JP2021511590A - Protect your system from harmful communications - Google Patents

Abstract

In some examples, a computer system may receive packet data from a control system that includes equipment controlled by at least one computing device. Computer systems can generate data representations based on packet data. For example, the data representation can represent at least one of the device states or settings. The computer system can perform recognition on the data representation to determine whether the packet information indicates a normal state or an abnormal state. Based on the determination that the received packet information indicates an abnormal condition, the computer system may perform at least one action.

Description

The present disclosure relates to the technical field of computer system security.

Manufacturing facilities, factories, complex facilities, power plants, transportation systems, refineries, industrial control systems and various other operational technology (OT) systems are controlled by computer systems that are relied on to operate the equipment in the desired way. sell. The security of OT systems has traditionally relied on stand-alone OT implementations. However, recently, OT systems have been linked to other computer systems and the Internet, which has increased the need for secure OT systems. For example, OT systems can be exposed to attacks or other destabilizations brought about by electronic communications that can cause harmful, destructive, or abnormal device operation. For example, in some examples, a person or a malicious actor, such as a malicious code, can use electronic communication to malfunction or malfunction the device. In another example, the control settings of the device may be changed unintentionally or by mistake by electronic communication, which can also cause undesired abnormal operation of the device.

Embodiments herein include mechanisms and techniques for protecting control systems from harmful communications. In some examples, the computer system may receive packet data of communication from the control system. The control system may include equipment controlled by at least one computing device. Computer systems can generate data representations based on packet data. For example, the data representation may represent at least one of the device states or settings. The computer system can perform recognition on the data representation to determine whether the packet information indicates a normal state or an abnormal state. Based on the determination that the received packet information indicates an abnormal condition, the computer system may perform at least one action.

A detailed description will be given with respect to the accompanying drawings. In the figure, the number at the left end of the reference number indicates the figure in which the reference number first appears. The use of the same reference number in various figures indicates similar or identical items or features.

FIG. 5 illustrates an exemplary architecture of a computer system capable of detecting and managing communications that can cause abnormal behavior in some embodiments. FIG. 5 is a flow diagram illustrating an exemplary process that can be performed by a security program according to some embodiments. FIG. 5 illustrates an exemplary format of cyclic packets according to some embodiments. It is a figure which shows the exemplary format of the sequential packet by some embodiments. It is a figure which shows the exemplary packet data representation by some embodiments. It is a flow chart which shows the exemplary process by some embodiments. It is a figure which shows the example which emphasizes the time series data by some embodiments. It is a figure which shows the example which emphasizes the time series data by some embodiments. It is a figure which shows the exemplary packet data representation by some embodiments. It is a figure which shows the exemplary packet data representation by some embodiments. It is a figure which shows the example which emphasizes the time series data by some embodiments. It is a figure which shows the exemplary variable field data structure by some embodiments. It is a figure which shows the exemplary pattern data structure by some embodiments. FIG. 5 illustrates an exemplary dashboard graphic user interface according to some embodiments. FIG. 5 is a flow diagram illustrating an exemplary process that can be performed by a security program according to some embodiments.

Some embodiments herein are techniques for systems that determine when an instrument, machine, industrial control network or other operational technology (OT) system receives communications that can cause anomalous operation of the controlled system. And the mechanism. As an example, a service computing device can recognize patterns of communication data by inspecting packets transmitted over a network. The service computing device can determine whether the packet (or the resulting operation of the device) is normal or abnormal based on the recognition result of the communication data. For example, a service computing device can classify communication data as normal or abnormal by analyzing packets described by non-standard protocols and transmitted over the control network of an OT system. Therefore, even if the protocol used by the controlled system is unknown, embodiments herein can distinguish normal communication from harmful communication that can cause the controlled system to malfunction.

Some examples include pattern recognition systems and processes in which a service computing device recognizes patterns of communication data by receiving and inspecting packet data. As an example, packet data can be obtained by mirroring packets transmitted within the control network of the control system. In some cases, the control network is a primary and secondary control computing device between a human-machine interface (HMI) computing device and a primary and secondary control computing device that controls equipment in the control system via the control network. Can include lines.

A service computing device can be configured to generate a data representation from packet data. In some cases, the data representation may include time series data blocks that represent time series data in image or matrix format. The service computing device may generate a data representation to monitor cyclic packets containing at least one of a device set value or state value for machine control. The service computing device can also be configured to generate a data representation to monitor temporary sequential packets whose settings can be updated. The service computing device further extracts a set value, a state value, or an operation value from the payload data of the packet, and a corresponding time series data block including a set value, a state value, and / or a history value of the operation value of the corresponding device. Can be configured to generate. The service computing device can also be configured to perform a pattern recognition process and use time series data blocks to recognize one or more patterns of communication data. The service computing device also statistically aggregates the recognition results and renders and presents a dashboard graphic user interface (GUI) that can display the recognition patterns along with instructions on whether the recognition patterns are normal or abnormal based on the recognition results. Can be configured to.

Some embodiments of the present specification provide security systems and techniques for monitoring the state of communication data by analyzing packets transmitted within the control network of a controlled system. For example, the systems herein can analyze packets described by primitives and / or non-standardized protocols that can be used in OT control systems. As an example, the systems herein can detect attacks that spoof control commands in a control system. For example, if a malicious actor changes the control value of an operating device, conventional security techniques may not be able to detect such change. On the other hand, the security systems and methods herein can analyze packets in control communications to determine if the packets can cause unwanted harmful or anomalous behavior of the controlled device.

In some examples herein, a computer system may recognize patterns of communication data by analyzing packets transmitted within a netturk that connects a human-machine interface to a machine-controlled computer. The computer system can monitor cyclic packets that monitor the state values and set values of the machine control computer and sequential packets that manipulate the set values. The computer system can generate a data representation of received packet data, such as a time-series data block, consisting of historical data representing the state and set values of a machine-controlled computer based on the packet data. Further, the computer system can recognize the pattern of each time series data block and can classify the time series data as normal or abnormal. Further, the computer system herein may include training data that stores time series data blocks along with the pattern numbers of the corresponding patterns. Training data is used to train machine learning models that perform deep learning using time series data blocks with pattern numbers.

