公开(公告)号：US20210081270A1

公开(公告)日：2021-03-18

申请号：US16574493

申请日：2019-09-18

Applicant: GENERAL ELECTRIC COMPANY

Inventor： Masoud ABBASZADEH ,  Mustafa Tekin DOKUCU ,  Justin Varkey JOHN

IPC: G06F11/07 ,  H04L29/06 ,  G06N20/00 ,  G06K9/62 ,  G06F17/18

Abstract: An industrial asset may have a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time representing current operation of the industrial asset. An abnormality detection computer may determine that an abnormal monitoring node is currently being attacked or experiencing a fault. An autonomous, resilient estimator may continuously execute an adaptive learning process to create or update virtual sensor models for that monitoring node. Responsive to an indication that a monitoring node is currently being attacked or experiencing a fault, a level of neutralization may be automatically determined. The autonomous, resilient estimator may then be dynamically reconfigured to estimate a series of virtual node values based on information from normal monitoring nodes, appropriate virtual sensor models, and the determined level of neutralization. The series of monitoring node values from the abnormal monitoring node or nodes may then be replaced with the virtual node values.

公开(公告)号：US20200169574A1

公开(公告)日：2020-05-28

申请号：US16201461

申请日：2018-11-27

Applicant: General Electric Company

Inventor： Weizhong YAN ,  Masoud ABBASZADEH ,  Matthew NIELSEN ,  Justin Varkey JOHN

IPC: H04L29/06

Abstract: Systems and methods may be associated with a cyber-physical system, and a blueprint repository data store may contain electronic files that represent behavior-based asset monitoring parameters for different cyber-physical system asset types. A behavior-based asset monitoring creation computer platform may receive an indication of an asset type of the cyber-physical system. The behavior-based asset monitoring creation computer platform may then search the blueprint repository data store and retrieve an electronic file representing behavior-based asset monitoring parameters for the asset type of the cyber-physical system to be monitored. The behavior-based asset monitoring creation computer platform may also receive, from the remote operator device, adjustments to the retrieved behavior-based asset monitoring parameters and automatically configure, based on the adjusted behavior-based asset monitoring parameters, at least a portion of settings for an abnormal detection model. The abnormal detection model may then be created about output to be executed by an abnormal detection platform.

公开(公告)号：US20180316701A1

公开(公告)日：2018-11-01

申请号：US15497974

申请日：2017-04-26

Applicant: General Electric Company

Inventor： Daniel Francis HOLZHAUER ,  Masoud ABBASZADEH ,  Lalit Keshav MESTHA ,  Justin Varkey JOHN ,  Cody BUSHY

IPC: H04L29/06

CPC classification number: H04L63/1425 ,  H04L63/1416 ,  H04L63/1433

Abstract: A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.

公开(公告)号：US20180159879A1

公开(公告)日：2018-06-07

申请号：US15484282

申请日：2017-04-11

Applicant: General Electric Company

Inventor： Lalit Keshav MESTHA ,  Justin Varkey JOHN ,  Weizhong YAN ,  David Joseph HARTMAN

IPC: H04L29/06 ,  G06N99/00 ,  G06F17/16 ,  G06N3/04

CPC classification number: H04L63/1425 ,  G06N3/0454 ,  G06N3/084 ,  G06N7/005 ,  G06N20/00 ,  G06N20/10

Abstract: A threat detection model creation computer receives normal monitoring node values and abnormal monitoring node values. At least some received monitoring node values may be processed with a deep learning model to determine parameters of the deep learning model (e.g., a weight matrix and affine terms). The parameters of the deep learning model and received monitoring node values may then be used to compute feature vectors. The feature vectors may be spatial along a plurality of monitoring nodes. At least one decision boundary for a threat detection model may be automatically calculated based on the computed feature vectors, and the system may output the decision boundary separating a normal state from an abnormal state for that monitoring node. The decision boundary may also be obtained by combining feature vectors from multiple nodes. The decision boundary may then be used to detect normal and abnormal operation of an industrial asset.

公开(公告)号：US20180159877A1

公开(公告)日：2018-06-07

申请号：US15371723

申请日：2016-12-07

Applicant: General Electric Company

Inventor： Daniel Francis HOLZHAUER ,  Cody Joe BUSHEY ,  Lalit Keshav MESTHA ,  Masoud ABBASZADEH ,  Justin Varkey JOHN

IPC: H04L29/06 ,  H04L29/08 ,  H04L12/26

CPC classification number: H04L63/1425 ,  H04L41/142 ,  H04L41/16 ,  H04L43/08 ,  H04L43/10 ,  H04L63/1416 ,  H04L63/1441 ,  H04L67/10 ,  H04L67/12

Abstract: According to some embodiments, streams of monitoring node signal values may be received over time that represent a current operation of an industrial asset control system. A current operating mode of the industrial asset control system may be received and used to determine a current operating mode group from a set of potential operating mode groups. For each stream of monitoring node signal values, a current monitoring node feature vector may be determined. Based on the current operating mode group, an appropriate decision boundary may be selected for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current operating mode. Each generated current monitoring node feature vector may be compared with the selected corresponding appropriate decision boundary, and a threat alert signal may be automatically transmitted based on results of said comparisons.

公开(公告)号：US20170310690A1

公开(公告)日：2017-10-26

申请号：US15137311

申请日：2016-04-25

Applicant: General Electric Company

Inventor： Lalit Keshav MESTHA ,  Jonathan Carl THATCHER ,  Daniel Francis HOLZHAUER ,  Justin Varkey JOHN

IPC: H04L29/06 ,  G06N99/00

CPC classification number: H04L63/1425 ,  G06F21/55 ,  G06F21/552 ,  G06F21/554 ,  G06N99/005 ,  H04L63/1441

Abstract: A normal space data source stores, for each of a plurality of threat nodes, a series of normal values that represent normal operation of an industrial asset control system, and a threatened space data source stores a series of threatened values. A model creation computer may generate sets of normal and threatened feature vectors. The computer may also calculate and output at least one decision boundary for a threat detection model based on the normal and threatened feature vectors. The plurality of threat nodes may then generate a series of current values from threat nodes that represent a current operation of the asset control system. A threat detection computer may receive the series of current values from threat nodes, generate a set of current feature vectors, execute the threat detection model, and transmit a threat alert signal based on the current feature vectors and at the least one decision boundary.