RU2749252C1 - Method of determining anomaly sources in a cyber-physical system - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: invention relates to a method and system for determining anomaly sources in a cyber-physical system (CPS). According to the method, the values of the CPS indicators are obtained using a forecasting tool for an input window constituting a time interval and contained within the observation period, wherein the input window is determined by the trained forecasting model, wherein the CPS indicators are numerical characteristics of control subjects; by the forecasting tool, using the trained forecasting model and according to the data on the obtained values of the SPC indicators for the input window, the values of the SPC indicators are forecasted for the forecast window constituting a time interval and contained within the observation period; using an anomaly determination tool for the forecast window the total forecast error is determined for the CPS indicators; using the anomaly determination tool, if the total forecast error exceeds the total error threshold, an anomaly in the CPS is determined; using the anomaly determination tool, at least one CPS indicator constituting the source of the anomaly is determined, if the contribution of the forecast error of said at least one CPS indicator to the total forecast error is higher than the contribution of at least one other CPS indicator to the total forecast error.

EFFECT: technical result is determination of anomaly sources in a cyber-physical system.

11 cl, 21 dwg

Description

Technology area

The invention relates to the field of computer security, and more specifically to systems and methods for determining the sources of anomalies in a cyber-physical system.

State of the art

One of the urgent problems of industrial safety is the problem of the safe functioning of technological processes (TP). For example, TP in the petrochemical industry are characterized by a high degree of production hazard, since they operate with flammable and explosive liquids and gases at high temperatures and pressures. The main threats to such TP include unintentional errors or malicious actions in operational management, wear and tear of equipment and units, computer attacks on control systems and information systems, etc.

To counteract these threats, security systems of cyber-physical systems (CPS) are used, for example, production facilities and enterprises. The construction of such systems is traditionally carried out in several stages. When designing an enterprise, an emergency protection system (ESD) is built, which is then integrated with an automated process control system (APCS), but allows manual control. The disadvantages of the ESD system can be attributed to the sufficient inertia of the processes and the presence of the human factor in decision-making. In addition, the ESD operates on the assumption of the correct functioning of instrumentation (instrumentation). In practice, it is not possible to ensure the implementation of the failure-free operation of the instrumentation in full, since the instrumentation periodically fails, tends to temporary failures, and the duplication of all instrumentation is extremely costly and not always technically possible.

Monitoring of individual units, equipment, instrumentation, control loops, etc. can be attributed to the method of controlling the correctness of TP. self-diagnostic systems built into them. In the event of a detected failure, such systems send a signal to the TP operator and, as a rule, involve manual intervention in one or another unit. Despite the obvious advantages of such systems, for example, taking into account the specifics of the functioning of a particular unit, development by an equipment supplier, etc., there are a number of obvious disadvantages. The latter include the aforementioned instrumentation problems, on which separate self-control systems are built. Another drawback of such systems is their locality and isolation from monitoring processes in their entirety. In other words, each of these systems "sees" the process only within the framework of the equipment or unit to which it is attached, without logical and physical correlation between interconnected units and installations. As a result, the detection of one or another anomaly in the technological process often occurs already at the stage of its transition into a state of threat of the correct functioning of one or another equipment and requires an immediate response. In addition, in some cases, such systems, due to the physical features of the instrumentation (for example, waxing of the level gauge with heavy oil products) have a tendency to multiple false alarms, which leads to their forced shutdown by personnel.

It should be noted another traditional method of non-destructive testing of equipment and processes of technological systems (TS), which consists in installing additional control systems external to the equipment and APCS. In fact, with this method of control, a parallel infrastructure is built, including instrumentation, communication lines, data collection and processing servers, etc. Such systems can be integrated with existing APCS and ESD systems, or remain external to them. Despite the obvious advantages of such systems as duplication of diagnostic instrumentation, highly specialized and effective diagnostic methods, practically unlimited capacities for processing diagnostic information, etc., their main disadvantage is the high cost and complexity, and sometimes the impossibility of deployment in real production.

Similar problems are relevant for all cyber-physical systems (CPS) containing sensors and actuators - both for the previously described technological processes that are part of the TS, and for the Internet of things and, in particular, for the industrial Internet of things. For example, due to computer attacks, IoT sensors provide incorrect values, as a result of which IoT computer devices function incorrectly, which can lead to problems such as increased electricity consumption, unauthorized access to information, etc.

A technical problem arises, which consists in creating a system for determining anomalies in a cyber-physical system (CPS), which has certain characteristics, in which the time elapsed from the moment the anomaly appeared in the CPS to the moment of its detection is lower than that of existing analogs.

One of the analogs is the technology proposed in the application US 20140189860, which describes methods for detecting computer attacks by detecting deviations in the functioning of the system from the norm, where various methods are used to detect deviations, and vectors of computer attacks are also determined. Methods of distinguishing anomalies from "noises" causing deviations in a particular case by setting threshold values are also described. However, this technology does not solve the stated technical problem.

Disclosure of the essence of the invention

The first technical result is the implementation of the destination.

The second technical result consists in reducing the type II error when detecting anomalies in the CPS.

According to an embodiment, the method of anomaly sources in a cyber-physical system (CPS) is used, in which: using the forecasting tool, the values of the CPS features are obtained for the input window, which is a time interval and contained within the observation period, while the input window is determined by the trained forecasting model, when this, the signs of CPS are the numerical characteristics of control subjects; using the forecasting tool using the trained forecasting model and, according to the obtained values of the FSC attributes, for the input window, predicting the values of the FSC attributes to the forecast window, which is a time interval and is contained within the observation period; using the means for determining anomalies for the forecast window, determine the general forecast error for the attributes of the CPS; using the means for determining anomalies when the total forecast error exceeds the total error threshold, the anomaly in the CPS is determined; using the means for determining the anomalies, at least one indicator of the CPS is determined, which is the source of the anomaly, if the contribution of the forecast error of the mentioned at least one indicator of the CPS to the total forecast error is higher than the contribution of at least one other indicator of the CPS to the total forecast error.

According to one particular embodiment, if the values of the FSC features arrive in real time, the total forecast error is determined for the forecast window after a time equal to the sum of the forecast horizon and the input window.

According to another particular embodiment, if the values of the FSC features are contained in the initial sample for the historical observation period, the total forecast error is determined for the forecast window based on the data of the initial sample for the historical observation period.

According to another particular embodiment, the cyber-physical system has at least one of the following characteristics: the industry in which the cyber-physical system operates; types of processes that describe the parameters of the CPS, in particular, one of: continuous, conveyor, cyclic; the presence of seasonality and / or trends in the signs of the FSC; inertness of FSC processes; the time of the FSC reaction to changes in the FSC and in the external environment; the level of danger of production for personnel and the environment; the cost of downtime of technological processes due to abnormal situations; type of control, in particular, performed using PID controllers, state machines or a combined method; the type of the subject of control, which is characterized by at least one feature, while the type of the subject of control is one of: a sensor, an actuator, or a PID controller; self-diagnostics data of FSC; the state of the subject of management: working or non-working; interconnection of control subjects at the level of the technical process.

According to one of the particular embodiments, when calculating the total forecast error, the errors of each CPS feature are used, which determine the contribution of the forecast error of the mentioned at least one CPS feature to the total forecast error, and for the mentioned errors of each CPS feature, weighting coefficients are used, while: assigned using teaching means a low value of the weighting factor for the feature, if the subject of management, characterized by this feature, provides data with noisy, or invalid data, or is periodically disabled by the user of the FSC; using the teaching tool, a low value is assigned to the weighting factor for a feature in which the occurrence of an anomaly does not affect the operation of the FSC, and a high value to the weighting factor for the feature in which the occurrence of an anomaly affects the operation of the FSC.

According to another particular embodiment, the value of the weighting coefficient of the feature is selected using the learning tool, which depends on the accuracy of predicting the features of the CPS.

According to another of the particular implementations, a neural network is used in the forecasting model.

According to one particular implementation, the neural network is optimized using genetic algorithms.

According to another particular embodiment, a neural network is selected based on the data of the labeled initial sample, using one of the quality metrics: NAB-metric, F1-metric.

According to another particular embodiment, the technical documentation of the FSC or the user's report on the anomalies previously detected by the trained system is obtained, while the weight of the feature is selected using the training tool, depending on the significance of the specified feature and on the basis of the technical documentation of the FSC or the user's report.

According to an embodiment, a system for determining the sources of anomaly in a cyber-physical system (CPS) is used, comprising: a forecasting tool designed to: obtain the values of CPS features for an input window, which is a time interval and contained within the observation period, while the input window is determined by a trained forecasting model , while the signs of the CPS are the numerical characteristics of the subjects of management; predicting the values of the CPS attributes for the forecast window, which is a time interval and contained within the observation period, using the trained forecasting model and according to the obtained values of the CPS attributes for the input window; anomaly determining means for: determining the total forecast error for the forecast window for the CPS signs; determining the anomaly in the FSC when the total forecast error exceeds the total error threshold; determining at least one CPS feature, which is the source of the anomaly, if the contribution of the forecast error of the mentioned at least one CPS feature to the total forecast error is higher than the contribution of at least one other CPS feature to the total forecast error.