In some examples, the time series data block can be generated as image data representing the historical state and set values of the machine controller and / or the historical arrival of sequential packets as pixel bands. In some examples, a time series data block containing initial and final values of state and set values may be generated separately from the pixel band of historical data. In some examples, time series data blocks can be generated that represent each type of state and set value as a data block that uses different channels. Further, in some examples, time series data blocks can be generated that represent each of the state and set values as pixels using different colors in the image data. In some cases, when generating a time series data block, state values and set values that exceed 8 bits may be divided into high-order bit values and low-order bit values, and multiplied by a constant value to emphasize the high-order bits. A time series data block representing the value of the high-order bit can be generated.

For consideration, some exemplary embodiments are presented in the environment of a computer system that determines whether the communication contains packets that should not be applied to the controlled device. However, embodiments herein are not limited to the particular examples provided, as will be apparent to those skilled in the art in light of the disclosure herein, other types of equipment and systems, other operating environments, and the like. It can be extended to other system architectures, other applications, etc.

FIG. 1 illustrates an exemplary architecture of a computer system 100 capable of detecting and managing communications that can cause anomalous behavior, according to some embodiments. The system 100 includes at least one service computing device 102 capable of communicating with the device control system 104, such as an OT control system or other control system in which the device is controlled by a computer. For example, the service computing device 102 may be connected by one or more networks 106, which network 106 may include redundant communication lines such as line A and line B. In some examples, one or more networks 106 may include a local area network (LAN), in other examples one or more networks 106 may include a wide area network (WAN) such as the Internet. .. Therefore, one or more networks 106 include optical fibers, Ethernet, wired networks including fiber channels, wireless networks such as cellular networks, local wireless networks such as Wi-Fi, and short-range wireless communications such as BLUETOOTH®. It may include a direct wired connection, or any combination thereof. Thus, one or more networks 106 may include both wired and / or wireless communication technologies. The components used for such communication can depend on the type of network, the environment chosen, or at least a portion of both.

The control system 104 further includes at least one primary control computing device 108 and, in some cases, at least one secondary control computing device 110. In the example shown, the control system 104 is a plurality of pairs of primary and secondary computing devices, namely the first primary control computing device 108 (1) and the first secondary control computing device. These pairs include from the first pair containing 110 (1) to the Nth pair containing the Nth primary control computing device 108 (N) and the Nth secondary control computing device 110 (N). Each can execute the control application 112. Each pair of primary computing devices 108 executes a control application 112 that controls one or more devices 114, such as devices in an OT system or other controlled devices, as listed elsewhere herein. it can. Further, each pair of secondary control computing devices 110 may execute a control application 112 that acts as a redundant fallback system in the event of a failure of the primary control computing device 108.

In the example shown, the first pair of control computing devices 108 (1) and 110 (1) execute the control application 112 and perform three devices, namely device A114 (a), device B114 (b), It controls the device C114 (c). Further, the Nth pair of control computing devices 108 (N) and 110 (N) execute the control application 112 to execute three devices (that is, device D114 (d), device E114 (e), and device F114 (that is, device F114 (e)). f)) is controlled. In this example, each device 114 includes a process manager 116 and one or more machines such as a first machine 118 and a second machine 120. Thus, equipment A114 (a) may include process manager 116 (a), first machine 118 (a) and second machine 120 (a), and equipment B114 (b) may include process manager 116 (b). b), the first machine 118 (b) and the second machine 120 (b) may be included, and the equipment C114 (c) is the process manager 116 (c), the first machine 118 (c) and the first. 2. Machine 120 (c) may be included, and equipment D114 (d) may include process manager 116 (d), first machine 118 (d) and second machine 120 (d). Equipment E114 (e) may include a process manager 116 (e), a first machine 118 (e) and a second machine 120 (e), and equipment F114 (f) may include process manager 116 (f). , The first machine 118 (f) and the second machine 120 (f) may be included. The process manager 116 may be a computing device (embedded processor, logic circuit, other processing device, etc.) that receives a command from the control application 112 and controls the machine of each device 114. Alternatively, in another example, the process manager 116 may not be included and the control application 112 may communicate directly with the respective machines 118, 120, such as by directly transmitting control signals.

Further, the control system 104 may include one or more human-machine interface (HMI) computing devices 124 that may be used by a person such as an administrator, system manager, or other user. The HMI computing device 124 may execute a management application (such as a management program 126) for monitoring and / or managing the control system 104 and related equipment 114. Thus, the HMI computing device 124, the primary control computing device 108, the secondary control computing device 110, and in some examples the service computing device 102, may use a wired connection, a wireless connection, or a combination thereof. Communication is possible via one or more networks 106. Further, in some examples, the primary control computing device 108 and the secondary control computing device 110 may be via one or more networks 106, or one or more other networks, separate LANs, direct connections, etc. Can communicate with the device 114 via. Further, an example of the control system 104 is shown in the example of FIG. 1, but a number of alternative configurations and variations will be apparent to those skilled in the art who will benefit from the disclosure herein. Therefore, embodiments herein are not limited to any particular configuration of control system 104.

In some embodiments, the service computing device 102 may include one or more servers, personal computers, or other types of computing devices that can be implemented in any number of ways. For example, in the case of servers, programs, other functional elements, and at least a portion of the data storage mechanism can be implemented on at least one server, such as a stand-alone server, a cluster of servers, a server farm or data center, or a cloud host computer service. However, other computer architectures may be used as additions or alternatives.

In the example shown, the service computing device 102 may include or be associated with one or more processors 130, one or more communication interfaces 132, and one or more computer-readable media 134. Each processor 130 may be a single processing unit or several processing units and may include a single or multiple computing units or a plurality of processing cores. Processor 130 can be implemented as any device that processes signals based on one or more central processing units, microprocessors, microcontrollers, microcontrollers, digital signal processors, state machines, logic circuits, and / or operational instructions. .. For example, the processor 130 may be one or more hardware processors and / or logic circuits of any suitable type specifically programmed or configured to perform the algorithms and processes described herein. Processor 130 may be configured to fetch and execute computer-readable instructions stored on a computer-readable medium 134, which instructions can program processor 130 to perform the functions described herein. ..

The computer-readable medium 134 is a volatile and non-volatile memory and / or removable and non-removable realized by any type of technology for storing information such as computer-readable instructions, data structures, program modules or other data. Can include media. For example, the computer readable medium 134 includes RAM, ROM, EEPROM, flash memory or other memory technology, optical storage, solid state storage, magnetic tape, magnetic disk storage, RAID storage system, object storage system, storage array, network connection storage. , Storage area networks, cloud storage, or other media that can be used to store desired information and can be accessed by computing devices, including but not limited to. Due to the configuration of the service computing device 102, the computer-readable medium 134 is tangible in that, when referred to, the non-transitory computer-readable medium excludes media such as energy, carrier signals, electromagnetic waves and / or the signal itself. It may be a non-temporary medium. In some cases, the computer-readable medium 134 may be in the same position as the service computing device 102, but in another example, the computer-readable medium 134 may be partially separated from the service computing device 102.

