Dynamic, resilient sensing system for automatic cyber-attack neutralization

    Publication number: US11411983B2

    Publication date: 2022-08-09

    Application number: US16654319

    Application date: 2019-10-16

    Abstract: An industrial asset may have monitoring nodes that generate current monitoring node values. An abnormality detection computer may determine that an abnormal monitoring node is currently being attacked or experiencing fault. A dynamic, resilient estimator constructs, using normal monitoring node values, a latent feature space (of lower dimensionality as compared to a temporal space) associated with latent features. The system also constructs, using normal monitoring node values, functions to project values into the latent feature space. Responsive to an indication that a node is currently being attacked or experiencing fault, the system may compute optimal values of the latent features to minimize a reconstruction error of the nodes not currently being attacked or experiencing a fault. The optimal values may then be projected back into the temporal space to provide estimated values and the current monitoring node values from the abnormal monitoring node are replaced with the estimated values.

    SYSTEMS AND METHODS FOR RAPIDLY RESPONDING TO COMMANDED POWER PROFILES

    Publication number: US20220037916A1

    Publication date: 2022-02-03

    Application number: US17274980

    Application date: 2018-09-13

    Abstract: A method for controlling a distributed power system is provided, the system including an aggregator communicatively coupled to a plurality of nodes, each of the plurality of nodes including an associated load. The method includes receiving, at the aggregator, a commanded power profile from an independent service operator, the commanded power profile including a commanded power deviation for the distributed power system, calculating, using the aggregator, a score for each of the plurality of nodes based on a current operating power of each node, selecting, using the aggregator, a subset of the plurality of nodes based on the calculated scores, and commanding, using the aggregator, each node in the subset to adjust its current power by a respective predetermined amount, the predetermined amounts determined based on the commanded power deviation.

    GRACEFUL NEUTRALIZATION OF INDUSTRIAL ASSETT ATTACK USING CRUISE CONTROL

    Publication number: US20210211455A1

    Publication date: 2021-07-08

    Application number: US16734499

    Application date: 2020-01-06

    Abstract: A procedure for neutralizing an attack on a control system of an industrial asset includes detecting an anomaly in a first sensor node associated with a first unit operating in a first operational mode, and receiving time series data associated with the first sensor node. A subset of the time series data is provided to each of a plurality of virtual sensor models. A first virtual sensor model is selected from among a plurality of virtual sensor models based upon the subset of the time series data received by each of the plurality of virtual sensor models. A first confidence level of the first virtual sensor is determined. Responsive to determining that the first confidence level is below a first confidence level threshold, the first unit is transferred to a second operational mode using sensor readings associated with a second sensor node of a second unit of the industrial asset.

    Reliable cyber-threat detection in rapidly changing environments

    Publication number: US10819725B2

    Publication date: 2020-10-27

    Application number: US15964644

    Application date: 2018-04-27

    Abstract: In some embodiments, a plurality of monitoring nodes each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. An attack detection computer platform may receive the series of current monitoring node values and generate a set of current feature vectors including a current feature for capturing transients (e.g., local transients and/or global transients). The attack detection computer platform may also access an attack detection model having at least one decision boundary that was created using at least one of a set of normal feature vectors and/or a set of attacked feature vectors. The attack detection model may then be executed such that an attack alert signal is transmitted by the attack detection computer platform, when appropriate, based on the set of current feature vectors (including the current feature to capture transients) and the at least one decision boundary.

    Autonomous reconfigurable virtual sensing system for cyber-attack neutralization

    Publication number: US10805329B2

    Publication date: 2020-10-13

    Application number: US15977595

    Application date: 2018-05-11

    Abstract: An industrial asset may be associated with a plurality of monitoring nodes, each monitoring node generating a series of monitoring node values over time representing current operation of the industrial asset. An abnormality detection computer may determine that at least one abnormal monitoring node is currently being attacked or experiencing a fault. A virtual sensing estimator may continuously execute an adaptive learning process to create or update virtual sensor models for the monitoring nodes. Responsive to an indication that a monitoring node is currently being attacked or experiencing a fault, the virtual sensing estimator may be dynamically reconfigured to estimate a series of virtual node values for the abnormal monitoring node or nodes based on information from normal monitoring nodes and appropriate virtual sensor models. The series of monitoring node values from the abnormal monitoring node or nodes may then be replaced with the virtual node values.

