-
Publication No.: US20190288847A1
Publication date: 2019-09-19
Application No.: US15923279
Application date: 2018-03-16
Applicant: General Electric Company
Inventor: Benjamin Edward BECKMANN , Anilkumar VADALI , Lalit Keshav MESTHA , Daniel Francis HOLZHAUER , John William CARBONE
Abstract: A verification platform may include a data connection to receive a stream of industrial asset data, including a subset of the industrial asset data, from industrial asset sensors. The verification platform may store the subset of industrial asset data into a data store, the subset of industrial asset data being marked as invalid, and record a hash value associated with a compressed representation of the subset of industrial asset data combined with metadata in a secure, distributed ledger (e.g., associated with blockchain technology). The verification platform may then receive a transaction identifier from the secure, distributed ledger and mark the subset of industrial asset data in the data store as being valid after using the transaction identifier to verify that the recorded hash value matches a hash value of an independently created version of the compressed representation of the subset of industrial asset data combined with metadata.
-
Publication No.: US20190230099A1
Publication date: 2019-07-25
Application No.: US15977558
Application date: 2018-05-11
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA , Masoud ABBASZADEH , Annarita GIANI
Abstract: Streams of monitoring node signal values over time, representing a current operation of the industrial asset, are used to generate current monitoring node feature vectors. Each feature vector is compared with a corresponding decision boundary separating normal from abnormal states. When a first monitoring node passes a corresponding decision boundary, an attack is detected and classified as an independent attack. When a second monitoring node passes a decision boundary, an attack is detected and a first decision is generated based on a first set of inputs indicating if the attack is independent/dependent. From the beginning of the attack on the second monitoring node until a final time, the first decision is updated as new signal values are received for the second monitoring node. When the final time is reached, a second decision is generated based on a second set of inputs indicating if the attack is independent/dependent.
-
Publication No.: US20190222596A1
Publication date: 2019-07-18
Application No.: US15964644
Application date: 2018-04-27
Applicant: General Electric Company
Inventor: Masoud ABBASZADEH , Lalit Keshav MESTHA
IPC: H04L29/06
CPC classification number: H04L63/1425 , G06F21/55
Abstract: In some embodiments, a plurality of monitoring nodes each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors including a current feature for capturing transients (e.g., local transients and/or global transients). The attack detection computer platform may also access an attack detection model having at least one decision boundary that was created using at least one of a set of normal feature vectors and/or a set of attacked feature vectors. The attack detection model may then be executed such that an attack alert signal is transmitted by the attack detection computer platform, when appropriate, based on the set of current feature vectors (including the current feature to capture transients) and the at least one decision boundary.
-
Publication No.: US20180260561A1
Publication date: 2018-09-13
Application No.: US15453544
Application date: 2017-03-08
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA , Santosh Sambamoorthy VEDA , Masoud ABBASZADEH , Chaitanya Ashok BAONE , Weizhong YAN , Saikat RAY MAJUMDER , Sumit BOSE , Annartia GIANI , Olugbenga ANUBI
IPC: G06F21/55
CPC classification number: G06F21/554 , G05B23/0275 , G06F2221/034 , Y04S10/522
Abstract: According to some embodiments, a plurality of heterogeneous data source nodes may each generate a series of current data source node values over time that represent a current operation of an electric power grid. A real-time threat detection computer, coupled to the plurality of heterogeneous data source nodes, may receive the series of current data source node values and generate a set of current feature vectors. The threat detection computer may then access an abnormal state detection model having at least one decision boundary created offline using at least one of normal and abnormal feature vectors. The abnormal state detection model may be executed, and a threat alert signal may be transmitted if appropriate based on the set of current feature vectors and the at least one decision boundary.
-
Publication No.: US20180157771A1
Publication date: 2018-06-07
Application No.: US15491243
Application date: 2017-04-19
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA , Masoud ABBASZADEH , Cody BUSHEY
IPC: G06F17/50
CPC classification number: G06F17/5009 , G06F17/5086 , G06F2217/16
Abstract: An augmented system model may include a system high fidelity model that generates a first output. The augmented system model may further include a data driven model to receive data associated with the first output and to generate a second output, and a feature space version of the second output may be output from the augmented system model. Monitoring nodes may each generate a series of current monitoring node values over time representing current operation of an industrial asset. A model adaptation element may receive the current monitoring node values, calculate a feature space version of current operation, and compare the feature space version of the second output of the augmented system model with the feature space version of current operation. Parameters of the data driven model may then be adapted based on a result of the comparison.