The computer-readable medium 134 can be used to store any number of functional elements that can be executed by the processor 130. In many embodiments, these functional elements are executable by the processor 130, and when executed, an execution instruction and an execution instruction that programs the processor 130 to perform an action by the service computing device 102 specifically herein. / Or includes a program. The functional elements stored on the computer-readable medium 134 may include the security program 136. The security program 136 may include one or more computer programs, computer-readable instructions, executable code, or a portion thereof that can be executed to cause the processor 130 to perform various tasks as described herein. In the example shown, the security program 136 includes or includes a model building program 138 that can be called to generate and train one or more machine learning models 140 using the training data 142. You can access it. In addition, the security program 136 can be further executed to generate the simulator GUI 146 and / or the time series data data structure (DS) 148, as will be further discussed later.

The model building program 138 may be an executable module of the security program 136 or a part thereof. Alternatively, in another example, the model building program 138 may be a separately executable stand-alone computer program that can be called by the security program 136. The model building program 138 is one or more processors to build and train at least one machine learning model 140 used to recognize packets that can cause anomalous operation of equipment 114 such as machines 118, 120 or process manager 116. 130 can be configured. The security program 136 can then apply the trained machine learning model 140 to the newly received packet to determine whether the packet corresponds to normal or abnormal operating conditions.

Further, the functional elements in the computer-readable medium 134 may include an operating system (not shown in FIG. 1) capable of controlling and managing various functions of the service computing device 102. In some cases, functional elements may be stored in the storage portion of the computer-readable medium 134, loaded into the local memory portion of the computer-readable medium 134, and executed by one or more processors 130. Numerous other software and / or hardware configurations will be apparent to those skilled in the art who will benefit from the disclosure herein.

In addition, the computer-readable medium 134 may store data and data structures used to perform the functions and services described herein. For example, the computer-readable medium 134 can store one or more machine learning models 140 and can also store training data 142 used to train the machine learning model 140. As will be further discussed later, additional data and data structures that can be stored on the computer-readable medium 134 include time series data DS148, recognition result DS150, pattern DS152, and variable field DS154. Further, the computer-readable medium 134 can store the state transition information related to the device 114 in the state transition information DS158. The state transition information may include domain information associated with the device 114 and an operating environment for the device 114 that can be used to determine whether the recognition result 150 corresponds to a normal state or an abnormal state.

The machine learning model 140 can be used by the security program 136 to determine if one or more received packets can cause anomalous operation of the device 114. Examples of machine learning model 140 may include classification models such as random forests, support vector machines, or deep learning networks such as convolutional neural networks. Additional examples of machine learning model 140 include regression models such as predictive models, decision trees, linear regression models, probabilistic models such as Markov models and hidden Markov models, artificial neural networks such as recursive neural networks, and the like. sell. Therefore, embodiments herein are not limited to specific types of machine learning models.

The service computing device 102 may further include or be associated with one or more display devices 160. For example, the security program 136 may generate a simulator GUI 146 for presenting pattern information on the display device 160. Further, the security program 136 may generate a dashboard GUI 162 on the display device 160 for presenting the recognition result and the information related to any identified anomalous packet. The service computing device 102 may also include or maintain other functional elements and data that may include programs, drivers, etc., as well as data that is used or generated by the functional elements. Further, the service computing device 102 can include many other logical, program, and physical components, each of which is merely an example related to the discussion herein.

The communication interface 132 may include one or more interfaces and hardware components to allow communication with various other devices via one or more networks 106 and the like. Thus, the communication interface 132 may include one or more ports that provide connectivity to the network 106 and may be coupled to those ports. For example, the communication interface 132 includes LAN (local area network), WAN (wide area network), Internet, cable network, cellular network, wireless network (for example, Wi-Fi) and wired network (for example, optical fiber, Ethernet, fiber channel). ), Direct connection, and short-range wireless communication such as BLUETOOTH®, as listed below.

Further, the HMI computing device 124, the primary control computing device 108, the secondary control computing device 110, and in some cases the process manager 116 may include configurations and hardware similar to those described above, but in a management program. There are no various functional elements such as 126, control application 112 and various data. For example, in some cases, the HMI computing device 124 is over a network, including a server computing device, a desktop computing device, a laptop computing device, a tablet computing device, a smartphone computing device, a wearable computing device, and the like. It can be any type of computing device that can communicate.

In some examples, the management program 126 running on the HMI computing device 124 may monitor the operating state of the device 114 controlled by the control computing devices 108, 110. For example, the control application 112 controls, for example, a cycling monitoring packet (cyclic packet) 170 including a set value and a state value of the device 114 from the control computing devices 108 and 110 via the line A and the line B, respectively. It may be configured to periodically transmit from the computing devices 108 and 110 to the HMI computing device 124, respectively. In some examples, the cyclic packet 170 may be periodically transmitted at regular intervals. Therefore, the management program 126 on the HMI computing device 124 receives the cyclic packet 170 and presents the information from the cyclic packet 170 on the display device (not shown in FIG. 1) to present the information from the cyclic packet 170 on the HMI computing device 124. Can be used to monitor the status of equipment 114 and control computing device 108 and / or 110.

In some examples, the primary control computing device 108 and the secondary control computing device 110 may each have their own IP address used to communicate with the HMI computing device 124. When the primary control computing device 108 is operating normally, the cyclic packet 170 received by the HMI computing device 124 from the secondary control computing device 110 may be discarded. On the other hand, if the primary control computing device 108 is malfunctioning or has some other type of failure, the HMI computing device 124 may switch to use the IP address of the secondary control computing device 110 for communication, etc. , Switches to receive the cyclic packet 170 from the secondary control computing device 110. Further, in such a situation, the secondary control computing device 110 may take over the control of the device 114 controlled by the primary control computing device 108, and the cyclic packet 170 is sent to each HMI computing device 124. It may continue to be transmitted periodically.