    Cyber-attack detection and neutralization

    Publication number: US10771495B2

    Publication date: 2020-09-08

    Application number: US15454144

    Application date: 2017-03-09

    Abstract: The example embodiments are directed to a system and method for neutralizing abnormal signals in a cyber-physical system. In one example, the method includes receiving input signals comprising time series data associated with an asset and transforming the input signals into feature values in a feature space, detecting one or more abnormal feature values in the feature space based on a predetermined normalcy boundary associated with the asset, and determining an estimated true value for each abnormal feature value, and performing an inverse transform of each estimated true value to generate neutralized signals comprising time series data and outputting the neutralized signals.

    Multi-class decision system for categorizing industrial asset attack and fault types

    Publication number: US10686806B2

    Publication date: 2020-06-16

    Application number: US15681827

    Application date: 2017-08-21

    Abstract: According to some embodiments, a plurality of monitoring nodes may each generate a series of current monitoring node values over time that represent a current operation of the industrial asset. A node classifier computer, coupled to the plurality of monitoring nodes, may receive the series of current monitoring node values and generate a set of current feature vectors. The node classifier computer may also access at least one multi-class classifier model having at least one decision boundary. The at least one multi-class classifier model may be executed and the system may transmit a classification result based on the set of current feature vectors and the at least one decision boundary. The classification result may indicate, for example, whether a monitoring node status is normal, attacked, or faulty.

    Threat detection for a fleet of industrial assets

    Publication number: US10476902B2

    Publication date: 2019-11-12

    Application number: US15497974

    Application date: 2017-04-26

    Abstract: A system to protect a fleet of industrial assets may include a communication port to exchange information with a plurality of remote industrial assets. An industrial fleet protection system may receive information from the plurality of remote industrial assets or a cloud-based security platform and calculate, based on information received from multiple industrial assets, a current fleet-wide operation feature vector. The industrial fleet protection system may then compare the current fleet-wide operation feature vector with a fleet-wide decision boundary (e.g., separating normal from abnormal operation of the industrial fleet). The system may then automatically transmit a response (e.g., a cyber-attack threat alert or an adjustment to a decision boundary of an industrial asset) when a result of the comparison indicates abnormal operation of the industrial fleet.

    Resilient estimation for grid situational awareness

    Publication number: US12141052B2

    Publication date: 2024-11-12

    Application number: US18321545

    Application date: 2023-05-22

    Abstract: According to some embodiments, a system, method and non-transitory computer-readable medium are provided to protect a cyber-physical system having a plurality of monitoring nodes comprising: a normal space data source storing, for each of the plurality of monitoring nodes, a series of normal monitoring node values over time that represent normal operation of the cyber-physical system; a situational awareness module including an abnormal data generation platform, wherein the abnormal data generation platform is operative to generate abnormal data to represent abnormal operation of the cyber-physical system using values in the normal space data source and a generative model; a memory for storing program instructions; and a situational awareness processor, coupled to the memory, and in communication with the situational awareness module and operative to execute the program instructions to: receive a data signal, wherein the received data signal is an aggregation of data signals received from one or more of the plurality of monitoring nodes, wherein the data signal includes at least one real-time stream of data source signal values that represent a current operation of the cyber-physical system; determine, via a trained classifier, whether the received data signal is a normal signal or an abnormal signal, wherein the trained classifier is trained with the generated abnormal data and normal data; localize an origin of an anomaly when it is determined the received data signal is the abnormal signal; receive the determination and localization at a resilient estimator module; execute the resilient estimator module to generate a state estimation for the cyber-physical system. Numerous other aspects are provided.

    Systems and methods for node selection and ranking in cyber-physical systems

    Publication number: US12067124B2

    Publication date: 2024-08-20

    Application number: US17479370

    Application date: 2021-09-20

    CPC classification number: G06F21/577 G06F16/24578 G06F2221/034

    Abstract: The present application describes techniques for node selection and ranking for, e.g., attack detection and localization in cyber-physical systems, without relying on digital twins, computer models of assets, or operational domain expertise. The described techniques include obtaining an input dataset of values for a plurality of nodes (e.g., sensors, actuators, controllers, software nodes) of industrial assets, computing a plurality of principal components (PCs) for the input dataset according to variance of values for each node, computing a set of common weighted PCs based on the plurality of PCs according to variance of each PC, and ranking each node based on the node's contribution to the set of common weighted PCs.