Brief Description of Drawings

Additional objects, features and advantages of the present invention will become apparent from a reading of the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

FIG. 1a schematically shows an example of a technological system.

FIG. 1b schematically shows a particular example of the implementation of a technological system.

FIG. 1c presents a possible option for organizing the Internet of Things using the example of wearable devices.

FIG. 1d shows a possible set of device sensors.

FIG. 2 shows a system for training a model for predicting the values of CPS features having certain characteristics, and calculating the error threshold to determine the anomaly in the said CPS.

FIG. 3 shows a method for training a model for predicting the values of CPS features and calculating an error threshold for determining an anomaly in a CPS with certain characteristics.

FIG. 4 shows the system for determining the source of the CPS anomaly.

FIG. 5 shows an example of determining the source of an anomaly in a CPS that has certain characteristics.

FIG. 6 shows an example of the dependence of the values of one feature on time, and also indicates the input window, the forecast window and the forecast horizon.

FIG. 7 shows examples of dependencies of feature values, feature prediction values and general forecast error on time in the vicinity of the time of the anomaly occurrence.

FIG. 8 shows an example of the dynamics of the total forecast error before smoothing and after smoothing.

FIG. 9 shows a data generation system for monitoring a cyber-physical system for the purpose of early detection of anomalies in a graphical user interface (GUI) system, containing a set of GUI elements.

FIG. 10a-10c show a GUI element for selecting a display mode, a GUI element for generating a feature forecast error, and a GUI element for selecting a display order.

FIG. 11a shows a GUI element for prediction error settings.

FIG. 11b GUI for changing forecast errors.

FIG. 12 shows a GUI element for selecting events.

FIG. 13 shows a GUI element for model selection.

FIG. 14 shows a method of generating data for monitoring a cyber-physical system for the purpose of early detection of anomalies in a graphical user interface (GUI) system containing a set of GUI elements.

FIG. 15 is an example of a general purpose computer system with which the present invention may be implemented.

Implementation of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The foregoing description is intended to assist a person skilled in the art for a comprehensive understanding of the invention, which is defined only within the scope of the appended claims.

Control object is a technological object to which external influences (controlling and / or disturbing) are directed in order to change its state, in a particular case, such objects are a device (for example, an electric motor) or a technological process (or part of it).

Technological process (TP) is a process of material production, which consists in a sequential change in the states of a material entity (subject of labor).

Process Control is a set of methods used to control technological parameters in the production of the final product.

The control loop (English control loop) - consists of material entities and control functions necessary for the automated adjustment of the values of the measured technological parameters to the values of the desired settings. The control loop contains sensors and sensors, controllers and actuators.

Process Variable (PV) is the current measured value of a certain part of the TP, which is observed or controlled. The process parameter can be, for example, a sensor measurement.

Setpoint is a supported value of a technological parameter.

Manipulated Variable (MV) is a parameter that is adjusted so that the value of a process parameter is maintained at the setpoint level.

External influence is a way of changing the state of an element to which the influence is directed (for example, an element of a technological system (TS)), in a certain direction, the impact from an element of a TS to another element of a TS is transmitted as a signal.

The state of a control object is a set of its essential properties, expressed by the parameters of states, changed or held under the influence of external influences, including control actions from the control subsystem. A state parameter is one or several numerical values characterizing an essential property of an object; in a particular case, a state parameter is a numerical value of a physical quantity.

The formal state of the control object is the state of the control object corresponding to the technological map and other technological documentation (if we are talking about TP) or the timetable (if we are talking about a device).

Controlling action - purposeful (the purpose of action is to influence the state of the object) legitimate (provided for by TP) external influence from the control subjects of the control subsystem on the control object, leading to a change in the state of the control object or retention of the state of the control object.

Disturbing impact - purposeful or non-purposeful illegitimate (unforeseen by TP) external impact on the state of the control object, including from the side of the control subject.

The subject of control is a device that directs the control action to the control object or transfers the control action to another control subject for transformation before directing it to the object.

A multilevel management subsystem is a set of management subjects that includes several levels.

A cyber-physical system is an information technology concept that implies the integration of computing resources into physical processes. In such a system, sensors, equipment and information systems are connected throughout the entire value chain, which extends beyond a single enterprise or business. These systems interact with each other using standard Internet protocols to predict, self-tune, and adapt to change. Examples of a cyber-physical system are a technological system, the Internet of Things (including wearable devices), and the Industrial Internet of Things.

The Internet of Things (English Internet of Things, IoT) is a computing network of physical objects ("things") equipped with built-in technologies for interacting with each other or with the external environment. The Internet of Things includes technologies such as wearable devices, electronic vehicle systems, smart cars, smart cities, industrial systems, and more.

The Industrial Internet of Things (IIoT) is a subcategory of the Internet of Things that also includes consumer-facing applications such as wearable devices, smart home technologies, and self-driving cars. The hallmarks of both concepts are devices with integrated sensors, machines and infrastructure that transmit data over the Internet and are controlled by software ¹ ( ¹ https://www.hpe.com/en/en/what-is/industrial-iot. html).

A technological system (TS) is a functionally interconnected set of control subjects of a multi-level control subsystem and a control object (TP or device), which implements a change in the state of the control object through a change in the states of control subjects. The structure of the technological system is formed by the main elements of the technological system (interconnected subjects of management of the multilevel subsystem of management and the object of management), as well as the connections between these elements. In the case when the object of control in a technological system is a technological process, the ultimate goal of control is: through a change in the state of the control object, change the state of the object of labor (raw materials, workpieces, etc.). In the case when the object of control in the technological system is a device, the ultimate goal of control is to change the state of the device (vehicle, space object). The functional relationship of vehicle elements implies the relationship between the states of these elements. In this case, there may not be a direct physical connection between the elements, for example, there is no physical connection between the actuators and the technological operation, but, for example, the cutting speed is functionally related to the spindle speed, despite the fact that these state parameters are not physically connected.

The state of the subject of control is a set of its essential properties, expressed by the parameters of states that are changed or held under the influence of external influences.

The essential properties (respectively, the essential parameters of the state) of the subject of control are the properties that directly affect the essential properties of the state of the control object. In this case, the essential properties of the control object are properties that have a direct impact on the controlled factors (accuracy, safety, efficiency) of the vehicle functioning. For example, the compliance of the cutting modes with the formally specified modes, the movement of the train in accordance with the schedule, the keeping of the reactor temperature within the permissible limits. Depending on the factors being controlled, the parameters of the state of the control object and, accordingly, the parameters of the states of the control subjects that exert a control effect on the control object are selected.

The state of an element of a technological system is the state of the subject of control, the object of control.

The real state of an element of a technological system is the state of an element of a technological system at some point in time of the impact on the control object, determined by measuring the parameters of states and intercepting signals (traffic) between the elements of the vehicle. Condition parameters are measured, for example, using sensors installed in the vehicle.

The real state of a technological system is a set of interconnected real states of the elements of a technological system.

Cybernetic block is an element of a cyber-physical control system that controls the process of functioning of an element of a technological system.

The state space is a way of formalizing changes in the states of a dynamic system (technological system or cyber-physical system).

A computer attack (also a cyber attack, from the English cyber attack) is a purposeful impact on information systems and information and telecommunication networks by software and hardware tools, carried out in order to violate the security of information in these systems and networks (see "The main directions of state policy in the field of ensuring safety of automated control systems for production and technological processes of critical infrastructure of the Russian Federation "(approved by the President of the Russian Federation 03.02.2012 N 803).

FIG. 1a schematically depicts an example of a process system 100 that includes elements 110a and 110b, where the elements of the vehicle are: a control object 110a; control subjects 110b, forming a multi-level control subsystem 120; horizontal ties 130a and vertical ties 130b. The subjects of control 110b are grouped into levels 140.

FIG. 1b schematically shows a particular example of the implementation of the technological system 100 '. The control object 110a 'is a TP or a device, control actions are sent to the control object 110a', which are generated and implemented by an automated control system (ACS) 120 ', three levels 140' are distinguished in the ACS, consisting of control subjects 110b ', interconnected as horizontally by horizontal ties (ties within a level, not shown in the figure), and vertically by vertical ties 130b '(ties between levels). Relationships are functional, i.e. in general, a change in the state of the subject of control 110b 'at one level causes a change in the states of the associated control subjects 110b' at this level and other levels. Information about a change in the state of the subject of control is transmitted in the form of a signal along horizontal and vertical links established between the subjects of control, i.e. information about a change in the state of the considered subject of management is an external influence in relation to other subjects of management 110b '. Levels 140 'in ACS 120' are allocated in accordance with the assignment of control subjects 110b '. The number of levels can vary depending on the complexity of the 120 'automated control system. Simple systems can contain one or several lower levels. For physical connection of TS elements (110a, 110b) and TS 100 subsystems, wired networks, wireless networks, integrated circuits are used, for logical communication between TS elements (110a, 110b) and TS 100 subsystems, Ethernet, industrial Ethernet, and industrial networks are used. At the same time, industrial networks and protocols are used of various types and standards: Profibus, FIP, ControlNet, Interbus-S, DeviceNet, P-NET, WorldFIP, LongWork, Modbus, etc.