Further, in the management program 126, the operator issues an instruction to the primary control computing device 108 (or the secondary control computing device 110 when the primary control computing device 108 is blocked) by the sequential operation packet (sequential packet) 172. Can be used to manually control equipment 114, such as by allowing transmission to. For example, the sequential packet 172 may include instructions for setting or changing the operating values of one or more target devices 114, such as one of the machines 118 and 120. The control computing device 108 or 110 may receive and read the sequential packet 172 and then transmit the corresponding control signal to the target device 114 to change the behavior of the target device 114.

The security program 136 executed on the service computing device 102 may receive packet data 176 from the line A and the line B by mirroring the communication data from both the line A and the line B or by various other techniques. .. In some cases, the received packet data 176 may include both cyclic packet 170 and sequential packet 172. As described above, the cyclic packet 170 used for monitoring the set value and the state value of the device 114 controlled by the control computing devices 108 and 110 is, for example, at regular intervals via the line A and the line B. Can be transmitted periodically at. As an example, the security program 136 can receive the first packet arriving from either line A or line B and discard the packet arriving later from either line A or line B. Further, the sequential packet 172 instructing the setting of the set value of the target device 114 may be transmitted via either the line A or the line B. Therefore, the security program 136 can receive and inspect all sequential packets 172 arriving by both line A and line B.

As mentioned above, when the security program 136 receives the packet data 176, the security program 136 generates a data representation from the packet data 176 and uses the machine learning model 140 to make one of the packets anomalous the device 114. You can decide if there is a possibility of responding to the operation. Details of the process executed by the security program 136 will be described later with reference to FIG. 2, for example. Information about the packet pattern corresponding to the abnormal operation of the control system 104 can be instructed and / or updated by the simulator GUI 146. Further, the result determined by the security program 136 may be shown on the dashboard GUI 162 on the display device 160.

Further, in some examples, the security program 136 may perform one or more actions or other actions based on the analysis result of the packet data 176. In some examples, if the security program 136 determines that a packet can cause anomalous operation of the device 114, the security program 136 communicates information to the HMI computing device 124 to provide a management program. The modification instruction may be sent to 126 as additional sequential packets 172 to the affected control computing devices 108,110. As another example, if the security program 136 determines that a packet can cause anomalous operation of the device 114, the security program 136 communicates directly with the control computing devices 108, 110 and the control computing device. Can be modified to correct abnormal operation by changing one or more operating parameters of the device. Further, in this example, the service computing device 102 is shown to be a computing device separate from the HMI computing device 124, but in another example, the service computing device 102 is an HMI computing device. The same computing device as device 124 may be used, and therefore the security functions described herein can be performed by HMI computing device 124.

FIGS. 2, 5 and 12 include flow diagrams illustrating exemplary processes according to some embodiments. A process is shown in a logical flow diagram as a set of blocks representing a series of operations, some or all of which can be implemented in hardware, software, or a combination thereof. In a software shunt, a block may represent a computer execution instruction stored on one or more computer-readable media that, when executed by one or more processors, programs the processor to perform the listed operations. In general, computer execution instructions include routines, programs, objects, components, data structures, etc. that perform a particular function or implement a particular data type. The order in which the blocks are shown should not be construed as a limitation. Any number of indicated blocks may be combined in any order and / or in parallel with the execution of the process or alternative process, and not all blocks may necessarily be executed. For consideration, the process is referred to with respect to the environments, frameworks and systems set forth in the examples herein, but the process can be performed in a wide variety of other environments, frameworks and systems.

FIG. 2 is a flow chart illustrating an exemplary process 200 for detecting packets corresponding to abnormal operation of equipment according to some embodiments. Process 200 may be executed, at least in part, by a security program 136 running on service computing device 102 or other suitable computing device.

At 202, the security program receives packet data 176 from the control system 104. As mentioned above, the packet data 176 can be mirrored from the control system 104 to the service computing device 102. The formats of cyclic packets and sequential packets received by the security program 136 from the control system 104 will be further described later with reference to FIG. As mentioned above, the security program may discard cyclic packets received from the secondary control computing device when the primary control computing device is operating normally.

At 204, the security program can generate a time series data block from the received packet data as a data representation of the received packet data. The process of generating time series data blocks will be further described later. In some examples, the security program 136 can access the variable field data structure 154 to determine the placement of pixels and the like when generating time series data blocks, as described below.

At 206, the security program may store the time series data blocks in the time series data DS148 and provide the time series data blocks for recognition.

At 208, the security program can use the machine learning model 140 to recognize patterns in the received time series data blocks. For example, the security program 136 classifies the pattern of the time series data block so as to correspond to the pattern indicating the normal or abnormal operation of the control system, so that the machine learning model 140 for recognizing the pattern of the communication data by deep learning. Can be used. In some cases, recognition may include associating a time series data block with a particular pattern number from a plurality of patterns included in pattern DS152.

At 210, the security program can modify the pattern recognition results by using the pattern recognition time series results. For example, if the pattern has to be changed from A to B and from B to C according to field experience, and the recognition pattern is changed from A to D and from D to C, then the pattern of D is C. Is modified to.

At 212, the security program may store time series data blocks in training data 142 along with related pattern numbers and results (or modification results). By adding this information to the training data 142, the training data is constantly updated and the machine learning model 140 can be periodically retrained and updated.

At 214, the security program may store the recognition result in the recognition result data structure 150.

At 216, the security program may determine whether the operation corresponding to the received packet data 176 is harmful or can result in anomalous operation of the device. For example, the security program 136 may apply a set of logical rules for comparing the recognition result with the state transition information in the state transition information DS158 and determining whether the operation is malicious, harmful, or abnormal. .. For example, the state transition information is based on the knowledge of the device and the environment in which the device operates, and may include the state transition information of the recognition pattern.

At 218, the security program can generate and present the dashboard GUI 162 from the recognition results, from the determination as to whether the operation is harmful or abnormal, and from the pattern information obtained from the pattern data structure 152.

At 220, the security program may optionally receive one or more changes via the dashboard GUI 162. For example, the user may determine that the result classified as anomalous is actually normal or vice versa. Thus, the user may change the normal or abnormal symbol in the dashboard and the security program 136 may update the pattern DS152 accordingly.

At 222, the security program can generate the simulator GUI 148 in response to a user instruction or the like. As will be further described later, the simulator GUI 148 may include pattern data from the pattern data structure 152. As shown in 224, the user can change the pattern data, such as by adding a pattern to the pattern DS.

At 224, the security program may receive the additional pattern received via the simulator GUI 148 and store the additional pattern in the pattern DS.

