Patent abstract:
According to some embodiments, a plurality of heterogeneous data source nodes can each generate a series of data source node values over time associated with the operation of a power grid control system. An offline abnormal state detection model building computer can receive the series of data source node values and perform a resource extraction process to generate an initial set of resource vectors. The modeling computer can then perform resource selection with a multi-model and multidisciplinary framework to generate a vector subset of selected resources. According to some embodiments, resource dimensionality reduction can also be performed to generate the selected subset of resources. At least one decision limit can be automatically calculated and produced for an abnormal state detection model based on the selected subset of vector resources.
Publication number: BR102018003437A2
Application number: R102018003437-5
Filing date: 2018-02-22
Publication date: 2018-12-04
Inventors: Weizhong Yan; Masoud ABBASZADEH; Lalit Keshav MESTHA
Applicant: General Electric Company;
Main IPC number:
Patent description:

(54) Title: SYSTEM TO PROTECT AN ELECTRICITY NETWORK CONTROL SYSTEM, COMPUTERIZED METHOD TO PROTECT AN ELECTRICITY NETWORK CONTROL SYSTEM AND NON-TRANSITIONAL MEDIA
(51) Int. Cl.: H04L 29/06; G06N 3/08; G06N 99/00.
(30) Union Priority: 03/09/2017 US 15/454,219.
(71) Applicant(s): GENERAL ELECTRIC COMPANY.
(72) Inventor(s): WEIZHONG YAN; MASOUD ABBASZADEH; LALIT KESHAV MESTHA.
(57) Summary: According to some embodiments, a plurality of heterogeneous data source nodes can each generate a series of data source node values over time associated with the operation of a network control system of electricity. An offline abnormal state detection model creation computer can receive the series of data source node values and perform a resource extraction process to generate an initial set of resource vectors. The model creation computer can then perform resource selection with a multi-model and multidisciplinary structure to generate a vector subset of selected resources. According to some embodiments, the reduction of the dimensionality of the resources can also be performed to generate the selected subset of resources. At least one decision threshold can be calculated and produced automatically for an abnormal state detection model based on the selected vector subset of resources.
“SYSTEM TO PROTECT AN ELECTRICITY NETWORK CONTROL SYSTEM, COMPUTERIZED METHOD TO PROTECT AN ELECTRICITY NETWORK CONTROL SYSTEM AND NON-TRANSITIONAL MEDIA”
Background to the Invention
[001] Electricity networks are increasingly connected to the Internet. As a result, control systems associated with electrical power networks can be vulnerable to threats, such as cyber attacks (for example, associated with computer viruses, malicious software, etc.) that can harm the generation and distribution of electricity, damage equipment, etc. Current methods of protection against this type of damage mainly consider the detection of threats in Information Technology (“IT”, such as computers that store, retrieve, transmit and manipulate data) and Operation Technology (“OT”, such as direct monitoring and communication line (bus) interfaces). Cyber threats can still penetrate through these layers of protection and reach the physical “domain”. Such attacks can decrease the performance of a control system and can cause complete shutdown or even catastrophic damage. Currently, Fault Detection, Isolation and Accommodation (“FDIA”) approaches only analyze sensor data, but a threat can occur in connection with other types of data source nodes. Also note that FDIA is limited to naturally occurring faults in one sensor at a time. FDIA systems do not address multiple failures that occur simultaneously, as these are usually due to malicious intent. Therefore, it would be desirable to protect an electrical power network from malicious intentions, such as cyber attacks, automatically and accurately.
Petition 870180135014, of 9/27/2018, p. 5/53
Brief Description of the Invention
[002] According to some embodiments, a plurality of heterogeneous data source nodes can each generate a series of data source node values over time associated with the operation of an electric power network control system. An offline abnormal state detection model creation computer can receive the series of data source node values and perform a resource extraction process to generate an initial set of resource vectors. The model creation computer can then perform the resource selection with a multi-model and multidisciplinary structure to generate a vector subset of selected resources. At least one decision threshold can be calculated and produced automatically for an abnormal state detection model based on the selected vector subset of resources.
[003] Some embodiments include: means for receiving, from a plurality of heterogeneous data source nodes, a series of data source node values over time associated with the operation of an electrical power network control system; means for executing, by means of an offline abnormal state detection model creation computer, a resource extraction process to generate an initial set of resource vectors; means for carrying out resource selection with a multi-model and multidisciplinary structure to generate a selected subset of resource vectors; and means for automatically calculating and producing at least one decision limit for an abnormal state detection model based on the selected resource vector subset.
[004] Some technical advantages of some of the embodiments described here are improved systems and methods to protect an electricity network from malicious intentions, such as cyber attacks, automatically and accurately.
Brief Description of the Figures
[005] Figure 1 is a high-level block diagram of a system that can be supplied according to some embodiments.
[006] Figure 2 is a method according to some embodiments.
[007] Figure 3 is a threat alert system according to some embodiments.
[008] Figure 4 illustrates limits and a vector of resources for an electric power network parameter, according to some embodiments.
[009] Figure 5 is an architecture of an offline and real-time anomaly decision and early warning tool, according to some embodiments.
[010] Figure 6 is an offline anomaly decision limit tool, according to some embodiments.
[011] Figure 7 illustrates a real-time decision, event / threat assessment and early warning system, according to some embodiments.
[012] Figure 8 is a resource vector information flow diagram, according to some embodiments.
[013] Figure 9 is a method for creating a subset of the selected resource, according to some embodiments.
[014] Figure 10 illustrates a system for creating a decision limit, according to some embodiments.
[015] Figure 11 is a block diagram of a power grid protection platform, according to some embodiments of the present invention.
[016] Figure 12 is a tabular portion of an electricity grid database, according to some embodiments.
[017] Figure 13 is a tabular portion of the data source database, according to some embodiments.
[018] Figure 14 is a tabular portion of an alert database, according to some embodiments.
[019] Figure 15 is a display screen, according to some embodiments.
Detailed Description of the Invention
[020] In the following detailed description, several specific details are presented in order to provide a complete understanding of the embodiments. However, it will be understood by those skilled in the art that embodiments can be practiced without these specific details. In other cases, well-known methods, procedures, components and circuits have not been described in detail so as not to obscure the embodiments.
[021] Electricity network control systems that operate physical systems are increasingly connected to the Internet. As a result, these control systems can be vulnerable to threats and, in some cases, multiple attacks can occur simultaneously. Existing approaches to protecting an electricity grid control system, such as FDIA approaches, may not adequately address these threats. Therefore, it would be desirable to protect an electrical power network from malicious intentions, such as cyber attacks, automatically and accurately. Figure 1 is a high-level architecture of a system (100) according to some embodiments. The system (100) can include a “normal” spatial data source (110) and an “abnormal” spatial data source (120). The normal spatial data source (110) can store, for each one of a plurality of heterogeneous “data source nodes” (130) (shown in Figure 1 as “DS1”, “DS2”, “DSN” for “1, 2, ... N” different data source nodes), a series of normal values over time that represent the normal functioning of an electricity network (for example, generated by a model or collected from the actual data of the data source nodes (130), as illustrated by the dashed line in Figure 1). As used herein, the phrase “data source node” can refer, for example, to sensor data, signals sent to actuators and auxiliary equipment, intermediate parameters that are not direct sensor signals and/or control logic(s). These may represent, for example, threat data source nodes that receive data from the threat monitoring system on an ongoing basis in the form of continuous signals or data streams or combinations thereof. In addition, the nodes (130) can be used to monitor occurrences of cyber threats or abnormal events. This data path can be designed specifically with encryption or other protection mechanisms so that information can be protected and cannot be tampered with via cyber attacks. The abnormal spatial data source (120) can store, for each of the data source nodes (130), a series of abnormal values that represent an abnormal operation of the electricity network (for example, when the system is experiencing a cyber attack). According to some embodiments, the data source nodes (130) provide “heterogeneous” data. That is, the data can represent information from widely diverse areas, such as data from social networks, wireless network data (for example, Wi-Fi data), meteorological data (for example, temperature data, information from the National Oceanic and Atmospheric Administration (NOAA), etc.), IT inputs, etc.
[022] Information from the normal spatial data source (110) and the abnormal spatial data source (120) can be provided to an offline abnormal state detection model creation computer (140) that uses that data to create a decision boundary (that is, a boundary that separates normal behavior from abnormal behavior). The decision limit can then be used by an abnormal state detection computer (150) running an abnormal state detection model (155). The abnormal state detection model (155) can, for example, monitor data flows from data source nodes (130) comprising data from sensor nodes, actuator nodes, and/or any other critical data source node (for example, data source nodes DS1 through DSN), calculate at least one “resource” for each data source node based on the data received, and “automatically” present a threat alert signal to one or more remote monitoring devices (170) when appropriate (for example, for display to a user). According to some embodiments, a threat alert signal can be transmitted to a unit controller, a plant human-machine interface (“HMI”) or to a customer using several different transmission methods. Note that a receiver of a threat alert signal can be a cloud database that correlates multiple attacks across a wide range of power grid assets. As used herein, the term “resource” can refer, for example, to mathematical characterizations of data. Examples of resources applied to the data may include the maximum, the minimum, the mean, the standard deviation, the variance, the amplitude, the current value, the settling time, the spectral components of the Fast Fourier Transform (“FFT”), linear and non-linear principal components, independent components, sparse coding resources, deep resource learning, etc. In addition, the term “automatically” can refer, for example, to actions that can be performed with little or no human intervention. According to some embodiments, information about a detected threat can be transmitted back to the power grid control system.
[023] As used herein, devices, including those associated with the system (100) and any other device described here, can exchange information through any communication network, which may be one or more of a Local Area Network (“LAN”), a Metropolitan Area Network (“MAN”), a Wide Area Network (“WAN”), a proprietary network, a Public Switched Telephone Network (“PSTN”), a Wireless Application Protocol (“WAP”) network, a Bluetooth network, a wireless LAN network and/or an Internet Protocol (“IP”) network, such as the Internet, an intranet or an extranet. Note that any devices described here can communicate through one or more of these communication networks.
[024] The offline abnormal state detection model creation computer (140) can store information in and/or retrieve information from various data stores, such as the normal spatial data source (110) and/or the abnormal spatial data source (120). The various data sources can be stored locally or reside remotely from the offline abnormal state detection model creation computer (140) (which can be associated, for example, with offline or online learning). Although a single offline abnormal state detection model creation computer (140) is shown in Figure 1, any number of these devices can be included. In addition, various devices described herein can be combined according to the embodiments of the present invention. For example, in some embodiments, the offline abnormal state detection model creation computer (140) and one or more data sources (110, 120) may comprise a single apparatus. The functions of the offline abnormal state detection model creation computer (140) can be performed by a constellation of networked devices, in a distributed processing or cloud-based architecture.
[025] A user can access the system (100) through one of the monitoring devices (170) (for example, a Personal Computer (“PC”), a tablet or a smartphone) to view information about and/or manage threat information according to any of the embodiments described here. In some cases, an interactive graphical display interface may allow a user to define and/or adjust certain parameters (for example, abnormal state detection trigger levels) and/or provide or receive automatically generated recommendations or results from the offline abnormal state detection model creation computer (140) and/or the abnormal state detection computer (150).
[026] For example, Figure 2 illustrates a method that can be performed by some or all elements of the system (100) described in relation to Figure 1. The flowcharts described here do not imply a fixed order for the steps, and the embodiments of the present invention can be practiced in any order that is practicable. Note that any of the methods described here can be performed by hardware, software or any combination of these approaches. For example, a computer-readable storage medium can store instructions that, when executed by a machine, result in performance according to any of the embodiments described here.
[027] In S210, a plurality of heterogeneous real-time data source node signal inputs can receive streams of data source node signal values over time that represent a current operation of a power grid. At least one of the data source nodes (for example, controller nodes, etc.) can be associated, for example, with sensor data, an auxiliary equipment input signal, an intermediate control parameter and/or a logic control value.
[028] In S220, a real-time threat detection computer platform can receive the data source node signal value streams and, for each data source node signal value stream, generate a current data source node resource vector. According to some embodiments, at least one of the current data source node resource vectors is associated with principal components, statistical resources, deep resource learning, frequency domain resources, time series analysis resources, logical resources, geographic or position-based locations and/or interaction resources.
[029] In S230, each generated current data source node resource vector can be compared with a corresponding decision limit (for example, a linear limit, non-linear limit, multidimensional limit, etc.) for that data source node substantially in real time, the decision limit separating a normal state from an abnormal state for that data source node. According to some embodiments, at least one data source node is associated with a plurality of multidimensional decision limits and the comparison in S230 is performed in connection with each of these limits. Note that a decision limit can be generated, for example, according to a resource-based learning algorithm and a high-fidelity model or normal operation of the electricity grid. In addition, at least one decision limit can exist in a multidimensional space and be associated with a dynamic model that is built using data obtained from the design of experiments, such as a full factorial design, a Taguchi screening design, a central composite methodology, a Box-Behnken methodology and a real-world operating conditions methodology. In addition, an abnormal state detection model associated with a decision limit can, according to some embodiments, be obtained and dynamically adapted based on a transient condition, a steady-state model of the electricity network and/or data sets obtained while operating the system, as in self-learning systems, from the incoming data stream.
[030] In S240, the system can automatically transmit an abnormal alert signal (for example, a notification message, etc.) based on the results of the comparisons performed in S230. The abnormal state can be associated, for example, with an actuator attack, a controller attack, a data source node attack, a plant state attack, counterfeiting, physical damage, availability of units, a unit trip, loss of life and/or material damage that requires at least one new part. According to some embodiments, one or more response actions can be performed when an abnormal alert signal is transmitted. For example, the system can automatically shut down all or part of the power grid (for example, to allow the detected cyber attack to be investigated in more detail). As other examples, one or more parameters can be modified automatically, a software application can be activated automatically to capture data and/or isolate possible causes, etc. Note that a threat alert signal can be transmitted via a cloud-based system, such as the PREDIX® field agent system. Note that, according to some embodiments, a cloud approach can also be used to archive information and/or to store information about boundaries.
[031] According to some embodiments, the system can further locate a source of the threat for a specific data source node. For example, localization can be performed according to a time when a decision limit associated with a data source node was crossed compared to a time at which a decision threshold associated with another data source node was crossed. According to some embodiments, an indication of the particular data source node can be included in the abnormal alert signal.
[032] Some of the embodiments described here can take advantage of the physics of a control system, learning a priori from tuned high-fidelity equipment models and/or real data “at work” to detect simultaneous or multiple adverse threats to the system. In addition, according to some embodiments, all data source node data can be converted to resources using advanced resource-based methods, and the real-time operation of the control system can be monitored substantially in real time. Abnormalities can be detected by classifying the monitored data as being “normal” or interrupted (or degraded). This decision limit can be constructed using dynamic models and can help enable early detection of vulnerabilities (and potentially prevent catastrophic failures) by allowing an operator to restore the control system to normal operation in a timely manner.
[033] Note that an appropriate set of multidimensional resource vectors, which can be extracted automatically (for example, through an algorithm) and/or entered manually, can be a good predictor of measured data in a low-dimensional vector space. According to some embodiments, appropriate decision limits can be constructed in a multidimensional space using a data set that is obtained through scientific principles associated with DoE techniques. In addition, several algorithmic methods (for example, support vector machines, one of the machine learning techniques) can be used to generate decision boundaries. Since the limits can be driven by measured data (or data generated from high-fidelity models), defined threshold margins can help create a threat zone in a multidimensional resource space. In addition, margins can be dynamic in nature and adapted based on a transient or steady-state model of the equipment and/or be obtained while operating the system, as in self-learning systems, from the incoming data stream. According to some embodiments, a training method can be used for supervised learning, to teach decision limits. This type of supervised learning can take into account an operator's knowledge of the operation of the system (for example, the differences between normal and abnormal operation).
[034] Note that many different types of resources can be used according to any of the embodiments described here, including principal components (weights built with sets of natural bases) and statistical resources (for example, mean, variance, skewness, kurtosis, minimum and maximum values of time series signals, location of maximum and minimum values, independent components, etc.). Other examples include deep resource learning (for example, generated by mining experimental and/or historical data sets) and frequency domain resources (for example, associated with Fourier or wavelet transform coefficients). Note that a deep learning technique can be associated, for example, with an auto-encoder, a denoising auto-encoder, a restricted Boltzmann machine, etc. Embodiments can also be associated with time series analysis resources, such as cross-correlations, auto-correlations, auto-regressive model orders, moving average model, model parameters, derivatives and integrals of signals, rise time, settling time, neural networks, etc. Still other examples include logical resources (with semantic abstractions such as “yes” and “no”), geographic/position locations and interaction resources (mathematical combinations of signals from various data source nodes and specific locations). Embodiments can incorporate any number of features, with more features allowing the approach to become more accurate as the system learns more about the physical process and the threat. According to some embodiments, dissimilar values from the data source nodes can be normalized to a unit-less space, which can allow a simple way to compare the outputs and the strength of the outputs.
[035] Thus, some embodiments may provide an advanced anomaly detection algorithm to detect cyber attacks on, for example, key electrical network sensors. The algorithm can identify which signals are being attacked using decision limits specific to the data source node and can inform a control system to perform accommodative actions. In particular, a detection and location algorithm can detect whether a sensor, an input signal from the auxiliary equipment, an intermediate control parameter or a logic control is in a normal or anomalous state.
[036] Some embodiments of the algorithm may use resource-based learning techniques, based on high-fidelity physics models and/or machine operating data (which would allow the algorithm to be implemented in any system) to establish a high dimensional decision limit. As a result, detection can occur more precisely using multiple signals, making detection more accurate with fewer false positives. In addition, the embodiments can detect multiple attacks on data source node data and rationalize where the root cause attack originated. For example, the algorithm can decide whether a signal is anomalous because of a previous signal attack, or if it is independently under attack. This can be accomplished, for example, by monitoring the evolution of resources, as well as accounting for delays between attacks.
[037] A cyber attack detection and location algorithm can process a stream of power grid signal data in real time and then calculate resources (multiple identifiers) that can be compared to the sensor-specific decision limit. A block diagram of a system (300) using a cyber attack detection and location algorithm specific to the sensor network according to some embodiments is provided in Figure 3. In particular, an electrical power network (332) provides information to the sensors (334) that help the controllers with electronics and processors (336) to adjust the actuators (338). An offline abnormal state detection system (360) can include one or more models based on high-fidelity physics (342) associated with the power grid (332) to create normal data (310) and/or abnormal data (320). Normal data (310) and abnormal data (320) can be accessed by a resource discovery component (344) and processed by decision threshold algorithms (346) while offline (for example, not necessarily while the power grid (332) is operating). The decision threshold algorithms (346) can generate a threat model including decision thresholds for various data source nodes. Each decision limit can separate two sets of data in a high dimensional space that is constructed by executing a binary classification algorithm, such as a support vector machine, using normal data (310) and abnormal data (320) for each data source node signal (for example, from sensors (334), controllers (336), and/or actuators (338)).
[038] A real-time threat detection platform (350) can receive the limits along with data flows from data source nodes. The platform (350) can include a resource extraction on each data source node element (352) and a normality decision (354) with an algorithm to detect attacks on individual signals using sensor-specific thresholds, as well as rationalize attacks on multiple signals, to declare which signals were attacked and which became anomalous due to a previous attack on the system, via a location module (356). An accommodation element (358) can generate outputs (370), such as an anomaly decision indication (for example, a threat alert signal), a controller action and/or a list of attacked data source nodes.
[039] During real-time detection, contiguous batches of data source node data can be processed by the platform (350), normalized and the resource vector extracted. The location of the vector for each signal in a high-dimensional resource space can then be compared with a corresponding decision limit. If it is within the attack region, then a cyber attack can be declared. The algorithm can then make a decision about where the attack occurred. An attack can sometimes be on the actuators (338) and then manifest in the sensor data (334). Attack assessments can be performed in a later decision module (for example, the location element (356)) to isolate whether the attack is related to any sensor, controller or actuator (for example, indicating which part of the data source node). This can be done by individually monitoring, over time, the location of the resource vector in relation to the decision limit. For example, when a sensor (334) is counterfeited, the attacked sensor resource vector will cross the decision limit earlier than the rest of the vectors, as described in relation to Figure 4. If a sensor is declared anomalous and the charge command for auxiliary equipment is later determined to be anomalous, it can be determined that the original attack, such as signal forgery, occurred on the sensor (334). Conversely, if the signal to the auxiliary equipment was determined to be anomalous first, and then manifested in the sensor feedback signal (334), it can be determined that the signal to the equipment was initially attacked.
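The crossing-order comparison described in [039], as an added example that is not code from the patent: each node's batch is normalised against its nominal value, reduced to a two-element resource (feature) vector and compared with a per-node linear decision limit, and the node whose vector crosses first is reported as where the attack began. The node names, sample values, boundary coefficients and the handling of ties are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class NodeBoundary:
    """Per-node linear decision limit (assumed form, built offline):
    score = w . f + b, and score > 0 is the abnormal side."""
    nominal: float   # normal operating point of the signal
    scale: float     # expected spread, used to normalise the delta
    w: tuple
    b: float


def resource_vector(batch, bd):
    """Normalise a batch as (value - nominal) / scale, then extract two
    statistical resources: |mean| and standard deviation."""
    deltas = [(v - bd.nominal) / bd.scale for v in batch]
    return (abs(mean(deltas)), pstdev(deltas))


def is_abnormal(vec, bd):
    return sum(wi * fi for wi, fi in zip(bd.w, vec)) + bd.b > 0


def first_crossings(streams, boundaries, batch_size):
    """Map each node to the index of its first batch on the abnormal side.
    Nodes that never cross are left out."""
    crossings = {}
    for node, values in streams.items():
        bd = boundaries[node]
        for i in range(len(values) // batch_size):
            batch = values[i * batch_size:(i + 1) * batch_size]
            if is_abnormal(resource_vector(batch, bd), bd):
                crossings[node] = i
                break
    return crossings


def localize(crossings):
    """Nodes that crossed first are reported as where the attack started;
    nodes that crossed later are treated as propagated effects. Nodes tied
    for first are all reported (assumption: simultaneous attacks)."""
    if not crossings:
        return [], []
    first = min(crossings.values())
    origin = sorted(n for n, i in crossings.items() if i == first)
    downstream = sorted(n for n, i in crossings.items() if i > first)
    return origin, downstream


# Constructed sample data: 4 batches of 4 samples per node.
NORMAL_FREQ = [60.00, 60.01, 59.99, 60.00]
SPOOFED_FREQ = [60.20, 60.21, 60.19, 60.20]   # sensor reading forged from batch 1
NORMAL_CMD = [100.0, 100.5, 99.5, 100.0]
REACTING_CMD = [106.0, 107.0, 105.0, 106.0]   # command drifts from batch 2
NORMAL_CTRL = [1.00, 1.01, 0.99, 1.00]

STREAMS = {
    "sensor_freq": NORMAL_FREQ + SPOOFED_FREQ * 3,
    "aux_cmd": NORMAL_CMD * 2 + REACTING_CMD * 2,
    "ctrl_param": NORMAL_CTRL * 4,
}
BOUNDARIES = {
    "sensor_freq": NodeBoundary(nominal=60.0, scale=0.05, w=(1.0, 1.0), b=-1.5),
    "aux_cmd": NodeBoundary(nominal=100.0, scale=2.0, w=(1.0, 1.0), b=-1.5),
    "ctrl_param": NodeBoundary(nominal=1.0, scale=0.1, w=(1.0, 1.0), b=-1.5),
}

if __name__ == "__main__":
    crossings = first_crossings(STREAMS, BOUNDARIES, batch_size=4)
    origin, downstream = localize(crossings)
    print("first crossings:", crossings)
    print("attack started at:", origin, "propagated to:", downstream)
```

In the constructed data the sensor crosses its limit one batch before the auxiliary equipment command does, so the sensor is reported as the origin and the command as a propagated anomaly.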
[040] According to some embodiments, it is possible to detect whether or not a signal is in normal operating space (or abnormal space) through the use of localized decision limits and real-time calculation of specific signal resources. In addition, an algorithm can differentiate between a sensor being attacked compared to a signal for auxiliary equipment being attacked. The intermediate control and logic control parameters can also be analyzed using similar methods. Note that an algorithm can rationalize signals that become anomalous. An attack on a signal can then be identified.
[041] Figure 4 illustrates (400) limits and a resource vector that can be associated with the parameters of the data source node according to some embodiments. In particular, a graph (410) includes a first axis representing value weight 1 (“w1”), a resource 1, and a second axis representing value weight 2 (“w2”), a resource 2. Values for w1 and w2 can be associated with, for example, outputs of a Principal Component Analysis (“PCA”) that is performed on the input data. PCA can be one of the resources that can be used by the algorithm to characterize the data, but note that other resources can be leveraged.
[042] The graph includes a hard limit (412) (solid curve), a minimum limit (416) (dotted curve) and a maximum limit (414) (dashed curve) and an indication associated with the current resource location for the parameter of the data source node (illustrated with an “X” in the graph). As illustrated in Figure 4, the current location of the data source node is between the minimum and maximum limits (that is, the “X” is between the dotted and dashed lines). As a result, the system can determine that the operation of the power grid is normal (and no threats are being detected indicating that the system is currently under attack).
[043] The existing methods for detecting abnormal conditions at the data source nodes are limited to FDIA (which in itself is very limited). The cyber attack detection and location algorithms described here can not only detect abnormal signals from sensors, but also detect signals sent to auxiliary equipment, intermediate control parameters and/or logic controls. The algorithm can also comprehend multiple signal attacks. A challenge with correctly identifying a cyber attack threat is that it can occur with multiple sensors being affected by the malware almost at once. According to some embodiments, an algorithm can identify in real time that an attack has occurred, which sensor(s) are affected and declare a failure response. To achieve this result, the detailed physical response of the system must be known to create acceptable decision limits. This can be accomplished, for example, by building data sets for normal and abnormal regions by running Design of Experiments (“DoE”) on high-fidelity models. A data set for each sensor can include a resource vector for certain threat values. Full factorial, Taguchi screening, central composite and Box-Behnken are some of the well-known design methodologies used to create the attack space. When models are not available, these DoE methods are also used to collect data from real-world power generating systems. Experiments can be performed on different combinations of simultaneous attacks. In some embodiments, the system can detect a degraded/defective operation as opposed to a cyber attack. Such decisions can use a data set associated with a degraded/defective operating space. At the end of this process, the system can create data sets such as “normal v/s attack” and “degraded v/s normal” for use when building decision boundaries. Also note that a decision limit can be created for each signal using data sets in the resource space. Various classification methods can be used to calculate decision limits. For example, linear and nonlinear supervised binary classifiers are examples of methods that could be used to obtain a decision limit.
[044] Note that embodiments can use temporal and/or spatial normalization. Temporal normalization can provide normalization along an axis of time. Spatial normalization can be used to normalize signals across multiple nodes (for example, sensor axis). In both cases, normalized signals can then be used to perform attack detection using resource extraction and comparisons with decision limits. Time series data from the sensor, actuator and controller node (as well as other types of data) can be processed substantially in real time to extract “resources” from that data. Resource data can then be compared with a decision threshold to determine whether a cyber attack has occurred on the system. A similar approach can be used to detect attacks on spatially normalized data.
[045] The processing of data in real time may use a normal point of operation of the electric power network. This normal operating point can be determined, for example, based on the system's operating modes, external conditions, system degradation factors, etc. The sensor data measured in real time, the actuator data and the data from controller nodes can be processed so that a difference between the real and the nominal values is calculated and this difference, or delta, is normalized with the coefficients of the expected operating conditions.
[046] Figure 5 is an offline and real-time anomaly decision and early warning tool architecture (500) according to some embodiments. In particular, the architecture (500) includes an offline portion (510) (for example, which performs calculations once every 6 to 8 hours) and a real-time portion (550). The offline portion (510) includes a multi-model, multidisciplinary (“MMMD”) resource discovery element (520) that receives scenarios and points of threat. The scenarios and points of threat can, for example, be provided to a data generation element (522) (for example, associated with a power system model) that generates data samples that are provided to functional engineering (532), dynamic system identification (534) and/or increasing resource (536) elements of a resource discovery element (530) which, in turn, provides resource vectors for an anomaly decision modeling system (540). The anomaly decision modeling system (540) can include normal data (542) and abnormal data (544) (for example, targeted data and random data) that are used, together with the resource vectors received, by decision limit calculations (546) to produce resource limits for an anomaly decision and event evaluation element (580) in the real-time portion (550) of the architecture (500).
[047] The real-time portion (550) of the architecture (500) can also include a pre-processing element (552) that receives information from homogeneous sources, such as data from sensors, data from social networks (e.g., tweets about the performance of the electricity grid), Wi-Fi data, weather data, IT inputs, etc. The pre-processing element (552) can then generate data samples that are provided to an MMMD resource extraction unit (560) and a dynamic anomaly forecast and situation awareness element (570) (for example, to generate advance warnings). The resource extraction unit (560) can include, for example, functional engineering (562) and increasing resource (564), and provide resource vectors to the anomaly decision and event evaluation element (580). According to some embodiments, the anomaly decision and event evaluation element (580) includes normality decision making (582) (for example, to generate a normal indication) and an event isolation, location and importance assessment element (584) (for example, to generate evidence of falsification, indications of system events, indications of location, indications of importance, etc.).
[048] According to some embodiments, the architecture (500) can implement a proposed structure consisting of two steps: (1) a resource-based model-assisted learning approach (510) for use in offline calculation at a frequency of, for example, approximately four times a day; and (2) a high-speed real-time detection process (550) (for example, operating from approximately once every second to once per minute) that leverages heterogeneous data sources. The offline decision limit tool (510) can use a physics-based power systems model (for example, associated with the data generation element (522)) to characterize different points of operation as normal or abnormal conditions. The system can also signal abnormal events that may be associated with critical targets from a cybersecurity perspective. To this end, operating points can be defined to include normal operating points and any known vulnerabilities. The real-time tool (550) can use the decision limit, several mapping functions built during the offline process (510) and real-time data from heterogeneous sensors to distinguish abnormal conditions from normal system operation.
[049] The offline tool (510) can be run, for example, approximately two to four times a day, to represent a higher and higher charge point expected for the electricity grid during that day. The power system model associated with the data generation element (522) may consist of a network topology with components of the power system, such as generators and transmission lines. Note that any of these physical network resources can potentially be subject to a cyber attack. According to some embodiments, synthetic data can be generated for a set of predetermined operating points from several virtual sensors incorporated in the model.
[050] Figure 6 is an offline anomaly decision limit tool (600) according to some embodiments. In particular, the tool (600) illustrates key steps used in a resource-based structure for offline calculation. A power system model (622) can receive associated inputs (for example, threat points), for example, power line (with impedances), transmission lines, generators, loads, bypass, controlled Volt-Ampere reactive (“VAR”) devices, electronic power devices, DC busbars, DC lines, etc. The collection of synthetic data (630) (for example, associated with virtual sensors, current, voltage, reactive power, active power, etc.) can receive information from the power system model and provide data for pre-processing (650). Pre-processing (650) can be associated, for example, with resampling, time synchronization, verification of missing data, etc. and can help test a realistic scenario in a controlled simulation environment by creating abnormal scenarios for detected data flows.
[051] Preprocessed sensor data (650) is converted to salient features using a multimodal, multidisciplinary (“MMMD”) resource discovery framework (660) that can employ machine learning to identify superficial, knowledge-based and/or deep resources, maximizing leverage of conventional (for example, existing) and unconventional data sources. Note that the MMMD resource discovery structure can be associated with functional engineering (662) (for example, associated with analysis, such as batch selection, base vector calculation, resource extraction, dimensionality reduction, etc.) and projected and dynamic system resource vectors (664). In addition, pre-processing information (650) can pass through optimal resources (672), system identification (674) and/or dynamic system resources (676) before being provided to the projected and dynamic system resource vectors (664). The MMMD resource discovery framework (660) can, according to some embodiments, prepare data sets (for example, normal data (642) and abnormal data (646), such as targeted data and random data) to be used to generate decision limits.
[052] A subset of these resources can be used to build a dynamic state space model in the resource space that will model the time evolution of the resources. This information can be augmented to the previous set of engineering resource vectors. Thus, the augmented resource vector may contain information from a physics-based model and the dynamic nature of the resources themselves. For simplicity, the time evolution with sensor data within a processing batch can be used. According to some embodiments, resource maps (for example, base vectors, dimension of the resource vector, resource parameters, etc.) will be stored for use during real-time operation. Several possible threat scenarios can be simulated for a given operating condition, and the importance of these threat scenarios in relation to their impact on a power system phenomenon (for example, voltage stability, inter-area oscillatory stability, etc.) can be quantified using a resource-based algorithm that explores underlying network structure information. This can help to characterize and classify threats from the perspective of a large-scale energy system phenomenon.
[053] Figure 7 illustrates a real-time decision, event/threat assessment and early warning system (700) according to some embodiments. Real-time components can include, for example, pre-processing (752) (for example, associated with resampling, time synchronization, checking for missing data, conditioning, etc.) that receives raw sensor data and generates processed sensor data. A resource extraction unit (760) (for example, associated with functional engineering for vector-based knowledge based on superficial/deep learning and/or an increase in resources for designed and/or dynamic system resource vector functions) can receive the processed sensor data and provide information to a decision processor (782) of an event and anomaly evaluation unit (780). The decision processor (782) can generate a normal indication (if appropriate) and/or provide abnormal data for a post-decision processor event isolation, location and importance assessment module (784). The post-decision processor event isolation, location and importance assessment module (784) can, for example, receive data from social networks, Wi-Fi data, weather data, communication network data, etc. and generate indications of forgery, indications of system events, indications of location, indications of importance, etc. (for example, deterministic decisions). An anomaly prediction and situation awareness mechanism (770) can include optimal features (772), system identification (774), dynamic system resource extraction (776) and/or an anomaly forecast element (778) to generate early warning indications for spoofing or system events (for example, probabilistic decisions).
[054] In real time, raw sensor data can be obtained from traditional power system sensors, such as remote terminal units (“RTUs”), and modern sensors such as transmission and distribution phasor measurement units (“PMUs”), microPMUs, digital fault recorders (“DFRs”) and smart meters. This can go beyond non-traditional sources such as Wi-Fi activity, text messaging activity, cyber infrastructure and/or social media status entries and internet feeds. Preprocessing (752) can be performed to align data sets and identify the possibility of data integrity attacks (for example, associated with spoofing). In this step, the system can import several resource mapping functions generated in the offline decision limit tool for use in real time. This feature set can be further augmented with salient features from the dynamic system by performing system identification on current and past optimal feature sets. The dynamic system model can be updated, for example, in real time for use in forecasting and awareness of the situation.
[055] The augmented resource set may consist of static and dynamic resources and can be compared with the decision limits built from offline analysis so that a decision can be made with a corresponding confidence interval. This feature set can also be used for the anomaly prediction and situation awareness mechanism (870) to allow early warning of impending threats. If an abnormality is detected, the feature set can be further analyzed within the later decision processing module (884). In this module (884), the abnormality event can be further evaluated using data from conventional and unconventional sensors and classified as spoofing and bad data, a system event, cyber attack, etc. Note that this decision and classification can be considered of a deterministic nature. The location and criticality or importance of said abnormality location can also be assessed using the poor data detection framework and complex network theory models developed during offline calculations. More probabilistic decisions may arise from the anomaly forecast and situation awareness mechanism (870), in which the anomaly forecast is made for early warning using updated dynamic state space models from real-time resources.
[056] According to some embodiments, data can be received in streams or batches. The event and anomaly assessment mechanism (770) in Figure 7 can provide a deterministic decision about the status of the system (for example, “normal”, “spoofing” or “system event”). Before an anomaly occurs, the status of the deterministic system can be “normal” and can remain normal until an anomaly actually occurs. The engine (770) can detect an anomaly as it happens and decide whether it is a spoofing situation or a system event. The anomaly prediction and situation awareness mechanism (770) can provide a probabilistic decision and generate early alerts for the electricity grid. At every moment, a situation awareness block can project a current status into the future using a dynamic stochastic forecast. The probabilistic status can remain normal until the confidence interval of the normal status becomes large enough (and the confidence level drops) that the situation warrants an early warning indication. Once an initial warning is generated, the future forecast can continue with a probabilistic decision as to whether a predicted anomaly is an attack or a failure (with associated probabilities of occurrence for each). Between the time an early warning is generated and the time an anomaly actually occurs, the attack and failure confidence intervals can be tightened (and confidence levels can be increased) until reaching a minimum (representing maximum confidence) at the moment of a real anomaly (at which point the deterministic status can also reflect the anomaly). The future forecast can still continue with the situation awareness block (with confidence intervals naturally increasing as the forecast horizon expands).
[057] As the system receives continuous updates from different sensors, the proposed structure and algorithms can signal any suspicion of abnormality, along with a confidence interval. A deterministic decision can represent a firm decision, while a probabilistic decision can be associated with a future forecast. In the deterministic decision, the system can provide the location and an assessment of the importance of the attack in relation to the electricity grid. An electricity grid operator can choose to view the location of the abnormality and/or the sensors that feed the abnormal data. The electricity grid operator may also decide to make other control selections, as appropriate.
[058] According to some embodiments, a complex network approach can help identify assets and critical nodes in a power network to determine their vulnerability to malicious intentions, such as cyber attacks. In such an approach, a power system model (“network model”) that represents the normal functioning condition of the network can be used. The power system model can consist of static network information, such as network topology, power line impedance and transformers that connect multiple power lines and generators and loads (for example, represented as power injections into the respective power lines). The power system model can be augmented with dynamic data, such as sub-transient models for different generator resources, engine models for loads and other high power electronic devices. According to some embodiments, the electric power network can be modeled using a complete representation of the differential-algebraic equation (“DAE”).
[059] Note that, in the structure described in relation to Figures 5 to 8, identifying salient features can be an important aspect of the development of control optimization for dynamic systems, as well as machine learning and data mining solutions. Extracting resources from different data sources (for example, time series sensor measurements, text documents, event logs, etc.) is a way to leverage information from different types of data sources (multiple “modalities”) to improve performance. According to some embodiments, an MMMD resource discovery framework can generate resources from different data sources. That is, in an integrated structure, an initial vector of static resources can be extracted (for example, using machine learning techniques). Then, to capture the evolution of resources over time, a dynamic model can be identified for an optimal subset of the original resources, and the dynamic resources of the model (or “resource resources”) can be extracted to be augmented as the total resource vector. Note that resources can be associated with a dynamic model that includes, for example, stability margins, control indices, observability indices, elements of an observability matrix, elements of a control matrix, poles and/or zeros of the dynamic model of the evolution of resources over time.
[060] Figure 8 is a resource vector information flow diagram (800) in which a heterogeneous set of data sources is associated with an electric power network (810). Data sources can include, for example, information from multivariate time series (812) (for example, from sensor nodes), text data (814) (for example, extracted from social media sources), images (816), etc. Information from data sources (812, 814, 816) is provided for the discovery of MMMD resources (850), which generates an initial resource set (860). The discovery of MMMD resources (850) may include, according to some embodiments, deep learning resource (520), superficial learning resource (830) and/or knowledge based resources (840). Since the initial feature set (860) can be relatively large, a feature dimensionality reduction process (870) can be used to create a selected feature subset (880).
[061] The information flow diagram (800) can achieve improved detection performance by leveraging, as much as possible, data information from conventional sensors (for example, measurements from network sensors and generators) and unconventional data (for example, cell phone, web, satellite and thermal data), through the discovery of modal and multidisciplinary resources (850). Given the heterogeneous data types, the system can extract resources from each individual data source using different methods of extracting resources and then combine the results to create the initial resource set (860) (this “combination” process is often called “resource merging” in the machine learning and data mining domains). Since the initial feature set (860) is likely to be substantially large, the system then applies dimensionality reduction techniques (870) to reduce the number of features to a reasonable level before the selected feature subset (880) is used by an anomaly detection mechanism.
[062] Note that the discovery of the MMMD resource (850) may include some or all of knowledge-based resource technology (840), the superficial learning resource (830) and the deep learning resource (820). Knowledge-based technology (840) can use domain knowledge or physical engineering of the power grid (810) to create resources for different sensor measurements. These resources can simply be statistical descriptors (for example, maximum, minimum, average, variance, different orders of moments, etc.) calculated over a window of a time series signal and also over its corresponding Fast Fourier Transform (“FFT”) spectrum. Knowledge-based resources (840) can also use an analysis of the energy system, such as decomposition of the base vector, state estimation, network observability matrices, topology matrices, system plant matrices, frequency domain resources and poles and zeros of the system. These analyses can represent a characterization of the current operation of the electric power network (810) through stable, transient and small signal behaviors.
[063] Although knowledge-based technology (840) is a traditional approach to resource extraction, it is often a laborious manual process. The approach is also very application specific and is therefore not generalizable or scalable. Learning resources directly from data (for example, via machine learning) can address these problems. For example, the superficial learning resource technique (830) includes many unsupervised learning methods (for example, k-means clustering), manifold learning and nonlinear embedding (for example, isomap methods and Locally Linear Embedding (“LLE”)), low-dimensional projection (for example, Principal Component Analysis (“PCA”) and Independent Component Analysis (“ICA”)) and/or neural networks (for example, Self-Organizing Map (“SOM”) techniques). Other examples of the superficial learning resource technique (830) include genetic programming and sparse coding. The deep learning resource (820) can represent a machine learning subfield that involves learning good representations of data through multiple levels of abstraction. By learning resources hierarchically, layer by layer, with higher-level resources representing more abstract aspects of the data, the deep learning resource (820) can discover sophisticated underlying structure and resources.
[064] The discovery of multimodal and multidisciplinary resources (850) (or “extraction”) is likely to lead to a large amount of resources in the initial resource set (860). In addition, there may be many redundant resources. Direct use of such a large number of resources can be costly for downstream anomaly detection models. As a result, the reduction in dimensionality (870) can reduce the number of resources by removing redundant information, preserving the useful information of the resources as much as possible. The embodiments described here can be associated with resource selection techniques and/or resource transformation techniques.
[065] By combining knowledge-based technology (850) and advanced deep learning techniques (820) (and applying them to different data sources), the MMMD resource discovery framework (850) can be effective in discovering a set of features that provides accurate and reliable threat detection. Note that the structure is generic (and can be used effectively for other analysis applications) and flexible in managing situations where the numbers and types of data sources available vary from system to system.
[066] Figure 9 is a method for creating a subset of the selected resource according to some embodiments. At S910, the system can receive, from a plurality of heterogeneous data source nodes, a series of data source node values over time associated with the operation of the power grid control system. An example of a data source is sensor data, such as data from critical sensor nodes of the electricity network, actuator nodes of the electricity network, controller nodes of the electricity network, key software nodes of the electricity network, data from switches, data from critical measurement points of an electrical bus and/or data from a circuit breaker. Other examples of data sources may include text data, image data, cell phone data, satellite data, web data, social network data, wireless network data, time data, information technology entries, etc. Note that the received series of values from data source nodes can include normal and abnormal values from the data source node.
[067] At S920, the system can perform a resource extraction process to generate an initial set of resource vectors. According to some embodiments, the resource extraction process can be performed in connection with an offline abnormal state detection model creation computer and/or MMMD resource discovery. The resource extraction process can be associated with a superficial resource learning technique, such as unsupervised learning, k-means clustering, manifold learning, nonlinear embedding, an isomap method, LLE, low-dimensional projection, PCA, ICA, neural networks, a SOM method, genetic programming and/or sparse coding. According to some embodiments, the resource extraction process is associated with a deep learning resource technique and/or a knowledge based resource technique. Some examples of knowledge-based resource techniques are associated with statistical descriptors, such as a maximum value, a minimum value, an average, variance data, different moment orders and/or FFT spectrum information. Other examples of knowledge-based resource techniques are associated with an analysis of the energy system, including decomposition of the base vector, state estimation, network observability matrices, topology matrices, system plant matrices, frequency domain resources, system poles and/or system zeros.
[068] At S930, the system can execute resource selection with a multimodal and multidisciplinary structure to generate a vector subset of selected resources. According to some embodiments, at S940 the system can perform a process to reduce the dimensionality of the resource to generate the subset of the selected resource vector. According to some embodiments, the process of reducing the dimensionality of the resource may be associated with a resource selection technique and/or a resource transformation technique. At S950, the system can automatically calculate and produce at least one decision limit for an abnormal state detection model based on the selected feature vector subset. According to some embodiments, the subset of the vector of selected resources is also used in connection with anomaly detection, anomaly accommodation, anomaly prediction and/or system diagnosis.
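The steps S910 to S950 can be followed end to end on a single signal. The sketch below is an added example, not code from the patent: it assumes a 60 Hz nominal operating point, five knowledge-based descriptors per window, correlation pruning as the selection technique, and a nearest-centroid linear classifier as the supervised binary classifier; all sample windows are constructed, with the abnormal set made by injecting a constant bias into normal values.

```python
import math
import statistics

NOMINAL_HZ, SCALE_HZ = 60.0, 0.05   # assumed nominal operating point and expected spread
FEATURE_NAMES = ["mean", "max", "min", "variance", "dft_peak"]

def make_window(offset, amp, n=32):
    """S910 stand-in: constructed frequency samples (offset, amp in units of SCALE_HZ)."""
    return [NOMINAL_HZ + SCALE_HZ * (offset + amp * math.sin(2 * math.pi * 2 * i / n))
            for i in range(n)]

def normalize(window):
    """Temporal normalization: delta from nominal, scaled by the expected spread."""
    return [(v - NOMINAL_HZ) / SCALE_HZ for v in window]

def dft_peak(window):
    """Largest non-DC spectral magnitude (plain DFT standing in for an FFT)."""
    n, peak = len(window), 0.0
    for k in range(1, n // 2 + 1):
        re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(window))
        im = sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(window))
        peak = max(peak, math.hypot(re, im) / n)
    return peak

def extract_features(raw_window):
    """S920: statistical descriptors plus one spectrum descriptor per window."""
    w = normalize(raw_window)
    return [statistics.fmean(w), max(w), min(w), statistics.pvariance(w), dft_peak(w)]

def pearson(a, b):
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    den = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return cov / den if den else 0.0

def select_features(vectors, max_corr=0.95, min_std=1e-9):
    """S930/S940: drop constant columns and columns redundant with a kept one."""
    kept = []
    for j in range(len(vectors[0])):
        col = [v[j] for v in vectors]
        if statistics.pstdev(col) < min_std:
            continue
        if all(abs(pearson(col, [v[i] for v in vectors])) <= max_corr for i in kept):
            kept.append(j)
    return kept

def fit_boundary(normal, abnormal, kept):
    """S950: linear boundary w.z + b = 0 halfway between the class centroids."""
    pooled = normal + abnormal
    mu = [statistics.fmean([v[j] for v in pooled]) for j in kept]
    sd = [statistics.pstdev([v[j] for v in pooled]) for j in kept]
    def z(v):
        return [(v[j] - m) / s for j, m, s in zip(kept, mu, sd)]
    cn = [statistics.fmean(c) for c in zip(*[z(v) for v in normal])]
    ca = [statistics.fmean(c) for c in zip(*[z(v) for v in abnormal])]
    w = [a - n for a, n in zip(ca, cn)]
    b = -sum(wi * (a + n) / 2 for wi, a, n in zip(w, ca, cn))
    return {"kept": kept, "mu": mu, "sd": sd, "w": w, "b": b}

def score(model, raw_window):
    """Real-time side: positive score means the abnormal side of the boundary."""
    f = extract_features(raw_window)
    z = [(f[j] - m) / s for j, m, s in zip(model["kept"], model["mu"], model["sd"])]
    return sum(wi * zi for wi, zi in zip(model["w"], z)) + model["b"]

# Constructed training scenarios: (offset, amplitude) pairs for normal operation.
BASE = [(-0.1, 0.3), (0.0, 0.4), (0.1, 0.5), (-0.1, 0.5), (0.0, 0.3), (0.1, 0.4)]
BIAS = 2.0  # constructed false-data injection added to the normal values

def build_model():
    normal = [extract_features(make_window(o, a)) for o, a in BASE]
    abnormal = [extract_features(make_window(o + BIAS, a)) for o, a in BASE]
    return fit_boundary(normal, abnormal, select_features(normal + abnormal))

if __name__ == "__main__":
    model = build_model()
    print("selected:", [FEATURE_NAMES[j] for j in model["kept"]])
    for label, (o, a) in {"held-out normal": (0.05, 0.45), "biased sensor": (1.6, 0.45)}.items():
        s = score(model, make_window(o, a))
        print(label, "->", "abnormal" if s > 0 else "normal", round(s, 3))
```

On this constructed data the pruning step keeps only the mean and the variance, because max and min track the mean and the spectral peak tracks the variance.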
[069] Figure 10 illustrates a system (1000) for creating a decision limit according to some embodiments. The system (1000) can be associated with a data-based model fusion approach to resources. In particular, a resource fusion platform (1010) receives threat point information and generates data sets (1090). Datasets (1090) can include, for example, normal data (1092) and abnormal data (1094) (for example, targeted data and random data) and can be used to generate at least one decision threshold (for example, separating the behavior of the normal power grid from the behavior of the abnormal power grid). Note that the resource fusion platform (1010) can be run in connection with normal data, random data and / or targeted data.
[070] The threat point information can be processed by a power system model (1020) to create data from virtual sensors provided to a resource mechanism with the analysis (1030). The resource mechanism with the analysis (1030) provides data for an augmented resource (1040) and an optimized resource selection element (1050). A dynamic system identification element (1160) can receive information from the optimized resource selection element (1050) and provide data for dynamic system resources (1070). The augmentation resource (1040) can then use information from the resource mechanism with the analysis (1030) and the resources of the dynamic system (1070) to create increased resource vectors for the data sets (1090).
[071] According to some embodiments, the dynamic system identification algorithm (1060) can receive a resource vector calculated by the resource mechanism (1030). Then, an optimal subset (1050) of the resources suitable for dynamic modeling is selected. The optimal resource selection algorithm (1050) can take into account the variation and sensitivity of the resources (as well as the computational efficiency and the sparsity structure). This step can help to develop a cost effective solution for the evolution of resources for dynamic modeling. The selected features can then be used for dynamic modeling using methods of identifying the state space system.
[072] According to some embodiments, the dynamic state space model of resources can be represented as:
$$x[k+1] = A\,x[k] + B\,w[k]$$
$$y[k] = C\,x[k] + D\,v[k]$$
where A, B, C and D are the state space matrices, y is the measurement vector (i.e., the vector of calculated resources), x is the state vector, and w and v are exogenous disturbances (process and measurement noise, respectively). Process noise can represent model uncertainty and measurement noise can represent numerical errors in resource extractions. The matrix C can be taken as an identity (C = I), so the states of the system would be the same as the resources (subject to measurement noise). This can provide observability for a model with probability (assuming zero mean measurement noise) and improve the numerical efficiency and convergence properties of the system identification.
[073] Once the dynamic model for the evolution of the resource has been identified, the properties of the dynamic model (such as stability margins and modal observability margins) can be extracted as additional resources. These margins can indicate the distance of individual resources to become unstable or unobservable, which is an indication of potential anomalies. These additional resources (resource resources) can be sent to the increased resource (1040) to be used collectively in decision limit calculations.
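As an added example (not code from the patent) of paragraphs [072] and [073], the sketch below fits the state matrix A of a two-resource trajectory with C = I and appends the resulting stability margin to the resource vector. It assumes ordinary least squares in place of a full state space identification method, a discrete-time margin defined as one minus the largest pole magnitude, and constructed trajectories with small deterministic pseudo-noise.

```python
import cmath
import math

def rotation_scale(radius, angle):
    """Constructed 2x2 dynamics whose poles are radius * exp(+/- j*angle)."""
    c, s = radius * math.cos(angle), radius * math.sin(angle)
    return [[c, -s], [s, c]]

def simulate(A, x0, steps, noise=1e-4):
    """y[k] = x[k] + v[k] with x[k+1] = A x[k]; v is deterministic pseudo-noise."""
    x, out = list(x0), []
    for k in range(steps):
        out.append([x[i] + noise * math.sin(12.9898 * k + 78.233 * i) for i in range(2)])
        x = [A[0][0] * x[0] + A[0][1] * x[1], A[1][0] * x[0] + A[1][1] * x[1]]
    return out

def identify_A(series):
    """Least-squares fit of y[k+1] = A y[k] for two resources (C = I)."""
    s = [[0.0, 0.0], [0.0, 0.0]]   # sum of y[k] y[k]^T
    c = [[0.0, 0.0], [0.0, 0.0]]   # sum of y[k+1] y[k]^T
    for y0, y1 in zip(series, series[1:]):
        for i in range(2):
            for j in range(2):
                s[i][j] += y0[i] * y0[j]
                c[i][j] += y1[i] * y0[j]
    det = s[0][0] * s[1][1] - s[0][1] * s[1][0]
    if abs(det) < 1e-12:
        # A constant or one-dimensional trajectory cannot determine all of A.
        raise ValueError("resource trajectory does not excite both states")
    inv = [[s[1][1] / det, -s[0][1] / det], [-s[1][0] / det, s[0][0] / det]]
    return [[sum(c[i][k] * inv[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def poles(A):
    """Eigenvalues of a 2x2 matrix from its characteristic polynomial."""
    tr = A[0][0] + A[1][1]
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    disc = cmath.sqrt(tr * tr - 4 * det)
    return (tr + disc) / 2, (tr - disc) / 2

def stability_margin(A):
    """Distance of the dominant discrete-time pole from the unit circle."""
    return 1.0 - max(abs(p) for p in poles(A))

def augment(static_resources, history):
    """Append the dynamic-model property to the static resource vector."""
    A = identify_A(history)
    return list(static_resources) + [stability_margin(A), max(abs(p) for p in poles(A))]

if __name__ == "__main__":
    settled = simulate(rotation_scale(0.90, 0.3), [1.0, 0.0], 40)
    growing = simulate(rotation_scale(1.02, 0.3), [1.0, 0.0], 40)
    print("settling resources, margin:", round(stability_margin(identify_A(settled)), 4))
    print("growing resources, margin: ", round(stability_margin(identify_A(growing)), 4))
    print("augmented vector:", [round(v, 4) for v in augment([0.2, 0.7], settled)])
```

A margin near zero or below it marks resources whose evolution is about to stop settling, which is the kind of additional resource the paragraph feeds into the decision limit calculation.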
[074] The embodiments described here can be implemented using any number of different hardware configurations. For example, Figure 11 is a block diagram of a power grid protection platform (1100) that can, for example, be associated with the system (100) of Figure 1. The power grid protection platform (1100) comprises a processor (1110), such as one or more commercially available central processing units (“CPUs”), in the form of single chip microprocessors, coupled to a communication device (1120) configured to communicate over a communication network (not shown in Figure 11). The communication device (1120) can be used to communicate, for example, with one or more remote data source nodes, user platforms, etc. The electrical network protection platform (1100) also includes an input device (1140) (for example, a computer mouse and/or keyboard to enter information from the electricity network) and/or an output device (1150) (for example, a computer monitor to display and provide alerts, transmit recommendations and/or create reports). According to some embodiments, a mobile device, physical monitoring system and/or PC can be used to exchange information with the power grid protection platform (1100).
[075] The processor (1110) also communicates with a storage device (1130). The storage device (1130) can comprise any suitable information storage device, including combinations of magnetic storage devices (e.g., a hard disk drive), optical storage devices, mobile phones, and/or semiconductor memory devices. The storage device (1130) stores a program (1112) and/or an abnormal state detection model (1114) to control the processor (1110). The processor (1110) executes program instructions (1112, 1114) and thus operates in accordance with any of the embodiments described herein. For example, the processor (1110) can receive, from a plurality of heterogeneous data source nodes, a series of data source node values over time associated with the operation of the power grid control system. The processor (1110) can then perform a resource extraction process to generate an initial set of resource vectors. A resource selection process can be performed by the processor (1110) with a multi-model and multidisciplinary structure to generate a selected subset of resource vectors. At least one decision threshold can be automatically calculated by the processor for an abnormal state detection model based on the selected subset of resource vectors. Note that a set of resource vectors can include normal resource vectors and/or abnormal resource vectors. For example, in some cases, only normal resource vectors can be used together with unsupervised learning algorithms to build a decision boundary. In such scenarios, abnormal resource vectors may not be used. Another option may be to use abnormal data values generated by injecting false data into normal data values, and to use both normal and abnormal values on the computer creating the abnormal state detection model.
[076] Programs (1112, 1114) can be stored in a compressed, uncompiled and/or encrypted format. Programs (1112, 1114) may, in addition, include other program elements, such as an operating system, clipboard application, database management and/or device drivers used by the processor (1110) to interface with peripheral devices.
[077] As used herein, information can be "received" by or "transmitted" to, for example: (i) the power grid protection platform (1100) from another device; or (ii) a software application or module within the power grid protection platform (1100) from another software application, module or any other source.
[078] In some embodiments (like the one shown in Figure 11), the storage device (1130) further stores a power grid database (1200), a data source database (1300) and a resource vector database (1400). Examples of databases that can be used in connection with the power grid protection platform (1100) will now be described in detail in relation to Figures 12 to 14. Note that the databases described here are examples only, and additional and/or different information can be stored in them. In addition, several databases can be divided or combined according to any of the embodiments described here.
[079] Referring to Figure 12, a table is shown that represents the electricity grid database (1200) that can be stored on the power grid protection platform (1000) according to some embodiments. The table may include, for example, entries that identify components associated with an electricity network. The table can also define fields (1202, 1204, 1206) for each of the entries. The fields (1202, 1204, 1206) can, according to some embodiments, specify: an electrical network identifier (1202), a component identifier (1204) and a description (1206). The power grid database (1200) can be created and updated, for example, offline (non-real time) when a new electricity grid is monitored or modeled.
[080] The electricity network identifier (1202) can be, for example, a unique alphanumeric code that identifies an electricity network to be monitored. The component identifier (1204) can be associated with an element of the electrical network and the description (1206) can describe the component (for example, a transformer, a load, etc.). The electricity network database (1200) can also store, according to some embodiments, connections between components (for example, defining a network topology), component states, etc. According to some embodiments, the information in the electricity grid database can be used in connection with knowledge-based resources (840) in Figure 8 and/or the power system model (1020) in Figure 10.
[081] Referring to Figure 13, a table is shown that represents the data source database (1300) that can be stored on the power grid protection platform (1000) according to some embodiments. The table may include, for example, entries that identify data sources associated with an electricity network. The table can also define the fields (1302, 1304, 1306) for each of the entries. The fields (1302, 1304, 1306) can, according to some embodiments, specify: a data source identifier (1302), a time series of data values (1304) and the description (1306). The data source database (1300) can be created and updated, for example, based on information received from heterogeneous sensors.
[082] The data source identifier (1302) can be, for example, a unique alphanumeric code that identifies a data source that can provide information to be monitored to protect a network of electrical energy. The time series of values (1304) can be associated with a set of numbers that are reported by a specific sensor (for example, representing voltages, currents, etc.) and the description (1306) can describe the type of information being monitored (for example, a sensor, social media, weather data, etc.). The data source database (1300) can also store, according to some embodiments, other information, such as an electricity network identifier or a component identifier (for example, which can be based on or associated with the power grid identifier (1202) and the component identifier (1204) described in relation to the power grid database (1200) of Figure 12). According to some embodiments, information from the data source database (1300) can be provided as input to the MMMD (850) of Figure 8.
[083] Referring to Figure 14, a table is shown that represents the resource vector database (1400) that can be stored on the power grid protection platform (1000) according to some embodiments. The table can include, for example, entries that identify electrical power networks being analyzed by an MMMD structure. The table can also define the fields (1402, 1404, 1406) for each of the entries. The fields (1402, 1404, 1406) can, according to some embodiments, specify: a power network identifier (1402), a set of initial resources (1404) and a subset of selected resources (1406). The resource vector database (1400) can be created and updated, for example, offline, when an electricity grid is newly added or modified.
[084] The electricity network identifier (1402) can be, for example, a unique alphanumeric code that identifies an electricity network to be monitored (and can be based on or associated with the electricity network identifier (1202) in the electricity network database (1200)). The initial resource set (1404) can represent values associated with the initial resource set (960) created by the MMMD resource discovery (850) in Figure 8. The selected resource subset (1306) can represent values associated with the selected resource subset (880) created by reducing the dimensionality of the resource (870) of Figure 8. The selected resource subset (1404) can be used, according to some embodiments, to separate the normal behavior from the abnormal behavior of an electrical power grid.
[085] Note that cybersecurity is an important function, necessary in protecting assets, such as power grid equipment. Dynamic normalization in this space can improve detection resolution. The machines associated with power networks can be very complex and the embodiments described here can allow the implementation of a cyber security algorithm that makes detections quickly and reliably. Note that a receiver operating condition curve (“ROC”) can be used to evaluate the use of dynamic normalization for load fluctuations (for example, including indications of true and false positive detections, true and false negative detections, etc.).
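The following is an added example, not part of the patent text, of the options described in paragraphs [075] and [085]: a decision limit is fitted from normal resource vectors only, abnormal vectors are synthesized by injecting false data into the normal ones, and false and true positive rates are measured against the limit. The distance score, the quantile, the sample values and all function names are assumptions made for illustration, and the bias is injected directly into resource values rather than into raw sensor readings.

```python
import math


def score(vec, mean, std):
    """Normalized distance of a resource vector from the centre of normal space."""
    return math.sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(vec, mean, std)))


def fit_boundary(normal_vectors, quantile=0.99):
    """Fit mean, spread and a distance threshold from normal vectors only."""
    n, dim = len(normal_vectors), len(normal_vectors[0])
    mean = [sum(v[j] for v in normal_vectors) / n for j in range(dim)]
    std = [
        # A resource with zero spread would divide by zero; fall back to 1.0.
        math.sqrt(sum((v[j] - mean[j]) ** 2 for v in normal_vectors) / n) or 1.0
        for j in range(dim)
    ]
    ranked = sorted(score(v, mean, std) for v in normal_vectors)
    threshold = ranked[min(n - 1, int(quantile * n))]
    return mean, std, threshold


def inject_false_data(vectors, index, bias):
    """Synthesize abnormal vectors by adding a bias to one resource."""
    return [[x + bias if j == index else x for j, x in enumerate(v)]
            for v in vectors]


def alarm_rate(vectors, model):
    """Fraction of vectors that fall outside the decision limit."""
    mean, std, threshold = model
    return sum(score(v, mean, std) > threshold for v in vectors) / len(vectors)


# Constructed sample: two resources with a small periodic load fluctuation.
NORMAL = [[1.0 + 0.01 * math.sin(i), 50.0 + 0.1 * math.cos(1.7 * i)]
          for i in range(100)]

if __name__ == "__main__":
    model = fit_boundary(NORMAL)
    print("false positive rate on normal data: %.2f" % alarm_rate(NORMAL, model))
    for bias in (0.005, 0.02, 0.2):
        abnormal = inject_false_data(NORMAL, 0, bias)
        print("injected bias %.3f -> true positive rate %.2f"
              % (bias, alarm_rate(abnormal, model)))
```

Repeating the measurement over a range of thresholds gives the points of the ROC curve mentioned above; a bias smaller than the normal fluctuation is only partly detected, which is the trade-off the curve makes visible.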
[086] Thus, the hybrid data-driven approach described in this document can reduce the limitations associated with approaches based on data-based models (e.g., out of memory) and on a single model (e.g., not scalable to dimensions) by combining the two worlds in a unified and integrated structure. In addition, the embodiments can provide large-scale learning for an electricity grid. Given the complexity of a power grid system and heterogeneous data sources from conventional network sensors (for example, PMUs, DFRs, Micro-PMUs) and unconventional sensors such as cyber sensors (for example, sensors mining Twitter messages, sensors processing WiFi signals, etc.), the data can be substantially large and different. The embodiments described here can facilitate the learning of resources from such a large data set and effectively reduce the number of resources. In addition, resources with dynamic components can be computed so that an augmented set includes static and dynamic resource set information in a large augmented resource vector.
[087] The following content illustrates several additional embodiments of the invention. These do not constitute a definition of all possible embodiments, and those skilled in the art will understand that the present invention is applicable to many other embodiments. In addition, while the following embodiments are briefly described for clarity, those skilled in the art will understand how to make any changes, if necessary, to the apparatus and methods described above to accommodate these and other embodiments and applications.
[088] Although specific hardware and data configurations have been described here, please note that any number of other configurations can be provided according to the embodiments of the present invention (for example, some of the information associated with the databases described here can be combined or stored on external systems). For example, although some embodiments are focused on electric power networks, any of the embodiments described here can be applied to other types of assets, such as dams, wind farms, etc. Also, note that some embodiments may be associated with an information display for an operator. For example, Figure 15 illustrates an interactive graphical user interface (“GUI”) screen (1500) that can display information about an electrical power network (1510) (for example, including an initial set of resource vectors and a selected subset of resource vectors). According to some embodiments, information on resource vectors and/or attack states can be intertwined between different energy networks. For example, a power network may be aware of the status of other nodes (on other electrical networks) and this approach can help to thwart coordinated cyber threats.
[089] In addition to automatic threat detection, some of the embodiments described here can provide systems with an additional cyber defense layer and be deployable without custom programming (for example, when using operational data). Some embodiments can be sold with a license key and can be incorporated as a monitoring service. For example, the vectors of resources and/or limits can be periodically updated when the equipment in an electricity network is updated.
[090] The present invention has been described in terms of various embodiments for the purpose of illustration only. Those skilled in the art will recognize from this description that the invention is not limited to the described embodiments, but can be practiced with modifications and alterations limited only by the scope of the appended claims.
Component List
Number Description
100 System
110 Normal spatial data source
120 Abnormal spatial data source
130 Data source nodes
140 Abnormal state model creation computer
150 Abnormal state detection computer
155 Abnormal state detection model
170 Remote terminals
300 System
310 Normal data
320 Abnormal data
332 Electricity network
334 Sensors
336 Controllers with electronics and processors
338 Actuators
342 Model based on high fidelity physics
344 Resource Discovery
346 Decision limit algorithms
350 Real-time threat detection platform
352 Resource extraction at each monitoring node
354 Normality decision
356 Location
358 Accommodation
370 Production
400 Illustration
410 Graph
412 Average limit
414 Minimum limit
416 Maximum limit
418 Resource vector movement
500 System
510 Offline
520 Discovery of the MMMD resource
522 Data generation
530 Resource discovery element
532 Functional engineering
534 Dynamic System ID
536 Increasing appeal
540 Anomaly decision modeling
542 Normal data
544 Abnormal data
546 Threshold decision calculations
550 Real Time
552 Pre-processing
560 Extraction of the MMMD resource
562 Functional engineering
564 Increasing appeal
570 Dynamic anomaly prediction and situation perception
580 Anomaly decision and event evaluation
582 Normality decision making
584 Event isolation, location and importance assessment
600 System
622 Power System Model
630 Collection of synthetic data
640 Datasets
642 Normal
646 Abnormal
650 Pre-processing
660 Discovery of the MMMD resource
662 Functional engineering
664 Designed and dynamic system resource vectors
672 Great features
674 System Identification
676 Dynamic System Features
700 System
752 Pre-processing
760 Resource extraction
780 Evaluation of anomaly decision events
782 Decision Processor
784 Subsequent decision processor
770 Anomaly prediction and situation perception
772 Great Features
774 System Identification
776 Dynamic system resource extraction
778 Anomaly forecast
800 System
810 Electricity network
812 Multi-variable time series
814 Text
816 images
820 Learning deep resources
830 Learning surface resources
840 Knowledge-based resources
850 Discovery of the MMMD resource
860 Initial feature set
870 Reduction of resource dimensionality
880 Subset of selected features
1000 System
1010 Resource Fusion Platform
1020 Electric Power System Model
1030 Appeal mechanism with analysis
1040 Resource Amplifier
1050 Optimal Feature Selections
1060 Dynamic System ID
1070 Dynamic System Features
1090 Datasets
1092 Normal
1094 Abnormal
1100 Power grid protection platform
1110 Processor
1112 Program
1114 Abnormal state detection model
1120 Communication device
1130 Storage unit
1140 Input device
1150 Output device
1200 Electricity grid database
1202 Component identifier
1204 Description
1300 Data source database
1302 Data source identifier
1304 Time series of data values
1306 Description
1400 Resource vector database
1402 Electricity network identifier
1404 Initial feature set
1406 Subset of selected features
1500 Interactive display
1520 Resource vector processing
Claims:
1. SYSTEM TO PROTECT AN ELECTRICITY NETWORK CONTROL SYSTEM, characterized by the fact that it comprises:
a plurality of heterogeneous data source nodes, each generating a series of data source node values over time, associated with the operation of the electricity grid control system; and
a computer for creating an offline abnormal state detection model, coupled to the heterogeneous data source nodes, to:
(i) receive the series of data source node values and perform a resource extraction process to generate an initial set of resource vectors,
(ii) perform the resource selection with a multi-model and multidisciplinary structure to generate a selected resource vector subset, and
(iii) automatically calculate and produce at least one decision limit for an abnormal state detection model based on the selected resource vector subset.
2. SYSTEM, according to claim 1, characterized by the fact that the offline abnormal state detection model creation computer is further to perform a resource dimensionality reduction process to generate the subset of selected resource vectors.
3. SYSTEM, according to claim 2, characterized by the fact that the process of reducing the dimensionality of the resource is associated with a resource selection technique.
4. SYSTEM, according to claim 2, characterized by the fact that the process of reducing the dimensionality of resources is associated with a resource transformation technique.
Petition 870180014254, of 02/22/2018, p. 125/149
5. SYSTEM according to claim 1, characterized by the fact that the series of data source node values received includes normal data source node values and abnormal data source node values.
6. SYSTEM, according to claim 1, characterized by the fact that at least one of the heterogeneous data source nodes is associated with at least one of the following:
(i) sensor data, (ii) text data, (iii) image data, (iv) cell phone data, (v) satellite data, (vi) network data, (vii) social media data , (viii) wireless network data, (ix) meteorological data, (x) inputs of information technology, (xi) critical sensory nodes of the electricity network, (xii) actuator nodes of the electricity network, ( xiii) power grid controller nodes, (xiv) key power grid software node, (xv) switch data, (xvi) critical measurement point data for an electric power line, and (xvii ) data from a circuit breaker.
7. SYSTEM, according to claim 1, characterized by the fact that resource selection is further associated with a superficial resource learning technique.
8. SYSTEM, according to claim 7, characterized by the fact that the surface resource learning technique uses at least one of the following:
(i) unsupervised learning, (ii) k-means clustering, (iii) manifold learning, (iv) non-linear embedding, (v) an isomap method, (vi) locally linear embedding (“LLE”), (vii) low dimension projection, (viii) principal component analysis (“PCA”), (ix) independent component analysis (“ICA”), (x) neural networks, (xi) a self-organizing map method (“SOM”), (xii) genetic programming, and (xiii) sparse coding.
9. SYSTEM, according to claim 1, characterized by the fact that the selection of resources is further associated with a deep learning resource technique associated with at least one of:
(i) an auto encoder, (ii) a denoising auto encoder, and (iii) a restricted Boltzmann machine.
10. SYSTEM, according to claim 1, characterized by the fact that resource selection is further associated with a knowledge-based resource technique.
11. SYSTEM, according to claim 10, characterized by the fact that the knowledge-based resource technique uses a statistical descriptor that includes at least one of:
(i) a maximum value, (ii) a minimum value, (iii) an average, (iv) variance data, (v) different order of moments, and (vi) fast Fourier transform spectrum information.
12. SYSTEM, according to claim 10, characterized by the fact that the knowledge-based resource technique uses a power system analysis including at least one of:
(i) decomposition of the base vector, (ii) state estimate, (iii) network observability matrices, (iv) topology matrices, (v) system plant arrays, (vi) frequency domain resources, (vii) system poles, and (viii) system zeros.
13. SYSTEM, according to claim 1, characterized by the fact that the selected resource vector subset is additionally used in connection with at least one of:
(i) anomaly detection, (ii) anomaly accommodation, (iii) anomaly prediction, and (iv) system diagnosis.
14. SYSTEM, according to claim 1, characterized by the fact that a dynamic model is identified for an optimal subset of the initial set of resource vectors to capture an evolution of resources over time.
15. SYSTEM, according to claim 1, characterized by the fact that the resources are associated with a dynamic model that comprises at least one of:
(i) stability margins, (ii) control indices, (iii) observability indices, (iv) elements of an observability matrix, (v) elements of a control matrix, (vi) poles, and (vii) zeros of the dynamic model of the evolution of resources over time.
16. SYSTEM, according to claim 1, characterized by the fact that it also comprises:
a real-time threat detection computer, coupled with the plurality of heterogeneous data source nodes, to:
(i) receiving a series of current data source node values and generating a set of current resource vectors based on the offline resource creation process, (ii) accessing the abnormal state detection model with at least a decision limit created offline, and (iii) run the abnormal state detection model and transmit an abnormal state alert signal, based on the current resource vector set and at least one decision limit.
17. SYSTEM, according to claim 16, characterized by the fact that the abnormal state detection model is associated with at least one of:
(i) an actuator attack, (ii) a controller attack, (iii) a data source node attack, (iv) a plant state attack, (v) spoofing, (vi) physical damage, (vii) unit availability, (viii) a unit trip, (ix) loss of unit life, and (x) damage to assets that require at least a new part.
18. SYSTEM, according to claim 16, characterized by the fact that the abnormal state detection model that includes at least one decision limit is associated with at least one of:
(i) a line, (ii) a hyperplane, and (iii) a non-linear boundary separating normal space and abnormal space.
19. COMPUTERIZED METHOD TO PROTECT AN ELECTRICITY NETWORK CONTROL SYSTEM, characterized by the fact that it comprises:
receiving, from a plurality of heterogeneous data source nodes, a series of data source node values over time associated with the operation of the electricity grid control system;
perform, through a computer for creating an offline abnormal state detection model, a resource extraction process to generate an initial set of resource vectors;
perform the selection of resources with a multi-model, multidisciplinary structure, to generate a vector subset of selected resources;
automatically calculate and produce at least one decision limit for an abnormal state detection model based on the selected vector subset of resources;
receive, on a real-time threat detection computer, a series of current data source node values;
generate a set of current resource vectors based on the offline resource creation process;
access the abnormal state detection model with at least one decision limit created offline;
run the abnormal state detection model; and
transmit an abnormal state warning signal based on the current resource vector set and at least one decision threshold.
20. METHOD according to claim 19, characterized by the fact that at least one of the heterogeneous data source nodes is associated with at least one of the following:
(i) sensor data, (ii) text data, (iii) image data, (iv) cell phone data, (v) satellite data, (vi) network data, (vii) social media data, (viii) wireless network data, (ix) meteorological data, (x) information technology inputs, (xi) critical sensory nodes of the electricity network, (xii) power grid actuator nodes, (xiii) power grid controller nodes, (xiv) key power grid software node, (xv) switch data, (xvi) data of critical points of measurement of an electric power line, and (xvii) data of a circuit breaker.
21. METHOD, according to claim 20, characterized by the fact that the resource selection includes at least one among:
(i) a superficial resource learning technique, (ii) a deep learning resource technique, and (iii) a knowledge-based resource technique.
22. NON-TRANSITIONAL MEDIA, readable by computer, characterized by the fact that it stores instructions that, when executed by a computer processor, cause the computer processor to execute a method to protect a power grid control system, the method comprising:
receiving, from a plurality of heterogeneous data source nodes, a series of data source node values over time associated with the operation of the electricity grid control system;
perform, through a computer for creating an offline abnormal state detection model, a resource extraction process to generate an initial set of resource vectors;
perform the selection of resources with a multi-model, multidisciplinary structure, to generate a vector subset of selected resources;
and automatically calculate and produce at least one decision limit for an abnormal state detection model based on the selected vector subset of resources.
23. MEDIA, according to claim 22, characterized by the fact that the selection of resources includes at least one among:
(i) a superficial resource learning technique, (ii) a deep learning resource technique, and (iii) a knowledge-based resource technique.
Legal status:
2018-12-04| B03A| Publication of an application: publication of a patent application or of a certificate of addition of invention|
Priority:
Application number | Filing date | Patent title
US15/454,219|US20180262525A1|2017-03-09|2017-03-09|Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid|
US15/454,219|2017-03-09|