METHOD, SYSTEMS AND APPARATUS FOR INTELLIGENTLY EMULATING FACTORY CONTROL SYSTEMS AND SIMULATING RESPONSE DATA

Abstract

A controller emulator, coupled to an interface that exposes the controller emulator to inputs from external sources, provides one or more control signals to a process simulator and a deep learning process. In response, the process simulator simulates response data that is provided to the deep learning processor. The deep learning processor generates expected response data and expected behavioral pattern data for the one or more control signals, as well as actual behavioral pattern data for the simulated response data. A comparison of at least one of the simulated response data to the expected response data and the actual behavioral pattern data to the expected behavioral pattern data is performed to determine whether anomalous activity is detected. As a result of detecting anomalous activity, one or more operations are performed to address the anomalous activity.

Description

Claims

1. A method, comprising: receiving, by a honeypot system comprising a deep learning processor, an input from an interface coupled to the honeypot system, the input comprising a malware attack;initiating, by the honeypot system, a simulated process performed by a simulator of the honeypot system, wherein the simulated process simulates a manufacturing process performed by a manufacturing system;generating, by an emulator of the honeypot system, one or more emulated control signals, the emulator configured to emulate a process controller deployed in the manufacturing system;generating, by the simulator of the honeypot system, simulated response data based on the one or more emulated control signals;generating, by the deep learning processor of the honeypot system, expected response data based on the one or more emulated control signals;generating, by the deep learning processor of the honeypot system, actual response data based on the simulated response data;comparing, by the deep learning processor of the honeypot system, the expected response data to the actual response data to the actual response data; andlearning, by the deep learning processor of the honeypot system, to identify anomalous activity based on the comparing.

2. The method of claim 1, further comprising: generating, by the deep learning processor of the honeypot system, expected behavioral pattern data based on the one or more emulated control signals;generating, by the deep learning processor of the honeypot system, actual behavioral pattern data based on the simulated response data;comparing, by the deep learning processor of the honeypot system, the expected behavioral pattern data to the expected behavioral pattern data; andlearning, by the deep learning processor of the honeypot system, to identify the anomalous activity based on the comparing.

3. The method of claim 1, wherein learning, by the deep learning processor of the honeypot system, to identify the malware attack based on the comparing comprises: identifying deviations between the expected response data and the actual response data.

4. The method of claim 1, further comprising: generating, by the deep learning processor of the honeypot system, a confidence level that the anomalous activity exists.

5. The method of claim 4, further comprising: initiating, by the deep learning processor of the honeypot system, a remedial action based on the confidence level being within a threshold range.

6. The method of claim 5, further comprising: determining, by the deep learning processor of the honeypot system, that the confidence level is above the threshold range; andbased on the determining, initiating, by the deep learning processor of the honeypot system, an alert protocol.

7. The method of claim 5, further comprising: determining, by the deep learning processor of the honeypot system, that the confidence level is below the threshold range; andbased on the determining, flagging, by the deep learning processor of the honeypot system, the anomalous activity.

8. A manufacturing system comprising: a honeypot system comprising a deep learning processor conditioned to generate expected response data and expected behavioral pattern data in a manufacturing process based on one or more control signals, the deep learning processor disconnected from a process, equipment, and control system in which the deep learning processor will be deployed; andan interface in communication with the honeypot system, the interface configured to provide external updates to the honeypot system.

9. The manufacturing system of claim 8, wherein the deep learning processor comprises a trained process simulator configured to receive control signals from a process controller deployed in the manufacturing system and generate simulated response data based on the control signals.

10. The manufacturing system of claim 9, further comprising: an emulator configured to emulate the process controller deployed in the manufacturing system.

11. The manufacturing system of claim 10, wherein the trained process simulator is configured to receive emulated control signals from the emulator and generate further simulated response data based on the emulated control signals.

12. The manufacturing system of claim 8, wherein the honeypot system is isolated from other components of the manufacturing system.

13. The manufacturing system of claim 8, wherein the interface introduces a malware attack to the honeypot system for analysis.

14. The manufacturing system of claim 8, wherein the deep learning processor is trained to identify anomalous activity within the manufacturing system.

15. A non-transitory computer readable medium comprising one or more sequences of instructions, which, when executed by a processor, causes a computing system to perform operations comprising: receiving, by a deep learning processor, an input from an interface coupled to the computing system, the input comprising a malware attack;initiating, by the computing system, a simulated process performed by a simulator of the computing system, wherein the simulated process simulates a manufacturing process performed by a manufacturing system;generating, by an emulator of the computing system, one or more emulated control signals, the emulator configured to emulate a process controller deployed in the manufacturing system;generating, by the simulator of the computing system, simulated response data based on the one or more emulated control signals;generating, by the deep learning processor, expected response data based on the one or more emulated control signals;generating, by the deep learning processor, actual response data based on the simulated response data;comparing, by the deep learning processor, the expected response data to the actual response data to the actual response data; andlearning, by the deep learning processor, to identify anomalous activity based on the comparing.

16. The non-transitory computer readable medium of claim 15, further comprising: generating, by the deep learning processor, expected behavioral pattern data based on the one or more emulated control signals;generating, by the deep learning processor, actual behavioral pattern data based on the simulated response data;comparing, by the deep learning processor, the expected behavioral pattern data to the expected behavioral pattern data; andlearning, by the deep learning processor, to identify the anomalous activity based on the comparing.

17. The non-transitory computer readable medium of claim 15, wherein learning, by the deep learning processor, to identify the malware attack based on the comparing comprises: identifying deviations between the expected response data and the actual response data.

18. The non-transitory computer readable medium of claim 15, further comprising: generating, by the deep learning processor, a confidence level that the anomalous activity exists.

19. The non-transitory computer readable medium of claim 18, further comprising: initiating, by the deep learning processor, a remedial action based on the confidence level being within a threshold range.

20. The non-transitory computer readable medium of claim 19, further comprising: determining, by the deep learning processor, that the confidence level is above the threshold range; andbased on the determining, initiating, by the deep learning processor, an alert protocol.