Title of invention: Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems
Abstract: The embodiments described herein include a system and a method. In one embodiment, a system includes a device monitoring component configured to measure control system behavior and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network. The intrusion prevention system includes a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set to determine whether an anomaly, an intrusion, or both are present.
Publication number: US9405900(B2) Publication date: 2016.08.02
Application number: US201313801496 Filing date: 2013.03.13
Applicant: General Electric Company Inventors: Dixit Paritosh; Thanos Daniel
Classification: G06F21/55; H04L29/06 Main classification: G06F21/55
Agency: Parks IP Law LLC Agent: Parks Cynthia R.; Parks IP Law LLC
Main claim: 1. A system comprising: a device monitoring component configured to measure control system behavior; and an intrusion prevention system communicatively coupled to the device monitoring component and a communications network, wherein the intrusion prevention system includes: a control system analysis component configured to analyze the control system behavior measured by the device monitoring component against a first rule set; a network analysis component configured to analyze network parameters of communication packets transmitted over the communications network against a second rule set by performing a comparison between the network parameters and data included in a first list and in a second list and classifying the communication packets as at least one of an anomaly and an intrusion based on a result of the comparison; and a machine learning and correlated analysis component configured to: correlate results from the control system analysis component and the network analysis component; determine when the correlated results lead to a false positive or a false negative; and modify the first rule set and the second rule set when a false positive or a false negative is detected.
Address: Schenectady NY US