US Patent No. 9,130,983

APPARATUS AND METHOD FOR DETECTING ABNORMALITY SIGN IN CONTROL SYSTEM

Patent No.: 9,130,983
Issue Date: September 08, 2015
Title: Apparatus And Method For Detecting Abnormality Sign In Control System
Inventors: Youngjun Heo, Daejeon (KR); Seon-Gyoung Sohn, Daejeon (KR); Dong Ho Kang, Daejeon (KR); Byoung-Koo Kim, Daejeon (KR); Jung-Chan Na, Daejeon (KR); Ik Kyun Kim, Daejeon (KR)
Assignee: Electronics and Telecommunications Research Institute, Daejeon (KR)

Claim of US Patent No. 9,130,983

1. An apparatus for detecting an abnormality sign in a control system, the control system comprising control equipments, network equipments, security equipments or server equipments, the apparatus comprising:
an information collection module configured to collect system information, network information, security event information or transaction information in interworking with the control equipments, network equipments, security equipments or server equipments;

a storage module that stores the information collected by the information collection module;
an abnormality detection module configured to analyze a correlation between the collected information and a prescribed security policy to detect whether there is an abnormality sign in the control system;

the information collection module including:
a system information manager configured to collect the system information from the respective equipments in the control system for the management thereof;

a component manager configured to collect information on network nodes and end systems connected to a network in interworking with the respective equipments in the control system and the other end systems which exchange authenticated data for the management thereof;

a security event information manager configured to collect the security event information for the management thereof;
the security event information manager being further configured to manage the security event information including a connection attempt of unauthorized users, an alarm for an excess of maximum connections, an alarm for an excess of maximum simultaneous connections, an alarm for an excess of minimum idle times or maximum idle times, an alarm for a buffer overflow or a buffer underflow, an alarm for a deformed Protocol Description Unit (PDU) or a modulated PDU; and

a control facility configured to collect and manage information including detection of the connection status or the disconnection status of an end system to a network, detection of the status of network nodes that are newly added, or detection of new paths.
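As an added illustration of the claimed flow, not the patentee's implementation: collected records (connection attempts, PDU checks, newly seen network nodes) are correlated with a prescribed security policy to produce abnormality signs. The record schema, policy thresholds and sample events are constructed assumptions, and only a subset of the listed security events is modelled.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityPolicy:  # prescribed policy; all thresholds are constructed values
    max_simultaneous: int = 1        # open connections allowed per source at one time
    max_idle_seconds: float = 300.0  # longest allowed silence on an open session
    authorized_users: frozenset = frozenset({"operator"})
    known_nodes: frozenset = frozenset({"10.0.0.1", "10.0.0.2"})

@dataclass(frozen=True)
class Event:  # one record from the collection module (assumed schema)
    kind: str            # "connect", "disconnect", "pdu" or "node_seen"
    src: str             # address of the end system or network node
    t: float             # collection timestamp, seconds
    user: str = ""       # identity presented on a connection attempt
    pdu_ok: bool = True  # False models a deformed or modulated PDU

def detect_abnormality_signs(events, policy):
    """Correlate the collected records with the policy; return abnormality signs."""
    signs, open_conns, last_seen = [], defaultdict(int), {}
    for e in sorted(events, key=lambda ev: ev.t):
        idle = e.t - last_seen.get(e.src, e.t)  # silence since this source's last record
        if open_conns[e.src] and idle > policy.max_idle_seconds:
            signs.append(f"max idle time exceeded: {e.src}")
        if e.kind == "connect":
            if e.user not in policy.authorized_users:
                signs.append(f"unauthorized connection attempt: {e.src} as {e.user!r}")
            open_conns[e.src] += 1
            if open_conns[e.src] > policy.max_simultaneous:
                signs.append(f"max simultaneous connections exceeded: {e.src}")
        elif e.kind == "disconnect":
            open_conns[e.src] = max(0, open_conns[e.src] - 1)
        elif e.kind == "pdu" and not e.pdu_ok:
            signs.append(f"deformed PDU: {e.src}")
        elif e.kind == "node_seen" and e.src not in policy.known_nodes:
            signs.append(f"new network node detected: {e.src}")
        last_seen[e.src] = e.t
    return signs

SAMPLE_EVENTS = [  # constructed input, not traffic from any real control system
    Event("connect", "10.0.0.1", 1.0, user="operator"),
    Event("connect", "10.0.0.2", 2.0, user="guest"),
    Event("pdu", "10.0.0.2", 3.0, pdu_ok=False),
    Event("node_seen", "10.0.0.9", 4.0),
    Event("connect", "10.0.0.1", 5.0, user="operator"),
    Event("disconnect", "10.0.0.1", 400.0),
]
```

Running `detect_abnormality_signs(SAMPLE_EVENTS, SecurityPolicy())` yields five signs, one per policy violation in the sample, in timestamp order.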