-
11.
Publication No.: US20180159877A1
Publication date: 2018-06-07
Application No.: US15371723
Filing date: 2016-12-07
Applicant: General Electric Company
Inventor: Daniel Francis HOLZHAUER, Cody Joe BUSHEY, Lalit Keshav MESTHA, Masoud ABBASZADEH, Justin Varkey JOHN
CPC classification number: H04L63/1425, H04L41/142, H04L41/16, H04L43/08, H04L43/10, H04L63/1416, H04L63/1441, H04L67/10, H04L67/12
Abstract: According to some embodiments, streams of monitoring node signal values may be received over time that represent a current operation of an industrial asset control system. A current operating mode of the industrial asset control system may be received and used to determine a current operating mode group from a set of potential operating mode groups. For each stream of monitoring node signal values, a current monitoring node feature vector may be determined. Based on the current operating mode group, an appropriate decision boundary may be selected for each monitoring node, the appropriate decision boundary separating a normal state from an abnormal state for that monitoring node in the current operating mode. Each generated current monitoring node feature vector may be compared with the selected corresponding appropriate decision boundary, and a threat alert signal may be automatically transmitted based on results of said comparisons.
-
Publication No.: US20180157831A1
Publication date: 2018-06-07
Application No.: US15478425
Filing date: 2017-04-04
Applicant: General Electric Company
Inventor: Masoud ABBASZADEH, Lalit Keshav MESTHA, Cody BUSHEY, Daniel Francis HOLZHAUER
CPC classification number: G06F21/552, G06F2221/034, G06N20/00, H04L63/14, H04L63/1425
Abstract: According to some embodiments, a threat detection computer platform may receive a plurality of real-time monitoring node signal values over time that represent a current operation of the industrial asset. For each stream of monitoring node signal values, the platform may generate a current monitoring node feature vector. The feature vector may also be estimated using a dynamic model output with that monitoring node signal values. The platform may then compare the feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node. The platform may detect that a particular monitoring node has passed the corresponding decision boundary and classify that particular monitoring node as being under attack. The platform may then automatically determine if the attack on that particular monitoring node is an independent attack or a dependent attack.
-
Publication No.: US20170310690A1
Publication date: 2017-10-26
Application No.: US15137311
Filing date: 2016-04-25
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA, Jonathan Carl THATCHER, Daniel Francis HOLZHAUER, Justin Varkey JOHN
CPC classification number: H04L63/1425, G06F21/55, G06F21/552, G06F21/554, G06N99/005, H04L63/1441
Abstract: A normal space data source stores, for each of a plurality of threat nodes, a series of normal values that represent normal operation of an industrial asset control system, and a threatened space data source stores a series of threatened values. A model creation computer may generate sets of normal and threatened feature vectors. The computer may also calculate and output at least one decision boundary for a threat detection model based on the normal and threatened feature vectors. The plurality of threat nodes may then generate a series of current values from threat nodes that represent a current operation of the asset control system. A threat detection computer may receive the series of current values from threat nodes, generate a set of current feature vectors, execute the threat detection model, and transmit a threat alert signal based on the current feature vectors and the at least one decision boundary.
-
14.
Publication No.: US20200067969A1
Publication date: 2020-02-27
Application No.: US16108742
Filing date: 2018-08-22
Applicant: General Electric Company
Inventor: Masoud ABBASZADEH, Lalit Keshav MESTHA
Abstract: A plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of a cyber-physical system. A feature-based forecasting framework may receive the time-series and generate a set of current feature vectors using feature discovery techniques. The feature behavior for each monitoring node may be characterized in the form of decision boundaries that separate normal and abnormal space based on operating data of the system. A set of ensemble state-space models may be constructed to represent feature evolution in the time-domain, wherein the forecasted outputs from the set of ensemble state-space models comprise anticipated time evolution of features. The framework may then obtain an overall features forecast through dynamic ensemble averaging and compare the overall features forecast to a threshold to generate an estimate associated with at least one feature vector crossing an associated decision boundary.
-
15.
Publication No.: US20190260768A1
Publication date: 2019-08-22
Application No.: US15899903
Filing date: 2018-02-20
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA, Olugbenga ANUBI, Justin Varkey JOHN
IPC: H04L29/06
Abstract: In some embodiments, an Unmanned Aerial Vehicle (“UAV”) system may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time that represent operation of the UAV system. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors. The attack detection computer platform may access an attack detection model having at least one decision boundary (e.g., created using a set of normal feature vectors and a set of attacked feature vectors). The attack detection model may then be executed and the platform may transmit an attack alert signal based on the set of current feature vectors and the at least one decision boundary. According to some embodiments, attack localization and/or neutralization functions may also be provided.