The upper level (the level of supervisory control and data acquisition, SCADA) is the level of dispatch and operator control, includes at least the following control subjects 110b ': controllers, control computers, human-machine interfaces , HMI) (in Fig. 1b are depicted within the framework of one subject of SCADA control). The level is designed to track the states of the vehicle elements (110a ', 110b'), obtain and accumulate information about the state of the vehicle elements (110a ', 110b') and, if necessary, correct them.

The middle level (CONTROL level) is the level of controllers, includes at least the following control subjects: programmable logic controllers (PLC), counters, relays, regulators. Control subjects 110b 'of the "PLC" type receive information from control subjects of the "control and measuring equipment" type and control subjects 110b' of the "sensors" type about the state of the control object 110a '. Control subjects of the "PLC" type develop (create) a control action in accordance with the programmed control algorithm on the control subjects of the "executive mechanisms" type. The executive mechanisms directly implement it (applied to the control object) at the lower level. An actuator is a part of an executive device (equipment). Controllers such as PID controllers (proportional-integral-derivative controller - PID controller) are devices in a closed-loop control loop.

The lower level (Input / Output level) is the level of such control subjects as: sensors and sensors, instrumentation (instrumentation) that control the state of the control object 110a ', as well as actuators. The actuators directly affect the state of the control object 110a 'to bring it into conformity with the formal state, i.e. a state corresponding to a technological assignment, a technological map or other technological documentation (if we are talking about a TP) or a movement schedule (if we are talking about a device). At this level, the signals from the control subjects 110b 'of the "sensors" type are coordinated with the inputs of the control subjects of the middle level, and the control actions generated by the control subjects 110b' of the "PLC" type are coordinated with the control subjects 110b 'of the "actuators" type, which implement them. An actuator is a part of an actuator. The actuator moves the regulator in accordance with the signals from the regulator or control device. Actuators are the last link in the automatic control chain and generally consist of blocks:

• amplification devices (contactor, frequency converter, amplifier, etc.);

• an actuator (electric, pneumatic, hydraulic drive) with feedback elements (position sensors of the output shaft, signaling of end positions, manual drive, etc.);

• regulating body (valves, valves, dampers, dampers, etc.).

Depending on the conditions of use, the actuators may be structurally different from each other. The main blocks of executive devices usually include executive mechanisms and regulatory bodies.

In a particular example, the actuator is generally referred to as an actuator.

ACS 120a 'is an automatic enterprise management system.

FIG. 1c presents a possible option for organizing the Internet of Things using the example of wearable devices. The system contains many different computer devices of the user 151. Among the devices of the user 151 may be, for example: smartphone 152, tablet 153, laptop 154, wearable devices such as augmented reality glasses 155, fitness tracker, smart watch 156 (eng. smart watch) and others. User devices 151 contain many different sensors 157a-157n, such as heart rate monitor 2001 and pedometer 2003.

It is worth noting that the sensors 157a-157n may reside on one user device 151 or on several. Moreover, some sensors can be located on several devices at the same time. Some of the sensors can be presented in several copies. For example, a Bluetooth module can be found on all devices, and a smartphone can contain two or more microphones required for noise cancellation and determining the distance to the sound source.

FIG. 1d shows a possible set of device sensors 151. Among the sensors 157a-157n there may be, for example, the following:

• heart rate monitor (heart rate sensor) 2001 to determine the user's pulse rate. In one embodiment, a heart rate monitor may include electrodes and measure an electrocardiogram;

• oxygen saturation sensor 2002;

• pedometer 2003;

• 2004 fingerprint sensor;

• 2005 gesture sensor, used to recognize user gestures;

• camera aimed at the user's eyes 2006, which serves to determine the user's eye movement, as well as to authenticate the user's identity by the iris or retina of the eye;

• 2007 user's body temperature sensor (for example, having direct contact with the user's body or non-contact);

• microphone 2008;

• ultraviolet radiation sensor 2009;

• receiver of geolocation system 2010, for example, receiver GPS, GLONASS, BeiDou, Galileo, DORIS, IRNSS, QZSS, etc .;

• O8M-module2011;

• Bluetooth module 2012;

• Wi-Fi 2013 module;

• camera 2014 aimed at the environment surrounding the user's device;

• ambient temperature sensor 2015;

• barometer 2016, required to measure atmospheric pressure and determine the altitude above sea level in accordance with atmospheric pressure;

• geomagnetic sensor 2017 (electronic compass), required to determine the cardinal points and azimuth;

• sensor for determining air humidity 2018;

• 2019 illumination level sensor, required to determine the color temperature and illumination;

• proximity sensor 2020, used to determine the distance to various objects in the vicinity;

• image depth sensor 2021, used to obtain a three-dimensional image of space;

• accelerometer 2022, used to measure acceleration in space;

• gyroscope 2023, required to determine the position in space;

• Hall sensor 2024 (magnetic field), to determine the strength of the magnetic field;

• dosimeter-radiometer 2025, to determine the level of radiation;

• NFC 2026 module;

• LTE module 2027.

FIG. 2 shows a system for training a model for predicting the values of features of a cyber-physical system (CPS) with certain characteristics (that is, when training a forecasting model, the characteristics of a CPS are taken into account), and calculating an error threshold to determine an anomaly in the said CPS 201. Cyber-physical system 200 is presented in simplified version. Examples of the cyber-physical system 200 are the previously described technological system 100 (see Fig. 1a-1b), the Internet of things (see Fig. 1c-1d), the industrial Internet of things. For definiteness, further in the application, the TS will be considered as the main example of the FSC 200.

System 201 comprises teaching means 211 and an associated calculator 212. As previously mentioned in connection with FIG. 1a-1b FSC contains many subjects of control, such as sensors, actuators, PID controllers. The data of the aforementioned subjects is transmitted in raw form to the PLC. In this case, an analog signal can be used. Then the PLC performs data processing and converts the data into digital form, after which it transmits the SCADA system 110b 'and the considered system 201. Thus, the training tool 211 receives an initial sample containing the values of the FSC 200 features for the historical observation period of the FSC (that is, telemetry data FSC), in which the proportion of anomalies does not exceed the specified value (for example, no more than 1%). FSC signs are the numerical characteristics of control subjects - sensors, actuators, PID controllers. The training tool 211, based on the initial sample and taking into account the characteristics of the CPS, forms a training sample that includes the values of at least one of the received CPS signs for the observation period not exceeding the historical observation period. In this case, in a particular implementation example, at least one moment of time is included in the training sample at which the anomaly occurs. The formation of a training sample can include the stages of clearing the data of the original sample from noise, gaps in data, outliers in the values of features, invalid data sets, transfer to a uniform time grid, exclusion from the original sample of features that cause false alarms (for example, readings of a faulty sensor). In a particular example of implementation, the formation of a training sample can occur using the technical documentation of the FSC (for example, describing the possible states and technical characteristics of sensors and actuators), as well as on the basis of data provided by the users of the FSC (for example, about known faulty sensors).

Then the training tool 211 builds a model for predicting the values of the CPS attributes at each time point of the forecast window according to the data on the values of the CPS attributes at each time point of the input window. That is, the input window and the forecast window are time intervals that are within the observation period and are selected in accordance with the characteristics of the CPS. And the values of the FSC features are stored at a specified frequency within the observation period. For example, if the values of the FSC features are saved every second, then the times mentioned above also differ every second. The distance between the input window and the forecast window is the forecast horizon (for example, from the end of the input window to the beginning of the forecast window), which also depends on the characteristics of the CPS. In a particular example of implementation, the input window and the forecast window may overlap. In another particular example of implementation, the input window and the forecast window do not intersect. The forecast horizon can take both non-negative values (forecast for the future) and negative values (for example, codec analysis).

The trainer 211 then trains the prediction model on the training set data. Then, the calculator 212, using the trained prediction model, predicts the values of the CFC features at each time point of the observation period. The calculator 212 determines the overall forecast error (that is, for the predicted values of the CPS features), for example, as the average error or the weighted average error between the observed feature values and the predicted feature values, calculated at each time point in the forecast window. Then, using the training tool 211, the total error threshold is calculated depending on the characteristics of the FSC, so that the excess of the calculated threshold by the total prediction error means an anomaly in the FSC. In a particular example of implementation - as a quantile of a given accuracy of the total forecast error, for example, at a 99% significance level.

