US 11,689,544 B2
Intrusion detection via semantic fuzzing and message provenance
Gabriela Ciocarlie, New York, NY (US); Michael E. Locasto, Lebanon, NJ (US); Cherita Corbett, Rockville, MD (US); and Dejan Jovanovic, Brooklyn, NY (US)
Assigned to SRI INTERNATIONAL, Menlo Park, CA (US)
Appl. No. 16/85,199
Filed by SRI International, Menlo Park, CA (US)
PCT Filed Mar. 15, 2017, PCT No. PCT/US2017/022418
§ 371(c)(1), (2) Date Sep. 14, 2018,
PCT Pub. No. WO2017/160913, PCT Pub. Date Sep. 21, 2017.
Claims priority of provisional application 62/318,420, filed on Apr. 5, 2016.
Claims priority of provisional application 62/308,563, filed on Mar. 15, 2016.
Prior Publication US 2019/0089722 A1, Mar. 21, 2019
Int. Cl. G06F 21/55 (2013.01); H04L 67/12 (2022.01); H04L 9/40 (2022.01); H04L 67/50 (2022.01)
CPC H04L 63/1416 (2013.01) [G06F 21/552 (2013.01); G06F 21/554 (2013.01); H04L 63/1408 (2013.01); H04L 67/535 (2022.05); H04L 67/12 (2013.01)] 24 Claims
OG exemplary drawing
 
1. An intrusion detection method for protecting against sequences of operationally valid control messages that in combination harm or disrupt devices in an operational control system comprising multiple devices, the method comprising:
gathering, by one or more processors, current contextual information which includes a set of physical constraints on control system properties;
determining, by the one or more processors, system-level correlations between different pairwise connections across the multiple devices based on operationally valid control messages and the current contextual information;
generating, by the one or more processors and based on the system-level correlations, a history of message sequences between the devices of the operational control system, and the current contextual information, a plurality of candidate sequences of operationally valid control messages;
determining, by the one or more processors, a subset of one or more candidate sequences of the plurality of candidate sequences of operationally valid control messages that would result in actual harm based on an operational effect to the operational control system from each candidate sequence of the plurality of candidate sequences of operationally valid control messages; and
monitoring, by the one or more processors, the operationally valid control messages communicated in the operational control system and reporting a threat when a harmful sequence of messages is identified matching at least one of the subset of one or more candidate sequences of operationally valid control messages that would result in actual harm.
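Claim 1 describes a pipeline: take the physical constraints as context, model how messages on different pairwise connections interact at system level, enumerate candidate sequences of individually valid messages, simulate each to find the subset whose operational effect is actually harmful, and then match live traffic against that subset. The following is an added illustration of that pipeline on a toy plant; it is not code from the patent or from SRI. The tank/pump/valve model, the constraint values, the message vocabulary, the initial state and the observed message stream are all constructed assumptions.

```python
"""Toy semantic-fuzzing intrusion detector for a tank-level control loop.
Added illustration, not SRI's implementation: plant model, constraints, message
vocabulary and the observed message stream are all constructed for this example."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, List, Tuple

Seq = Tuple[str, ...]
Alert = Tuple[int, Seq, str]  # (stream index, matched sequence, harm)

# Contextual information: physical constraints on control-system properties
# (constructed values; a real deployment takes them from plant engineering data).
CONSTRAINTS = {"capacity": 100.0,   # tank volume; exceeding it is an overflow
               "pump_rate": 30.0,   # inflow per time step while the pump runs
               "drain_rate": 40.0}  # outflow per time step while the valve is open

# Operationally valid control messages: each one is legitimate on its own.
VOCAB = ("PUMP_ON", "PUMP_OFF", "VALVE_OPEN", "VALVE_CLOSE")

@dataclass(frozen=True)
class State:
    level: float
    pump_on: bool
    valve_open: bool

INITIAL = State(level=50.0, pump_on=False, valve_open=False)  # constructed context

def step(state: State, msg: str) -> State:
    """Apply one message, then advance the plant one time step. The shared level
    is the system-level correlation between the pump and valve connections."""
    if msg == "PUMP_ON":
        state = replace(state, pump_on=True)
    elif msg == "PUMP_OFF":
        state = replace(state, pump_on=False)
    elif msg == "VALVE_OPEN":
        state = replace(state, valve_open=True)
    elif msg == "VALVE_CLOSE":
        state = replace(state, valve_open=False)
    else:
        raise ValueError(f"not an operationally valid message: {msg}")
    inflow = CONSTRAINTS["pump_rate"] if state.pump_on else 0.0
    outflow = CONSTRAINTS["drain_rate"] if state.valve_open else 0.0
    return replace(state, level=max(0.0, state.level + inflow - outflow))

def harm(state: State) -> str:
    """Name the violated physical constraint, or '' if none is violated."""
    if state.level > CONSTRAINTS["capacity"]:
        return "overflow"
    if state.pump_on and state.level <= 0.0:
        return "pump dry-run"
    return ""

def operational_effect(seq: Seq, initial: State = INITIAL) -> str:
    """Simulate a candidate sequence; return the first harm it causes, if any."""
    state = initial
    for msg in seq:
        state = step(state, msg)
        h = harm(state)
        if h:
            return h
    return ""

def harmful_sequences(max_len: int, initial: State = INITIAL) -> Dict[Seq, str]:
    """Semantic fuzzing: enumerate sequences of valid messages up to max_len and
    keep those whose operational effect violates a constraint. Only minimal ones
    are kept (no proper prefix is harmful), since the monitor fires on the prefix."""
    found: Dict[Seq, str] = {}
    for n in range(1, max_len + 1):
        for seq in product(VOCAB, repeat=n):
            if any(seq[:k] in found for k in range(1, n)):
                continue
            h = operational_effect(seq, initial)
            if h:
                found[seq] = h
    return found

def monitor(stream: List[str], harmful: Dict[Seq, str]) -> List[Alert]:
    """Slide over observed messages; report (index, sequence, harm) when the most
    recent messages match a harmful candidate. Shortest match wins per message."""
    longest = max((len(s) for s in harmful), default=0)
    alerts: List[Alert] = []
    for i in range(len(stream)):
        for n in range(1, min(longest, i + 1) + 1):
            window = tuple(stream[i - n + 1:i + 1])
            if window in harmful:
                alerts.append((i, window, harmful[window]))
                break
    return alerts

# Constructed observed traffic: every message is individually valid and each
# pairwise connection (operator->pump, operator->valve) looks normal on its own.
OBSERVED = ["VALVE_CLOSE", "PUMP_ON", "VALVE_OPEN", "PUMP_OFF", "VALVE_OPEN", "PUMP_ON"]

def demo() -> List[Alert]:
    return monitor(OBSERVED, harmful_sequences(max_len=3))

if __name__ == "__main__":
    for seq, h in harmful_sequences(max_len=3).items():
        print(f"{h:13s} <- {' '.join(seq)}")
    for idx, seq, h in demo():
        print(f"THREAT at message {idx}: {' '.join(seq)} ({h})")
```

Two caveats a practitioner would want. First, the harmful subset is conditioned on the context it was generated from (here `INITIAL` and `CONSTRAINTS`); when the plant state or the constraints change, the candidate set has to be regenerated, which is why the claim ties candidate generation to current contextual information rather than a fixed rule list. Second, exhaustive enumeration grows exponentially in sequence length and vocabulary size, and a monitor that matches literal sequences is blind to the same attack with benign messages interleaved; the claim's use of system-level correlations and message history to steer candidate generation, and a monitor that tracks estimated plant state instead of only pattern-matching, are the natural ways to address both.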