-
Publication No.: US20190228110A1
Publication date: 2019-07-25
Application No.: US16018649
Filing date: 2018-06-26
Applicant: General Electric Company
Inventor: Weizhong YAN, Lalit Keshav MESTHA
Abstract: A data source may provide a plurality of time-series measurements that represent normal operation of a cyber-physical system (e.g., in substantially real-time during online operation of the cyber-physical system). A stateful, nonlinear embedding computer may receive the plurality of time-series measurements and execute stateful, nonlinear embedding to project the plurality of time-series measurements to a lower-dimensional latent variable space. In this way, redundant and irrelevant information may be reduced, and temporal and spatial dependence among the measurements may be captured. The output of the stateful, nonlinear embedding may be utilized to automatically identify underlying system characteristics of the cyber-physical system. In some embodiments, a stateful generative adversarial network may be used to achieve stateful embedding.
-
Publication No.: US20190222595A1
Publication date: 2019-07-18
Application No.: US15958285
Filing date: 2018-04-20
Applicant: General Electric Company
Inventor: Annarita GIANI, Masoud ABBASZADEH, Lalit Keshav MESTHA
IPC: H04L29/06, G06K9/62, G06F21/50, G05B19/048, G06F11/00
CPC classification number: H04L63/1425, G05B19/048, G06F11/006, G06F21/50, G06F2201/86, G06K9/6267, G06K9/6297, H04L63/14
Abstract: According to some embodiments, a plurality of monitoring nodes may each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. A node classification computer may determine, for each monitoring node, a classification result indicating whether each monitoring node is in a normal or abnormal state. A disambiguation engine may receive the classification results from the node classification computer and associate a Hidden Markov Model (“HMM”) with each monitoring node. For each node in an abnormal state, the disambiguation engine may execute the HMM associated with that monitoring node to determine a disambiguation result indicating if the abnormal state is a result of an attack or a fault and output a current status of each monitoring node based on the associated classification result and the disambiguation result.
-
18.
Publication No.: US20180188720A1
Publication date: 2018-07-05
Application No.: US15397103
Filing date: 2017-01-03
Applicant: General Electric Company
Inventor: Cody Joe BUSHEY, Lalit Keshav MESTHA, Daniel Francis HOLZHAUER
Abstract: According to some embodiments, a validation platform computer may interpret at least one received data packet to identify a control command for a controller of an industrial asset control system. The at least one data packet might be received, for example, from a network associated with a current operation of the industrial asset control system. The control command may then be introduced into an industrial asset simulation executing in parallel with the industrial asset control system. A simulated result of the control command from the industrial asset simulation may be validated, and, upon validation of the simulated result, it may be arranged for the control command to be provided to the controller of the industrial asset control system. Additionally, in some embodiments failed validation of a simulated result will prompt a threat-alert signal as well as prevent the command (e.g., data packet) from continuing to the controller.
-
Publication No.: US20200097651A1
Publication date: 2020-03-26
Application No.: US16142841
Filing date: 2018-09-26
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA, Hema ACHANTA, Olugbenga ANUBI
Abstract: According to some embodiments, a system, method and non-transitory computer-readable medium are provided comprising one or more heterogeneous data source nodes generating data associated with operation of the medical device; an abnormal state detection, prediction and correction module to receive data from one or more heterogeneous data source nodes; a memory for storing program instructions; and an abnormal state processor, coupled to the memory, and in communication with the abnormal state detection, prediction and correction module and operative to execute program instructions to: receive data from one or more heterogeneous data source nodes; receive a decision manifold separating a normal operating space from an abnormal operating space; perform a feature extraction process on the received data to generate at least one feature vector; determine, via the abnormal state detection, prediction and correction module, whether the feature vector maps to the normal operating space or the abnormal operating space in the decision manifold; and generate, via the abnormal state detection, prediction and correction module, a corrected value for the feature vector to map the feature vector to the normal operating space when it is determined that the feature vector maps to the abnormal operating space. Numerous other aspects are provided.
-
20.
Publication No.: US20190230119A1
Publication date: 2019-07-25
Application No.: US15986996
Filing date: 2018-05-23
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA, Olugbenga ANUBI, Hema ACHANTA
CPC classification number: H04L63/1466, G05B23/0297, G06F21/50, G06N20/00, H04L63/14, H04L63/1416
Abstract: Input signals may be received from monitoring nodes of the industrial asset, each input signal comprising time series data representing current operation. A neutralization engine may transform the input signals into feature vectors in feature space, each feature vector being associated with one of a plurality of overlapping batches of received input signals. A dynamic decision boundary may be generated based on the set of feature vectors, and an abnormal state of the asset may be detected based on the set of feature vectors and a predetermined static decision boundary. An estimated neutralized value for each abnormal feature value may be calculated based on the dynamic decision boundary and the static decision boundary such that a future set of feature vectors will be moved with respect to the static decision boundary. An inverse transform of each estimated neutralized value may be performed to generate neutralized signals comprising time series data that are output.
-