| CPC H04L 63/1433 (2013.01) [G05B 19/4155 (2013.01); G06N 20/00 (2019.01); H04L 63/1425 (2013.01); G05B 2219/31368 (2013.01)] | 20 Claims |
|
1. A non-transitory computer-readable medium, comprising computer-executable instructions that, when executed by one or more processors, cause the one or more processors to:
receive data associated with network communication from a plurality of devices in an industrial automation system;
identify one or more communication patterns within the network communication based on the data;
identify one or more devices of the plurality of devices based on one or more identifiers associated with the one or more communication patterns;
determine one or more communication metrics associated with each device of the one or more devices using the one or more communication patterns, wherein the one or more communication metrics comprise a number of messages per unit time, a data volume, a duration of communication, a number of connections to the one or more devices, a source error rate, or a destination error rate;
generate an actor model based on the one or more communication patterns and the one or more communication metrics, wherein the actor model comprises expected communication metrics of each device of the one or more devices;
generate a network model based on the actor model, wherein the network model comprises a plurality of expected properties of the network communication relative to the expected communication metrics of each device of the one or more devices, wherein the plurality of expected properties of the network communication comprises a density component, a centrality component, a modularity component, and an entropy component, and wherein the density component is associated with a determined respective amount of repetitive communications of each device of the one or more devices based on the expected communication metrics, the centrality component is associated with a determined respective amount of communications of each device of the one or more devices with respect to a threshold amount of communications determined based on the expected communication metrics, the modularity component is associated with a determined formation of one or more interaction-based groups of two or more devices of the one or more devices in a set pattern based on the expected communication metrics, and the entropy component is associated with a determined level of uncertainty associated with communications between the one or more devices based on the expected communication metrics;
generate, using machine learning, a state-space model comprising a plurality of time-series patterns based on the plurality of expected properties of the network communication of the network model with respect to time;
receive additional data associated with the network communication from the plurality of devices in the industrial automation system after receiving the data;
detect one or more anomalies in the network communication based on a comparison between one or more network metrics associated with the additional data and the state-space model; and
send a notification to a computing device in response to detecting the one or more anomalies.
|