At 226, the security program may generate simulated time series data blocks using the patterns in pattern DS152. For example, the newly received pattern can be used to generate a time series data block similar to the one generated based on the received packet data 176. The security program 136 can access the variable field DS154 when constructing the simulated time series data block to determine the pixel position and the like. Simulated time series data blocks and related pattern numbers from pattern DS152 can be added to training data 142.

At 228, in some examples, based on the recognition results of conventional recognition techniques such as clustering and differential extraction to classify images, the security program adds pattern numbers to the time series data blocks in the time series data DS148. Then, a time series data block having a pattern number can be generated. The time series data block with the pattern number can be added to the training data 142 which will be used later as part of the training data 142 which updates the machine learning model 140.

At 230, the security program 136 may periodically call the model building program to train and / or update the machine learning model 140. For example, when new training data 142 is accumulated, the model building program can be used cyclically to retrain the machine learning model 140 with more recent training data 142.

FIG. 3A shows an exemplary format 300 of cyclic packet 170 according to some embodiments. As mentioned above, the cyclic packet 170 can be used to monitor machine state and set values, as well as process manager signals controlled by a control computing device. The cyclic packet 170 has a SIP 302 representing a source IP address (for example, the IP address of each control computing device), a DIP 304 representing a destination IP address (for example, the IP address of the HMI computing device), and a source port number. Includes a Sport 306 representing, a DPort 308 representing a destination port number, and a command name 309.

Further, the cyclic packet 170 may be one or more such as a first machine 310, a second machine 312 ..., a third machine 314, and a first process manager 316, ..., a third process manager 318. Contains control information for the machine and one or more process managers. The information provided for each machine may include a state value 320, a first set value 322, a second set value 324 and a third set value 326. Further, the information provided for each process manager may include a first signal 330, a second signal 332 and a third signal 334. Further, although exemplary packet formats and information are provided with respect to FIG. 3A, a number of other variations will be apparent to those skilled in the art who will benefit from the disclosure herein.

FIG. 3B shows an exemplary format 350 of sequential packet 172 according to some embodiments. As mentioned above, the sequential packet 172 can be used to set the value of the machine in the device. Sequential packet 172 includes, in this example, control information that can be transmitted to one of the control computing devices that control the device, for example, to set values for machine settings and / or process manager signal settings. The sequential packet 172 represents a SIP 302 representing a source IP address (for example, an IP address of an HMI computing device), a DIP 304 representing a destination IP address (for example, an IP address of each control computing device), and a source port number. Includes Sport 306, DPort 308 representing destination port number, and command name 305.

Further, the sequential packet 172 may include a write / read instruction 352 that directs the write or read to be performed. Further, the sequential packet 172 may include a machine indicator 354 indicating which machine in the device the value should be written to or read, a set value number 356 representing the set value number, and a set value 358 indicating the new value. Further, the sequential packet 172 represents a process manager indicator 360, a signal number (eg, 1, 2, or 3 in some examples) indicating to which process manager of the device the signal value should be written or read. It may include signal number 362 and signal value 364 representing the signal value applied to the process manager.

FIG. 4 shows an exemplary time series data block 400 as a data representation according to some embodiments. In some examples, the time series data block 400 uses packet data received by the security program from the control system 104 as described above with respect to FIGS. 1 and 2 to provide security program 136 (not shown in FIG. 4). Is a data representation generated by. For example, a security program can create a time series data block 400 using set values, state values, and operation data extracted from cyclic packet 170, which can be created by each control computing device at each device 114 ( The state values and set values applied to (not shown in FIG. 4) can be shown. In addition, the security program can use sequential packets 172 to create a time series data block 400, which is a value applied by the control computing device to the machine or process manager in each device. Can be shown. In some examples, the security program may generate the time series data block 400 according to the placement information shown in the variable field data structure 154 described above with respect to FIGS. 1 and 2 and further described below with respect to FIG.

In the example shown, the security program generates a time series data block 400 from the received packet information as image data 402 composed of a plurality of pixels. Therefore, in this example, the time series data block 400 is an image representing received packet information. This image can be used in the recognition process described above with respect to FIGS. 1 and 2. In an alternative example, the received packet data can be represented as a matrix as a time series data block 400, as will be further described later. For example, an image has a height of 1D, a width of 2D, RGB colors represented as a 3D matrix, and a size limited to 3. In some cases, the matrix can have an unlimited size in the third dimension. Other variations will be apparent to those skilled in the art who will benefit from the disclosure herein.

In the time-series data block 400 of FIG. 4, the image data 402 shows older data toward the lower 404 of the time-series data block 400 and newer data at the upper 406 of the time-series data block 400. This order may be reversed in other examples, or, as an alternative, the information may be represented in chronological order horizontally rather than vertically. Further, as shown by 408, the time series data block 400 is vertically divided into a plurality of time intervals corresponding to 1 pixel each, and the vertical interval of 1 pixel represents one cycle.

The time-series data block 400 includes, for example, a first pixel band 410 representing the time-series data of the state values corresponding to the state values 320 described above with respect to FIG. Further, the second pixel band 412 may represent the time series data of the set value 1322 of FIG. 3, and the third pixel band 414 may represent the time series data of the set value 2324 of FIG. Further, pixel 420 and pixel 422 represent the arrival of a sequential packet that manipulates the setting value 2, and pixel 424 and pixel 426 represent the arrival of a sequential packet that manipulates the setting value 1. For each arrival pixel, a transition 430 may be represented on the corresponding pixel band. The pixel bands 410, 412 and 414, which represent the time series data of the state values and the set values 1 and 2, can have a width of 1 pixel or more, respectively, and in some examples, they may be colored and extracted from the packet. It may have other graphical effects or patterns that correspond to the values given. As an example, the widths of pixel bands 410, 421 and 414 can correspond to the bit widths of state values and set values 1 and 2, respectively. In this example, the set value 3326 and / or the pixel bands of signals 1-3 330 to 334 in FIG. 3 are not included in the time series data block 400, but in other examples packets containing such parameters Included if received.

As mentioned above, for example, with respect to FIG. 2, the security program attaches a pattern number to the time series data block 400, and the time series data block 400 having the added pattern number is used to train the machine learning model. Can be stored as part of the training data used by the model building program. The security program can use the time series data block 400 as an input to the machine learning model to recognize the patterns in the time series data block 400. As an example, the machine learning model may be based on other types of machine learning models, as listed above, but may also be based on deep learning algorithms such as CNN (Convolutional Neural Network).

