PatentsDB

Systems and methods for detecting anomolies in network communication

US2022103591A1 · US · A1

Patent metadata
FieldValue
Publication numberUS-2022103591-A1
Application numberUS-202017038852-A
CountryUS
Kind codeA1
Filing dateSep 30, 2020
Priority dateSep 30, 2020
Publication dateMar 31, 2022
Grant date

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Systems and method for detecting anomalies in network communication in an industrial automation system. An anomaly detection system, a decentralized system, may identify IoT devices within the network communication and corresponding communication metrics. Using the communication metrics between the identified IoT devise, the anomaly detection system may generate a social network model that is indicative of expected network communication properties. By analyzing social network metrics and the overall entropy of the network communication in real time, the anomaly detection system may identify anomalies that may be associated with potential network vulnerabilities.

First claim

Opening claim text (preview).

1 . A non-transitory computer-readable medium, comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to: receive data associated with network communication from a plurality of devices in an industrial automation system; identify one or more communication patterns within the network communication based on the data; identify one or more devices of the plurality of devices based on one or more identifiers associated with the one or more communication patterns; determine one or more communication metrics between the one or more devices using the one or more communication patterns; generate a network model based the one or more devices and the one or more communication metrics, wherein the network model is representative of one or more expected properties of the network communication of the one or more devices; perform an analysis of the network communication using one or more network metrics based on the network model with respect to time; detect one or more anomalies in the network communication using the analysis; and send a notification to a computing device in response to detecting the one or more anomalies. 2 . The non-transitory computer-readable medium of claim 1 , wherein the computer-executable instructions are configured to cause the one or more processors to: receive an input from the computing device, wherein the input is indicative of: a first anomaly of the one or more anomalies as a network vulnerability; and a command configured to prevent a first device of the plurality of devices from accessing the network communication, wherein the first device is associated with the first anomaly; and dynamically update a machine-learning model based on the input. 3 . The non-transitory computer-readable medium of claim 1 , wherein the computer-executable instructions cause the one or more processors to: classify a first anomaly of the one or more anomalies as a network vulnerability based on a correlation between the first anomaly and a second anomaly part of a machine-learning model; and send a command configured to prevent a first device of the plurality of devices from accessing the network communication, wherein the first device is associated with the first anomaly. 4 . The non-transitory computer-readable medium of claim 1 , wherein the one or more identifiers comprise one or more MAC addresses, one or more IP addresses, one or more types of devices, one or more user roles, one or more geolocations, or any combination thereof. 5 . The non-transitory computer-readable medium of claim 1 , wherein the one or more network metrics comprise a density component, a centrality component, a modality component, an entropy component, or any combination thereof. 6 . The non-transitory computer-readable medium of claim 5 , wherein the entropy component is indicative of a level of uncertainty associated with the network communication. 7 . The non-transitory computer-readable medium of claim 1 , wherein the one or more communication metrics comprise a number of messages per unit time, a data volume, a duration of communication, a number of connections to the one or more devices, a source error rate, a destination error rate, or any combination thereof. 8 . A method, comprising: receiving, via a processor, data associated with network communication from a plurality of devices in an industrial automation system; identifying, via the processor, one or more communication patterns within the network communication based on the data; identifying, via the processor, one or more devices of the plurality of devices based on one or more identifiers associated with the one or more communication patterns; determining, via the processor, one or more communication metrics between the one or more devices using the one or more communication patterns; generating, via the processor, a network model based the one or more devices and the one or more communication metrics, wherein the network model is representative of one or more expected properties of the network communication of the one or more devices; performing, via the processor, an analysis of the network communication using one or more network metrics based on the network model with respect to time; detecting, via the processor, one or more anomalies in the network communication using the analysis; and sending, via the processor, a notification to a computing device in response to detecting the one or more anomalies. 9 . The method of claim 8 , comprising receiving one or more annotations from the computing device, wherein the one or more annotations comprise one or more indications of one or more types of the one or more anomaly. 10 . The method of claim 9 , wherein the one or more types corresponds to a safety threat, a network threat, a data quality issue, or any combination thereof. 11 . The method of claim 8 , comprising receiving one or more annotations from the computing device, wherein the one or more annotations comprise one or more commands configured to prevent a first device of the plurality of devices from accessing the network communication. 12 . The method of claim 8 , wherein the one or more identifiers comprise one or more MAC addresses, one or more IP addresses, one or more types of devices, one or more user roles, one or more geolocations, or any combination thereof. 13 . The method of claim 8 , wherein the one or more network metrics comprise a density component, a centrality component, a modality component, an entropy component, or any combination thereof. 14 . The method of claim 13 , wherein the entropy component is indicative of a level of uncertainty associated with the network communication. 15 . The method of claim 8 , the one or more communication metrics comprise a number of messages per unit time, a data volume, a duration of communication, a number of connections to the one or more devices, a source error rate, a destination error rate, or any combination thereof. 16 . A non-transitory computer-readable medium, comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to: receive data associated with network communication from a plurality of devices in an industrial automation system; identify one or more anomalies within the data based on a comparison between the data and a network model representative of one or more expected properties of the network communication of one or more devices of the plurality of devices; retrieve at least one annotation associated with the one or more anomalies, wherein the at least one annotation corresponds to one or more commands configured to adjust a first operation of a first device of the one or more devices; and send the one or more commands to the first device. 17 . The non-transitory computer-readable medium of claim 16 , wherein the at least one annotation is previously provided by at least one user for at least one anomaly similar to the one or more anomalies. 18 . The non-transitory computer-readable medium of claim 16 , wherein the at least one annotation for the one or more anomalies corresponds to a type of anomaly. 19 . The non-transitory computer-readable medium of claim 18 , wherein the type of anomaly corresponds to a safety anomaly, a network threat anomaly, or a data quality anomaly. 20 . The non-transitory computer-readable medium of claim 16 , wherein the one or more commands are configured to cause the first device to op

Assignees

Inventors

Classifications

  • H04L63/1425Primary

    Traffic logging, e.g. anomaly detection · CPC title

  • H04L63/1441

    Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

  • H04L63/1433Primary

    Vulnerability analysis · CPC title

  • G05B19/4155

    characterised by program execution, i.e. part program or machine function execution, e.g. selection of a program · CPC title

  • G06N20/00

    Machine learning · CPC title

Patent family

Related publications grouped by family.

View patent family 77951538

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2022103591A1 cover?
Systems and method for detecting anomalies in network communication in an industrial automation system. An anomaly detection system, a decentralized system, may identify IoT devices within the network communication and corresponding communication metrics. Using the communication metrics between the identified IoT devise, the anomaly detection system may generate a social network model that is i…
Who is the assignee on this patent?
Rockwell Automation Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Thu Mar 31 2022 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 9 related publications on this page (citations in our corpus or others sharing the same primary CPC).