US 12,437,063 B2
Unified multi-agent system for abnormality detection and isolation
Masoud Abbaszadeh, Clifton Park, NY (US); Weizhong Yan, Clifton Park, NY (US); Justin Varkey John, Cohoes, NY (US); and Matthew Christian Nielsen, Scotia, NY (US)
Assigned to GE VERNOVA INFRASTRUCTURE TECHNOLOGY LLC, Greenville, SC (US)
Filed by General Electric Company, Schenectady, NY (US)
Filed on Apr. 12, 2021, as Appl. No. 17/228,162.
Prior Publication US 2022/0327204 A1, Oct. 13, 2022
Int. Cl. G06F 21/32 (2013.01); G06F 21/55 (2013.01); G06N 20/00 (2019.01)
CPC G06F 21/554 (2013.01) [G06N 20/00 (2019.01); G06F 2221/034 (2013.01)]
17 Claims
 
1. A system to protect a cyber physical system, comprising:
a plurality of real-time monitoring nodes to receive streams of monitoring node signal values over time that represent a current operation of the cyber physical system; and
a threat detection computer platform comprising:
a local status determination module comprising an ensemble of local agents, the ensemble of local agents including two or more pluralities of local agents, wherein each plurality of local agents determines a local normal/abnormal status for a respective node of the plurality of real-time monitoring nodes, and the local status determination module is adapted to determine an anomaly status for the plurality of real-time monitoring nodes, wherein each local agent is trained with data representing a different mode of operation of the plurality of real-time monitoring nodes, and wherein each real-time monitoring node is one of a sensor, an actuator, a controller, a component and a sub-system;
a global status determination module comprising an ensemble of global agents, wherein each global agent monitors a portion of the cyber physical system and the global status determination module is adapted to determine an anomaly status for the cyber physical system;
a memory storing instructions; and
a computer processor to execute the instructions to cause the threat detection computer platform to:
receive the monitoring node signal values;
generate feature vectors from the received monitoring node signal values;
fuse, via a first status fusion module, global agent output from a plurality of global agents, the fusion generating a final global system status indicating a global normal/abnormal decision for the cyber physical system, wherein each global agent outputs its own respective anomaly status based on a comparison of global agent-specific feature vectors of the generated feature vectors to a global agent-specific decision boundary, wherein the fusion is: 1. a rule-based fusion including at least one of majority voting and dynamic detection selection, or 2. a machine-learning (ML)-based fusion;
fuse, via a second status fusion module, local agent output from each respective plurality of local agents, the fusion generating a final local node status for the respective node indicating a local normal/abnormal decision for the respective node, wherein each local agent outputs its own respective anomaly status based on a comparison of local agent-specific feature vectors of the generated feature vectors to a local agent-specific decision boundary, wherein the fusion is: 1. a rule-based fusion including at least one of majority voting and dynamic detection selection, or 2. a machine-learning (ML)-based fusion;
receive at a decision fusion module: 1. the final local node status for each respective node, and 2. the final global system status;
fuse, via the decision fusion module, the final local node status for each monitoring node and the final global system status for the cyber physical system; and
wherein each of the local status determination module, the global status determination module and the decision fusion module is a software module.
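
The majority-voting variant of the two-level fusion recited in claim 1, as an added Python sketch that is not taken from the patent. The linear decision boundaries, the (mean, largest step) feature vector, the decision-fusion rule, and all agent weights and sample windows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Agent:
    # Assumed linear decision boundary: w.x + b > 0 means "abnormal".
    weights: tuple
    bias: float

    def abnormal(self, fv):
        return sum(w * f for w, f in zip(self.weights, fv)) + self.bias > 0

def features(window):
    # Assumed feature vector per node: (mean, largest step between samples).
    steps = [abs(b - a) for a, b in zip(window, window[1:])]
    return (sum(window) / len(window), max(steps))

def majority(votes):
    return 2 * sum(votes) > len(votes)      # ties resolve to "normal"

def local_status(node_agents, windows):
    # Second status fusion module: one fused status per monitoring node.
    return {n: majority([a.abnormal(features(windows[n])) for a in agents])
            for n, agents in node_agents.items()}

def global_status(global_agents, windows):
    # First status fusion module: each global agent sees only its portion.
    votes = [a.abnormal(tuple(f for n in nodes for f in features(windows[n])))
             for nodes, a in global_agents]
    return majority(votes)

def decide(local, glob):
    # Assumed decision-fusion rule (the claim text does not give one).
    flagged = sorted(n for n, bad in local.items() if bad)
    return {"system_abnormal": glob or bool(flagged), "abnormal_nodes": flagged}

# Constructed agents and data, for illustration only.
NODE_AGENTS = {
    "temp":  [Agent((0, 1), -5), Agent((1, 0), -60), Agent((1, 0), -80)],
    "speed": [Agent((0, 1), -5), Agent((1, 0), -120), Agent((1, 0), -150)],
}
GLOBAL_AGENTS = [
    (("temp", "speed"), Agent((0, 1, 0, 1), -10)),
    (("temp",), Agent((1, 0), -55)),
    (("speed",), Agent((0, 1), -5)),
]
NORMAL = {"temp": [50, 51, 50, 51], "speed": [100, 100, 101, 100]}
SPOOFED = {"temp": [50, 51, 70, 72], "speed": [100, 100, 101, 100]}

def run(windows):
    return decide(local_status(NODE_AGENTS, windows),
                  global_status(GLOBAL_AGENTS, windows))
```

In the constructed `SPOOFED` window, two of the three `temp` agents and two of the three global agents cross their boundaries, so the node is flagged even though the agent tuned for a higher operating mode stays silent.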