An anomaly in the FSC may arise, for example, due to a computer attack, due to interference in the operation of a vehicle or TP of a person, due to a failure or deviation of the technological process associated with periods of mode change, due to the transfer of control loops to manual mode, or due to incorrect readings of the sensors, as well as for other reasons known from the prior art.

In a particular implementation example, the system 201 additionally contains a remote server 213, which can perform part of the functions of the training tool 211 and the calculation tool 212: building the forecasting model and training the forecasting model, as well as predicting the values of the CPS attributes for the observation period, determining the total forecast error and calculating the threshold total forecast error. In another particular example of implementation, the training tool 211 and the calculator 212 can be located on the remote server 213. Since the remote server 213 can have significantly greater computing capabilities than the training tool 211 and the calculator 212, the execution of these functions by the remote server 213 will improve the speed and quality of system 201.

Thus, the system 201 allows you to train the forecasting model, determine the size of the input window and the forecast window, as well as the threshold of the total forecast error, which can be used in the system and method for determining the source of the anomaly in the CPS (see Fig. 4-5).

In a particular implementation example, the FSC features include at least one of:

• sensor measurement (sensor technological parameter);

• controlled parameter of the actuator;

• setting of the actuator;

• input signals or output signal of the PID controller, internal parameters of the PID controller.

In another particular example of implementation, the initial sample contains time points with known FSC anomalies, while the mentioned time points with known FSC anomalies are included in the training sample. That is, the initial sample will also contain information about the times of occurrence of known anomalies in the FSC (marking). This will train the forecasting model and determine the total error threshold more accurately.

In another particular example of implementation, when forming a training sample, the time points of the occurrence of CPS anomalies are marked. In another particular example of implementation, a test sample is formed from the initial sample, according to which the forecast quality is estimated and, if the forecast quality assessment does not satisfy the specified criteria, the forecasting model is trained again until the forecast quality assessment satisfies the specified criteria (so that there was no retraining). If the assessment of the forecast quality does not satisfy the given criteria, another forecasting model can be chosen. In a particular example, the forecast quality is determined, for example, by one of the quality metrics: NAB-metric (eng. Numenta Anomaly Benchmark) ² ( ² Lavin and S. Ahmad, "Evaluating Real-time Anomaly Detection Algorithms - the Numenta Anomaly Benchmark," in 14th International Conference on Machine Learning and Applications (IEEE ICMLA'15), 2015.http: //arxiv.org/abs/1510.03336), F1 metrics.

In a particular implementation example, a cyber-physical system has at least one of the following characteristics:

• the industry in which the cyber-physical system operates;

• types of processes that describe the parameters of the CPS, in particular, one of: continuous, conveyor, cyclic (for example, for cyclic processes, an observation period can be selected that is a multiple of the period of one cycle);

• the presence of seasonality and / or trends in the signs of the FSC;

• inertness of FSC processes;

• time of the FSC reaction to changes in the FSC and in the external environment;

• the level of danger of production for personnel and the environment;

• cost of downtime of technological processes due to abnormal situations;

• type of control, in particular, performed using PID controllers, state machines or a combined method;

• the type of the subject of control, which is characterized by at least one feature, while the type of the subject of control is one of: a sensor, an actuator or a PID controller;

• data of self-diagnostics of FSC;

• serviceable status of the subject of management (serviceable or defective);

• the interconnection of the subjects of management at the level of the technical process.

As an example of FSC, one can cite enterprises of the petrochemical industry, their individual units and installations. The FSC of such enterprises may have one or more of the following characteristics of the FSC:

• high value of the period of time of continuous operation of technological processes (for example, from a year);

• high response time of TP (for example, more than one minute), therefore, when building a forecasting model, choose a longer observation period for the type of CPS, characterized by a long response time of the CPS parameters to changes in other CPS parameters and external factors;

• availability of seasonality of TP;

• high level of hazard of production for personnel and the environment. Accordingly, when constructing a forecasting model, a low threshold of the total error for the CPS, characterized by a high level of production hazard, is selected in order to detect a larger number of anomalies. That is, the total error threshold can be calculated as a quantile of a given accuracy of the total forecast error, a quantile of a lower order (for example, 0.90). In this case, false positives are likely to occur, however, this will not affect the production process in any way, but will allow at the stage of analysis of the type of encoding-decoding of data using the constructed model to identify more anomalies and, with the participation of the CPS user, refine the value of the error threshold in such a way as to filter out false positives and leave all important analyzed anomalies;

• high cost of downtime in the TP.

Primary oil refining technological processes are characterized by the presence of control systems made on the principles of PID control (cascade) and containing a large number (usually more than a hundred) self-regulating control loops, interconnected both by the designed and embedded control logic and by the physics of the process, and controlling such quantities as temperature, pressure, liquid levels, etc. The specificity of such a design of the control system makes it possible to implement a whole range of methods for monitoring the process, including neural networks, methods for analyzing the integrity of firmware of PID regulators and analyzing the correctness of their settings, etc. The presence of such specific factors of oil refining as high paraffin content liquid components of the process, high processing temperatures (usually about 350 degrees Celsius), coke formation and coking in units and others, cause such features of these parameters as the presence of strong noise, gaps, emissions in the instrumentation data, filling lack of trend components in regulation data, invalidity of some instrumentation data sets, etc. In addition, the features of the control system based on PID controllers include such factors as the periodic transfer of PID controllers to manual mode, which is used both for normal control of installations and in emergency situations (which have a significant impact on these parameters). Thus, in the given example, the characteristics of the FSC affect the values of the characteristics of the FSC, the construction of a forecasting model, and the determination of the general forecast error.

Therefore, the described method makes it possible to achieve the stated technical results, to reduce the error of the second kind when detecting anomalies in the FSC. In addition, the stated technical problem will be solved, which consists in creating a system for determining anomalies in the CPS, which has certain characteristics, in which the time elapsed from the moment the anomaly in the CPS appears until the moment of its detection is lower than that of existing analogues.

Thus, in one particular example of implementation, a low threshold of the total error is chosen for the type of FSC, characterized by a high level of production hazard for personnel and the environment. In another particular example of implementation, a longer observation period is chosen for the CPS, which is characterized by a long reaction time of the CPS signs to changes in other CPS signs and external factors.

In another particular example of implementation, when calculating the total forecast error for the errors of each CPS feature, weights are used, while:

a) assign a low value to the weighting factor for the feature if the subject of management, characterized by this feature, provides data with noisy or invalid data or is periodically disabled by the user of the FSC;

b) assign a low value to the weighting factor for a feature in which the occurrence of an anomaly does not affect the operation of the FSC, and a high value to the weighting factor for a feature in which the occurrence of an anomaly affects the operation of the FSC.

The values of the weighting coefficients of features equal to one are characteristic for the main implementation option (equivalent to the absence of weighting coefficients).

In another particular example of implementation, the training sample additionally contains features of at least one other FSC, which has at least a predetermined number of the same characteristics as the current FSC. Thus, the system 201 will be able to more accurately train the forecasting model and determine the error threshold from data from several QPSs with the same characteristics.

In one particular implementation, exponential smoothing is applied to the overall prediction error. This is necessary in order to reduce the value of the type I error.

In a particular implementation example, the forecasting model is a neural network. In another particular example of implementation, the forecasting model contains a set of models, that is, an ensemble that makes a decision by averaging the results of individual models from the set. In another particular implementation example, a neural network is optimized using genetic algorithms. In another particular implementation example, a neural network is selected using one of the quality metrics: NAB metric, F1 metric.

In another particular example of implementation, when calculating the total forecast error for the errors of each CPS feature, weights are used, and the value of the weighting coefficient of the feature is determined by how accurately the values of this CPS feature are predicted (for example, according to the previous model forecasting results). In this case, the weighted error with certain weighting factors can be considered as the forecast error.

In a particular example of implementation, when forming a training sample, the technical documentation of the FSC is used (a priori information, which describes the possible states and technical characteristics of sensors and actuators). This will make it possible to build a better model by using the technical documentation of the CFS to adjust the parameters of the model (the choice of weight coefficients when calculating the total forecast error, the choice of the observation period, changing the threshold of the total error, etc.).

In another particular example, the implementation can use the user report (also - the operator, the user report is a posteriori information) to improve the quality of the model or to build a new model in the future by using the user report to adjust the model parameters.

The value of the weighting coefficient of the attribute can be assigned by the training tool 211, depending on the significance of the indicated attribute and on the basis of the technical documentation of the FSC or the user's report. For example, if a certain sensor often fails or gives false readings, it can be assigned a low value of the weighting factor or even zero, as a result of which its readings will not affect the prediction model and the value of the error threshold for determining the anomaly in the FSC.

In a particular example of implementation, a register of FSC attributes is built using the training tool 211 using the technical documentation of the FSC or a user report, while the register contains, in particular, a description of the attribute, the physical dimension of the attribute, if the attribute describes the physical size of the CFS object, the passport measurement accuracy of the attribute, the weighting factor of the feature and the name of the object, which is described by the mentioned feature. At the same time, a forecasting model is built taking into account the register of CPS signs, using it to adjust the parameters of the model.

