
Title:
SECURING SYSTEMS FROM HARMFUL COMMUNICATIONS
Document Type and Number:
WIPO Patent Application WO/2019/143365
Kind Code:
A1
Abstract:
In some examples, a computer system may receive packet data from a control system that includes equipment controlled by at least one computing device. The computer system may generate a data representation based on the packet data. For instance, the data representation may represent at least one of a status or setting of the equipment. The computer system may perform recognition on the data representation to determine whether the packet information indicates a normal condition or abnormal condition. Based on determining that the received packet information indicates the abnormal condition, the computer system may perform at least one action.

Inventors:
ISOBE TAKASHI (US)
Application Number:
PCT/US2018/014614
Publication Date:
July 25, 2019
Filing Date:
January 22, 2018
Assignee:
HITACHI HIGH TECH SOLUTIONS CORP (JP)
International Classes:
F24F11/00; G06F11/07; G06F7/00; G08B25/08; G08B29/00
Foreign References:
US20160155098A1 (2016-06-02)
US20170193400A1 (2017-07-06)
US6775804B1 (2004-08-10)
US5781457A (1998-07-14)
US20070078862A1 (2007-04-05)
US7188162B1 (2007-03-06)
US20120304007A1 (2012-11-29)
US6717513B1 (2004-04-06)
Attorney, Agent or Firm:
BARNITZ, Colin D. et al. (US)
Claims:
CLAIMS

1. A system comprising:

one or more processors; and

one or more non-transitory computer-readable media maintaining executable instructions, which, when executed by the one or more processors, configure the one or more processors to perform operations comprising:

receiving packet data from a control system, the control system including equipment controlled by at least one computing device;

generating a data representation based on the packet data, the data representation representing at least one of a status or setting of the equipment;

performing recognition on the data representation to determine whether the packet information indicates a normal condition or abnormal condition; and

based on determining that the received packet information indicates the abnormal condition, performing at least one action.

2. The system as recited in claim 1, the operations further comprising generating the data representation as an image including a plurality of pixels, wherein the plurality of pixels are defined based on at least one of:

an equipment setting value extracted from the packet data; or

an equipment status value extracted from the packet data.

3. The system as recited in claim 1, wherein the data representation is a time series data block representing packet information for a plurality of packets received over time from one or more control computing devices in the control system.

4. The system as recited in claim 1, wherein performing the recognition on the data representation comprises comparing one or more features of the data representation with one or more features of a plurality of data representations of previously received packets to determine whether the received packet information indicates the normal condition or the abnormal condition.

5. The system as recited in claim 1, the operations further comprising:

training a machine learning model based at least partially on a plurality of data representations of previously received data packets, wherein the plurality of data representations are associated with one of the normal condition or the abnormal condition; and

wherein performing the recognition on the data representation comprises using the machine learning model to determine whether a pattern of the data representation indicates the normal condition or the abnormal condition.

6. The system as recited in claim 5, the operations further comprising:

generating a plurality of simulated data representations based on patterns received via a graphic user interface;

including the simulated data representations with the plurality of data representations used to train the machine learning model.

7. The system as recited in claim 1, the operations further comprising:

storing the data representation and the indication of an identified pattern; and

including the stored data representation with the plurality of data representations when subsequently training the machine learning model.

8. The system as recited in claim 1, the operations further comprising:

determining that the received packet data corresponds to a cyclic packet received periodically from one or more equipment control computing devices; and

based on determining that the received packet data corresponds to the cyclic packets, adding a value extracted from the packet data to an end of the data representation and removing a value extracted from a previously received packet data from another end of the data representation.

9. The system as recited in claim 1, the operations further comprising:

determining that the received packet data corresponds to a sequential packet received from a monitoring computing device in the control system; and

adding a notification of arrival of the sequential packet to the data representation.

10. The system as recited in claim 1, wherein generating the data representation based on the packet data, the data representation representing at least one of a status or setting of the equipment, further comprises:

extracting a value corresponding to one of the status or the setting of the equipment, the value comprising more than 8 bits;

dividing the extracted value into a first value of upper bits and a second value of lower bits;

multiplying the first value by a constant; and

generating the data representation with the multiplied first value and the second value.

11. The system as recited in claim 1, the operations further comprising:

presenting a graphical user interface that displays a recognized pattern of the data representation with an indication of normal or abnormal associated with at least one of the status of the equipment or the setting of the equipment; and

receiving via the graphical user interface an input to change the indication of normal to abnormal or change the indication of abnormal to normal;

associating the change with the recognized pattern in a pattern data structure.

12. The system as recited in claim 1, the operations further comprising generating the data representation as a matrix including a plurality of columns or rows corresponding respectively to different values for at least one of settings or a status of the equipment.

13. The system as recited in claim 1, wherein performing the at least one action comprises at least one of:

sending a communication to a computing device monitoring operation of the control system, the communication including an indication of the abnormal condition detected; or

sending a control communication to a control computing device, the control communication causing the control computing device to change a setting of the equipment.

14. A method comprising:

receiving, by one or more processors, packet data from a control system, the control system including equipment controlled by at least one computing device;

generating a data representation based on the packet data, the data representation representing at least one of a status or setting of the equipment;

performing recognition on the data representation to determine whether the packet information indicates a normal condition or abnormal condition; and

based on determining that the received packet information indicates the abnormal condition, performing at least one action.

15. One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, program the one or more processors of a system to:

receive packet data from a control system, the control system including equipment controlled by at least one computing device;

generate a data representation based on the packet data, the data representation representing at least one of a status or setting of the equipment;

perform recognition on the data representation to determine whether the packet information indicates a normal condition or abnormal condition; and

based on determining that the received packet information indicates the abnormal condition, perform at least one action.

Description:
SECURING SYSTEMS FROM HARMFUL COMMUNICATIONS

TECHNICAL FIELD

[0001] This disclosure relates to the technical field of computer system security.

BACKGROUND

[0002] Manufacturing facilities, factories, complex equipment, power plants, transportation systems, refineries, industrial control systems, and various other operational technology (OT) systems may be controlled by computer systems that are relied on to keep the equipment operating in a desired manner. Security of OT systems traditionally relied on the standalone nature of OT installations. However, more recently, OT systems have become linked to other computer systems and the Internet, which has increased the necessity of securing OT systems. For example, OT systems may be subject to attack or other destabilization caused by electronic communications that may be harmful, destructive, or otherwise prone to causing abnormal operation of the equipment. For instance, in some examples, a malicious actor, such as a person or malicious code, may use electronic communications to cause the equipment to malfunction or otherwise operate abnormally. In other examples, the control settings for the equipment may be changed unintentionally or by mistake through an electronic communication, which can also cause undesired abnormal operation of the equipment.

SUMMARY

[0003] Implementations herein include arrangements and techniques for securing a control system from harmful communications. In some examples, a computer system may receive packet data of communications from the control system. The control system may include equipment controlled by at least one computing device. The computer system may generate a data representation based on the packet data. For instance, the data representation may represent at least one of a status or setting of the equipment. The computer system may perform recognition on the data representation to determine whether the packet information indicates a normal condition or abnormal condition. Based on determining that the received packet information indicates the abnormal condition, the computer system may perform at least one action.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.

[0005] FIG. 1 illustrates an example architecture of a computer system able to detect and manage communications that may cause abnormal operation according to some implementations.

[0006] FIG. 2 is a flow diagram illustrating an example process that may be executed by the security program according to some implementations.

[0007] FIG. 3A illustrates an example format of cyclic packets according to some implementations.

[0008] FIG. 3B illustrates an example format of sequential packets according to some implementations.

[0009] FIG. 4 illustrates an example packet data representation according to some implementations.

[0010] FIG. 5 is a flow diagram illustrating an example process according to some implementations.

[0011] FIG. 6A illustrates an example of emphasizing time series data according to some implementations.

[0012] FIG. 6B illustrates an example of emphasizing time series data according to some implementations.

[0013] FIG. 7A illustrates an example packet data representation according to some implementations.

[0014] FIG. 7B illustrates an example packet data representation according to some implementations.

[0015] FIG. 8 illustrates an example of emphasizing time series data according to some implementations.

[0016] FIG. 9 illustrates an example variable field data structure according to some implementations.

[0017] FIG. 10 illustrates an example pattern data structure according to some implementations.

[0018] FIG. 11 illustrates an example dashboard graphic user interface according to some implementations.

[0019] FIG. 12 is a flow diagram illustrating an example process that may be executed by the security program according to some implementations.

DESCRIPTION OF THE EMBODIMENTS

[0020] Some implementations herein are directed to techniques and arrangements for a system that determines when equipment, machinery, an industrial control network, or other operational technology (OT) system is subject to a communication that may cause abnormal operation of the controlled system. As one example, a service computing device may recognize patterns of communication data by examining packets transferred in a network. The service computing device may determine whether the packets (or the resulting operation of the equipment) are indicated to be normal or abnormal based on a recognition result for the communication data. For instance, the service computing device may be able to classify the communication data as normal or abnormal by analyzing packets described according to a non-standardized protocol and transferred in the control network of the OT system. Accordingly, even though the protocol used by the controlled system may be unknown, implementations herein are able to distinguish normal communications from harmful communications that may cause abnormal operation of the controlled system.

[0021] Some examples include a pattern recognition system and process in which a service computing device recognizes patterns of communication data by receiving and examining packet data. As one example, the packet data may be acquired by mirroring packets transferred in a control network of a control system. In some cases, the control network may include primary and secondary lines between a human-machine interface (HMI) computing device and primary and secondary control computing devices that control equipment in the control system via the control network.

[0022] The service computing device may be configured to generate data representations from the packet data. In some cases, the data representations may include time series data blocks that represent time series data in an image or matrix format. The service computing device may generate the data representations to monitor cyclic packets including at least one of an equipment setting value (set value) or a status value for machine control. The service computing device may be configured further to generate the data representations to monitor temporary sequential packets that may update the set value(s). The service computing device may be configured further to extract the set value, status value, or operating value from the payload data of packets, and generate a corresponding time series data block including the historical values of the set value, status value, and/or operating value for corresponding equipment. The service computing device may be configured further to perform a pattern recognition process to recognize one or more patterns of communication data using the time series data block(s). The service computing device may be configured further to render and present a dashboard graphic user interface (GUI) that may summarize the recognized results statistically and display the recognized patterns along with an indication as to whether the recognized patterns are normal or abnormal based on the recognition results.

[0023] Some implementations herein provide a security system and techniques to monitor the condition of communication data by analyzing packets transferred in a control network for a controlled system. For example, the system herein is able to analyze packets described by primitive and/or non-standardized protocols that may be used for OT control systems. As one example, the system herein is able to detect attacks that spoof the control commands of the control system. For example, if a malicious actor changes the control values for operating equipment, conventional security techniques may be unable to detect these changes. On the other hand, the security system and method herein are able to analyze packets in control communications and determine whether the packets may result in undesired, harmful, or otherwise abnormal operation of the controlled equipment.

[0024] In some examples herein, a computer system may recognize patterns of communication data by analyzing packets transferred in a network connecting human machine interfaces and machine control computers. The computer system may monitor a cyclic packet to monitor the status and set value of the machine control computers and a sequential packet to operate the set value. The computer system may generate a data representation for received packet data, such as a time series data block composed of historical data representing the status and set value of the machine control computers based on the packet data. Further, the computer system may recognize the pattern for each time series data block and may classify the time series data as normal or abnormal. In addition, the computer system herein may include training data that stores the time series data blocks with the pattern number of a corresponding pattern. The training data is used to train a machine learning model that executes deep learning using the time series data block with the number of the pattern.

[0025] In some examples, the time series data block may be generated as an image data representing the historical status and set values of the machine controllers and/or the historical arrivals of the sequential packets as pixel bands. In some examples, the time series data block may be generated including an initial and end value of the status and set values independently from a pixel band of the historical data. In some examples, the time series data block may be generated to represent each kind of the status and set values as a data block using different channels. Further, in some examples, the time series data block may be generated representing each of the status and set values as a pixel using different colors in an image data. In some cases, when generating the time series data block, the status and set values of more than eight bits may be divided into the values of upper and lower bits and a time series data block may be generated representing the value of upper bits multiplied with a constant value to emphasize the upper bits.
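The following is an added example, not code from the patent or from Hitachi High Tech Solutions, that puts the data representation of paragraphs [0022] to [0025] and claims 4, 8, 9 and 10 into working form: cyclic packets feed a sliding-window matrix (one channel per value, newest sample appended and oldest dropped), sequential arrivals are recorded as their own channel, values wider than 8 bits are split into upper and lower bytes with the upper byte scaled by a constant, and a simple feature comparison against known-normal blocks flags the abnormal case. The packet layout, field offsets, window width, emphasis constant and the feature used for recognition are all assumptions made for the example.

```python
"""Added example: time series data block and feature-based recognition.
Packet format, WINDOW, EMPHASIS and the recognition feature are assumed."""
import struct
from collections import deque

# Assumed packet layout (constructed for this example):
#   byte 0    : packet type, 0x01 = cyclic status/set-value report,
#               0x02 = sequential set-value update from the HMI
#   byte 1    : equipment id
#   bytes 2-3 : set value, unsigned 16-bit big-endian
#   bytes 4-5 : status value, unsigned 16-bit big-endian
CYCLIC, SEQUENTIAL = 0x01, 0x02
HEADER = struct.Struct(">BBHH")

WINDOW = 8      # cyclic samples kept per channel (assumed)
EMPHASIS = 4    # constant multiplied into the upper bits (assumed)


def split_emphasize(value, constant=EMPHASIS):
    """Claim 10: split a >8-bit value into upper and lower bytes and scale the
    upper byte by a constant so a change in the high bits dominates the block."""
    upper, lower = (value >> 8) & 0xFF, value & 0xFF
    return upper * constant, lower


class TimeSeriesBlock:
    """Matrix representation: one row (channel) per monitored quantity, one
    column per cyclic sample, newest sample at the right (claim 8)."""
    CHANNELS = ("set_hi", "set_lo", "status_hi", "status_lo", "seq_arrival")

    def __init__(self, width=WINDOW):
        self.width = width
        self.rows = {c: deque([0] * width, maxlen=width) for c in self.CHANNELS}
        self.pending_seq = 0  # sequential arrivals since the last cyclic sample

    def ingest(self, packet):
        ptype, _eq, set_value, status = HEADER.unpack_from(packet)
        if ptype == SEQUENTIAL:
            # Claim 9: note the arrival; it is written into the block on the next cycle.
            self.pending_seq += 1
            return
        if ptype != CYCLIC:
            raise ValueError("unknown packet type %#x" % ptype)
        shi, slo = split_emphasize(set_value)
        thi, tlo = split_emphasize(status)
        # deque(maxlen) appends at one end and drops the oldest at the other.
        for chan, val in zip(self.CHANNELS, (shi, slo, thi, tlo, self.pending_seq)):
            self.rows[chan].append(val)
        self.pending_seq = 0

    def matrix(self):
        return [list(self.rows[c]) for c in self.CHANNELS]

    def features(self):
        """Per-channel (min, max, largest step between consecutive samples)."""
        feats = {}
        for c, row in self.rows.items():
            r = list(row)
            feats[c] = (min(r), max(r), max(abs(b - a) for a, b in zip(r, r[1:])))
        return feats


def recognize(block, normal_blocks, tolerance=1.0):
    """Claim 4 style check: abnormal if any channel's largest step exceeds the
    largest step seen in any known-normal block by more than `tolerance`."""
    limits = {c: 0 for c in TimeSeriesBlock.CHANNELS}
    for nb in normal_blocks:
        for c, (_, _, step) in nb.features().items():
            limits[c] = max(limits[c], step)
    for c, (_, _, step) in block.features().items():
        if step > limits[c] + tolerance:
            return "abnormal", c
    return "normal", None


def make_cyclic(eq, set_value, status):
    return HEADER.pack(CYCLIC, eq, set_value, status)


def baseline_block():
    """Constructed known-normal traffic: the set value drifts slowly around 0x0100."""
    b = TimeSeriesBlock()
    for i in range(WINDOW):
        b.ingest(make_cyclic(1, 0x0100 + i, 0x0050 + (i % 2)))
    return b


def spoofed_block():
    """Constructed traffic in which, after a sequential update arrives, one cyclic
    report jumps the set value's upper byte from 0x01 to 0x07."""
    b = baseline_block()
    b.ingest(HEADER.pack(SEQUENTIAL, 1, 0x0700, 0))
    b.ingest(make_cyclic(1, 0x0700, 0x0050))
    return b


if __name__ == "__main__":
    base = baseline_block()
    print(recognize(base, [baseline_block()]))   # ('normal', None)
    print(recognize(spoofed_block(), [base]))    # ('abnormal', 'set_hi')
```

Because the upper byte is scaled by the constant, the single high-byte jump produces a step of 24 on the set_hi channel while ordinary low-byte drift never exceeds 1, which is what makes the emphasis of claim 10 useful for the comparison of claim 4.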

[0026] For discussion purposes, some example implementations are described in the environment of a computer system that determines whether a communication includes packets that should not be applied to controlled equipment. However, implementations herein are not limited to the particular examples provided, and may be extended to other types of equipment and systems, other environments of use, other system architectures, other applications, and so forth, as will be apparent to those of skill in the art in light of the disclosure herein.

[0027] FIG. 1 illustrates an example architecture of a computer system 100 able to detect and manage communications that may cause abnormal operation according to some implementations. The system 100 includes at least one service computing device 102 that is able to communicate with an equipment control system 104, such as an OT control system or other control system in which equipment is controlled by a computer. For example, the service computing device 102 may be connected through one or more networks 106, which may include redundant communication lines such as line A and line B. In some examples, the one or more networks 106 may include a local area network (LAN), while in other examples, the one or more networks 106 may include a wide area network (WAN) such as the Internet. Thus, the one or more networks 106 may include a wired network including fiber optics, Ethernet, Fibre Channel, etc.; a wireless network, such as a cellular network; a local wireless network, such as Wi-Fi; short-range wireless communications, such as BLUETOOTH®; a direct wired connection, or any combination thereof. Accordingly, the one or more networks 106 may include both wired and/or wireless communication technologies. Components used for such communications can depend at least in part upon the type of network, the environment selected, or both.

[0028] The control system 104 further includes at least one primary control computing device 108 and, in some cases, at least one secondary control computing device 110. In the illustrated example, the control system 104 includes multiple pairs of the primary computing device 108 and the secondary computing device 110, namely a first pair including a first primary control computing device 108(1) and a first secondary control computing device 110(1), through an Nth pair including an Nth primary control computing device 108(N) and an Nth secondary control computing device 110(N), each of which may execute a control application 112. The primary computing device 108 of each pair may execute the control application 112 to control one or more equipment 114, such as equipment in an OT system, or other controlled equipment, as enumerated elsewhere herein. Furthermore, the secondary control computing device 110 of each pair may execute the control application 112 to serve as a redundant fallback system should there be a failure in the primary control computing device 108.

[0029] In the illustrated example, the first pair of control computing devices 108(1) and 110(1) execute the control application 112 to control three equipment, namely, equipment A 114(a), equipment B 114(b), and equipment C 114(c). Furthermore, the Nth pair of control computing devices 108(N) and 110(N) execute the control application 112 to control three equipment, namely, equipment D 114(d), equipment E 114(e), and equipment F 114(f). In this example, each equipment 114 includes a process manager 116 and one or more machines, such as a first machine 118 and a second machine 120. Thus, the equipment A 114(a) may include a process manager 116(a), a first machine 118(a) and a second machine 120(a); the equipment B 114(b) may include a process manager 116(b), a first machine 118(b) and a second machine 120(b); the equipment C 114(c) may include a process manager 116(c), a first machine 118(c) and a second machine 120(c); the equipment D 114(d) may include a process manager 116(d), a first machine 118(d) and a second machine 120(d); the equipment E 114(e) may include a process manager 116(e), a first machine 118(e) and a second machine 120(e); the equipment F 114(f) may include a process manager 116(f), a first machine 118(f) and a second machine 120(f). The process manager 116 may be a computing device, such as an embedded processor, logic circuit, other processing device, or the like, that receives instructions from the control application 112 and controls the machines of the respective equipment 114. Alternatively, in other examples, the process manager 116 might not be included and the control application 112 might communicate directly with the respective machines 118, 120, such as by sending control signals directly.

[0030] In addition, the control system 104 may include one or more human machine interface (HMI) computing devices 124, which may be used by a person such as an administrator, system manager, or other user. The HMI computing device 124 may execute an administrative application, such as a management program 126, or the like, for monitoring and/or managing the control system 104 and the associated equipment 114. Accordingly, the HMI computing device(s) 124, the primary control computing devices 108, the secondary control computing devices 110, and in some examples, the service computing device(s) 102, are able to communicate over the one or more networks 106 using wired or wireless connections, and combinations thereof. In addition, in some examples, the primary control computing device 108 and the secondary control computing device 110 may communicate with the equipment 114 over the one or more networks 106 or, alternatively, over one or more other networks, separate LANs, direct connections, or the like. Furthermore, while one example of a control system 104 is illustrated in the example of FIG. 1, numerous alternative configurations and variations will be apparent to those of skill in the art having the benefit of the disclosure herein. Accordingly, implementations herein are not limited to any particular configuration for the control system 104.

[0031] In some implementations, the service computing device 102 may include one or more servers, personal computers, or other types of computing devices that may be embodied in any number of ways. For instance, in the case of a server, the programs, other functional components, and at least a portion of data storage may be implemented on at least one server, such as on a stand-alone server, a cluster of servers, a server farm or data center, a cloud-hosted computing service, and so forth, although other computer architectures may additionally or alternatively be used.

[0032] In the illustrated example, the service computing device 102 includes, or otherwise may have associated therewith, one or more processors 130, one or more communication interfaces 132, and one or more computer-readable media 134. Each processor 130 may be a single processing unit or a number of processing units, and may include single or multiple computing units, or multiple processing cores. The processor(s) 130 may be implemented as one or more central processing units, microprocessors, microcomputers, microcontrollers, digital signal processors, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. For instance, the processor(s) 130 may be one or more hardware processors and/or logic circuits of any suitable type specifically programmed or configured to execute the algorithms and processes described herein. The processor(s) 130 may be configured to fetch and execute computer-readable instructions stored in the computer-readable media 134, which can program the processor(s) 130 to perform the functions described herein.

[0033] The computer-readable media 134 may include volatile and nonvolatile memory and/or removable and non-removable media implemented in any type of technology for storage of information such as computer-readable instructions, data structures, program modules, or other data. For example, the computer-readable media 134 may include, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, optical storage, solid state storage, magnetic tape, magnetic disk storage, RAID storage systems, object storage systems, storage arrays, network attached storage, storage area networks, cloud storage, or any other medium that can be used to store the desired information and that can be accessed by a computing device. Depending on the configuration of the service computing device 102, the computer-readable media 134 may be a tangible non-transitory medium to the extent that, when mentioned, non-transitory computer-readable media exclude media such as energy, carrier signals, electromagnetic waves, and/or signals per se. In some cases, the computer-readable media 134 may be at the same location as the service computing device 102, while in other examples, the computer-readable media 134 may be partially remote from the service computing device 102.

[0034] The computer-readable media 134 may be used to store any number of functional components that are executable by the processor(s) 130. In many implementations, these functional components comprise executable instructions and/or programs that are executable by the processor(s) 130 and that, when executed, specifically program the processor(s) 130 to perform the actions attributed herein to the service computing device 102. Functional components stored in the computer-readable media 134 may include a security program 136. The security program 136 may include one or more computer programs, computer-readable instructions, executable code, or portions thereof that are executable to cause the processor(s) 130 to perform various tasks as described herein. In the illustrated example, the security program 136 may include or may access a model building program 138 that may be invoked to generate and train one or more machine learning models 140 using training data 142. In addition, the security program 136 may further be executed to generate a simulator GUI 146 and/or a time series data data structure (DS) 148, as discussed additionally below.

[0035] The model building program 138 may be an executable module of the security program 136, or a portion thereof. Alternatively, in other examples, the model building program 138 may be a separately executable stand-alone computer program that may be invoked by the security program 136. The model building program 138 may configure the one or more processors 130 to build and train at least one machine learning model 140 to be used for recognizing packets that can cause abnormal operation of the equipment 114, such as the machines 118, 120, or the process manager 116. The security program 136 may subsequently apply the trained machine learning model 140 to newly received packets for determining if the packets correspond to a normal or abnormal operating condition.

[0036] Additionally, the functional components in the computer-readable media 134 may include an operating system (not shown in FIG. 1) that may control and manage various functions of the service computing device 102. In some cases, the functional components may be stored in a storage portion of the computer-readable media 134, loaded into a local memory portion of the computer-readable media 134, and executed by the one or more processors 130. Numerous other software and/or hardware configurations will be apparent to those of skill in the art having the benefit of the disclosure herein.

[0037] In addition, the computer-readable media 134 may store data and data structures used for performing the functions and services described herein. For example, the computer-readable media 134 may store the one or more machine learning models 140, and may store the training data 142 used for training the machine learning model(s) 140. Additional data and data structures that may be stored in the computer-readable media 134 include the time series data DS 148, a recognition results DS 150, a pattern DS 152, and a variable field DS 154, as discussed additionally below. Further, the computer-readable media 134 may store state transition information related to the equipment 114 in a state transition information DS 158. The state transition information may include domain information related to the equipment 114 and the environment in which the equipment 114 operates that may be used for determining whether the recognition results 150 correspond to normal or abnormal conditions.

[0038] The machine learning model 140 may be used by the security program 136 for determining whether one or more received packets are likely to cause abnormal operation of the equipment 114. Examples of the machine learning model 140 may include classification models such as random forest, support vector machines, or deep learning networks, such as a convolutional neural network. Additional examples of the machine learning model 140 may include predictive models, decision trees, regression models, such as linear regression models, stochastic models, such as Markov models and hidden Markov models, artificial neural networks, such as recurrent neural networks, and so forth. Accordingly, implementations herein are not limited to a particular type of machine learning model.

[0039] The service computing device(s) 102 may further include or have associated therewith one or more displays 160. For example, the security program 136 may generate the simulator GUI 146 on a display 160 for presenting pattern information. In addition, the security program 136 may generate a dashboard GUI 162 on a display 160 for presenting the recognition results and information related to any identified abnormal packets. The service computing device(s) 102 may also include or maintain other functional components and data, which may include programs, drivers, etc., and the data used or generated by the functional components. Further, the service computing device(s) 102 may include many other logical, programmatic, and physical components, of which those described above are merely examples that are related to the discussion herein.

[0040] The communication interface(s) 132 may include one or more interfaces and hardware components for enabling communication with various other devices, such as over the one or more networks 106. Thus, the communication interfaces 132 may include, or may couple to, one or more ports that provide connection to the network(s) 106. For example, the communication interface(s) 132 may enable communication through one or more of a LAN (local area network), WAN (wide area network), the Internet, cable networks, cellular networks, wireless networks (e.g., Wi-Fi) and wired networks (e.g., fiber optic, Ethernet, Fibre Channel), direct connections, as well as short-range wireless communications, such as BLUETOOTH®, and the like, as additionally enumerated below.

[0041] Further, the HMI computing device(s) 124, the primary control computing device(s) 108, the secondary control computing device(s) 110, and in some cases, the process manager(s) 116 may include configurations and hardware similar to those discussed above, but with different functional components, such as the management program 126, the control application 112, and different data. For instance, in some cases, the HMI computing device(s) 124 may be any type of computing device able to communicate over a network including server computing devices, desktop computing devices, laptop computing devices, tablet computing devices, smart phone computing devices, wearable computing devices, and so forth.

[0042] In some examples, the management program 126 executing on the HMI computing device 124 may monitor the operating status of the equipment 114 controlled by the control computing devices 108, 110. For example, the control application 112 may be configured to cyclically send monitoring packets (cyclic packets) 170 including, e.g., set value(s) and status value(s) for the equipment 114, from the control computing device 108 over line A and from the control computing device 110 over line B to the HMI computing device(s) 124. In some examples, the cyclic packets 170 may be sent periodically at a constant interval. Accordingly, the management program 126 on the HMI computing device 124 may receive the cyclic packets 170 and may present information from the cyclic packets 170 on a display (not shown in FIG. 1) to enable the HMI computing device 124 to be used to monitor the status of the equipment 114 and the control computing devices 108 and/or 110.

[0043] In some examples, each of the primary control computing device 108 and the secondary control computing device 110 may have its own IP address to use for communication with the HMI computing device 124. When the primary control computing device 108 is operating normally, the cyclic packets 170 received by the HMI computing device 124 from the secondary control computing device 110 may be discarded. On the other hand, should the primary control computing device 108 suffer a malfunction or other type of failure, the HMI computing device 124 may switch over to receiving the cyclic packets 170 from the secondary control computing device 110, such as by switching to using the IP address of the secondary control computing device 110 for communications. Further, in such a situation, the secondary control computing device 110 may take over control of the equipment 114 that the primary control computing device 108 was controlling, and may continue to cyclically send the cyclic packets 170 to the respective HMI computing device(s) 124.

[0044] In addition, the management program 126 may be used to manually control the equipment 114, such as by enabling an operator to send instructions via sequential operating packets (sequential packets) 172 to the primary control computing device 108 (or the secondary control computing device 110 if the primary control computing device 108 is down). For example, the sequential packets 172 may include instructions for setting or changing an operation value of one or more targeted pieces of equipment 114 such as one of the machines 118, 120. The control computing device 108 or 110 may receive and read the sequential packets 172, and may then send a corresponding control signal to the target equipment 114 to change the operation of the target equipment 114.

[0045] The security program 136 executing on the service computing device 102 may receive packet data 176 from line A and line B, such as by mirroring communication data from both line A and line B, or through various other techniques. In some cases, the received packet data 176 may include both the cyclic packets 170 and the sequential packets 172. As mentioned above, the cyclic packets 170 used to monitor the set value and status value of the equipment 114 controlled by the control computing devices 108, 110 may be cyclically sent over line A and line B, e.g., at constant intervals. As one example, the security program 136 may keep the copy of a cyclic packet that arrives first from either line A or line B and may discard the copy arriving later from the other one of line A or line B. In addition, sequential packets 172 that instruct the setting of a set value of targeted equipment 114 may be sent over either line A or line B. Therefore, the security program 136 may receive and examine all sequential packets 172 arriving through both line A and line B.
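The following Python code is an added illustration of the line A / line B handling described in paragraph [0045]; it is not code from the original application. It keeps the first-arriving copy of each cyclic packet, discards the later copy from the other line, and passes every sequential packet through for examination. The packet representation (a dict with line, kind, arrival time and payload), the use of a payload digest to match the two copies of one cycle, and the one-second cycle interval are assumptions made for the example.

```python
"""Added example: de-duplicating mirrored control system traffic.

Cyclic packets are sent on both line A and line B; the copy that arrives
first is kept and the later copy from the other line is discarded.
Sequential packets may travel on either line, so all of them are kept.

Assumptions (not from the original page): a packet is a dict with keys
'line' ('A' or 'B'), 'kind' ('cyclic' or 'sequential'), 'ts' (arrival
time in seconds) and 'payload' (bytes); the two copies of one cycle carry
an identical payload; the cyclic interval is a constructed 1.0 s.
"""
import hashlib

CYCLE_INTERVAL = 1.0  # constructed constant cyclic send interval, in seconds


class DualLineFilter:
    def __init__(self, interval: float = CYCLE_INTERVAL):
        self.interval = interval
        # payload digest -> (line, arrival time) of the first-arriving copy
        self._recent = {}

    def accept(self, pkt: dict) -> bool:
        kind = pkt["kind"]
        if kind == "sequential":
            return True  # operator instructions: examine every one
        if kind != "cyclic":
            raise ValueError(f"unknown packet kind {kind!r}")
        key = hashlib.sha256(pkt["payload"]).hexdigest()
        first = self._recent.get(key)
        if first is not None:
            line, ts = first
            # Same content, other line, inside one cycle: the later copy.
            # Strictly less than the interval so that an unchanged payload
            # re-sent one full cycle later still counts as a new cycle.
            if line != pkt["line"] and 0 <= pkt["ts"] - ts < self.interval:
                return False
        self._recent[key] = (pkt["line"], pkt["ts"])
        self._expire(pkt["ts"])
        return True

    def _expire(self, now: float) -> None:
        """Forget copies older than two cycles so the table stays small."""
        stale = [k for k, (_, ts) in self._recent.items()
                 if now - ts > 2 * self.interval]
        for k in stale:
            del self._recent[k]


# Constructed sample: cycle 1 arrives on A first, cycle 2 arrives on B first,
# and one operator write travels on line B between them.
SAMPLE_PACKETS = [
    {"line": "A", "kind": "cyclic",     "ts": 0.00, "payload": b"\x01\x10\x20"},
    {"line": "B", "kind": "cyclic",     "ts": 0.02, "payload": b"\x01\x10\x20"},
    {"line": "B", "kind": "sequential", "ts": 0.50, "payload": b"W\x01\x02\x28"},
    {"line": "B", "kind": "cyclic",     "ts": 1.01, "payload": b"\x01\x10\x28"},
    {"line": "A", "kind": "cyclic",     "ts": 1.03, "payload": b"\x01\x10\x28"},
]


def filter_stream(packets=SAMPLE_PACKETS, interval: float = CYCLE_INTERVAL) -> list:
    """Return the packets the security program should examine, in order."""
    f = DualLineFilter(interval)
    return [p for p in packets if f.accept(p)]


if __name__ == "__main__":
    for p in filter_stream():
        print(p["line"], p["kind"], p["ts"], p["payload"].hex())
```

Matching the two copies by payload digest means a status value that does not change between cycles produces identical payloads; the strict time window is what separates "the other line's copy of this cycle" from "the next cycle", so the interval must be set to the real cyclic period of the control system.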

[0046] As mentioned above, when the security program 136 receives the packet data 176, the security program 136 may generate a data representation from the packet data 176, and may use the machine learning model 140 to determine whether any of the packets are likely to correspond to abnormal operation of the equipment 114. Details of the process performed by the security program 136 are discussed additionally below e.g., with respect to FIG. 2. Information regarding packet patterns that correspond to abnormal operation of the control system 104 may be indicated and/or updated via the simulator GUI 146. Furthermore, the results determined by the security program 136 may be presented on the display 160 in the dashboard GUI 162.

[0047] Furthermore, in some examples, the security program 136 may perform one or more operations or other actions based on the results of analyzing the packet data 176. In some examples, if the security program 136 determines that a packet is likely to cause abnormal operation of the equipment 114, the security program 136 may send information in a communication to the HMI computing device 124 to cause the management program 126 to send a corrective instruction as additional sequential packets 172 to the affected control computing device 108, 110. As another example, if the security program 136 determines that a packet is likely to cause abnormal operation of the equipment 114, the security program 136 may send a communication directly to the control computing device 108, 110 to cause the control computing device to change one or more operational parameters of the equipment to correct the abnormal operation. In addition, while the service computing device 102 is illustrated in this example as being a separate computing device from the HMI computing device 124, in other examples, the service computing device 102 may be the same computing device as the HMI computing device 124, and thus, the security functions described herein may be executed by the HMI computing device 124.

[0048] FIGS. 2, 5, and 12 include flow diagrams illustrating example processes according to some implementations. The processes are illustrated as collections of blocks in logical flow diagrams, which represent a sequence of operations, some or all of which may be implemented in hardware, software or a combination thereof. In the context of software, the blocks may represent computer-executable instructions stored on one or more computer-readable media that, when executed by one or more processors, program the processors to perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures and the like that perform particular functions or implement particular data types. The order in which the blocks are described should not be construed as a limitation. Any number of the described blocks can be combined in any order and/or in parallel to implement the process, or alternative processes, and not all of the blocks need be executed. For discussion purposes, the processes are described with reference to the environments, frameworks, and systems described in the examples herein, although the processes may be implemented in a wide variety of other environments, frameworks, and systems.

[0049] FIG. 2 is a flow diagram illustrating an example process 200 for detecting packets corresponding to abnormal operation of the equipment according to some implementations. The process 200 may be executed at least partially by the security program 136 executing on the service computing device 102 or other suitable computing device.

[0050] At 202, the security program receives packet data 176 from the control system 104. As mentioned above, the packet data 176 may be mirrored to the service computing device 102 from the control system 104. The format of the cyclic packets and sequential packets that the security program 136 receives from the control system 104 is discussed additionally below with respect to FIG. 3. As mentioned above, the security program may discard the cyclic packets received from the secondary control computing device when the primary control computing device is operating normally.

[0051] At 204, the security program may generate a time series data block from the received packet data as a data representation of the received packet data. The process of generating the time series data block is discussed additionally below. In some examples, the security program 136 may access the variable field data structure 154 when generating the time series data block to determine placement of pixels, or the like, as discussed additionally below.

[0052] At 206, the security program may store the time series data block in the time series data DS 148 and may provide the time series data block for recognition.

[0053] At 208, the security program may use the machine learning model 140 to recognize a pattern in the received time series data block. For example, the security program 136 may use the machine learning model 140 for recognizing a pattern of the communication data with deep learning by classifying a pattern of the time series data block as corresponding to a pattern that indicates normal or abnormal operation of the control system. In some cases, the recognition may include associating the time series data block with a particular pattern number from a plurality of patterns included in the pattern DS 152.

[0054] At 210, the security program may revise the result of the pattern recognition using the time series of earlier recognition results. For example, when, according to experience at the local site, the pattern should change from A to B and from B to C, but the recognized pattern changes from A to D and from D to C, the intermediate pattern D is revised to C.

[0055] At 212, the security program may store the time-series data block with the associated pattern number and the result (or revised result) to the training data 142. By adding this information to the training data 142, the training data is constantly updated to enable the machine learning model 140 to be periodically retrained and updated.

[0056] At 214, the security program may store the recognition result in the recognition results data structure 150.

[0057] At 216, the security program may determine whether the operation corresponding to the received packet data 176 is harmful or may otherwise result in abnormal operation of the equipment. For example, the security program 136 may compare the recognition result with state transition information in the state transition information DS 158, and may apply a set of logic rules for determining whether the operation is malicious, harmful, or otherwise abnormal. For instance, the state transition information may be based on knowledge of the equipment and the environment in which the equipment operates, and may include state transition information of recognized patterns.
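The following Python code is an added illustration of steps 210 and 216, covering paragraphs [0054] and [0057] together; it is not code from the original application. It revises a sequence of recognized pattern numbers against the transitions expected at the site, then labels each transition of the revised sequence as normal or abnormal by comparison with the state transition information. The representation of pattern numbers as letters, the successor table standing in for the state transition information DS 158, and the reduction of the "set of logic rules" to a single rule (a transition absent from the table is abnormal) are assumptions made for the example.

```python
"""Added example: revising recognition results using the time series of
patterns (step 210) and checking the revised sequence against state
transition information (step 216). Illustrative code, not the security
program 136 of the original page.

Assumptions: pattern numbers are shown as letters; the state transition
information is a table of expected successors per pattern; the set of
logic rules is reduced to one rule, that a transition absent from the
table is abnormal.
"""

# Constructed state transition information (in the role of the state
# transition DS 158): for each recognized pattern, the patterns that may
# legitimately follow it at this site.
EXPECTED_TRANSITIONS = {
    "A": {"A", "B"},   # A may persist or move to B
    "B": {"B", "C"},
    "C": {"C", "A"},
}


def revise_patterns(recognized, transitions=EXPECTED_TRANSITIONS):
    """Step 210. An intermediate pattern that is not an expected successor
    of its predecessor, and that differs from the pattern following it, is
    treated as a misrecognition and revised to the following pattern
    (A, D, C becomes A, C, C, as in the page's example). The first and last
    entries lack a neighbour on one side and are kept as recognized."""
    revised = list(recognized)
    for i in range(1, len(revised) - 1):
        prev, cur, nxt = revised[i - 1], revised[i], revised[i + 1]
        if cur not in transitions.get(prev, set()) and cur != nxt:
            revised[i] = nxt
    return revised


def classify_transitions(patterns, transitions=EXPECTED_TRANSITIONS):
    """Step 216. Label each consecutive transition normal or abnormal by
    comparison with the state transition information."""
    results = []
    for prev, cur in zip(patterns, patterns[1:]):
        label = "normal" if cur in transitions.get(prev, set()) else "abnormal"
        results.append((prev, cur, label))
    return results


def analyse(recognized, transitions=EXPECTED_TRANSITIONS):
    """Steps 210 and 216 together: revise, then classify. Returns the
    revised sequence and the abnormal transitions that remain in it."""
    revised = revise_patterns(recognized, transitions)
    abnormal = [r for r in classify_transitions(revised, transitions)
                if r[2] == "abnormal"]
    return revised, abnormal


if __name__ == "__main__":
    for seq in (["A", "B", "D", "C"], ["A", "D", "C"], ["A", "C", "C"]):
        print(seq, "->", analyse(seq))
```

The revision step only smooths a single stray recognition between two expected states; a jump that the table does not allow (A directly to C) is left in place and reported at step 216, so the revision does not hide a genuinely unexpected transition.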

[0058] At 218, the security program may generate and present the dashboard GUI 162 from the recognition result, from the determination regarding whether the operation is harmful or otherwise abnormal, and from pattern information obtained from the pattern data structure 152.

[0059] At 220, in some cases, the security program may receive one or more changes via the dashboard GUI 162. For example, a user may determine that a result that is classified as abnormal is actually normal or vice versa. Accordingly, the user may change a normal or abnormal designation in the dashboard, and the security program 136 may update the pattern DS 152 in response.

[0060] At 222, the security program may generate the simulator GUI 146, such as in response to a user instruction, or the like. As discussed additionally below, the simulator GUI 146 may include the pattern data from the pattern data structure 152. A user may change the pattern data, such as by adding patterns to the pattern DS 152, as indicated at 224.

[0061] At 224, the security program may receive the added patterns via the simulator GUI 146, and may store the added patterns in the pattern DS 152.

[0062] At 226, the security program may use the patterns in the pattern DS 152 to generate simulated time series data blocks. For example, the newly received patterns may be used to generate time series data blocks similar to those generated based on received packet data 176. Security program 136 may access the variable field DS 154 when constructing the simulated time series data blocks to determine pixel location or the like. The simulated time series data blocks and associated pattern number from the pattern DS 152 may be added to the training data 142.

[0063] At 228, in some examples, based on the recognition results of a conventional recognition technique, such as clustering and differentiation extraction to classify images, the security program may append a pattern number to the time series data blocks in the time series data DS 148 to generate a time series data block with pattern number. The time series data block with pattern number may be added to the training data 142 to be used as part of the training data 142 when subsequently updating the machine learning model 140.

[0064] At 230, the security program 136 may periodically invoke the model building program to train and/or update the machine learning model 140. For example, as new training data 142 is accumulated, the model building program may be used periodically to retrain the machine learning model 140 with the more recent training data 142.

[0065] FIG. 3A illustrates an example format 300 of the cyclic packets 170 according to some implementations. As mentioned above, the cyclic packets 170 may be used to monitor the status value and set value of the machines, and the signal of the process manager(s) controlled by the control computing devices. The cyclic packet 170 includes an SIP 302 representing a source IP address (e.g., the IP address of the respective control computing device), a DIP 304 representing a destination IP address (e.g., the IP address of the HMI computing device), Sport 306 representing a source port number, Dport 308 representing a destination port number, and a command name 309.

[0066] In addition, the cyclic packet 170 includes control information for one or more machines and one or more process managers, such as a first machine 310, a second machine 312, ..., an Mth machine 314, and a first process manager 316, ..., an Lth process manager 318. Information provided for each machine may include a status value 320, a first set value 322, a second set value 324, and third set value 326. Further, the information provided for each process manager may include a first signal 330, a second signal 332, and a third signal 334. Additionally, while an example packet format and information is described with respect to FIG. 3A, numerous other variations will be apparent to those of skill in the art having the benefit of the disclosure herein.

[0067] FIG. 3B illustrates an example format 350 of the sequential packets 172 according to some implementations. As mentioned above, the sequential packets 172 may be used to set values of machines in the equipment. The sequential packet 172 in this example includes control information that may be sent to one of the control computing devices controlling the equipment, e.g., to set a value for a machine setting and/or a process manager signal setting. The sequential packet 172 includes an SIP 302 representing a source IP address (e.g., the IP address of the HMI computing device), a DIP 304 representing a destination IP address (e.g., the IP address of the respective control computing device), Sport 306 representing a source port number, Dport 308 representing a destination port number, and a command name 305.

[0068] In addition, the sequential packet 172 may include a write/read instruction 352 instructing that a write or read be performed. In addition, the sequential packet 172 may include a machine indicator 354 instructing to which machine of the equipment the value should be written or read; a set value number 356 representing a set value number; and a set value 358 indicating the new value. Furthermore, the sequential packet 172 may include a process manager indicator 360 indicating to which process manager of the equipment the signal value should be written or read; a signal number 362 representing a signal number (e.g., 1, 2, or 3 in some examples); and a signal value 364 representing a signal value to be applied to the process manager.

[0069] FIG. 4 illustrates an example time series data block 400 as a data representation according to some implementations. In some examples, the time series data block 400 is a data representation generated by the security program 136 (not shown in FIG. 4) using packet data that the security program receives from the control system 104, as discussed above with respect to FIGS. 1 and 2. For example, the security program may create a time series data block 400 using the set values, status values, and operating data extracted from a cyclic packet 170, which may indicate the status value and set value applied by the respective control computing device to respective equipment 114 (not shown in FIG. 4). Additionally, the security program may create a time series data block 400 using a sequential packet 172, which may indicate the value(s) to be applied by the control computing device to a machine or process manager in respective equipment. In some examples, the security program may generate a time series data block 400 according to the placement information described in the variable field data structure 154 discussed above with respect to FIGS. 1 and 2, and as discussed additionally below with respect to FIG. 9.

[0070] In the illustrated example, the security program generates the time series data block 400 from the received packet information as image data 402 composed of multiple pixels. Accordingly, in this example, the time series data block 400 is an image that represents the received packet information. The image may be used during the recognition process described above with respect to FIGS. 1 and 2. In an alternative example, the received packet information may be represented as a matrix as the time series data block 400, as discussed additionally below. For example, an image may be represented as a matrix in which height is a first dimension, width is a second dimension, and RGB color is a third dimension, where the size is limited to three. In some cases, the matrix may have an unlimited size in the third dimension. Other variations will be apparent to those of skill in the art having the benefit of the disclosure herein.

[0071] In the time series data block 400 in FIG. 4, the image data 402 shows older data toward the bottom 404 of the time series data block 400 and newer data toward the top 406 of the time series data block 400. This order may be reversed in other examples, or, as another alternative, the information may be represented chronologically in a horizontal direction rather than vertically. Further, as indicated at 408, the time series data block 400 is divided in the vertical direction into a plurality of time intervals corresponding to one pixel each, in which the vertical interval of one pixel represents one cycle.

[0072] The time series data block 400 includes a first pixel band 410 representing time series data of a status value, e.g., corresponding to the status value 320 discussed above with respect to FIG. 3. Further, a second pixel band 412 may represent time series data of the set value 1 322 of FIG. 3, and a third pixel band 414 may represent time series data of the set value 2 324 of FIG. 3. In addition, a pixel 420 and a pixel 422 represent the arrival of sequential packets to operate the set value 2, and a pixel 424 and a pixel 426 represent the arrival of sequential packets to operate the set value 1. For each arrival pixel 420-426, a transition 430 may be represented on the corresponding pixel band. The pixel bands 410, 412, and 414 representing the time series data of the status value and the set values 1 and 2, respectively, may have a width of one pixel or more, and in some examples, may be colored or may have other graphical effects or patterns corresponding to the values extracted from the packets. As one example, the width of the pixel bands 410, 412, and 414 may correspond to the bit width of the status value and the set values 1 and 2, respectively. Pixel bands for the set value 3 326 and/or the signals 1-3 330-334 of FIG. 3 are not included in the time series data block 400 in this example, but may be included in other examples if packets that include those parameters are received.

[0073] As discussed above, e.g., with respect to FIG. 2, the security program may append a pattern number to the time series data block 400, and may store the time series data block 400 with appended pattern number as part of the training data used by the model building program for training the machine learning model. The security program may use the time series data block 400 as input to the machine learning model to recognize patterns in the time series data block 400. As one example, the machine learning model may be based on a deep learning algorithm such as CNN (Convolutional Neural Network), although other types of machine learning models may be used, as enumerated above.

[0074] By using the machine learning model to recognize patterns in the time series data blocks 400, the security program is able to recognize the patterns of communication data by analyzing packets of non-standardized protocols transferred in the control system 104. In some examples, the security program may limit pattern recognition to times at which a respective time series data block 400 includes pixels representing the arrival of sequential packets 172. Furthermore, the security program is able to present the dashboard GUI with classification information based on the output of the machine learning model, which classifies the communication data as corresponding to normal or abnormal operation of the equipment by matching the recognition result with the information of normal or abnormal operation defined in the pattern data structure 152.

[0075] FIG. 5 is a flow diagram illustrating an example process 500 for generating a time series data block according to some implementations. In some examples, the process 500 may be performed by one or more processors of the service computing device 102, or other suitable computing device, by executing the security program 136 for performing at least some of the operations described in the process 500.

[0076] At 502, the security program may receive a packet from the control system 104, e.g., as discussed above with respect to FIGS. 1 and 2.

[0077] At 504, the security program may determine whether the received packet is a cyclic packet or a sequential packet. If the packet is a cyclic packet, the process goes to 506; otherwise the process goes to 514.

[0078] At 506, the security program may determine whether the cyclic packet starts a new cycle. For example, the monitoring data for one cycle may be split across multiple cyclic packets. Accordingly, the security program may determine whether the received packet belongs to a new cycle or to the cycle already represented by the current top row. If it is a new cycle, the process goes to 508; otherwise the process skips 508.

[0079] At 508, the security program may add one row (corresponding to one cycle, i.e., one time interval) to the time series data block as the new top row, consistent with newer data being toward the top 406 of the time series data block 400 in FIG. 4.

[0080] At 510, the security program may extract the variable field from the payload of the packet.

[0081] At 512, the security program may add the extracted value to the pre-set field (e.g., as specified in column 910 in the variable field DS 154 discussed below with respect to FIG. 9) within the top row of time series data block while referring to the variable field DS 154. For example, the variable field DS 154 may indicate the place of packet field that should be extracted as the set value or status value.

[0082] At 514, in the case that the packet is determined to be a sequential packet at 504, the security program may extract the field of operation target from the payload of the packet. For example, this may be determined based on the destination IP address (DIP 304) as discussed above with respect to FIG. 3B.

[0083] At 516, the security program may add the notification of arrival to the preset field within the top row of the time series data block, while referring to the variable field data structure 154 to determine the location of the packet field to extract as the set value or status value.

[0084] At 518, if the number of rows in the time series data block exceeds a threshold value, the time series data block may be stored to the time series data DS 148, and the bottom row of the time series data block is eliminated. When adding one row to the time series data block at 508, the security program may copy the current top row of the time series data block as the new top row. Thus, if the security program does not receive packets for a given field, the data of the previous row is used as the data of the new row.
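The following Python code is an added illustration of the whole of process 500 (steps 502 to 518); it is not code from the original application. It keeps a time series data block as a list of rows of 8-bit pixel values with the newest row at the top, adds a row when a cyclic packet starts a new cycle, writes the variable fields of cyclic packets to their pre-set columns, marks the arrival of sequential packets in the top row, and stores and trims the block once it exceeds the row threshold. The packet layouts (a one-byte cycle counter at the start of the cyclic payload, a four-byte sequential payload), the contents of the variable field table, the column reserved for each arrival mark, the row threshold of four, and the choice not to carry arrival marks into the next row are all assumptions made for the example.

```python
"""Added example: a time series data block generator following steps
502-518 of FIG. 5. Illustrative code, not the security program 136 of the
original page. The block is a list of rows, newest row first (newer data
toward the top, as in FIG. 4); each row holds one 8-bit pixel per column.

Assumed packet layout (constructed for this example, not from the page):
  cyclic payload      byte 0 = cycle counter, then for machine 1
                      [status, set value 1, set value 2, set value 3]
  sequential payload  [write/read ('W' or 'R'), machine number,
                       set value number, set value]
"""

ARRIVAL = 0xFF   # pixel value marking the arrival of a sequential packet
WIDTH = 7        # number of columns in the block (see the two tables below)
MAX_ROWS = 4     # constructed row threshold for step 518

# Constructed variable field DS in the style of FIG. 9:
# (machine, value type) -> (column from the left of the block,
#                           byte offset from the left of the cyclic payload)
VARIABLE_FIELDS = {
    ("machine1", "status"): (0, 1),
    ("machine1", "set1"):   (1, 2),
    ("machine1", "set2"):   (2, 3),
    ("machine1", "set3"):   (3, 4),
}
# Columns that receive the arrival mark of a sequential packet operating
# set value N of a machine (the role of pixels 420-426 in FIG. 4).
ARRIVAL_COLUMNS = {("machine1", 1): 4, ("machine1", 2): 5, ("machine1", 3): 6}


class TimeSeriesBlockGenerator:
    def __init__(self, max_rows=MAX_ROWS):
        self.max_rows = max_rows
        self.rows = []        # rows[0] is the top (newest) row
        self.last_cycle = None
        self.archived = []    # blocks stored to the time series data DS

    def _top(self):
        if not self.rows:
            self.rows.append([0] * WIDTH)
        return self.rows[0]

    def feed(self, pkt):
        """Step 504: dispatch on the packet kind."""
        kind = pkt["kind"]
        if kind == "cyclic":
            self._cyclic(pkt["payload"])
        elif kind == "sequential":
            self._sequential(pkt["payload"])
        else:
            raise ValueError(f"unknown packet kind {kind!r}")

    def _cyclic(self, payload):
        cycle = payload[0]
        if cycle != self.last_cycle:
            # Steps 506/508: a new cycle starts a new top row, copied from the
            # previous top row so that fields no packet updates keep their last
            # value. Arrival marks are point events and are not carried over
            # (an assumption of this example).
            new_row = list(self.rows[0]) if self.rows else [0] * WIDTH
            for col in ARRIVAL_COLUMNS.values():
                new_row[col] = 0
            self.rows.insert(0, new_row)
            self.last_cycle = cycle
            self._trim()
        # Steps 510/512: extract each variable field from the payload and write
        # it to its pre-set column of the top row. A cycle that is split over
        # several packets simply updates the same top row again.
        top = self._top()
        for col, offset in VARIABLE_FIELDS.values():
            top[col] = payload[offset]

    def _sequential(self, payload):
        # Step 514: the operation target (machine and set value number).
        _rw, machine_no, set_no = payload[0], payload[1], payload[2]
        col = ARRIVAL_COLUMNS.get((f"machine{machine_no}", set_no))
        if col is None:
            raise ValueError(f"no arrival column for machine {machine_no}, set value {set_no}")
        # Step 516: the notification of arrival goes into the top row.
        self._top()[col] = ARRIVAL

    def _trim(self):
        # Step 518: once the row count exceeds the threshold, store the block
        # to the time series data DS and drop the bottom (oldest) row.
        if len(self.rows) > self.max_rows:
            self.archived.append([list(r) for r in self.rows])
            self.rows.pop()


# Constructed sample traffic: five cycles, with one operator write of
# set value 2 (0x20 -> 0x28) arriving between cycles 2 and 3.
SAMPLE_PACKETS = [
    {"kind": "cyclic",     "payload": bytes([1, 0x01, 0x10, 0x20, 0x30])},
    {"kind": "cyclic",     "payload": bytes([2, 0x01, 0x10, 0x20, 0x30])},
    {"kind": "sequential", "payload": bytes([ord("W"), 1, 2, 0x28])},
    {"kind": "cyclic",     "payload": bytes([3, 0x01, 0x10, 0x28, 0x30])},
    {"kind": "cyclic",     "payload": bytes([4, 0x01, 0x10, 0x28, 0x30])},
    {"kind": "cyclic",     "payload": bytes([5, 0x01, 0x10, 0x28, 0x30])},
]


def build_block(packets=SAMPLE_PACKETS, max_rows=MAX_ROWS):
    gen = TimeSeriesBlockGenerator(max_rows)
    for pkt in packets:
        gen.feed(pkt)
    return gen


if __name__ == "__main__":
    for row in build_block().rows:
        print(" ".join(f"{v:02x}" for v in row))
```

Run stand-alone, the block prints the four retained rows, newest first: the arrival mark of the operator write sits in the row of cycle 2 and the changed set value 2 appears from the row of cycle 3 onward, which is the pairing of "arrival pixel" and "transition on the band" that the recognition step looks for.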

[0085] FIG. 6A illustrates example time series data 600 according to some implementations. FIG. 6A is a diagram illustrating an example of generating one vertical interval (i.e., one cycle) on the pixel bands 410-414 of FIG. 4, which represent the time series data of the status value 320, the set value 1 322, and the set value 2 324, respectively, in the time series data block 400 of FIG. 4. For instance, one pixel of full-color image data typically has 8 bits of data for each of red, green, and blue, for a total of 24 bits of color data, and one pixel of gray-scale image data typically has 8 bits of data representing brightness. Accordingly, to represent a status value 320, set value 1, or set value 2 that is wider than 8 bits, one vertical interval of the respective pixel band 410-414 in the time series data block 400 may be composed of multiple pixels.

[0086] FIG. 6A illustrates one example of a technique to represent the status value 320, the set value 1 322, and the set value 2 324 as having a width of more than 8 bits, by dividing the status and set values of more than 8 bits into the values of the upper and lower bits and generating a time series data block representing the value of the upper bits multiplied by a constant value. In this example, the initial value extracted from the packet is divided into two values comprising the upper bits 602 and the lower 8 bits 604. The value of the upper bits 602 may be emphasized by multiplying with a constant value, e.g., 8 in this example, to produce a value of the multiplied upper bits 606. The multiplied upper bits 606 are combined with the value of the lower bits 604 to generate multiple pixels 608.

[0087] FIG. 6B illustrates an example 620 of generating time series data according to some implementations. The technique described with respect to FIG. 6A may not be sufficient to represent the feature, because the values of both the lower and upper bits may become small values when the value carries from the lower bits into the upper bits (e.g., 0x00FF followed by 0x0100). Accordingly, to represent the feature clearly, some examples herein may include a process to add a pixel representing the carry or the magnitude relationship between the values of the upper bits and the lower bits. The process of FIG. 6B includes initially dividing the status value 320 and the set values 322 and 324 of more than 8 bits into a value of the lower 8 bits 622 and another value of the upper bits 624. Next, a pixel 626 representing the value of the lower 8 bits 622 may be generated directly. Further, a pixel 628 representing the carry may be generated by setting it to the maximum value (0xFF) when the value of the upper bits 624 is larger than 0; and pixels 630, 632, and 634 representing the magnitude relationship may be generated by multiplying the value of the upper bits by a constant value (i.e., 32 in this example) when the value of the upper bits is larger than a constant value. Finally, this process combines these pixels into multiple pixel data 640. The security program may then generate the pixel bands 410, 412, 414 with the width of the multiple pixels. Accordingly, the security program may emphasize the features of the time series data block 400 generated using the above process, improving the accuracy of pattern recognition.

[0088] FIG. 7A illustrates an example time series data block 700 according to some implementations. The example of FIG. 7A includes an alternate process for emphasizing features in the time series data block 700. This example may emphasize the initial and end value of the status value 320 and/or the set values 322 and 324. In this example, the time series data block 700 includes a pixel band 702 representing the time series set value 1, and a pixel band 704 representing the time series set value 2. In this case, the time series data block 700 includes a pixel 706 representing the initial value of the set value 1, and a pixel 708 representing the initial value of the set value 2. In addition, the time series data block 700 includes a pixel 710 representing the end value of the set value 1, and a pixel 712 representing the end value of the set value 2. Accordingly, the time series data block 700 emphasizes the initial value and end value of the status value 320 and/or the set values 322 and 324.

[0089] FIG. 7B illustrates an example data block 720 according to some implementations. The example of FIG. 7B includes an alternate process for emphasizing the feature using different channel data, such as the RGB color data, for each of the status value and the set values 1 and 2. In this example, the time series data block 720 has three kinds of data, like RGB (Red, Green, Blue), as three channels of data for individual pixels. The time series data block 720 represents the pixel bands using a combination of the different channels for the different kinds of data. For example, the time series data block 720 includes a pixel band 722 representing the time series status value, a pixel band 724 representing the time series set value 1, and a pixel band 726 representing the time series set value 2. In this case, the pixel band 722 representing the time series status value may use color channel 1 (e.g., red), the pixel band 724 representing the time series set value 1 may use the color channels 2 and 3 (e.g., green, blue), and the pixel band 726 representing the time series set value 2 may use the color channel 2 (e.g., green). Accordingly, the time series data block 720 emphasizes the features of each kind of data value, which improves the accuracy of the pattern recognition herein.

[0090] FIG. 8 illustrates an example 800 of time series data according to some implementations. In this example, the security program may generate one vertical (cyclic) interval of the pixel bands representing the time series data of the status value 320 and the set values 322 and 324 in a time series data block. For instance, a pixel band, such as the pixel band 410, may represent one vertical (cyclic) interval of the status value 320 and/or the set values 322, 324 based on data of one byte for each value. For example, when the status value 320 and the set values 322 and 324 are each represented as a value of 4 bits (e.g., 0xC), and are written as left-aligned values, such as 0xCC 802 and 0xC0 804, as illustrated in FIG. 8, within the payload of the cyclic packets 300, the left-aligned values may be divided into three values of upper 4 bits 806, middle 4 bits 808, and lower 4 bits 810. These three values may each be multiplied by a constant value, such as 16 in this example (i.e., shifted left by four bits), and represented as three independent values of one byte, such as 0xC0 812, 814, and 816, respectively. The security program may represent each value of less than 8 bits as an independent value of one byte, and is therefore able to emphasize features of a time series data block using the above-mentioned process, which improves the accuracy of the pattern recognition herein.

[0091] FIG. 9 illustrates an example variable field data structure 154 according to some implementations. The variable field data structure 154 may be used for specifying the variable fields of the equipment, and may represent image data or matrix data. The variable field data structure 154 includes an identifier 902 of the equipment; the machines 904 included in the respective equipment; the process managers 906 included in the respective equipment; the types of values 908 for the respective machines and process managers; the position 910 of the pixel (or column), counted from the left, in the respective time series data block; and the position 912 of the byte (or packet), counted from the left, in the packet payload for each value. For example, equipment A 114(a) includes and controls machine 118(a), machine 120(a), and process manager 116(a); equipment B 114(b) includes and controls machine 118(b), machine 120(b), and process manager 116(b); and equipment C 114(c) includes and controls machine 118(c), machine 120(c), and process manager 116(c). Each machine 118(a)-118(c), 120(a)-120(c) includes the status value, the set values 1-4, the operating values for the set values 1-2, and another operating value, and each process manager 116(a)-116(c) includes the signals 1-3.

[0092] As mentioned above, column 910 of the variable field data structure 154 indicates the pre-set field (pixel or column) within the top row of each time series data block. The information in the variable field data structure 154 specifying the variable fields may be changed via the simulator GUI discussed above with respect to FIGS. 1 and 2. Using the information contained in the variable field data structure 154, the security program is able to determine the position of each value within a respective packet and to generate a time series data block from the information specifying the variable fields, as illustrated in FIG. 9.
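The following Python script is an added example, not code from the application, showing how the processing described in paragraphs [0088] to [0092] fits together: reading each value out of the packet payload at the byte (and nibble) position given by a variable-field table, widening 4-bit values to one byte as in FIG. 8, stacking one row per cyclic packet into a time series data block, and applying the endpoint emphasis of FIG. 7A and the channel assignment of FIG. 7B. The field layout, the sample packets, the channel map and the SCALE constant are constructed assumptions for the illustration.

```python
"""
Turn cyclic control packets into a time series data block.

Added example, not code from the application. The field layout (which
byte and which nibble of the payload holds which value), the sample
packets, the scaling constant and the endpoint/colour encodings are
constructed assumptions illustrating FIGS. 7A, 7B, 8 and 9.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# A 4-bit value is left-aligned in its byte: 0xC -> 0xC0 (a shift of 4 bits).
SCALE = 16


def unpack_nibbles(payload: bytes, count: int) -> List[int]:
    """Split `count` left-aligned 4-bit values out of `payload` and widen each
    to one byte: bytes CC C0 holding three values 0xC -> [0xC0, 0xC0, 0xC0]."""
    if count > 2 * len(payload):
        raise ValueError("payload holds fewer nibbles than requested")
    values = []
    for i in range(count):
        byte = payload[i // 2]
        nibble = byte >> 4 if i % 2 == 0 else byte & 0x0F
        values.append(nibble * SCALE)
    return values


@dataclass(frozen=True)
class VariableField:
    """One row of a variable-field table in the spirit of FIG. 9: where the
    value sits in the payload (byte, and nibble for 4-bit values) and which
    pixel column of the data block it is written to."""
    equipment: str
    machine: str        # machine or process manager
    value_type: str     # "status", "set1", "set2", ...
    column: int         # pixel column in the time series data block
    byte_pos: int       # byte offset from the left of the packet payload
    width: int = 8      # 8 = whole byte, 4 = one nibble
    high_nibble: bool = True


def read_field(payload: bytes, f: VariableField) -> int:
    """Read one field and return it as a one-byte value.
    A field beyond the payload raises instead of silently reading zero."""
    if f.byte_pos >= len(payload):
        raise ValueError(f"payload too short for {f.value_type}")
    byte = payload[f.byte_pos]
    if f.width == 8:
        return byte
    return (byte >> 4 if f.high_nibble else byte & 0x0F) * SCALE


def build_block(packets: Sequence[bytes], fields: Sequence[VariableField]) -> List[List[int]]:
    """One row per cyclic packet, one column per field: the time series data block."""
    ncols = max(f.column for f in fields) + 1
    block = []
    for payload in packets:
        row = [0] * ncols
        for f in fields:
            row[f.column] = read_field(payload, f)
        block.append(row)
    return block


def emphasize_endpoints(block: List[List[int]]) -> List[List[int]]:
    """FIG. 7A idea (layout assumed): append to every row the initial and the
    end value of each band, so both are visible in every cycle."""
    first, last = block[0], block[-1]
    return [row + first + last for row in block]


def to_rgb(block, fields, channels: Dict[str, Tuple[int, ...]]):
    """FIG. 7B idea: each value type is written into its own subset of the
    RGB channels (0=red, 1=green, 2=blue); returns one (r, g, b) per pixel."""
    by_col = sorted(fields, key=lambda f: f.column)
    image = []
    for row in block:
        pixels = []
        for f in by_col:
            px = [0, 0, 0]
            for ch in channels[f.value_type]:
                px[ch] = row[f.column]
            pixels.append(tuple(px))
        image.append(pixels)
    return image


# Constructed sample: equipment A, machine 118(a); the status is a whole byte,
# set value 1 and set value 2 are the two nibbles of the next payload byte.
FIELDS = [
    VariableField("A", "machine 118(a)", "status", column=0, byte_pos=0),
    VariableField("A", "machine 118(a)", "set1", column=1, byte_pos=1, width=4, high_nibble=True),
    VariableField("A", "machine 118(a)", "set2", column=2, byte_pos=1, width=4, high_nibble=False),
]
PACKETS = [bytes.fromhex("01cc"), bytes.fromhex("01cc"), bytes.fromhex("02c0")]
CHANNELS = {"status": (0,), "set1": (1, 2), "set2": (1,)}

if __name__ == "__main__":
    for row in emphasize_endpoints(build_block(PACKETS, FIELDS)):
        print(" ".join(f"{v:02x}" for v in row))
```

Running the script prints the block with the initial and end values appended to each row. The nibble scaling is a left shift by four bits, so a packed value of 0xC lands at 0xC0; a field position beyond the payload length raises rather than silently reading zero, which matters when the variable-field table and the actual packet format drift apart.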

[0093] FIG. 10 illustrates an example pattern data structure (DS) 152 according to some implementations. The example of FIG. 10 illustrates an example format of the pattern DS 152, which includes a list of patterns by pattern number 1002 and, for each listed pattern, an indication 1004 of whether the pattern is normal or abnormal. Furthermore, for each listed pattern, the pattern DS 152 includes the action 1006 of the status value, the set values 1-4, the operating values for the set values 1-2, the other operating value, and/or the signals 1-3 for each equipment 114, listed according to machine 118, 120 or process manager 116.

[0094] The information 1008 of the action 1006 may include whether a specified value increases or decreases, the initial value, the end value, the initial and end cycles of the change, and/or how the value changes. The information of the pattern DS 152 may be displayed in the simulator GUI 146 discussed above with respect to FIGS. 1 and 2. Furthermore, the information in the pattern DS 152 may be manually changed or added to by a user via the simulator GUI, and/or may be created automatically from the actual time series data blocks. Accordingly, the security program may enable a user to change the designation of “normal” or “abnormal” 1004 for each pattern 1002 by manually changing the information of the pattern table or file 117 via the simulator GUI. The security program may generate time series data blocks as specified by the information of the patterns recorded in the pattern DS 152. Furthermore, the model building program may create the machine learning model 140 based on a combination of training data obtained from running simulations based on the patterns in the pattern data structure 152 and information obtained from the actual operating environment.

[0095] FIG. 11 illustrates an example dashboard GUI 162 according to some implementations. In the example of FIG. 11, the dashboard GUI 162 includes a first table 1102 displaying a currently recognized pattern 1104 and a second table 1106 displaying previously recognized statistical patterns 1108.

[0096] The first table 1102 displaying the currently recognized pattern 1104 displays the pattern number 1110 of the currently recognized pattern and an indication 1112 of whether the pattern is normal or abnormal for each equipment A-C, and for each corresponding machine 118, 120 and process manager 116. The second table 1106 displaying the previously recognized statistical patterns 1108 may include, for each pattern, the pattern number 1120, the operation pattern and values 1122, an indication 1124 of normal or abnormal, a number of occurrences 1126, a frequency 1128, a most recent time 1130, and the actually detected pattern 1108. A user may update the indication of normal or abnormal for a particular pattern via the column 1124 displaying normal or abnormal for each pattern, and the updated information is reflected in the pattern data structure. Thus, the dashboard GUI 162 enables a user to manually change the normal or abnormal designation after running, while displaying statistical information such as the number of occurrences.
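As an added example (not the application's own code) of the pattern data structure of FIG. 10 and the dashboard of FIG. 11 described in paragraphs [0093] to [0096], the Python below stores per-value action information (initial value, end value, initial and end cycle of the change), generates the time series data block a pattern describes, labels the generated blocks for training, classifies an observed block against the patterns, lets the normal/abnormal designation of a pattern be changed so that later recognitions reflect it, and tallies occurrences and frequency per pattern. The pattern entries, the linear ramp used for “how the value changes”, and the nearest-pattern matcher standing in for the machine learning model 140 are constructed assumptions.

```python
"""
Pattern-driven simulation, labelling and dashboard bookkeeping.

Added example, not code from the application. The pattern entries, the
linear ramp used for "how the value changes", the nearest-pattern matcher
standing in for machine learning model 140, and the occurrence tally are
constructed assumptions illustrating FIGS. 10 and 11.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Action:
    """Action information for one value: it moves from `initial` to `end`
    between `start_cycle` and `end_cycle` (a linear ramp is assumed here);
    the increase/decrease indication is derived from the two values."""
    initial: int
    end: int
    start_cycle: int = 0
    end_cycle: int = 0

    @property
    def direction(self) -> str:
        if self.end > self.initial:
            return "increase"
        return "decrease" if self.end < self.initial else "constant"

    def value_at(self, cycle: int) -> int:
        if cycle <= self.start_cycle or self.end_cycle <= self.start_cycle:
            return self.initial
        if cycle >= self.end_cycle:
            return self.end
        span = self.end_cycle - self.start_cycle
        return self.initial + (self.end - self.initial) * (cycle - self.start_cycle) // span


@dataclass(frozen=True)
class Pattern:
    number: int
    label: str                   # "normal" or "abnormal"
    actions: Dict[str, Action]   # value name -> action


COLUMNS = ["status", "set1", "set2"]   # assumed column order of the data block


def simulate(pattern: Pattern, cycles: int) -> List[List[int]]:
    """Generate the time series data block a pattern describes (one row per cycle)."""
    return [[pattern.actions.get(c, Action(0, 0)).value_at(t) & 0xFF for c in COLUMNS]
            for t in range(cycles)]


def training_set(patterns: Sequence[Pattern], cycles: int) -> List[Tuple[List[List[int]], str]]:
    """Labelled blocks for the model building program."""
    return [(simulate(p, cycles), p.label) for p in patterns]


def recognize(block: List[List[int]], patterns: Sequence[Pattern], cycles: int) -> Tuple[int, str]:
    """Stand-in for the trained model: the pattern whose simulated block is
    nearest (L1 distance) to the observed block, with its current label."""
    def dist(a, b):
        return sum(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    best = min(patterns, key=lambda p: dist(block, simulate(p, cycles)))
    return best.number, best.label


def set_label(patterns: Sequence[Pattern], number: int, label: str) -> List[Pattern]:
    """Dashboard edit: change normal/abnormal for one pattern; the change is
    reflected in the pattern DS that later recognitions read."""
    if label not in ("normal", "abnormal"):
        raise ValueError(f"unknown label {label!r}")
    return [replace(p, label=label) if p.number == number else p for p in patterns]


def tally(results: Sequence[Tuple[int, str]]) -> Dict[int, Tuple[int, float]]:
    """Occurrences and frequency per pattern number, as in the second dashboard table."""
    counts = Counter(n for n, _ in results)
    total = len(results)
    return {n: (c, c / total) for n, c in counts.items()}


# Constructed pattern DS: pattern 1 ramps set value 1 gently, pattern 2 jumps it.
PATTERN_DS = [
    Pattern(1, "normal", {"status": Action(1, 1),
                          "set1": Action(0x20, 0x80, 2, 6),
                          "set2": Action(0x40, 0x40)}),
    Pattern(2, "abnormal", {"status": Action(1, 1),
                            "set1": Action(0x20, 0xF0, 2, 3),
                            "set2": Action(0x40, 0x40)}),
]

if __name__ == "__main__":
    observed = simulate(PATTERN_DS[1], 8)
    print(recognize(observed, PATTERN_DS, 8))
```

The label lives only in the pattern DS, so relabelling a pattern from the dashboard changes what every later recognition reports without retraining anything; in a deployment the retraining of model 140 against the updated labels is a separate step, and an operator relabelling an abnormal pattern as normal is itself worth logging.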

[0097] FIG. 12 is a flow diagram illustrating an example process 1200 that may be executed by the security program 136 according to some implementations. The examples described above disclose a system that recognizes patterns using packet data as input data. As demonstrated by the example of FIG. 12, the system and process herein may use data other than packet data in some examples. FIG. 12 illustrates a flow for recognizing a pattern using time series data 1202 received from a data generation source 1204 such as a sensor, camera, microphone, storage, IT device, weather observer, medical record, or the like. In this example, block 202 of FIG. 2, receiving packet data, is replaced by receiving data in general, as indicated at 1206. Otherwise, the process of FIG. 12 for recognizing abnormal data is generally the same as that discussed above with respect to FIG. 2.

[0098] The example processes described herein are only examples of processes provided for discussion purposes. Numerous other variations will be apparent to those of skill in the art in light of the disclosure herein. Further, while the disclosure herein sets forth several examples of suitable systems, architectures and environments for executing the processes, the implementations herein are not limited to the particular examples shown and discussed. Furthermore, this disclosure provides various example implementations, as described and as illustrated in the drawings. However, this disclosure is not limited to the implementations described and illustrated herein, but can extend to other implementations, as would be known or as would become known to those skilled in the art.

[0099] Various instructions, processes, and techniques described herein may be considered in the general context of computer-executable instructions, such as programs stored on computer-readable media, and executed by the processor(s) herein. Generally, programs include routines, modules, objects, components, data structures, executable code, etc., for performing particular tasks or implementing particular abstract data types. These programs, and the like, may be executed as native code or may be downloaded and executed, such as in a virtual machine or other just-in-time compilation execution environment. Typically, the functionality of the programs may be combined or distributed as desired in various implementations. An implementation of these programs and techniques may be stored on computer storage media or transmitted across some form of communication media.

[00100] Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as example forms of implementing the claims.