System and method of anomaly detection
US-8941484-B2 · Jan 27, 2015 · US
Method For Intrusion Detection In Industrial Automation And Control System
US2016149944A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016149944-A1 |
| Application number | US-201514945692-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 19, 2015 |
| Priority date | Nov 21, 2014 |
| Publication date | May 26, 2016 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
A method and system for automatic signalling an alert when a possible intrusion occurs in an industrial automation and control system, based on security events which occur in the industrial automation and control system or are externally fed into the system. The method includes the steps of: (a) determining a correlation of a first and second security event and storing the correlation in an event database, wherein the correlation includes a probability that the first security event is followed by the second security event within a normalised time period, (b) identifying a candidate event as the first security event, based on event information of the candidate event, upon occurrence of the candidate event, (c) classifying the candidate event as anomalous when the probability exceeds a predetermined threshold and no second security event follows the candidate event within the normalised time period, and (d) signalling the alert indicating the candidate event.
First claim
Opening claim text (preview).
1 . A method for automatic signalling an alert when a possible intrusion occurs in an industrial automation and control system, comprising: (a) determining a correlation of a first E 1 and second security event E 2 and storing the correlation in an event database, wherein the correlation includes a probability P E1,E2 that the first security event is directly followed by the second security event within a normalised time period, (b) identifying a candidate event as the first security event, based on event information of the candidate event, upon occurrence of the candidate event, (c) classifying the candidate event as anomalous when the probability P E1,E2 exceeds a predetermined threshold and no second security event follows the candidate event within the normalised time period, and (d) signalling the alert indicating the candidate event. 2 . The method according to claim 1 , further comprising: accumulating the correlation of the first and second security event upon their re-occurrence, and updating the event database. 3 . The method according to claim 1 , wherein the predetermined threshold P thres is 0.8, preferably 0.9. 4 . The method according to claim 1 , wherein the probability P E1,E2 is a distributed probability. 5 . The method according to claim 1 , wherein the probability P E1,E2 increases with elapsed time since the occurrence of the first security event. 6 . The method according to claim 1 , wherein the event information comprises a provider identification and an event identification. 7 . A system for automatic signalling when a possible intrusion occurs in an industrial automation and control system, adapted to (a) determine a correlation of a first E 1 and second security event E 2 and store the correlation in an event database, wherein the correlation includes a probability P E1,E2 that the first security event is followed by the second security event within a normalised time period, (b) identify a candidate event as the first security event, based on event information of the candidate event, upon occurrence of the candidate event, (c) classify the candidate event as anomalous when the probability P E1,E2 exceeds a predetermined threshold and no second security event follows the candidate event within the normalised time period, and (d) signal the alert indicating the candidate event. 8 . The system according to claim 7 , further adapted to accumulate the correlation of the first and second security even upon their re-occurrence, and updating the event database. 9 . The system according to claim 7 , wherein the predetermined threshold P thres is 0.8, preferably 0.9. 10 . The system according to claim 7 , wherein the probability P E1,E2 is a distributed probability. 11 . The system according to claim 7 , wherein the probability P E1,E1 increases with elapsed time since the occurrence of the first security event. 12 . The system according to claim 7 , wherein the event information comprises a provider identification and an event identification.
Assignees
Inventors
Classifications
involving event detection and direct action · CPC title
involving simulating, designing, planning or modelling of a network · CPC title
Safe mode, secure program, environment in case of error, intrusion · CPC title
Updating · CPC title
Event management; Broadcasting; Multicasting; Notifications · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2016149944A1 cover?
- A method and system for automatic signalling an alert when a possible intrusion occurs in an industrial automation and control system, based on security events which occur in the industrial automation and control system or are externally fed into the system. The method includes the steps of: (a) determining a correlation of a first and second security event and storing the correlation in an eve…
- Who is the assignee on this patent?
- Abb Technology Ag
- What technology area does this patent fall under?
- Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
- When was this patent published?
- Publication date Thu May 26 2016 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).