In another particular example of implementation, when constructing a training sample, the values of the FSC attributes are not included in the observation period at the points in time at which it is known that the values of the FSC attributes are abnormal, in particular, the time periods in which commissioning or diagnostic measures are carried out at the FSC, time periods manual control of the FSC.

In a particular example of implementation, the construction of the forecasting model by the training tool 211 occurs as follows. First, a neural network architecture template is selected. For example, multilayer perceptron, convolutional neural network, recurrent neural network, or others. Next, a description of the selected architecture is formed:

• optimizer and its parameters;

• initial values of weights and shifts;

• maximum number of layers;

• for each layer:

список возможных типов слоя, состоящий по меньшей мере из подмножества следующих слоев: Dense, Convolutional, GRU, LSTM, Dropout;

a list of possible layer types, consisting of at least a subset of the following layers: Dense, Convolutional, GRU, LSTM, Dropout;

функция активации: линейная, ReLU, Tanh, сигмоида, Softmax и др.;

activation function: linear, ReLU, Tanh, sigmoid, Softmax, etc .;

возможный размер слоя (число нейронов в слое).

the possible size of the layer (the number of neurons in the layer).

Then the neural network architecture is optimized using the optimizer. In a particular implementation example, the neural network architecture is optimized using genetic algorithms. A quality metric is also used to select the best architecture. In a particular implementation example, one of the following quality metrics is used: NAB metric, F1 metric.

FIG. 3 shows a method for training a model for predicting the values of features of a cyber-physical system (CPS) and calculating the error threshold for determining an anomaly in a CPS with certain characteristics. At step 310, an initial sample is obtained containing the values of the FSC features for the historical observation period of the FSC. In a particular example of implementation in the original sample, the proportion of anomalies does not exceed a given value. Then, at step 320, based on the initial sample and taking into account the characteristics of the CPS, a training sample is formed, including the values of at least one of the mentioned CPS signs, for the observation period not exceeding the historical observation period. In a particular example of implementation, the training sample includes at least one point in time at which the anomaly occurs. At step 330, a model is built for predicting the values of the CPS attributes at each time point of the forecast window based on the data of the values of the mentioned CPS attributes at each time point of the input window, while the input window and the forecast window are within the observation period and are selected depending on the characteristics of the CPS, and the distance between the input window and the forecast window is equal to the forecast horizon, which is selected depending on the characteristics of the CPS. Then, at step 340, the prediction model is trained on the training set data.

At step 350, using the trained prediction model, predicting the values of the CPS features at each time point of the observation period is performed. Then, at step 360, the total forecast error obtained using the constructed forecasting model at each point in time of the observation period is determined. At step 370, a total error threshold is calculated depending on the characteristics of the FSC, such that exceeding the calculated threshold by the total prediction error indicates an anomaly in the FSC. It should be noted that particular examples of implementation previously disclosed in relation to the system 201 shown in FIG. 2 are also applicable to that described in FIG. 3 way. For example, in one of the particular examples of implementation, at step 320a, a technical documentation of the FSC or a user report on previously detected anomalies is obtained. Then, at step 330a, using the training tool 211, a register of FSC features is built using the technical documentation of the FSC or a user report, while the register contains, in particular, a description of the feature, the physical dimension of the feature, if the feature describes the physical size of the KPS object, the passport measurement accuracy of the feature , the weighting coefficient of the feature and the name of the object, which is described by the mentioned feature, while building a forecasting model (step 330) taking into account the register of CPS features. Other particular examples of implementation have been listed earlier, in FIG. 2.

FIG. 4 shows a system for determining the source of an anomaly in a cyber-physical system. The system for determining the source of the anomaly 220 comprises a predictor 221 and a means for determining an anomaly 222. The predictor 221 is designed to obtain the values of the CPS attributes for the input window, which is determined by the trained forecasting model, and also predicts the values of the CPS indicators for the forecast window using the trained forecasting model and according to the obtained values of the FSC features for the input window. FSC signs are the numerical characteristics of sensors, actuators, PID controllers. The input window and the forecast window are the time intervals specified in the trained forecasting model, while the input window contains the feature values, which are used to predict the feature values for the forecast window. That is, they are determined by the system and method described in FIG. 2-3. The input window and the forecast window are within the observation period and are selected in accordance with the characteristics of the CPS. The distance between the input and the forecast window is the forecast horizon (for example, from the end of the input window to the beginning of the forecast window), which also depends on the characteristics of the CPS. The forecast horizon can take both non-negative values (forecast for the future) and negative values. In a particular example of implementation, the input window and the forecast window can intersect (the forecast horizon is negative). In another particular example of implementation, the input window and the forecast window do not intersect (the forecast horizon is positive).

Anomaly detection tool 222 is designed to determine the total forecast error for the CPS features for the forecast window, determine the anomaly in the CPS when the total forecast error exceeds the total error threshold (that is, the total error threshold value), and also to determine at least one CPS feature, which is the source of the anomaly if the contribution of the forecast error of the mentioned at least one CPS feature (from among all the CPS features from the mentioned list of features) to the total forecast error is higher than the contribution of other CPS features (from all the CPS features from the mentioned list of features) to the total error forecast. For example, 5 CPS features are determined with the largest forecast error among all the CPS features from the mentioned list of features. In a particular implementation example, the common error threshold is a quantile of a given accuracy of the total forecast error, for example, at a 99% significance level.

In a particular example of implementation, the values of the CPS attributes are received in real time, therefore, for the forecast window, the total forecast error is determined after a time equal to the sum of the forecast horizon and the input window, that is, when the real values of the CPS attributes are obtained at each time of the forecast window.

In another special case, if the values of the CPS features are contained in the initial sample for the historical observation period (that is, for the entire period of time during which the observation was carried out), the total forecast error is determined for the forecast window based on the data of the initial sample for the historical observation period.

In a particular implementation example, the FSC features include at least one of: sensor measurement (sensor technological parameter); controlled parameter of the actuator; setting of the actuator; input signals or output signal of the PID controller.

In a particular implementation example, a cyber-physical system has at least one of the following characteristics:

• the industry in which the cyber-physical system operates;

• types of processes that describe the parameters of the CPS, in particular, one of: continuous, conveyor, cyclic;

• the presence of seasonality and / or trends in the signs of the FSC;

• inertness of FSC processes;

• time of the FSC reaction to changes in the FSC and in the external environment;

• the level of danger of production for personnel and the environment;

• cost of downtime of technological processes due to abnormal situations;

• type of control, in particular, performed using PID controllers, state machines or a combined method;

• the type of the subject of control, which is characterized by at least one feature, while the type of the subject of control is one of: a sensor, an actuator or a PID controller;

• data of self-diagnostics of FSC;

• health status of the subject of management;

• the interconnection of the subjects of management at the level of the technical process.

In a particular implementation example, the forecasting model is a neural network. In another particular example of implementation, the forecasting model contains a set of models, that is, an ensemble that makes a decision by averaging the results of individual models from the set. In another particular implementation example, a neural network is optimized using genetic algorithms. In another particular implementation example, a neural network is selected using one of the quality metrics: NAB metric, F1 metric.

In another particular example of implementation, when calculating the total forecast error for the errors of each CPS feature, weights are used, while:

a) assign a low value to the weighting factor for the feature if the subject of management, characterized by this feature, provides data with noisy, or invalid data, or is periodically disabled by the user of the FSC;

b) assign a low value to the weighting factor for a feature in which the occurrence of an anomaly does not affect the operation of the FSC, and a high value to the weighting factor for a feature in which the occurrence of an anomaly affects the operation of the FSC.

In one particular implementation, exponential smoothing is applied to the overall prediction error. This is necessary to reduce the Type I error.

In another particular example of implementation, when calculating the total forecast error for the errors of each CPS attribute, weighting coefficients are used, and the value of the weighting coefficient of the attribute is determined by how accurately the values of this CPS attribute are predicted. In this case, the error weighted with certain weighting factors can be considered as the forecast error.

In another particular example of implementation, the technical documentation of the FSC or the user's report on the anomalies previously detected by the trained system is obtained, while the weight of the feature is selected using the training tool 211 depending on the significance of the specified attribute and on the basis of the technical documentation of the FSC or the user's report.

FIG. 5 shows an example of a method for determining the source of an anomaly in a cyber-physical system with certain characteristics. At step 510, the values of the FSC features are obtained for the input window, which is determined by the trained prediction model (used in the system and method, which are presented in Fig. 3-4). Then, at step 520, using the trained forecasting model and according to the data of the obtained values of the FSC attributes for the input window, the values of the FSC attributes for the forecast window are predicted. Then, at step 530, for the forecast window, the total forecast error for the CFC features is determined and, if the total forecast error exceeds the total error threshold, at step 540, an anomaly in the CFC is determined. As a result, at step 550, at least one CFC feature is determined, which is the source of the anomaly, if the contribution of the forecast error of the mentioned at least one CFC feature to the total forecast error is higher than the contribution of other CFC features to the total forecast error. For example, 5 CPS features are determined with the largest forecast error among all the CPS features from the mentioned list of features.

