, the decision boundary separating normal and abnormal states for that monitoring node. A threat alert signal may then be automatically transmitted based on results of those comparisons.

    Threat detection for a fleet of industrial assets

    Publication (Announcement) No.: US10476902B2

    Publication (Announcement) Date: 2019-11-12

    Application No.: US15497974

    Application Date: 2017-04-26

    Abstract: A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.

    Validation of control command in substantially real time for industrial asset control system threat detection

    Publication (Announcement) No.: US11036194B2

    Publication (Announcement) Date: 2021-06-15

    Application No.: US16354926

    Application Date: 2019-03-15

    Abstract: According to some embodiments, a validation platform computer may interpret at least one received data packet to identify a control command for a controller of an industrial asset control system. The at least one data packet might be received, for example, from a network associated with a current operation of the industrial asset control system. The control command may then be introduced into an industrial asset simulation executing in parallel with the industrial asset control system. A simulated result of the control command from the industrial asset simulation may be validated, and, upon validation of the simulated result, it may be arranged for the control command to be provided to the controller of the industrial asset control system. Additionally, in some embodiments failed validation of a simulated result will prompt a threat-alert signal as well as prevent the command (e.g., data packet) from continuing to the controller.

    Multi-mode boundary selection for threat detection in industrial asset control system

    Publication (Announcement) No.: US11005873B2

    Publication (Announcement) Date: 2021-05-11

    Application No.: US16511463

    Application Date: 2019-07-15

    Abstract: According to some embodiments, streams of monitoring node signal values may be received over time that represent a current operation of an industrial asset control system. A current operating mode of the industrial asset control system may be received and used to determine a current operating mode group from a set of potential operating mode groups. For each stream of monitoring node signal values, a current monitoring node feature vector may be determined. Based on the current operating mode group, an appropriate decision boundary may be selected for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current operating mode. Each generated current monitoring node feature vector may be compared with the selected corresponding appropriate decision boundary, and a threat alert signal may be automatically transmitted based on results of said comparisons.
