| 主权项 |
1. A method for use in identifying abnormal behavior in a supervisory control and data acquisition (SCADA) system including a learning system, said method comprising:
receiving, by a computing device, a plurality of operating events associated with the SCADA system, wherein the operating events represent at least one physical operating event; determining, by the computing device, an actual behavior of the SCADA system based on the operating events; dynamically identifying, by the learning system, at least one correlation between a plurality of past operating events stored in a past event database; creating an artificial intelligence (AI) event correlation model based on the at least one correlation identified by the learning system; comparing, by the computing device, the actual behavior of the SCADA system to the AI event correlation model to determine whether the actual behavior differs from the AI event correlation model; comparing, by the computing device and independent of said comparing the actual behavior of the SCADA system to the AI event correlation model, the actual behavior of the SCADA system to user policies using a complex event processing component; receiving, by the computing device, an indication of whether the actual behavior is abnormal from a user when the actual behavior differs from the AI event correlation model; and updating, by the computing device, the AI event correlation model based on the received indication. |
