RESILIENT ESTIMATION FOR GRID SITUATIONAL AWARENESS

    Publication No.: US20210037044A1

    Publication date: 2021-02-04

    Application No.: US16525807

    Application date: 2019-07-30

    Abstract: According to some embodiments, a system, method and non-transitory computer-readable medium are provided to protect a cyber-physical system having a plurality of monitoring nodes comprising: a normal space data source storing, for each of the plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the cyber-physical system; a situational awareness module including an abnormal data generation platform, wherein the abnormal data generation platform is operative to generate abnormal data to represent abnormal operation of the cyber-physical system using values in the normal space data source and a generative model; a memory for storing program instructions; and a situational awareness processor, coupled to the memory, and in communication with the situational awareness module and operative to execute the program instructions to: receive a data signal, wherein the received data signal is an aggregation of data signals received from one or more of the plurality of monitoring nodes, wherein the data signal includes at least one real-time stream of data source signal values that represent a current operation of the cyber-physical system; determine, via a trained classifier, whether the received data signal is a normal signal or an abnormal signal, wherein the trained classifier is trained with the generated abnormal data and normal data; localize an origin of an anomaly when it is determined the received data signal is the abnormal signal; receive the determination and localization at a resilient estimator module; execute the resilient estimator module to generate a state estimation for the cyber-physical system. Numerous other aspects are provided.

    SCALABLE HIERARCHICAL ABNORMALITY LOCALIZATION IN CYBER-PHYSICAL SYSTEMS

    Publication No.: US20200244677A1

    Publication date: 2020-07-30

    Application No.: US16261931

    Application date: 2019-01-30

    Abstract: A cyber-physical system may have monitoring nodes that generate a series of current monitoring node values over time that represent current operation of the system. A hierarchical abnormality localization computer platform accesses a multi-level hierarchy of elements, and elements in a first level of the hierarchy are associated with elements in at least one lower level of the hierarchy and at least some elements may be associated with monitoring nodes. The computer platform may then determine, based on feature vectors and a decision boundary, an abnormality status for a first element in the highest level of the hierarchy. If the abnormality status indicates an abnormality, the computer platform may determine an abnormality status for elements, associated with the first element, in at least one level of the hierarchy lower than the level of the first element. These determinations may be repeated until an abnormality is localized to a monitoring node.

    THREAT DETECTION FOR A FLEET OF INDUSTRIAL ASSETS

    Publication No.: US20180316701A1

    Publication date: 2018-11-01

    Application No.: US15497974

    Application date: 2017-04-26

    CPC classification number: H04L63/1425 H04L63/1416 H04L63/1433

    Abstract: A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.

    AUTOMATED ATTACK LOCALIZATION AND DETECTION
    Invention application

    Publication No.: US20180157831A1

    Publication date: 2018-06-07

    Application No.: US15478425

    Application date: 2017-04-04

    Abstract: According to some embodiments, a threat detection computer platform may receive a plurality of real-time monitoring node signal values over time that represent a current operation of the industrial asset. For each stream of monitoring node signal values, the platform may generate a current monitoring node feature vector. The feature vector may also be estimated using a dynamic model output with that monitoring node signal values. The platform may then compare the feature vector with a corresponding decision boundary for that monitoring node, the decision boundary separating a normal state from an abnormal state for that monitoring node. The platform may detect that a particular monitoring node has passed the corresponding decision boundary and classify that particular monitoring node as being under attack. The platform may then automatically determine if the attack on that particular monitoring node is an independent attack or a dependent attack.

    Systems and Methods for Node Selection and Ranking in Cyber-Physical Systems

    Publication No.: US20240427904A1

    Publication date: 2024-12-26

    Application No.: US18762999

    Application date: 2024-07-03

    Abstract: The present application describes techniques for node selection and ranking for, e.g., attack detection and localization in cyber-physical systems, without relying on digital twins, computer models of assets, or operational domain expertise. The described techniques include obtaining an input dataset of values for a plurality of nodes (e.g., sensors, actuators, controllers, software nodes) of industrial assets, computing a plurality of principal components (PCs) for the input dataset according to variance of values for each node, computing a set of common weighted PCs based on the plurality of PCs according to variance of each PC, and ranking each node based on the node's contribution to the set of common weighted PCs.

    ATTACK DETECTION AND LOCALIZATION WITH ADAPTIVE THRESHOLDING

    Publication No.: US20220329613A1

    Publication date: 2022-10-13

    Application No.: US17228191

    Application date: 2021-04-12

    Abstract: According to some embodiments, a system, method, and non-transitory computer readable medium are provided comprising a plurality of real-time monitoring nodes to receive streams of monitoring node signal values over time that represent a current operation of the cyber physical system; and a threat detection computer platform, coupled to the plurality of real-time monitoring nodes, to: receive the monitoring node signal values; compute an anomaly score; compare the anomaly score with an adaptive threshold; and detect that one of a particular monitoring node and a system is outside a decision boundary based on the comparison, and classify that particular monitoring node or system as anomalous. Numerous other aspects are provided.

    UNIFIED MULTI-AGENT SYSTEM FOR ABNORMALITY DETECTION AND ISOLATION

    Publication No.: US20220327204A1

    Publication date: 2022-10-13

    Application No.: US17228162

    Application date: 2021-04-12

    Abstract: According to some embodiments, a system, method and non-transitory computer readable medium are provided comprising a plurality of real-time monitoring nodes to receive streams of monitoring node signal values over time that represent a current operation of the cyber physical system; a local status determination module comprising an ensemble of local agents, the module adapted to determine an anomaly status for one or more nodes; a global status determination module comprising an ensemble of global agents, the module adapted to determine an anomaly status for the cyber physical system; a threat detection computer platform comprising a memory and a computer processor, the threat detection computer platform coupled to the plurality of real-time monitoring nodes and adapted to: receive the monitoring node signal values, generate feature vectors from the received monitoring node signal values; compare via the local status determination module the feature vectors with at least one decision boundary associated with a local abnormal detection model; compare via the global status determination module the feature vectors with at least one decision boundary associated with a global abnormal detection model; and transmit an abnormal alert signal from the local status determination module and the global status determination module based on a result of each comparison. Numerous other aspects are provided.