By recognizing patterns within the time series data block 400 using machine learning models, security programs can recognize patterns of communication data by analyzing packets of non-standardized protocols transmitted within control system 104. .. In some examples, the security program may limit the time for recognizing a pattern to include a pixel in which each time series data block 400 represents the arrival of sequential packet 172. Further, the security program outputs a machine learning model that classifies communication data so as to correspond to the normal or abnormal operation of the device by comparing the recognition result with the defined normal or abnormal operation information in the pattern data structure 152. Based on, the dashboard GUI can be presented with the classification information.

FIG. 5 is a flow diagram illustrating an exemplary process 500 for generating time series data blocks in some embodiments. In some examples, process 500 is one of service computing device 102 or other suitable computing device by executing security program 136 to perform at least some of the operations shown in process 500. It can be executed by the above processors.

At 502, the security program may receive packets from the control system 104, eg, as described above with respect to FIGS. 1 and 2.

At 504, the security program can determine whether the received packet is a cyclic packet or a sequential packet. If the packet is a cyclic packet, the process goes to 506, otherwise the process goes to 514.

At 506, the security program may determine if the cyclic packet is a new cyclic packet. For example, when a packet is a cyclic packet, the packet can consist of multiple packets. Therefore, the security program can determine if a packet of a particular cycle is new. If new, the process proceeds to 508, otherwise the process omits 508.

At 508, the security program may add one row (corresponding to one cycle, i.e., time interval) to the bottom of the time series data block.

At 510, the security program can extract variable fields from the payload of the packet.

At 512, the security program specified the extracted values in a preset field in the top row of the time-series data block (eg, column 910 in the variable field DS154 described below with respect to FIG. 9) with reference to the variable field DS154. Can be added to). For example, the variable field DS154 may indicate the location of a packet field that must be extracted as a set or state value.

If 514 determines that the packet is a sequential packet of 504, the security program can extract the field of action target from the payload of the packet. For example, this can be determined based on the destination IP address (DIP304) as described above with respect to FIG. 3B.

At 516, the security program can add the arrival notification to the preset field in the top row of the time series data structure, and at the same time, refer to the variable field data structure to determine the position of the packet field to be extracted as a set value or state value. it can.

At 518, when the number of rows in the time series data block exceeds the threshold value, the time series data is stored in the time series data DS148, and the bottom row of the time series data is deleted. When adding one row to the time series data block 401 in step 1104, the time series data block generator 101 may duplicate the current top row of the time series data block 401 as the new top row. If the time series data block generator 101 does not receive a packet, the data in the previous row is used as the data in the new row.

FIG. 6A shows exemplary time series data 600 according to some embodiments. The example of FIG. 6A is a diagram showing an example of generating one vertical interval (that is, one cycle) on the pixel bands 410 to 414 of FIG. 4, and the pixel bands 410 to 414 are the time series data of FIG. 4, respectively. It represents the time series data of the state value 320, the set value 1 322, and the set value 2 324 in the block 400. For example, one pixel of full-color image data typically has 8-bit data for each of the red, green, and blue colors in the case of a total of 24-bit color data. Further, one pixel of grayscale image data may typically have 8-bit data representing luminance. The time-series data block 400 has a plurality of pixels in the pixel bands 410 to 414 of FIG. 4 in order to represent one vertical interval of the state value 320, the set value 1 and the set value 2 so as to have a width exceeding 8 bits, respectively. Can include one vertical spacing.

FIG. 6A shows the state value 320, by dividing the state value and the set value exceeding 8 bits into the value of the upper bit and the value of the lower bit and generating a time series data block representing the value of the upper bit multiplied by the constant value. An example of a technique for expressing the set value 1 322 and the set value 2 324 so as to have a width exceeding 8 bits is shown. In this example, the initial value extracted from the packet is divided into two values including the high-order bit 602 and the low-order 8-bit 604. The value of the high-order bit 602 can be emphasized by multiplying it by a constant value (eg, 8 in this example) to generate the value of the high-order bit 606. The multiplication high-order bit 606 is combined with the value of the low-order bit 604 to generate a plurality of pixels 608.

FIG. 6B shows Example 620 generating time series data according to some embodiments. In the example of FIG. 6A, the technique shown is to characterize because the values of both the low-order bit and the high-order bit can be small when the value is carried from the value of the low-order bit to the value of the high-order bit. It may not be enough. Therefore, to articulate the features, some examples herein may include the process of adding pixels that represent the carry or magnitude relationship between the value of the high-order bits and the value of the low-order bits. The process of FIG. 6B first involves splitting the state values 320 over 8 bits and the set values 322 and 324 into different values for the lower 8 bits 622 and the upper bits 624. Pixels 626 representing the values of the lower 8 bits 622 can then be generated directly. Further, when the value of the high-order bit 624 is larger than zero, the pixel 628 representing the carry may be generated by reaching the maximum value (0xFF), and when the value of the high-order bit is larger than the constant value, the value of the high-order bit May be multiplied by a constant value (ie, 32 in this example) to generate pixels 630, 632 and 634 representing the magnitude relationship. Finally, this process combines these pixels into multiple pixel data 640. The security program can then generate pixel bands 410, 412 and 414, which are represented as the width of multiple pixels. Therefore, the security program can emphasize the characteristics of the time series data block 400 generated using the above process in order to improve the accuracy of pattern recognition.

FIG. 7A shows an exemplary time series data block 700 according to some embodiments. The example of FIG. 7A includes an alternative process that emphasizes features within the time series data block 700. This example can emphasize the initial and final values of the state values 320 and / or the set values 322 and 324. In this example, the time series data block 700 includes a pixel band 702 representing the time series setting value 1 and a pixel band 704 representing the time series setting value 2. In this case, the time series data block 700 includes a pixel 706 representing the initial value of the set value 1 and a pixel 708 representing the initial value of the set value 2. Further, the time series data block 700 includes a pixel 710 representing the final value of the set value 1 and a pixel 712 representing the final value of the set value 2. Therefore, the time series data block 700 emphasizes the initial and final values of the state values 320 and / or the set values 322 and 324.

