Anomaly detection in industrial communications networks

A communication-network anomaly detection technology, applied in the fields of error detection/correction, general control systems, electrical testing/monitoring, etc. It addresses problems such as interruption of plant operations, difficulty of detection, and the generation of errors or alarms, with the effect of reducing workload and reducing the false positive rate.

Active Publication Date: 2016-09-14
FISHER-ROSEMOUNT SYST INC
8 Cites, 38 Cited by

AI Technical Summary

Problems solved by technology

Although it is possible to run background virus scanning software at every node of the communication network, this software takes up a lot of storage space and processing resources, needs to be updated regularly (which requires significant network maintenance resources and time), and still cannot detect zero-day viruses.
[0009] In many cases, a virus or unauthorized software at a plant device or network node may degrade the performance of that device or network, may interrupt normal plant operations, may cause errors or alarms at that node or other nodes in the network, or may cause other serious and noticeable problems.
In some of these cases, the operator or other plant personnel may be able to detect the presence of the virus relatively easily, but it is still difficult to detect the location of the virus.
Furthermore, in many other cases, a virus or attack may operate undetected for a long period of time: while it may degrade network operations slightly, such degradation or other impact on plant operations may be negligible, so it is very difficult to detect.
As a result, in many cases, viruses may go undetected for long periods of time, during which time they may operate to reduce plant efficiency, allow the theft of plant data, allow more serious intrusions, expose network devices to serious attack or damage, etc.


Examples


Embodiment Construction

[0016] In general, the network security systems described herein perform threat detection by detecting anomalies in network traffic patterns (e.g., traffic or message content, frequency, timing, length, etc.) at or across nodes in an industrial system or process control network. This can be done efficiently because the a priori nature of industrial system or process control network configurations allows measured traffic patterns to be compared with expected or known patterns. That is, the configuration of network communications in a process control, industrial system, or factory automation network is usually fairly well known prior to the implementation or operation of that communications network, so network traffic patterns do not tend to change significantly during the use or operation of those networks. Instead, network communication traffic patterns tend to be relatively static (in a statistical sense) during the operation of the communicat...


Abstract

The anomaly detection system detects unexpected changes or anomalies in traffic patterns in order to detect potentially infected nodes. The detection system generally consists of distributed data collection modules at each node of a network and a centralised or separate anomaly analysis engine. The collection modules view the message traffic into and out of the node to generate metadata pertaining to that message traffic. This metadata is sent to the analysis engine, which processes it using a rules engine that analyses the metadata with a set of logic rules, and which can also use traffic pattern baseline data, to determine whether the traffic patterns at the nodes are anomalous. If the engine determines that a pattern is anomalous, it generates a message and may also perform some corrective action, for example disconnecting the node from the network.
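The collection/analysis split described in the abstract and in paragraph [0016], as an added example that is not code from the patent or its applicant: constructed per-node metadata records are checked against a statistical baseline by a small set of logic rules. The record fields, rule names, the 3-sigma threshold and the 5% sigma floor are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed metadata, as per-node collection modules might report it:
# (interval, node, peer, message_type, message_count, mean_length_bytes)
BASELINE = [
    (0, "ctrl-1", "hmi-1", "read", 100, 64), (0, "ctrl-1", "valve-7", "write", 10, 32),
    (1, "ctrl-1", "hmi-1", "read", 102, 64), (1, "ctrl-1", "valve-7", "write", 10, 32),
    (2, "ctrl-1", "hmi-1", "read", 98, 64), (2, "ctrl-1", "valve-7", "write", 11, 32),
]
LIVE = [
    (10, "ctrl-1", "hmi-1", "read", 101, 64),     # matches baseline
    (10, "ctrl-1", "valve-7", "write", 40, 32),   # write rate far above baseline
    (10, "ctrl-1", "host-x", "read", 5, 64),      # peer never seen in baseline
    (11, "ctrl-1", "hmi-1", "read", 99, 900),     # message length far above baseline
    (11, "ctrl-1", "hmi-1", "download", 1, 512),  # message type new for this pair
]

def build_baseline(records):
    """Per (node, peer, type): mean and stdev of count and length across intervals."""
    series = defaultdict(list)
    for _, node, peer, mtype, count, length in records:
        series[(node, peer, mtype)].append((count, length))
    stats = {}
    for key, obs in series.items():
        counts, lengths = zip(*obs)
        stats[key] = (mean(counts), pstdev(counts), mean(lengths), pstdev(lengths))
    return stats

def deviates(value, mu, sigma, k):
    # Assumption: sigma is floored at 5% of the mean so a flat baseline is not over-sensitive.
    return abs(value - mu) > k * max(sigma, 0.05 * mu)

def analyze(records, stats, k=3.0):
    """Apply the logic rules to live metadata; return (interval, node, rule, detail)."""
    known_pairs = {(node, peer) for node, peer, _ in stats}
    findings = []
    for interval, node, peer, mtype, count, length in records:
        key = (node, peer, mtype)
        if (node, peer) not in known_pairs:
            findings.append((interval, node, "unknown-peer", peer))
        elif key not in stats:
            findings.append((interval, node, "unknown-message-type", mtype))
        else:
            mu_c, sd_c, mu_l, sd_l = stats[key]
            if deviates(count, mu_c, sd_c, k):
                findings.append((interval, node, "rate", count))
            if deviates(length, mu_l, sd_l, k):
                findings.append((interval, node, "length", length))
    return findings
```

Running `analyze(LIVE, build_baseline(BASELINE))` yields one finding per anomalous record, each of which corresponds to the message the analysis engine would generate for that node.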

Description

Technical field

[0001] In general terms, this application relates to process or industrial plant communication systems, and in particular, this application relates to detecting intrusions into control and maintenance communication networks (such as those used in process and industrial control systems) based on the detection of message traffic anomalies in plant communication networks.

Background technique

[0002] Process or industrial control and maintenance systems, such as distributed or scalable process control systems like those used in power generation, chemical, petroleum, or other manufacturing processes, typically include one or more controllers communicatively coupled to at least one host or operator workstation via the process control network and to one or more field devices via an analog, digital, or combined analog/digital bus. Field devices (which can be, for example, valves, valve positioners, switches, and transmitters (such as temperatu...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
CPC: H04L63/1425, H04L43/04, H04L63/00, H04L43/12, G05B1/01, G05B23/02, G06F11/3006, G06F11/34, G06F21/55, H04L43/02, H04L43/062, H04L63/1408
Inventor: R·A·米克瑟, G·K·劳, A·E·卡特钦
Owner FISHER-ROSEMOUNT SYST INC