US2021360009A1PendingUtilityA1

Centralized controller management and anomaly detection

65
Assignee: KARAMBA SECURITY LTDPriority: Apr 6, 2016Filed: May 17, 2021Published: Nov 18, 2021
Est. expiryApr 6, 2036(~9.7 yrs left)· nominal 20-yr term from priority
H04L 63/1425H04L 63/0236H04L 2012/40215G06F 21/51H04L 2209/84H04L 12/40H04W 12/128H04L 63/1416H04L 63/1441H04L 43/06H04L 63/145
65
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

In one implementation, a method for providing security on externally connected controllers includes receiving, at a server system, operation information for a plurality of instances of a controller, the plurality of instances being installed across a plurality of devices; statistically analyzing, by the server system, the operation information; identifying, by the server system, one or more anomalous controller behaviors based on the statistical analysis; and providing, by the server system, information regarding the one or more anomalous controller behaviors on the controller as potential security threats.

Claims

exact text as granted — not AI-modified
1 - 25 . (canceled) 
     
     
         26 . A system for providing controller security, the system comprising:
 a processor and computer-readable memory, the computer-readable memory comprising instructions that, when executed by the processor, cause the processor to perform security operations comprising:
 receiving operation information for a plurality of instances of a controller, the plurality of instances being installed across a plurality of devices; 
 statistically analyzing the received operation information, wherein the statistically analyzing comprises identifying an operation from the received operation information that is outside of determined normal operations of the controller, the identified operation comprising at least one of:
 a processor operation; 
 a memory operation; or 
 an input/output operation; 
 
 identifying one or more anomalous controller behaviors based on the statistical analysis; and 
 identifying information regarding the one or more anomalous controller behaviors on the controller as a potential security threat. 
   
     
     
         27 . The system of  claim 26 , wherein the statistically analyzing comprises analyzing at least one of: a process sequence, a function sequence, a network packet, a process frequency, a function frequency, a device context, a system context, or a resource usage. 
     
     
         28 . The system of  claim 26 , wherein the plurality of instances of the controller are of a common controller type. 
     
     
         29 . The system of  claim 28 , wherein the determined normal operations of the controller comprise determined normal operations for the common controller type. 
     
     
         30 . The system of  claim 26 , wherein the plurality of devices are of a common device type. 
     
     
         31 . The system of  claim 26 , wherein the security operations further comprise performing at least one of: generating a security policy or modifying a security policy. 
     
     
         32 . The system of  claim 31 , wherein the security operations further comprise modifying the security policy by performing at least one of:
 removing information corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing function mappings corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing an IP address corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing a network port corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing a payload content type corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy; or   altering a process map that is part of the security policy.   
     
     
         33 . The system of  claim 26 , wherein the security operations further comprise:
 modifying an existing security policy; and   pushing out the modified security policy to at least one of the plurality of instances of the controller having the existing security policy.   
     
     
         34 . The system of  claim 26 , wherein identifying the operation that is outside of determined normal operations of the controller comprises determining that the operation deviates from a behavioral baseline by a threshold number of standard deviations. 
     
     
         35 . The system of  claim 26 , wherein the operation information comprises at least one malware report that identifies malware on at least one of the plurality of instances of the controller. 
     
     
         36 . The system of  claim 35 , wherein the malware is associated with the one or more anomalous controller behaviors. 
     
     
         37 . The system of  claim 36 , wherein the security operations further comprise:
 modifying a security policy; and   deploying the modified security policy to at least one of the plurality of instances of the controller, wherein the modified security policy is configured to cause the at least one of the plurality of instances of the controller to perform at least one of:
 blocking the identified malware; or 
 preventing the one or more anomalous controller behaviors. 
   
     
     
         38 . A method for providing controller security, the method comprising:
 receiving operation information for a plurality of instances of a controller, the plurality of instances being installed across a plurality of devices;   statistically analyzing the received operation information, wherein the statistically analyzing comprises identifying an operation from the received operation information that is outside of determined normal operations of the controller, the identified operation comprising at least one of:
 a processor operation; 
 a memory operation; or 
 an input/output operation; 
   identifying one or more anomalous controller behaviors based on the statistical analysis; and   identifying information regarding the one or more anomalous controller behaviors on the controller as a potential security threat.   
     
     
         39 . The method of  claim 38 , wherein the statistically analyzing comprises analyzing at least one of: a process sequence, a function sequence, a network packet, a process frequency, a function frequency, a device context, a system context, or a resource usage. 
     
     
         40 . The method of  claim 38 , further comprising at least one of:
 generating a security policy; or   modifying a security policy.   
     
     
         41 . The method of  claim 40 , further comprising modifying the security policy by performing at least one of:
 removing information corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing function mappings corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing an IP address corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing a network port corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy;   removing a payload content type corresponding to the one or more anomalous controller behaviors from one or more whitelists that are part of the security policy; or   altering a process map that is part of the security policy.   
     
     
         42 . The method of  claim 38 , further comprising:
 modifying an existing security policy; and   pushing out the modified security policy to at least one of the plurality of instances of the controller having the existing security policy.   
     
     
         43 . The method of  claim 38 , wherein the operation information comprises at least one malware report that identifies malware on at least one of the plurality of instances of the controller. 
     
     
         44 . The method of  claim 43 , wherein the malware is associated with the one or more anomalous controller behaviors. 
     
     
         45 . The method of  claim 44 , further comprising:
 modifying a security policy; and   deploying the modified security policy to at least one of the plurality of instances of the controller, wherein the modified security policy is configured to cause the at least one of the plurality of instances of the controller to perform at least one of:
 blocking the identified malware; or 
 preventing the one or more anomalous controller behaviors.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.