FIG. 7B shows an exemplary data block 720 according to some embodiments. The example of FIG. 7B includes an alternative process of highlighting features using different channel data such as state values and RGB color data for each of the set values 1 and 2. In this example, the time series data block 720 has three types of data, such as RGB (red, green, blue), as the three channels of data for each pixel. The time series data block 720 uses different combinations of channels for different types of data to represent pixel bands. For example, the time-series data block 720 includes a pixel band 722 representing a time-series state value, a pixel band 724 representing a time-series setting value 1, and a pixel band 726 representing a time-series setting value 2. In this case, the pixel band 722 representing the time series state value uses the color channel 1 (eg red), and the pixel band 724 representing the time series setting value 1 uses the color channels 2 and 3 (eg green, blue). The pixel band 726 representing the time series setting value 2 may use the color channel 2 (eg, green). Therefore, the time-series data block 720 emphasizes features by each type of data value, which improves the accuracy of pattern recognition herein.

FIG. 8 shows Example 800 of time series data according to some embodiments. In this example, the security program can generate one vertical (periodic) interval of pixel bands representing the time series data of the state values 320 and the set values 322 and 324 in the time series data block. For example, a time series data block, such as a time series data block 410, represents one vertical (periodic) interval of state values 320 and / or set values 322,324 based on 1 byte of data for each value. For example, the state value 320 and the set values 322 and 324 are represented as 4-bit (eg, 0xC) values, respectively, and as shown in FIG. 8, 0xCC 802 and 0xC0 804 in the payload of the cyclic packet 300. When described as a left-aligned value such as, the left-aligned value can be divided into three values: upper 4-bit 806, middle 4-bit 808, and lower 4-bit 810. Each of these three values is multiplied by a constant value (such as 8 in this example) and can be represented as three 1-byte independent values such as 0xC0 812, 814 and 816, respectively. The security program represents each value less than 8 bits as a 1-byte independent value, and thus the features of the time series data block can be emphasized using the process described above, thereby increasing the accuracy of pattern recognition herein. It will be improved.

FIG. 9 shows an exemplary variable field data structure 154 according to some embodiments. The variable field data structure 154 is used to specify the variable field of the instrument and may represent image data or matrix data. The variable field data structure 154 includes a device identifier 902, a machine 904 included in each device, a process manager 906 included in each device, a value type 908 of each machine and process manager, and each time. It includes a pixel (or column) position 910 from the left side in the series data block and a byte (or packet) position 912 from the left side in the packet payload with each value. For example, the device A 114 (a) includes and controls the machine 118 (a), the machine 120 (a) and the process manager 116 (a). Each machine 118 (a), 120 (a) includes a state value, set values 1 to 4, operating values of set values 1 and 2, and another operating value. Further, the process manager 116 (a) includes signals 1 to 3. Similarly, the device B 114 (b) includes and controls the machine 118 (b), the machine 120 (b) and the process manager 116 (b). Each machine 118 (b) and 120 (b) includes a state value, set values 1 to 4, operating values of set values 1 to 2, and another operating value. Further, the process manager 116 (b) includes signals 1 to 3. Similarly, the device C114 (c) includes and controls the machine 118 (c), the machine 120 (c) and the process manager 116 (c). Each machine 118 (c), 120 (c) includes a state value, set values 1 to 4, operating values of set values 1 to 2, and another operating value. Further, the process manager 116 (c) includes signals 1 to 3.

As mentioned above, column 910 of the variable field data structure 154 indicates a preset field (pixel or column) in the top row of each time series data block. The information in the variable field data structure 154 that specifies the variable field may be modifiable by the simulator GUI described above with respect to FIGS. 1 and 2. With the information contained in the variable field data structure 154, the security program determines the position of the teaching value in each packet, as shown in FIG. 9, and uses the information to specify the variable field for time-series data. You can generate blocks.

FIG. 10 shows an exemplary pattern data structure (DS) 152 according to some embodiments. The example of FIG. 10 shows an exemplary format of pattern DS152, which contains a list of patterns by pattern number 1002 and, as shown by 1004, normal or abnormal information for each of the listed patterns. Further, the pattern DS152 is a state value, set value 1-4, set value 1-2 by each device 114 listed according to the machines 118, 120 or the process manager 116, as shown in each of the listed patterns. Includes operating values of, other operating values and / or actions 1006 of signals 1-3.

Information 1008 in action 1006 may include whether the specified value increases or decreases, the initial value, the final value, the initial and final cycles of change, and / or how the value changes. The information in pattern DS152 can be displayed in the simulator GUI146 described above with respect to FIGS. 1 and 2. Further, the information in the pattern DS152 may be manually modified or added by the user via the simulator GUI and / or automatically created based on the real time series data block. Therefore, the security program allows the user to change the designation of "normal" or "abnormal" 1004 for each pattern 1002 by manually changing the information in the pattern table or file 117 via the simulator GUI. it can. The security program can generate time series data blocks as specified by the pattern information recorded in pattern DS152. Further, the model building program can create the machine learning model 140 based on the combination of training data obtained from the running simulation, the pattern in the pattern data structure 152, and the information obtained from the actual operating environment.

FIG. 11 shows an exemplary dashboard GUI 162 with some embodiments. In the example of FIG. 11, the dashboard GUI 162 includes a first table 1102 displaying currently recognized patterns 1104 and a second table 1106 displaying previously recognized statistical patterns 1108.

The first table 1102, which displays the currently recognized patterns 1104, shows the patterns number 1110 of the currently recognized patterns and the patterns for each of the devices A to C and for each of the corresponding machines 118, 120 and process manager 116. Displays an instruction 1112 as to whether is normal or abnormal. A second table 1106 displaying previously recognized statistical patterns 1108 shows, for each pattern, pattern number 1120, operation pattern and value 1122, normal or abnormal indication 1124, realization number 1126, frequency 1128, recent time. It may include 1130, and the actually detected pattern 1108. The user updates the normal or abnormal indication of a specific pattern by the column 1124 indicating the display of normal or abnormal according to each pattern, and the updated information is reflected in the pattern data structure. Therefore, the dashboard GUI 162 allows the user to manually change normal or abnormal information after execution and display statistical information such as realization values.

FIG. 12 is a flow diagram illustrating an exemplary process 1200 that can be performed by security program 136 according to some embodiments. In the above example, a system that recognizes a pattern using packet data as input data is disclosed. As shown by the example of FIG. 12, the systems and processes herein may use data other than packet data in some examples. FIG. 12 shows a flow of recognizing a pattern using time series data 1202 received from a data source 1204 such as a sensor, a camera, a microphone, a storage device, an information technology device, a meteorological observation device, and a medical record. In this example, block 202 is modified from receiving packet data to receiving data, as generally shown in 1206. In other situations, the process of recognizing anomalous data in FIG. 12 is generally the same as described above with respect to FIG.

