Attack detection and countermeasure identification system

US12524530B2 · US · B2

Patent metadata
Publication number: US-12524530-B2
Application number: US-202218089373-A
Country: US
Kind code: B2
Filing date: Dec 27, 2022
Priority date: Dec 27, 2021
Publication date: Jan 13, 2026
Grant date: Jan 13, 2026

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method is disclosed which comprises accessing a detector model that is trained in parallel with an operator model and an attacker model using a reinforcement learning technique based on iteratively simulating scenarios of operation of an environment to generate training data and learning weights of the models based on the simulated training data. The simulating of a scenario is based on the last learned weights of the models. The method further comprises, during operation of the environment, applying the detector model to an operator action, a prior observation of state of the environment from prior to taking the operator action, and a current observation of the environment from after taking the operator action, to detect whether an attack on the environment has occurred.

First claim

Opening claim text (preview).

What is claimed is:

1. A method performed by one or more computing systems to support responding to a cyberattack on a physical infrastructure system via a computer network environment, the method comprising: accessing a specification of the physical infrastructure system that includes components having a plurality of states; running scenarios, comprising virtual simulations of the physical infrastructure system that output machine learning model training data, to modify a current state of the physical infrastructure system corresponding to the plurality of states, wherein running a scenario includes: modifying the current state of the physical infrastructure system based on an operator action, wherein a modification to the plurality of states includes a simulated change to a physical infrastructure topology; modifying the modified current state of the physical infrastructure system based on an attacker action to generate a new state; and detecting within the scenario whether an attack on the physical infrastructure system has occurred based on the operator action, the current state, and the new state; and training an operator model and a detector model based on the operator action, the attacker action, and a detection of whether an attack on the physical infrastructure system has occurred, wherein the operator model is trained to identify an effective operator action given a particular current state of the physical infrastructure system and the detector model is trained to detect an attack on the physical infrastructure system and said training modifies weights assigned to the operator action and the attacker action as associated with the particular current state and the detection of the attack respectively.

2. The method of claim 1, further comprising: training an attacker model in parallel with training the operator model and the detector model, based on the operator actions, the attacker actions, and the detections of the scenarios, wherein the attacker model is trained to identify effective attacks on the physical infrastructure system.

3. The method of claim 1, wherein the running a scenario generates an operator reward for each operator action as an indication of effectiveness of the operator action, an attacker reward for each attacker action as an indication of effectiveness of the attacker action, and a detector reward as an indication of effectiveness of the detection, and wherein the training the operator model and the detector model step factors in the operator reward, the attacker reward, and the detector reward.

4. The method of claim 1, further comprising: receiving a current state of a non-simulated, real environment of a physical infrastructure system, an operator action to modify the current state, and a new state after modification of the current state; and applying the detector model to the operator action, the current state, and the new state to detect whether an attack has occurred on the non-simulated, real environment of the physical infrastructure system.

5. The method of claim 4, further comprising: applying the operator model to identify an effective operator action when an attack is detected.

6. The method of claim 1, wherein the running scenarios and the training are performed iteratively, wherein the running employs the operator model, an attacker model, and the detector model that was last trained, respectively, to generate operator actions, to generate an attacker action, and to detect an attack.

7. The method of claim 1, wherein the physical infrastructure system is a power grid system that includes generators, loads, substations, and lines.

8. The method of claim 1, wherein the computer network environment is an information technology (IT) environment.

9. A processing system configured to support responding to a cyberattack on a physical infrastructure system via a computer network environment, the system comprising: at least one processor; and at least one non-transitory computer-readable storage medium storing instructions, execution of which by the at least one processor causes the processing system to perform operations comprising: accessing a specification of the physical infrastructure system that includes components having a plurality of states; running scenarios, comprising virtual simulations of the physical infrastructure system that output machine learning model training data, to modify a current state of the physical infrastructure system corresponding to the plurality of states, wherein running a scenario includes: modifying the current state of the physical infrastructure system based on an operator action, wherein a modification to the plurality of states includes a simulated change to a physical infrastructure topology; modifying the modified current state of the physical infrastructure system based on an attacker action to generate a new state; and detecting within the scenario whether an attack on the physical infrastructure system has occurred based on the operator action, the current state, and the new state; and training an operator model and a detector model based on the operator action, the attacker action, and a detection of whether an attack on the physical infrastructure system has occurred, wherein the operator model is trained to identify an effective operator action given a particular current state of the physical infrastructure system and the detector model is trained to detect an attack on the physical infrastructure system and said training modifies weights assigned to the operator action and the attacker action as associated with the particular current state and the detection of the attack respectively.

10. The system of claim 9, the operations further comprising: training an attacker model in parallel with training the operator model and the detector model, based on the operator actions, the attacker actions, and the detections of the scenarios, wherein the attacker model is trained to identify effective attacks on the physical infrastructure system.

11. The system of claim 9, wherein the running a scenario generates an operator reward for each operator action as an indication of effectiveness of the operator action, an attacker reward for each attacker action as an indication of effectiveness of the attacker action, and a detector reward as an indication of effectiveness of the detection, and wherein the training the operator model and the detector model step factors in the operator reward, the attacker reward, and the detector reward.

12. The system of claim 9, the operations further comprising: receiving a current state of a non-simulated, real environment of a physical infrastructure system, an operator action to modify the current state, and a new state after modification of the current state; and applying the detector model to the operator action, the current state, and the new state to detect whether an attack has occurred on the non-simulated, real environment of the physical infrastructure system.

13. The system of claim 12, the operations further comprising: applying the operator model to identify an effective operator action when an attack is detected.

14. The system of claim 9, wherein the running scenarios and the training are performed iteratively, wherein the running employs the operator model, an attacker model, and the detector model that was last trained, respectively, to generate operator actions, to generate an attacker action, and to detect an attack.

15. The system of claim 9, wherein the physical infrastructure system is a power grid system and th
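The loop that claims 1, 3 and 6 describe (run a scenario as operator action, then attacker action; detect from the triple of operator action, prior state and new state; train the operator, attacker and detector in parallel from per-model rewards; reuse the last-learned weights in the next scenario) is shown below as an added Python illustration. It is not the patent's code or Lawrence Livermore's implementation: the three-line toy grid, the perceptron detector, the tabular Q-value policies, the reward values and the "unexpected line loss" feature are all constructed assumptions for this example.

```python
"""Toy instance of the claimed training loop: operator, attacker and detector
models trained in parallel by simulating scenarios on a tiny grid model.
Constructed illustration, not the patent's code."""
import random

N_LINES = 3          # constructed: a 3-line grid, each line 1 = in service
NOOP = N_LINES       # action index meaning "do nothing"


def apply_operator(state, action):
    """Operator may re-energise one line (or do nothing); never trips a line."""
    s = list(state)
    if action != NOOP:
        s[action] = 1
    return tuple(s)


def apply_attacker(state, action):
    """Attacker may trip one line (or do nothing)."""
    s = list(state)
    if action != NOOP:
        s[action] = 0
    return tuple(s)


def detector_features(op_action, prev_state, new_state):
    """The detector sees exactly the triple from claim 1.  Knowing what the
    operator action should have done, it counts lines that dropped out
    beyond the expected post-action state (assumed feature, not the patent's)."""
    expected = apply_operator(prev_state, op_action)
    unexpected_loss = sum(1 for e, n in zip(expected, new_state) if e == 1 and n == 0)
    return (1.0, float(unexpected_loss))


class Detector:
    """Linear detector over the features above; perceptron-style update driven
    by a detector reward of +1 (correct) / -1 (wrong)."""
    def __init__(self):
        self.w = [0.0, 0.0]

    def predict(self, op_action, prev_state, new_state):
        x = detector_features(op_action, prev_state, new_state)
        return sum(wi * xi for wi, xi in zip(self.w, x)) > 0.0

    def update(self, op_action, prev_state, new_state, attacked):
        if self.predict(op_action, prev_state, new_state) != attacked:
            sign = 1.0 if attacked else -1.0
            x = detector_features(op_action, prev_state, new_state)
            self.w = [wi + sign * xi for wi, xi in zip(self.w, x)]


class TabularPolicy:
    """Weights (Q-values) per (state, action) pair; epsilon-greedy choice."""
    def __init__(self, n_actions, alpha=0.2):
        self.q, self.n_actions, self.alpha = {}, n_actions, alpha

    def choose(self, state, rng, epsilon):
        if rng.random() < epsilon:
            return rng.randrange(self.n_actions)
        return max(range(self.n_actions), key=lambda a: self.q.get((state, a), 0.0))

    def update(self, state, action, reward):
        old = self.q.get((state, action), 0.0)
        self.q[(state, action)] = old + self.alpha * (reward - old)


def run_scenario(start_state, operator, attacker, detector, rng, epsilon, steps=4):
    """One simulated scenario driven by the last-learned weights of all three models."""
    state = start_state
    for _ in range(steps):
        op_action = operator.choose(state, rng, epsilon)
        mid = apply_operator(state, op_action)             # operator modifies state
        att_action = attacker.choose(mid, rng, epsilon)
        new = apply_attacker(mid, att_action)              # attacker modifies it again
        attacked = new != mid                              # ground truth for training
        detected = detector.predict(op_action, state, new)
        # constructed rewards: operator wants lines in service, attacker wants
        # outages but is penalised when its attack is detected
        operator.update(state, op_action, float(sum(new)))
        attacker.update(mid, att_action,
                        float(N_LINES - sum(new)) - (2.0 if detected and attacked else 0.0))
        detector.update(op_action, state, new, attacked)
        state = new


def train(n_scenarios=500, seed=0):
    """Iteratively run scenarios and train all three models in parallel."""
    rng = random.Random(seed)
    operator, attacker = TabularPolicy(N_LINES + 1), TabularPolicy(N_LINES + 1)
    detector = Detector()
    for i in range(n_scenarios):
        start = tuple(rng.choice((0, 1)) for _ in range(N_LINES))
        epsilon = max(0.05, 1.0 - i / n_scenarios)        # explore early, exploit late
        run_scenario(start, operator, attacker, detector, rng, epsilon)
    return operator, attacker, detector


def detector_accuracy(detector, n_samples=1000, seed=1):
    """Apply the trained detector to fresh (action, prior, current) triples, as
    claim 4 does for a live environment, and score it against the ground truth."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(n_samples):
        prev = tuple(rng.choice((0, 1)) for _ in range(N_LINES))
        op_action = rng.randrange(N_LINES + 1)
        mid = apply_operator(prev, op_action)
        new = apply_attacker(mid, rng.randrange(N_LINES + 1))
        correct += detector.predict(op_action, prev, new) == (new != mid)
    return correct / n_samples


if __name__ == "__main__":
    op, att, det = train()
    print("detector weights:", det.w, "accuracy:", detector_accuracy(det))
```

The point of the example is the coupling the claims describe: because the detector's reward makes it learn the "unexpected loss" signal, the attacker's penalty for detected actions pushes its Q-values toward doing nothing, and the operator's Q-values then favour reconnecting lines. In a real deployment the detector input would be the live operator action and the two observations named in claim 4, not a simulated triple.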

Assignees

Inventors

Classifications

  • Reinforcement learning · CPC title

  • Test or assess a computer or a system · CPC title

  • Machine learning · CPC title

  • Probabilistic graphical models, e.g. probabilistic networks · CPC title

  • G06F21/554 (Primary): involving event detection and direct action · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12524530B2 cover?
A method is disclosed which comprises accessing a detector model that is trained in parallel with an operator model and an attacker model using a reinforcement learning technique based on iteratively simulating scenarios of operation of an environment to generate training data and learning weights of the models based on the simulated training data. The simulating of a scenario is based on the l…
Who is the assignee on this patent?
L Livermore Nat Security Llc, Lawrence Livermore Nat Security
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date Jan 13, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).