In a particular example of implementation, the values of the CPS attributes are received in real time, therefore, for the forecast window, the total forecast error is determined after a time equal to the sum of the forecast horizon and the input window, that is, when the real values of the CPS attributes are obtained at each time of the forecast window.

In another particular case, if the values of the CPS attributes are contained in the initial sample for the historical observation period, the total forecast error is determined for the forecast window based on the data of the initial sample for the historical observation period.

In a particular implementation example, the FSC features include at least one of: sensor measurement (sensor technological parameter); controlled parameter of the actuator; setting of the actuator; input signals or output signal of the PID controller.

In a particular implementation example, a cyber-physical system has at least one of the following characteristics:

• the industry in which the cyber-physical system operates;

• types of processes that describe the parameters of the CPS, in particular, one of: continuous, conveyor, cyclic;

• the presence of seasonality and / or trends in the signs of the FSC;

• inertness of FSC processes;

• time of the FSC reaction to changes in the FSC and in the external environment;

• the level of danger of production for personnel and the environment;

• cost of downtime of technological processes due to abnormal situations;

• type of control, in particular, performed using PID controllers, state machines or a combined method;

• the type of the subject of control, which is characterized by at least one feature, while the type of the subject of control is one of: a sensor, an actuator or a PID controller;

• data of self-diagnostics of FSC;

• health status of the subject of management;

• the interconnection of the subjects of management at the level of the technical process.

In a particular implementation example, the forecasting model is a neural network. In another particular example of implementation, the forecasting model contains a set of models, that is, an ensemble that makes a decision by averaging the results of individual models from the set. In another particular implementation example, a neural network is optimized using genetic algorithms. In another particular implementation example, a neural network is selected using one of the quality metrics: NAB metric, F1 metric.

In another particular example of implementation, when calculating the total forecast error for the errors of each CPS feature, weights are used, while:

a) assign a low value to the weighting factor for the feature if the subject of management, characterized by this feature, provides data with noisy, or invalid data, or is periodically disabled by the user of the FSC;

b) assign a low value to the weighting factor for a feature in which the occurrence of an anomaly does not affect the operation of the FSC, and a high value to the weighting factor for a feature in which the occurrence of an anomaly affects the operation of the FSC.

In one particular implementation, exponential smoothing is applied to the overall prediction error. This is necessary to reduce the Type I error.

In one particular implementation example, when calculating the total forecast error for the errors of each FSC attribute, weighting coefficients are used, and the value of the weighting coefficient of the attribute is determined by how accurately the values of this FSC attribute are predictable. In this case, the error weighted with certain weighting factors can be considered as the forecast error.

In another particular example of implementation, the technical documentation of the FSC or the user's report on the anomalies previously detected by the trained system is obtained, while the weight of the feature is selected using the training tool 211 depending on the significance of the specified attribute and on the basis of the technical documentation of the FSC or the user's report.

An example of the operation of the described systems and methods of FIG. 2-5. After receiving the initial sample containing the values of the CPS features for the historical observation period of the CPS - T ₀ , a training sample is formed - for the observation period T ₁ ⊆T ₀ (that is, the observation period T ₁ is a subset of T ₀ ). The training set consists of m CPS features at each observation time point x _t (vector of CPS feature values) of the observation period T ₁ :

t≥0 is time, and m> 0 is the number of features.

- окно прогноза (так, что длина окна положительна), т.е. период времени, на который прогнозируют значения признаков по данным значений признаков за период времени L. При этом L,

.The input time window for the mentioned features is L (so that the window length is positive), h is the forecast horizon,

- forecast window (so that the window length is positive), i.e. the period of time for which the values of the characteristics are predicted according to the data of the values of the characteristics for the period L.

...

и горизонт прогноза h. В общем случае, входное окно L и окно прогноза

могут как пересекаться, так и не пересекаться. Применительно к представленному примеру далее рассматривается работа системы и способа обучения модели прогнозирования значений признаков КФС и вычисления порога ошибки R для определения аномалии и обладающей определенными характеристиками КФС по Фиг. 2-3. Обучающая выборка, сформированная на основании исходной выборки и с учетом характеристик КФС, включает значения признаков КФС за период наблюдения (например, весь интервал с 16:00 до 16:08). С использованием обучающей выборки выполняют построение модели прогнозирования значений параметров КФС, в каждый момент времени окна прогноза

по данным значений признаков КФС в каждый момент времени входного окна L. Входное окно L и окно прогноза

находятся внутри периода наблюдения и выбираются в зависимости от характеристик КФС. Горизонт прогноза h также выбирают в зависимости от характеристик КФС. Прогнозные значения признаков вычисляются по формуле:FIG. 6 shows an example of the dependence of the values of one feature on time, as well as the input window L, the forecast window

and forecast horizon h. In general, the input window L and the forecast window

may or may not intersect. With regard to the presented example, the operation of the system and the method of training the predictive model of the values of the CPS attributes and calculating the error threshold R to determine the anomaly and having certain characteristics of the CPS according to FIG. 2-3. The training sample, formed on the basis of the initial sample and taking into account the characteristics of the CPS, includes the values of the CPS signs for the observation period (for example, the entire interval from 16:00 to 16:08). Using the training sample, a model for predicting the values of the CPS parameters is built, at each time point of the forecast window

according to the values of the CPS attributes at each time point of the input window L. The input window L and the forecast window

are within the observation period and are selected depending on the characteristics of the CPS. The forecast horizon h is also chosen depending on the characteristics of the CPS. The predicted values of the characteristics are calculated using the formula:

F (⋅) - forecasting model.

The forecasting model is trained on the data of the entire training set. Then predict the values of the FSC attributes at each time point of the observation period. This can be done by moving the input window and the forecast horizon in such a way as to ultimately obtain the predicted values of the CPS attributes at each time point of the observation period. After that, the total forecast error for the CPS parameters is determined at each time point of the forecast window. In a particular example of implementation, the total forecast error at time t is the average error:

может быть определена как ошибка прогноза признака с номером

в момент времени t≥0. В еще одном частном примере реализации порог общей ошибки прогноза R может быть вычислен как квантиль заданной точности от общей ошибки прогноза

(например, квантиль порядка 0,95). Таким образом, аномалия возникнет при

. Кроме того, к общей ошибке прогноза может быть применено экспоненциальное сглаживание.Difference

can be defined as a forecast error for characteristic number

at time t≥0. In another particular example of implementation, the threshold of the total forecast error R can be calculated as a quantile of a given accuracy of the total forecast error

(for example, the quantile is of the order of 0.95). Thus, an anomaly occurs when

... In addition, exponential smoothing can be applied to the overall forecast error.

. Для окна прогноза определяют общую ошибку прогноза для признаков КФС и при превышении общей ошибкой прогноза порога общей ошибки, определяют аномалию в КФС. После чего определяют по меньшей мере один признак КФС, являющийся источником аномалии, если вклад этого признака КФС в общую ошибку прогноза выше чем вклад других признаков КФС в общую ошибку прогноза.With reference to the presented example, the operation of a system and a method for determining the source of an anomaly in a CPS having certain characteristics according to FIG. 4-5. Depending on the implementation example, the values of the FSC signs are received either in real time to determine the source of the anomaly in the FSC at the current time, or for the historical observation period for retrospective determination of the source of the anomaly in the FSC. For illustration, an example of an implementation is considered below, in which the values of the CPS features are received in real time. Thus, the values of the CPS features come out of the input window L (which is determined by the trained forecasting model, see Figs. 2-3). Then, using the trained forecasting model and according to the obtained values of the CPS features for the input window L, the values of the CPS features are predicted for the forecast window

... For the forecast window, the general forecast error for the CPS signs is determined, and when the total forecast error exceeds the total error threshold, the anomaly in the CPS is determined. After that, at least one CPS indicator is determined, which is the source of the anomaly, if the contribution of this CPS indicator to the total forecast error is higher than the contribution of other CPS indicators to the total forecast error.

FIG. 7 shows examples of dependencies of feature values, feature prediction values and general forecast error on time in the vicinity of the time of the anomaly occurrence. The first two graphs show the dynamics of changes in the values of features, i.e. real values obtained from the respective control subjects (sensors, actuators and PID controllers), as well as the dynamics of their predicted values obtained using the systems and methods described in FIG. 2-5. The lower graph shows the dynamics of the total forecast error (for both signs) and the moment it exceeds the total error threshold, which means the occurrence of an anomaly.

In one particular implementation, exponential smoothing is applied to the overall prediction error. This is necessary to reduce the Type I error.

