Knowledge graph for real time industrial control system security event monitoring and management
Inventors
Pi, Jiaxing • Wei, Dong • Pfleger de Aguiar, Leandro • Wu, Yinghui
Assignees
Siemens AG • Washington State University WSU
Publication Number
US-11973777-B2
Publication Date
2024-04-30
Expiration Date
2039-07-09
Interested in licensing this patent?
MTEC can help explore whether this patent might be available for licensing for your application.
Abstract
Methods and systems are disclosed for security management in an industrial control system (ICS). An event entity detection and linking module generates a model for a plurality of event entities extracted from a plurality of different data sources including one ICS data source and one IT data source. The model encodes a set of linked event entities and their relationships, each event entity associated with a vector of attribute value pairs. A data standardization of domain knowledge includes translating, by a machine learning application, extracted knowledge base information to rules for the constraints and using the rules to validate the constraints and to add new constraints. A fusion module performs temporal correlation detection across data streams of the different data sources for establishing causality between triplets of association models within a defined time span.
Core Innovation
The invention discloses methods and systems for security management in an industrial control system (ICS) by generating a model for a plurality of event entities extracted from various data sources, including at least one ICS data source and one IT data source. The model encodes linked event entities and their relationships, each entity carrying a vector of attribute-value pairs. The system leverages a lightweight ontological knowledge base that integrates heterogeneous data streams from both IT and OT domains, supporting real-time event detection, incremental querying, and knowledge extraction from diverse sources.
To solve the challenges in correlating information across IT and OT layers, which is typically time-consuming and requires collaboration between experts, the invention establishes standardized data formats and employs machine learning applications to translate domain knowledge (including engineering documentation and diagrams) into rules and constraints for validating and enhancing the event models. Fusion modules perform temporal correlation detection to establish causality between event entities by analyzing data streams within defined time windows, supporting adaptation to evolving contexts and enabling holistic, coherent responses to security events.
The addressed problem is that current ICS security monitoring solutions lack unified frameworks to combine heterogeneous data from multiple domains, provide real-time situation awareness for complex events, and support root cause analysis through cross-domain correlations. Existing tools are unable to link anomalies across independent monitoring domains or deliver a context-rich, actionable interface for operators. The proposed invention integrates causal reasoning, temporal analysis, and interactive user interfaces, offering improved detection, validation, and explanation of potential security events in ICS infrastructures.
Claims Coverage
The patent claims disclose four main inventive features for security management and event detection in industrial control systems.
Event entity detection, linking, and standardized modeling across ICS and IT data sources
A processor and memory hosting application modules that detect and link event entities from at least one industrial control system (ICS) data source and at least one information technology (IT) data source. The system generates a model as a collection of triples encoding linked event entities and their relationships, where each event entity is associated with a vector of attribute-value pairs. Data standardization functions extract information from a domain knowledge base (which includes engineering documentation), translate this information via a machine learning application into rules for constraints, and apply these rules to validate and add new constraints.
Temporal and contextual correlation for association models and causality detection
The system performs temporal and contextual correlation by developing data stream association models subject to temporal dependencies, controlling model decay, and taking into account spatial-temporal-ontological contexts. A fusion module detects temporal correlations across data streams from different sources, enabling the establishment of causality between triplets of association models within a defined time span.
Automated detection and resolution of data inconsistencies using semantic constraints
The event entity detection and linking module is configured to detect data inconsistencies based on violations of semantic constraints, which are defined by conditional functional dependencies between attributes and values of linked event entity pairs. Upon detecting inconsistencies, the system resolves them by either removing linked attribute-value pairs or updating the values associated with the violation.
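The following added example (not code from the patent or its assignees) sketches how the pieces of these claims fit together: events from an ICS and an IT source as attribute-value vectors, a fusion step that emits candidate causality triples for cross-source events inside a defined time span, and a conditional functional dependency checked over linked pairs and resolved by updating the offending value. The sample events, the 30-second span and the choice of the ICS source as the authority for resolution are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    eid: str
    source: str        # "ICS" or "IT" data source
    ts: datetime
    attrs: dict        # vector of attribute-value pairs

# Constructed sample events (a firewall alert and two PLC log entries); not real data.
EVENTS = [
    Event("e1", "IT",  datetime(2024, 1, 1, 10, 0, 0),  {"asset": "PLC-7", "ip": "10.0.0.7",  "kind": "port_scan"}),
    Event("e2", "ICS", datetime(2024, 1, 1, 10, 0, 12), {"asset": "PLC-7", "ip": "10.0.0.17", "kind": "mode_change"}),
    Event("e3", "ICS", datetime(2024, 1, 1, 10, 5, 0),  {"asset": "PLC-9", "ip": "10.0.0.9",  "kind": "setpoint_write"}),
]
SPAN = timedelta(seconds=30)   # assumed "defined time span" for the fusion step

def temporal_links(events, span):
    """Fusion step: pair events from different sources whose timestamps lie within
    `span`, emitting (earlier, 'precedes', later) triples as causality candidates."""
    ordered = sorted(events, key=lambda e: e.ts)
    triples = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.ts - a.ts > span:
                break              # later events are further away still
            if a.source != b.source:
                triples.append((a.eid, "precedes", b.eid))
    return triples

# Conditional functional dependency on a linked pair: if the condition attribute
# agrees on both events, the dependent attribute must agree as well.
CFD = {"if_equal": "asset", "then_equal": "ip"}

def cfd_violations(events, triples, cfd):
    by_id = {e.eid: e for e in events}
    cond, dep = cfd["if_equal"], cfd["then_equal"]
    return [(s, o, dep) for s, _, o in triples
            if by_id[s].attrs[cond] == by_id[o].attrs[cond]
            and by_id[s].attrs[dep] != by_id[o].attrs[dep]]

def resolve(events, violations, authority="ICS"):
    """Resolve each violation by updating the dependent value on the
    non-authoritative side (assumption: the ICS record is treated as ground truth)."""
    by_id = {e.eid: e for e in events}
    for s, o, attr in violations:
        a, b = by_id[s], by_id[o]
        src, dst = (a, b) if a.source == authority else (b, a)
        dst.attrs[attr] = src.attrs[attr]
    return events
```

Removing the linked pair instead of updating it, the other resolution the claim names, would simply drop the offending triple from the model.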
Graphical user interface module for operator query, validation, and event analysis
A graphical user interface module enables operator interaction for question-and-answer sessions, including:
- Generating keywords from low-level description questions to directly query the domain knowledge base
- Rewriting high-level questions (e.g., missing factors) to counterpart queries that help generate quantified ranking scores of relationships, verifying whether a missing factor is critical to an event
This interface supports operator validation, fact checking of data inconsistencies, and verification of applied constraints during event linking.
The claims cover a comprehensive system supporting standardized event modeling, cross-domain correlation and causality analysis, automated inconsistency detection and resolution, and an interactive user interface for operator engagement in ICS security monitoring.
Stated Advantages
Enables real-time, online data processing, querying, and reasoning for ICS security events using a heterogeneous knowledge base.
Standardizes and correlates heterogeneous data from both IT and OT domains, supporting detection and response to complex events.
Supports root cause analysis and differentiates between cyberattacks and physical faults through temporal and contextual association rules.
Provides a user-friendly, context-rich graphical interface for operators, enhancing system monitoring and decision-making.
Facilitates automated detection and resolution of data inconsistencies, improving data integrity and reducing manual intervention.
Documented Applications
Security monitoring and assessment of heterogeneous data in large-scale industrial control systems.
Detection and root cause analysis of complex security events by linking IT and OT data streams within ICS environments.
Operator interface for querying security events, ranking anomalies, analyzing sensor correlations, and fact-checking in ICS systems.