WO2018136088A1 - OTxIT network inspection system using cluster-analysis-based anomaly detection (original French title: Système d'inspection de réseau OTxIT utilisant une détection d'anomalie basée sur une analyse de groupe) - Google Patents
- Publication number: WO2018136088A1 (application PCT/US2017/014440)
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, data, grids, cluster, command
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]

- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Definitions
- The physical platform can be configured to support multi-domain IoT services such as smart grid, predictive maintenance and optimized factory, using virtual machines of the service platform and a virtual wide area network of the IT network.
- The quality and security requirements differ between services.
- Example implementations can logically detect anomalies using actual energy-consumption data from a microgrid, via NIS implementations.
- Example implementations can confirm logical anomalies as actual anomalies using sensor data in combination with network attributes and OT protocol inspection from NIS implementations.
- FIG. 3 illustrates an example of security implementations for IT systems and OT systems.
- FIG. 7A illustrates an example OT Command / Format Dictionary Table, in accordance with an example implementation.
- FIG. 7B illustrates an example flow diagram for the OT Protocol Inspector, in accordance with an example implementation.
- FIG. 8A illustrates an example FFT range table, in accordance with an example implementation.
- FIG. 9 illustrates a configuration of function blocks, in accordance with an example implementation.
- FIG. 17 illustrates example anomaly detection over each connection shown over a map, in accordance with an example implementation.
- OT protocol information 104-4 can include communication information (com), reply information (reply), sequence information (seq), and acknowledgement information (ack).
- NIS 103 receives packets from Mirror/Tap 102 at the TCP/IP header inspector.
- FIG. 13 illustrates an example flow for Clustering 1022, in accordance with an example implementation.
- Clustering 1022 determines the grid with the largest density at 2301. In the example of FIG. 12, the largest-density grid is identified at 2204.
- That grid is set as an independent cluster and assigned cluster number 1.
- Clustering 1022 then finds the grid with the next largest density at 2303. If such a grid exists (2304), Clustering 1022 checks at 2305 whether a neighbouring grid with a larger density exists. If yes, the grid is merged with that neighbour (joining its cluster), as shown at 2307 and illustrated at 2205 in FIG. 12. If no, the grid is set as an independent cluster, as shown in FIG. 12 at 2206.
- FIG. 16 illustrates example anomaly detection over each connection from using cluster analysis, in accordance with an example implementation.
- a dashboard 1601 can be provided to compare OT parameters with a desired OT or IT parameter, as described with respect to FIGS. 15(a) to 15(d).
- a dashboard 1602 can also be provided to indicate when clusters are generated or when new clusters are detected for selected OT or IT parameters.
- Another dashboard 1603 can also be provided to indicate connections from both OT and IT devices, which can include information such as wide area network (WAN) internet protocol (IP) address, local area network (LAN) IP address, WAN port, LAN port, WAN round trip delay (RRT), OT sequence number, OT sensor data, OT frequency, and loss in WAN connection.
- Abbreviations used above: WAN, wide area network; IP, internet protocol; LAN, local area network; RRT, WAN round trip delay.
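The FIG. 13 clustering flow and the "new cluster detected" indication of dashboard 1602, written out as an added Python example (this is not code from the patent or its assignee). The page does not state the grid cell size, the neighbourhood rule, or which two parameters span the plane; the example assumes 5x5 cells, 8-connected neighbours and a (WAN round-trip delay in ms, OT sensor value) plane, and all sample connections are constructed. Grids are visited in descending density; a grid with a strictly denser neighbour is merged into that neighbour's cluster, otherwise it starts an independent cluster. A connection landing on a grid that no baseline cluster covers is the case the dashboard raises.

```python
"""Grid-density clustering of per-connection attributes (FIG. 13 flow)
and the 'new cluster' indication of dashboard 1602.

Added example; assumptions not stated on the page: a two-parameter plane
(WAN round-trip delay in ms, OT sensor value), 5x5 grid cells and an
8-connected neighbourhood. Sample data below is constructed.
"""
from collections import Counter, defaultdict

CELL = (5.0, 5.0)  # assumed grid cell size per axis


def make_points(gx, gy, n):
    """Construct n sample connections that all fall inside grid (gx, gy)."""
    return [(gx * 5 + (i % 5) + 0.5, gy * 5 + ((i * 3) % 5) + 0.5) for i in range(n)]


# Constructed baseline: a dense operating mode around grid (4, 10) with a few
# neighbouring grids, and a second mode around grid (16, 10).
BASELINE = (
    make_points(4, 10, 30) + make_points(3, 10, 8) + make_points(5, 10, 6)
    + make_points(4, 11, 5) + make_points(16, 10, 20) + make_points(17, 10, 4)
)
# Constructed new connections: two in-profile, two off-profile.
NEW_CONNECTIONS = [(22.0, 52.0), (81.0, 51.0), (150.0, 10.0), (21.0, 95.0)]


def to_grid(point, cell=CELL):
    return (int(point[0] // cell[0]), int(point[1] // cell[1]))


def grid_density(points, cell=CELL):
    """Density = number of connections observed in each grid."""
    return Counter(to_grid(p, cell) for p in points)


def neighbours(grid):
    gx, gy = grid
    return [(gx + dx, gy + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1) if (dx, dy) != (0, 0)]


def cluster_grids(density):
    """Return {grid: cluster number} following the FIG. 13 flow: visit grids in
    descending density (2301/2303); a grid that has a denser neighbour is merged
    with it (2305/2307), otherwise it becomes an independent cluster (2302/2306).
    Neighbours of strictly larger density were visited earlier, so they are
    always labelled already; equal-density neighbours are not merged."""
    labels = {}
    next_number = 1
    for grid in sorted(density, key=lambda g: (-density[g], g)):
        denser = [n for n in neighbours(grid) if density.get(n, 0) > density[grid]]
        if denser:
            labels[grid] = labels[max(denser, key=lambda n: density[n])]
        else:
            labels[grid] = next_number
            next_number += 1
    return labels


def cluster_sizes(density, labels):
    sizes = defaultdict(int)
    for grid, number in labels.items():
        sizes[number] += density[grid]
    return dict(sizes)


def score_connections(points, labels, cell=CELL):
    """Map each connection to the baseline cluster covering its grid, or None
    when no baseline cluster covers it (candidate anomaly)."""
    return [(p, labels.get(to_grid(p, cell))) for p in points]


def detect_new_clusters(baseline, incoming, cell=CELL):
    """Re-cluster baseline + incoming and report grids that were not part of
    any baseline cluster, with the cluster number they now carry (the event
    dashboard 1602 raises when new clusters are detected)."""
    base_labels = cluster_grids(grid_density(baseline, cell))
    all_labels = cluster_grids(grid_density(list(baseline) + list(incoming), cell))
    return sorted((g, c) for g, c in all_labels.items() if g not in base_labels)


if __name__ == "__main__":
    density = grid_density(BASELINE)
    labels = cluster_grids(density)
    print("clusters:", cluster_sizes(density, labels))
    for point, number in score_connections(NEW_CONNECTIONS, labels):
        print(point, "-> cluster", number if number else "none (anomaly)")
    print("new clusters:", detect_new_clusters(BASELINE, NEW_CONNECTIONS))
```

With the constructed baseline the six occupied grids collapse into two clusters (sizes 49 and 24); the two off-profile connections each land on an empty grid and appear as new single-grid clusters, which is the signal an operator would want to see on dashboard 1602 before confirming it against the OT sensor data.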
Abstract
Example implementations described herein are directed to network inspection systems (NIS) configured to provide a security solution covering operational technology (OT) networks. Example implementations may involve a fast Fourier transform (FFT) block and a historical data generator to compute bandwidth and sensor values cyclically across each connection. Example implementations also involve an OT protocol inspector and an OT command/format dictionary to extract OT-layer data on each connection. Example implementations further involve cluster analysis using sensor or other data in addition to network attributes for each connection, and provide an interface to indicate anomalies associated with such data across each connection.
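The FFT-block check from the abstract, as an added Python example (not the patent's code): the cyclic bandwidth series of one connection is transformed, its dominant cycle is compared against a per-connection range table, and a missing or out-of-range cycle is reported. The page does not reproduce the columns of the FFT range table of FIG. 8A, so a (min Hz, max Hz, minimum peak magnitude) layout is assumed; the connection name "plc-01", the 1 Hz sampling rate and all three series are constructed. A plain DFT is used so the block runs without NumPy.

```python
"""FFT-block style cycle check for one connection (abstract and FIG. 8A).

Added example; not code from the patent. The page does not give the
FFT range table's columns, so a (min Hz, max Hz, minimum peak magnitude)
layout per connection is assumed. A plain DFT is used so this runs
without NumPy. All series below are constructed.
"""
import cmath
import math

FS = 1.0   # assumed sampling rate: one bandwidth sample per second
N = 64     # samples per analysis window

# Constructed bytes-per-second series for one OT connection.
NORMAL = [100 + 20 * math.cos(2 * math.pi * n / 4) for n in range(N)]     # polled every 4 s
FAST_POLL = [100 + 20 * math.cos(2 * math.pi * n / 2) for n in range(N)]  # polled every 2 s
BULK = [500.0] * N                                                        # flat transfer, no cycle

# Assumed FFT range table: connection -> (min_hz, max_hz, min_peak_magnitude)
FFT_RANGE_TABLE = {"plc-01": (0.2, 0.3, 100.0)}


def dft_magnitudes(xs):
    """Single-sided magnitude spectrum (bins 1..N/2) of the mean-removed series."""
    n = len(xs)
    mean = sum(xs) / n
    centred = [x - mean for x in xs]
    return [
        abs(sum(centred[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
        for k in range(1, n // 2 + 1)
    ]


def dominant_frequency(xs, fs=FS):
    """Return (frequency in Hz, peak magnitude) of the strongest cycle."""
    mags = dft_magnitudes(xs)
    idx = max(range(len(mags)), key=mags.__getitem__)
    return (idx + 1) * fs / len(xs), mags[idx]


def check_connection(conn, xs, fs=FS, table=FFT_RANGE_TABLE):
    """Compare the connection's dominant cycle with its range-table entry."""
    lo, hi, min_mag = table[conn]
    freq, mag = dominant_frequency(xs, fs)
    if mag < min_mag:
        return "anomaly: no dominant cycle"
    if not lo <= freq <= hi:
        return f"anomaly: cycle {freq:.3f} Hz outside [{lo}, {hi}] Hz"
    return "ok"


if __name__ == "__main__":
    for name, series in (("NORMAL", NORMAL), ("FAST_POLL", FAST_POLL), ("BULK", BULK)):
        print(name, check_connection("plc-01", series))
```

The mean is removed before the transform so that a flat bulk transfer shows no peak at all rather than a large DC bin; the minimum-magnitude column is what turns that case into a finding, while the frequency bounds catch a second client polling the same device twice as fast.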
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2017/014440 WO2018136088A1 (fr) | 2017-01-20 | 2017-01-20 | OTxIT network inspection system using cluster-analysis-based anomaly detection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2017/014440 WO2018136088A1 (fr) | 2017-01-20 | 2017-01-20 | OTxIT network inspection system using cluster-analysis-based anomaly detection |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018136088A1 (fr) | 2018-07-26 |
Family
ID=62908273
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2017/014440 WO2018136088A1 (fr) | OTxIT network inspection system using cluster-analysis-based anomaly detection | 2017-01-20 | 2017-01-20 |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2018136088A1 (fr) |
Application Events
- 2017-01-20: PCT/US2017/014440 (published as WO2018136088A1) filed with WO; status: active application filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070289013A1 (en) * | 2006-06-08 | 2007-12-13 | Keng Leng Albert Lim | Method and system for anomaly detection using a collective set of unsupervised machine-learning algorithms |
US20090234899A1 (en) * | 2008-03-11 | 2009-09-17 | Paragon Science, Inc. | Systems and Methods for Dynamic Anomaly Detection |
US20110145262A1 (en) * | 2009-12-15 | 2011-06-16 | International Business Machines Corporation | Measuring node proximity on graphs with side information |
US20130245793A1 (en) * | 2011-03-28 | 2013-09-19 | International Business Machines Corporation | Anomaly detection system, anomaly detection method, and program for the same |
US20140074796A1 (en) * | 2011-12-12 | 2014-03-13 | International Business Machines Corporation | Dynamic anomaly, association and clustering detection |
US20160301709A1 (en) * | 2015-04-09 | 2016-10-13 | Accenture Global Services Limited | Event correlation across heterogeneous operations |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114270281A (zh) * | 2019-08-29 | 2022-04-01 | Siemens AG (西门子股份公司) | Method and system for security monitoring of an OT system |
CN113361869A (zh) * | 2021-05-19 | 2021-09-07 | Shanghai Tianmai Energy Technology Co., Ltd. (上海天麦能源科技有限公司) | Artificial-intelligence anomaly detection method and system for gas pipeline networks |
CN113361869B (zh) * | 2021-05-19 | 2023-11-24 | Shanghai Tianmai Energy Technology Co., Ltd. (上海天麦能源科技有限公司) | Artificial-intelligence anomaly detection method and system for gas pipeline networks |
Similar Documents
Publication | Title |
---|---|
CN107667505B (zh) | System and method for monitoring and managing a data center |
US10397260B2 (en) | Network system |
EP3248358B1 (fr) | Packet capture for anomalous traffic flows |
US9860154B2 (en) | Streaming method and system for processing network metadata |
US9825835B2 (en) | Systems and methods for implementing a traffic visibility network |
EP3133793A1 (fr) | Method for mitigating cyber attacks on industrial control systems |
US10218731B2 (en) | Method and system for data breach and malware detection |
CA3207248A1 (fr) | System and techniques for distributed traffic management |
Karimi et al. | Distributed network traffic feature extraction for a real-time IDS |
US20200186547A1 (en) | Detecting encrypted malware with SPLT-based deep networks |
US20160094517A1 (en) | Apparatus and method for blocking abnormal communication |
JP2016508353A (ja) | Improved streaming method and system for processing network metadata |
US11336545B2 (en) | Network device measurements employing white boxes |
EP3417571B1 (fr) | Method and system for compressing and optimizing in-transit and in-line information security data |
Jung et al. | Anomaly Detection in Smart Grids based on Software Defined Networks |
US9722955B2 (en) | Buffered session filtering for inline bypass application |
WO2018136088A1 (fr) | OTxIT network inspection system using cluster-analysis-based anomaly detection |
US11863584B2 (en) | Infection spread attack detection device, attack origin specification method, and program |
EP2760181A1 (fr) | Methods and systems for providing redundancy in data network communications |
US11165682B2 (en) | Session aware adaptive packet filtering |
CN105099799A (zh) | Botnet detection method and controller |
Khemapatapan | 2-Stage Soft Defending Scheme Against DDoS Attack Over SDN Based on NB and SVM |
CN109547418B (zh) | Data transmission network system based on software-defined networking (SDN) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 17893085; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: PCT application non-entry in European phase | Ref document number: 17893085; Country of ref document: EP; Kind code of ref document: A1 |