FIG. 8 shows an example of the dynamics of the total forecast error before smoothing and after smoothing. The graph shows that in the first case, using the system and method according to FIG. 4-5, the anomaly detection means 222 would determine the anomaly due to the total error exceeding the total error threshold, and in the second case, the anomaly is not determined, which is more true due to the reduction of short-term error deviations. That is, the smoothing of the general forecast error makes it possible to reduce the possibility of multiple detection of one anomaly, as well as noise in the mentioned error. After detecting the anomaly, the CPS signs are determined, which are the source of the anomaly, with the greatest contribution to the overall forecast error.

In a particular example of implementation, the mean error of degree p> 0 (for example, the root-mean-square error) can be used as the general forecast error. In another particular implementation example, the total forecast error can be a weighted mean error of degree p.

In a particular example of implementation in the system and method described in FIG. 4-5, when detecting an anomaly, the user (operator) of the FSC can be displayed related information about the detected anomaly. For example, graphs of changes in parameter values in a period covering the time point of anomaly detection. In addition, the graph can display the predicted values of the parameters, the total error threshold and the error threshold of the corresponding parameter, as well as an indication at the time of detection of the anomaly and the parameters that are the sources of the anomaly. After additional analysis, the user of the FSC can confirm or deny the detection of the anomaly, the parameters that are the source of the anomaly. This will reduce the error of the first kind and improve the accuracy of determining anomalies and identifying the parameters that are the source of this anomaly. In more detail, a data generation system for monitoring a cyber-physical system for the purpose of early detection of anomalies in a graphical user interface (GUI) system will be presented below, in Fig. nine.

FIG. 9 shows a data generation system for monitoring a cyber-physical system for the purpose of early detection of anomalies in the graphical user interface system (hereinafter referred to as the graphical user interface system, abbreviated GUI). The GUI system contains at least one GUI element for selecting a feature 910, containing, in particular, a list of features of a cyber-physical system (hereinafter referred to as a list of features), and designed to receive information about the selected user (also - operator) FSC at least one the FSC sign from the mentioned list of signs. Feature list selection is performed using the GUI to select feature list 911. In addition, at least one GUI element for time period selection 920 is configured to receive information about a user-selected time period for monitoring selected CFC features. The system also contains a predictor 221 designed to generate a forecast for the CPS signs for a specified monitoring time period and an anomaly detection tool 222 designed to generate a general forecast error for the selected CPS signs and a forecast error for each of the selected CPS signs for a specified monitoring time period. Meanwhile, the predicting means 221 and the anomaly detecting means 222 may operate according to the previously described system and method of FIG. 4-5 and in the corresponding private implementations. In addition, the embodiments described with respect to FIGS are also applicable to the GUI system. 2-5.

At least one GUI element for generating graphs 930 is intended to generate, over a specified period of time, monitoring for the data values generated by the prediction means 221 and the anomaly detection means 222. In a particular embodiment, said data values include, in particular, the following:

• each selected attribute of the FSC;

• forecast for each selected CPS attribute;

• general forecast error for CPS signs;

• forecast errors for each selected CPS attribute;

• the threshold of the total forecast error.

The means for determining anomaly 222 is additionally designed to determine an anomaly in the CPS when the total forecast error exceeds the threshold of the total error, while the GUI element for generating graphs 930 is additionally designed to generate data on the anomaly in the CPS and generate a graph of values for at least one of all signs of the CPS (that is, from the previously mentioned list of features), if the contribution of the forecast error of the mentioned at least one CPS feature to the total forecast error is higher than the contribution of at least one other CPS feature (also from among all the CPS features from the feature list) to the total forecast error ...

FIG. 9 and FIG. 10a-10b also provide an illustrative example of the operation of the described system. Namely, using the GUI element to select the feature 910 by the user, the features are selected for which the graphs are generated (built) using the GUI to generate the graphs 930 for the specified monitoring time period 920.

For example, in FIG. 10a, the top two plots are plots of real values and predicted values for the selected features ("A_feed_stream1" and "A_reactor_feed"). The lower third graph shows the total forecast error for all CPS features (that is, calculated based on the real and predicted values of all CPS features from the mentioned list of features) and the total forecast error threshold (horizontal line). At the same time, the moment of occurrence of the anomaly in the FSC is also displayed (vertical dashed line in the center on each of the graphs), - the moment in time when the total forecast error exceeds the threshold of the total error. Because the total forecast error is the sum of the forecast errors of features, then the forecast error of each feature may be insignificant, while the total forecast error may exceed the threshold of the general error, resulting in an anomaly. Therefore, such an anomaly is problematic for the user of the CFS. However, the use of the FIG. 9 of the system makes it possible to simplify this process, namely, to determine the moment of occurrence of the anomaly and generate graphs of the values of the CPS attributes and the predicted values of the mentioned attributes (with their subsequent provision to the user). The mentioned plots, generated by the GUI for the formation of plots 930, can be generated (and displayed to the user) both for the features selected by the user and for the features (from among all the CPS features) from the mentioned list of features that have the largest forecast error (that is, the contribution to the overall prediction error for these features is higher than the contribution of the other selected features). It is these signs that are the most likely sources of the anomaly.

In a particular example of the implementation described in FIG. 9, the GUI system additionally contains a GUI element for selecting the display mode 940, designed to receive information about the monitoring mode selected by the user for the selected CPS features: in real time, in the encoding-decoding mode, while if the real-time mode is selected, the said GUI element for generating graphs 930 generates graphs of these values at the current time, (see Fig. 10a-10c).

The described system also contains a GUI element for generating the forecast error of feature 921, designed to receive information about the user-selected mode of formation or not to generate a forecast error for the selected features into the GUI element to generate graphs 930. In this example, the mean squared error , MSE). For example, in FIG. 10a and FIG. 10c, the display of the characteristic forecast error is not selected. At the same time, in FIG. 10b, the display of the forecast error of the attribute is selected - as a result of this choice, in the GUI element for generating graphs 930, after the graph for each attribute, a graph is displayed for the forecast error of this attribute. For example, the first schedule is for characteristic "A_feed_stream1", the second schedule contains a forecast error for this characteristic. The bottom-most graph displays the overall forecast error for the features.

The GUI element for selecting the display order 922 is intended to receive information about the user-selected sorting method and display the selected features on the GUI element to generate graphs 930. For example, the sorting mode (English sorted tags, selected in FIGS. 10a-10b) can be selected, when the graphs of characteristic values will be sorted by the largest forecast error - from the largest forecast error for a characteristic in the first graph to the smallest forecast error for a characteristic in the last graph. This display mode may be the default display mode. And it allows the system to automatically generate and provide the FSC user with information about the most probable place of anomaly and TP violation. The display mode can also be selected in the order in which the selected features are contained in the previously mentioned list of FSC features (selected in Fig. 10c).

In another particular example of implementation, the GUI system additionally contains at least one GUI element for selecting events 950 (see Fig. 12) intended for generating a list of FSC events in which an anomaly occurred and, when the user selects one of the mentioned events, said at least At least one GUI element for selecting events 950 is designed to generate for the selected event a graph of the values of said data at the time of the anomaly and for the specified monitoring time period.

In one particular example of implementation, the mentioned list 910 for each of the features of the CPS additionally contains:

a) attribute identifier;

b) description of the feature;

c) forecast errors for the feature;

d) the observed value of the feature;

e) the predicted value of the feature;

f) units of measure of the attribute;

g) permissible limits of change of the attribute;

h) linking the feature to the equipment (PLC, etc.).

FIG. 11a shows a GUI element for settings of forecast errors 970, designed to receive information about the user's choice to display the GUI for changing forecast errors 971, which in turn serves to display the current value of the threshold of the total forecast error and is intended to receive information about changes made by the user to the values of the mentioned threshold of the total forecast error. As a result, the GUI for changing forecast errors 971 will change the value of the said threshold of the total forecast error. For example, the user can raise the threshold for the overall prediction error when there are a lot of false positives. Obviously, the changed value of the threshold of the general forecast error will also entail corresponding changes in determining the anomaly in the FSC (in Fig. 4 - Fig. 5).

FIG. 11b GUI for changing forecast errors 971 is additionally designed to display the values of the weighting coefficients for the forecast errors of each selected CPS attribute and serves to receive the changes made by the user in the values of the indicated weighting coefficients. In this case, the overall prediction error will be recalculated, for example, by the predictor 221 using the modified values of the indicated weights.

In another particular example of implementation, at least one of the elements of the GUI for grouping features 912 is designed to receive information about the group of features selected by the user, in particular, related to one PID controller, while the GUI element for generating graphs 930 generates graphs of said values for the specified monitoring time period for the CPS signs from the selected group of signs, allowing the user to quickly switch between the various created groups, which can be tied to the TP areas that are important from the user's point of view.