-
Publication No.: US20190230106A1
Publication date: 2019-07-25
Application No.: US15977595
Application date: 2018-05-11
Applicant: General Electric Company
Inventor: Masoud ABBASZADEH , Lalit Keshav MESTHA
CPC classification number: H04L63/1425 , G05B19/0428 , G05B23/0229 , G05B23/0297 , H04L41/06 , H04L63/1408 , H04L63/1416 , H04L63/1441 , H04L63/1466 , H04L67/12
Abstract: An industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time representing current operation of the industrial asset. An abnormality detection computer may determine that at least one abnormal monitoring node is currently being attacked or experiencing a fault. A virtual sensing estimator may continuously execute an adaptive learning process to create or update virtual sensor models for the monitoring nodes. Responsive to an indication that a monitoring node is currently being attacked or experiencing a fault, the virtual sensing estimator may be dynamically reconfigured to estimate a series of virtual node values for the abnormal monitoring node or nodes based on information from normal monitoring nodes and appropriate virtual sensor models. The series of monitoring node values from the abnormal monitoring node or nodes may then be replaced with the virtual node values.
-
Publication No.: US20190212710A1
Publication date: 2019-07-11
Application No.: US16354926
Application date: 2019-03-15
Applicant: General Electric Company
Inventor: Cody Joe BUSHEY , Lalit Keshav MESTHA , Daniel Francis HOLZHAUER
Abstract: According to some embodiments, a validation platform computer may interpret at least one received data packet to identify a control command for a controller of an industrial asset control system. The at least one data packet might be received, for example, from a network associated with a current operation of the industrial asset control system. The control command may then be introduced into an industrial asset simulation executing in parallel with the industrial asset control system. A simulated result of the control command from the industrial asset simulation may be validated, and, upon validation of the simulated result, it may be arranged for the control command to be provided to the controller of the industrial asset control system. Additionally, in some embodiments failed validation of a simulated result will prompt a threat-alert signal as well as prevent the command (e.g., data packet) from continuing to the controller.
-
Publication No.: US20180316701A1
Publication date: 2018-11-01
Application No.: US15497974
Application date: 2017-04-26
Applicant: General Electric Company
Inventor: Daniel Francis HOLZHAUER , Masoud ABBASZADEH , Lalit Keshav MESTHA , Justin Varkey JOHN , Cody BUSHY
IPC: H04L29/06
CPC classification number: H04L63/1425 , H04L63/1416 , H04L63/1433
Abstract: A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.
-
Publication No.: US20180262525A1
Publication date: 2018-09-13
Application No.: US15454219
Application date: 2017-03-09
Applicant: General Electric Company
Inventor: Weizhong YAN , Masoud ABBASZADEH , Lalit Keshav MESTHA
CPC classification number: H04L63/1441 , G05B13/0265 , G05B13/041 , G06N20/00 , H04L63/1425 , Y04S40/24
Abstract: According to some embodiments, a plurality of heterogeneous data source nodes may each generate a series of data source node values over time associated with operation of an electric power grid control system. An offline abnormal state detection model creation computer may receive the series of data source node values and perform a feature extraction process to generate an initial set of feature vectors. The model creation computer may then perform feature selection with a multi-model, multi-disciplinary framework to generate a selected feature vector subset. According to some embodiments, feature dimensionality reduction may also be performed to generate the selected feature subset. At least one decision boundary may be automatically calculated and output for an abnormal state detection model based on the selected feature vector subset.
-
Publication No.: US20180159879A1
Publication date: 2018-06-07
Application No.: US15484282
Application date: 2017-04-11
Applicant: General Electric Company
Inventor: Lalit Keshav MESTHA , Justin Varkey JOHN , Weizhong YAN , David Joseph HARTMAN
CPC classification number: H04L63/1425 , G06N3/0454 , G06N3/084 , G06N7/005 , G06N20/00 , G06N20/10
Abstract: A threat detection model creation computer receives normal monitoring node values and abnormal monitoring node values. At least some received monitoring node values may be processed with a deep learning model to determine parameters of the deep learning model (e.g., a weight matrix and affine terms). The parameters of the deep learning model and received monitoring node values may then be used to compute feature vectors. The feature vectors may be spatial along a plurality of monitoring nodes. At least one decision boundary for a threat detection model may be automatically calculated based on the computed feature vectors, and the system may output the decision boundary separating a normal state from an abnormal state for that monitoring node. The decision boundary may also be obtained by combining feature vectors from multiple nodes. The decision boundary may then be used to detect normal and abnormal operation of an industrial asset.