The exemplary processes described herein are merely examples of the processes provided for review. Many other modifications will be apparent to those skilled in the art in light of the disclosure herein. Further, the disclosure herein provides some examples of systems, architectures and environments suitable for carrying out the process, but embodiments herein are not limited to the particular examples illustrated and discussed. .. In addition, this disclosure provides various exemplary embodiments as described and shown in the drawings. However, this disclosure is not limited to the embodiments described and illustrated herein, but may be extended to other embodiments as known or known to those of skill in the art.

The various instructions, processes and techniques described herein can be considered in the general context of computer-executed instructions, such as programs stored on computer-readable media and executed by a processor herein. In general, a program includes routines, modules, objects, components, data structures, executable code, etc. for performing a particular task or achieving a particular abstract data type. These programs and the like may be executed as native code, and may be downloaded and executed in a virtual machine or other just-in-time compilation execution environment. Typically, the functionality of the program can be combined or distributed as needed in various embodiments. The realization of these programs and techniques may be stored in a computer storage medium or transmitted by some form of communication medium.

Although the content has been described in a language specific to structural features and / or methodological acts, it should be understood that the content defined in the appended claims is not necessarily limited to the particular features or acts mentioned. More precisely, certain features and actions are disclosed as exemplary forms that realize the claims.

100 System 102 Service Computing Device 106 Line 108 Primary Control Computing Device 110 Secondary Control Computing Device 112 Control Application 114 Equipment 116 Process Manager 124 HMI Computing Device 126 Management Program 130 Processor 132 Communication Interface 134 Computer Readable Media 136 Security Program 138 Model Building Program 140 Machine Learning Model 142 Training Data 146 Simulator GUI
148 Time Series Data DS
150 Recognition result DS
152 pattern DS
154 Variable field DS
158 State transition information DS
160 Display 162 Dashboard GUI
170 Cyclic packet 172 Sequential packet 176 Packet data

Claims (15)

It ’s a system,
With one or more processors
When the execution instruction is executed by the one or more processors, the execution instruction is provided with one or more non-transitory computer-readable media for maintaining the execution instruction.
The operation of receiving packet data from a control system that includes equipment controlled by at least one computing device,
An operation of generating a data representation representing at least one of the state or settings of the device based on the packet data.
An operation of executing the recognition of the data representation to determine whether the packet information indicates a normal state or an abnormal state, and
A system that configures the one or more processors to perform an operation that executes at least one action and an operation that includes the operation based on the determination that the received packet information indicates the abnormal state. The operation further comprises an operation of generating the data representation as an image containing a plurality of pixels, wherein the plurality of pixels.
Device setting values extracted from the packet data, or
The system according to claim 1, which is defined based on at least one of the device state values extracted from the packet data. The system according to claim 1, wherein the data representation is a time-series data block representing packet information of a plurality of packets received from one or more control computing devices in the control system over a period of time. An operation that performs recognition on the data representation compares one or more features of the data representation with one or more features of the plurality of data representations of a previously received packet so that the received packet is in the normal state. The system according to claim 1, further comprising an operation of determining whether to indicate the above-mentioned abnormal state. The above operation further
Including the operation of training a machine learning model based on a plurality of data representations of previously received data packets, the plurality of data representations are associated with either the normal state or the abnormal state.
The system according to claim 1, wherein the operation of performing the recognition on the data representation uses the machine learning model to determine whether the pattern of the data representation indicates the normal state or the abnormal state. The above operation further
Operations that generate multiple simulated data representations based on patterns received through the graphic user interface, and
The system of claim 5, wherein the simulated data representation comprises an operation that includes the simulated data representation along with the plurality of data representations used to train the machine learning model. The above operation further
The operation of memorizing the data representation and the instruction of the identified pattern, and
The system according to claim 1, further comprising an operation that includes the stored data representation together with the plurality of data representations when training the machine learning model. The above operation further
An operation that determines that the received packet data corresponds to a cyclic packet periodically received from one or more device control computing devices.
Based on the determination that the received packet data corresponds to the cyclic packet, the value extracted from the packet data is added to the end of the data representation, and the value extracted from the previously received packet data is added to the data. The system of claim 1, comprising an operation of removing from another end of the expression. The above operation further
An operation that determines that the received packet data corresponds to a sequential packet received from a surveillance computing device in the control system.
The system according to claim 1, comprising an operation of adding an arrival notification of the sequential packet to the data representation. The operation of generating a data representation representing at least one of the state or settings of the device based on the packet data further
An operation of extracting a value exceeding 8 bits corresponding to either the state of the device or the setting.
The operation of dividing the extracted value into the first value of the high-order bit and the second value of the low-order bit,
The operation of multiplying the first value by a constant and
The system of claim 1, comprising the operation of generating the data representation having the multiplied first value and the second value. The above operation further
An operation of presenting a graphical user interface that displays a recognition pattern of the data representation with a normal or abnormal indication associated with the state of the device or at least one of the settings of the device.
An operation of receiving input via the graphical user interface and abnormally changing the normal instruction or normally changing the abnormal instruction.
The system of claim 1, comprising an operation of associating the change with the recognition pattern in the pattern data structure. The system of claim 1, wherein the operation further comprises generating the data representation as a matrix containing a plurality of columns or rows, respectively, corresponding to various values of at least one of the settings or states of the device. .. The operation that executes at least one of the actions is
An operation of transmitting a communication including an instruction of the detected abnormal state to a computing device that monitors the operation of the control system, and
The system according to claim 1, further comprising at least one of an operation of transmitting a control communication for causing the control computing device to change the setting of the device to the control computing device. A step of receiving packet data from a control system, including equipment controlled by at least one computing device, by one or more processors.
A step of generating a data representation that represents at least one of the device states or settings based on the packet data.
A step of performing recognition on the data representation to determine whether the packet information indicates a normal state or an abnormal state.
A method comprising the step of performing at least one action based on the determination that the received packet information indicates the abnormal condition. When an instruction is stored on one or more non-transitory computer-readable media and the instruction is executed by one or more processors.
Receive packet data from a control system that includes equipment controlled by at least one computing device.
Based on the packet data, a data representation representing at least one of the state or settings of the device is generated.
Recognition is performed on the data representation to determine whether the packet information indicates a normal state or an abnormal state.
One or more non-transitory computer-readable media that program the one or more processors in the system to perform at least one action based on the determination that the received packet information indicates the anomalous condition.

Images