In one particular implementation example, at least one GUI element for displaying feature groups 913 is intended for displaying CPS features from the generated feature groups. That is, as a result of the grouping of features by means of the GUI 912, feature groups displayed in the GUI 913 will be formed, while the user has the opportunity to select, edit the indicated groups, and also display graphs of values for the CPS features from the specified groups using the GUI 930.

In another particular example of implementation, at least one GUI element is functionally capable of forming sublists from the user-selected FSC features and, when the user selects said sublist, to generate graphs of values for features from said sublist (not shown in the figures).

FIG. 13 shows an element of the GUI for selecting models 960, designed to select a model for predicting the values of CPS attributes.

FIG. 14 shows a method of generating data for monitoring a cyber-physical system for the purpose of early detection of anomalies in a graphical user interface (GUI) system. At step 1410, using at least one GUI element to select a feature 910 containing, in particular, a list of features of a cyber-physical system (CPS), information about a user-selected at least one feature of a CPS from said list of features is received. Next, at step 1420, using at least one GUI element to select a time period 920, information is received about the user-selected time period for monitoring the selected FSC features. Then, at step 1430, using the predictor 221, a forecast of the values of the FSC features is generated for the specified monitoring time period using the forecasting model of the values of the selected FSC features. Then, at step 1440, using the anomaly determination means 222, for the specified monitoring time period, the total forecast error for the selected FSC features and the forecast error for each selected FSC feature are determined. As a result, at step 1450, using at least one GUI element to generate graphs 930, graphs are generated for the indicated monitoring time period for each of the following values that are necessary for monitoring the CPS:

• each selected attribute of the FSC;

• forecast for each selected CPS attribute;

• general forecast error for CPS signs;

• forecast errors for each selected CPS attribute;

• the threshold of the total forecast error.

Particular examples of implementation described earlier in FIG. 9-13 are also applicable to the GUI system and the method of FIG. fourteen.

Obviously, the system and method of FIG. 9-14 provide a graphical user interface that allows a user to monitor a cyber physical system for early detection of anomalies, and implement automated user control of a cyber physical system for early detection of anomalies. In addition, a technical problem will be solved, which consists in the absence of a system and a method for generating data for monitoring a cyber-physical system, for performing anomaly detection in a graphical user interface system, in which the time elapsed from the moment the anomaly occurred in the CFS until the moment of its detection was would be lower than that of existing analogues.

FIG. 15 is an example of a general purpose computer system with which the present invention may be implemented. In one particular example of implementation using a computer system, a learning tool 211, a calculator 212, a remote server 213, as well as a predictor 221 and an anomaly detection tool 222 can be implemented. circuits (including the central processor and / or graphics processor). Returning to the general purpose computer system shown in FIG. 15, a personal computer or server 20, contains a central processor 21, a system memory 22 and a system bus 23, which contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any known from the prior art bus a structure that in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus that can interact with any other bus architecture. System memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains basic procedures that transfer information between the elements of the personal computer 20, for example, at the time of loading the operating room. systems using ROM 24.

The personal computer 20, in turn, contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31, such as CD-ROM, DVD -ROM and other optical media. The hard disk 27, the magnetic disk drive 28, and the optical drive 30 are connected to the system bus 23 via the hard disk interface 32, the magnetic disk interface 33, and the optical drive interface 34, respectively. Drives and corresponding computer storage media are non-volatile storage media for computer instructions, data structures, program modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29 and a removable optical disk 31, but it should be understood that other types of computer storage media 56 are possible that are capable of storing data in a computer readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55.

The computer 20 has a file system 36, where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38 and program data 39. The user (operator) has the ability to enter commands and information into the personal computer 20 through input devices (keyboards 40 , manipulator "mouse" 42). Other input devices may be used (not shown): microphone, joystick, game console, scanner, etc. Such input devices are conventionally connected to the computer system 20 through a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, etc. ...

The personal computer 20 is capable of operating in a networked environment using a network connection with other or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the entity. the personal computer 20 shown in FIG. 15. In a computer network, there may also be other devices, such as routers, network stations, peer-to-peer devices or other network nodes.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks (also information systems), internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, personal computer 20 is connected to local network 50 via a network adapter or network interface 51. When using networks, personal computer 20 may use a modem 54 or other means of providing communication with a wide area network, such as the Internet. Modem 54, which is an internal or external device, is connected to the system bus 23 via a serial port 46. It should be noted that the network connections are only exemplary and are not required to reflect the exact configuration of the network, i. E. in fact, there are other ways of establishing a connection by technical means of communication of one computer with another.

In accordance with the description, the components, stages of execution, data structure described above can be performed using various types of operating systems, computer platforms, programs.

In conclusion, it should be noted that the information given in the description are examples, which do not limit the scope of the present invention defined by the claims.

Claims (37)

1. A method for determining the sources of anomalies in a cyber-physical system (CPS), in which: a) using the forecasting tool, the values of the CPS signs are obtained for the input window, which is a time interval and contained within the observation period, while the input window is determined by the trained forecasting model, while the CPS signs are the numerical characteristics of control subjects; b) using a forecasting tool using a trained forecasting model and according to the obtained values of the CPS attributes for the input window, forecasting the values of the CPS attributes for the forecast window, which is a time interval and is contained within the observation period; c) using the means for determining anomalies for the forecast window, determine the total forecast error for the CPS signs; d) using the means for determining anomalies when the total forecast error exceeds the total error threshold, determine the anomaly in the CPS; e) using the means for determining the anomalies, at least one CPS indicator is determined, which is the source of the anomaly, if the contribution of the forecast error of the mentioned at least one CPS indicator to the total forecast error is higher than the contribution of at least one other CPS indicator to the total forecast error. 2. The method according to claim 1, in which, if the values of the CPS attributes are received in real time, the total forecast error is determined for the forecast window after a time equal to the sum of the forecast horizon and the input window. 3. The method according to claim 1, in which, if the values of the CPS attributes are contained in the initial sample for the historical observation period, the total forecast error is determined for the forecast window according to the data of the initial sample for the historical observation period. 4. The method of claim 1, wherein the cyber-physical system has at least one of the following characteristics: • the industry in which the cyber-physical system operates; • types of processes that describe the parameters of the CPS, in particular, one of: continuous, conveyor, cyclic; • the presence of seasonality and / or trends in the signs of the FSC; • inertness of FSC processes; • time of the FSC reaction to changes in the FSC and in the external environment; • the level of danger of production for personnel and the environment; • cost of downtime of technological processes due to abnormal situations; • type of control, in particular, performed using PID controllers, state machines or a combined method; • the type of the subject of control, which is characterized by at least one feature, while the type of the subject of control is one of: a sensor, an actuator or a PID controller; • data of self-diagnostics of FSC; • the state of the subject of management: working or non-working; • the interconnection of the subjects of management at the level of the technical process. 5. The method according to claim 1, in which when calculating the total forecast error, the errors of each CPS feature are used, which determine the contribution of the forecast error of the said at least one CPS feature to the total forecast error, and for the said errors of each CPS feature, weighting coefficients are used, while : a) using the training tool, a low value is assigned to the weighting factor for the feature, if the control subject, characterized by this feature, provides data with noisy, or invalid data, or is periodically disabled by the user of the FSC; b) using the teaching tool, a low value is assigned to the weighting coefficient for a feature in which the occurrence of an anomaly does not affect the operation of the CPS, and a high value is assigned to the weighting coefficient for a feature in which the occurrence of an anomaly affects the operation of the CPS. 6. The method according to claim 5, in which the value of the weighting coefficient of the feature is selected using the training tool, which depends on the accuracy of predicting the CPS features. 7. The method of claim 1, wherein the prediction model uses a neural network. 8. The method according to claim 7, wherein the neural network is optimized using genetic algorithms. 9. The method according to claim. 8, in which the neural network is selected according to the data of the labeled initial sample, using one of the quality metrics: NAB-metric, F1-metric. 10. The method according to claim 1, in which the technical documentation of the FSC or the user report is obtained on the anomalies previously detected by the trained system, while the weight of the feature is selected using the training tool depending on the significance of the specified feature and on the basis of the technical documentation of the FSC or the user's report. 11. The system for determining the sources of anomalies in the cyber-physical system (CPS), containing: a) a forecasting tool designed for: • obtaining the values of the CPS signs for the input window, which is a time interval and contained within the observation period, while the input window is determined by the trained forecasting model, while the CPS signs are the numerical characteristics of control subjects; • predicting the values of the CPS attributes for the forecast window, which is a time interval and contained within the observation period, using the trained forecasting model and according to the data of the obtained values of the CPS attributes for the input window; b) an anomaly detection tool designed for: • determination of the total forecast error for the forecast window for the CPS attributes; • determination of the anomaly in the CPS when the total forecast error exceeds the total error threshold; • determination of at least one CPS feature, which is the source of the anomaly, if the contribution of the forecast error of the mentioned at least one CPS feature to the total forecast error is higher than the contribution of at least one other CPS feature to the total forecast error.

Images