-
Publication (Announcement) No.: US10785237B2
Publication (Announcement) Date: 2020-09-22
Application No.: US15977558
Application Date: 2018-05-11
Applicant: General Electric Company
Inventor: Lalit Keshav Mestha, Masoud Abbaszadeh, Annarita Giani
Abstract: Streams of monitoring node signal values over time, representing a current operation of the industrial asset, are used to generate current monitoring node feature vectors. Each feature vector is compared with a corresponding decision boundary separating normal from abnormal states. When a first monitoring node passes a corresponding decision boundary, an attack is detected and classified as an independent attack. When a second monitoring node passes a decision boundary, an attack is detected and a first decision is generated based on a first set of inputs indicating if the attack is independent/dependent. From the beginning of the attack on the second monitoring node until a final time, the first decision is updated as new signal values are received for the second monitoring node. When the final time is reached, a second decision is generated based on a second set of inputs indicating if the attack is independent/dependent.
-
Publication (Announcement) No.: US10417415B2
Publication (Announcement) Date: 2019-09-17
Application No.: US15478425
Application Date: 2017-04-04
Applicant: General Electric Company
Inventor: Masoud Abbaszadeh, Lalit Keshav Mestha, Cody Bushey, Daniel Francis Holzhauer
Abstract: According to some embodiments, a threat detection computer platform may receive a plurality of real-time monitoring node signal values over time that represent a current operation of the industrial asset. For each stream of monitoring node signal values, the platform may generate a current monitoring node feature vector. The feature vector may also be estimated using a dynamic model output with that monitoring node signal values. The platform may then compare the feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node. The platform may detect that a particular monitoring node has passed the corresponding decision boundary and classify that particular monitoring node as being under attack. The platform may then automatically determine if the attack on that particular monitoring node is an independent attack or a dependent attack.
-