KR-20260067206-A - CYBERSECURITY THREATS MONITORING METHOD OF INDUSTRIAL CONTROL SYSTEMS USING CORRELATION ANALYSIS AND SYSTEM THEREOF

Abstract

The present invention relates to a method and system for monitoring cybersecurity threats in an Industrial Control System (ICS). The present invention includes the steps of collecting data generated in an Industrial Control System (ICS), inputting the data into a neural network model to identify security threats, deriving a correlation between the data input into the neural network model when the security threat is identified, and predicting a threat probability corresponding to the identified security threat using the derived correlation.

Inventors

  • 송현석
  • 장승진
  • 최재혁
  • 김희재
  • 이준영

Assignees

  • 한전케이디엔주식회사

Dates

Publication Date
20260512
Application Date
20241105

Claims (7)

  1. A cybersecurity threat monitoring method comprising: a step of collecting data generated from an Industrial Control System (ICS); a step of identifying security threats by inputting the data into a neural network model; a step of deriving, when the security threat is identified, a correlation between the data input to the neural network model; and a step of predicting the possibility of a threat corresponding to the identified security threat using the derived correlation.
  2. The cybersecurity threat monitoring method of claim 1, wherein the data includes one or more of log data, traffic data, and operation data generated in the Industrial Control System (ICS).
  3. The cybersecurity threat monitoring method of claim 1, wherein the neural network model receives data as input and outputs a binary label corresponding to whether there is a security threat.
  4. The cybersecurity threat monitoring method of claim 1, wherein the neural network model receives data as input and constructs a dataset, and the correlation between the datasets is pre-trained.
  5. The cybersecurity threat monitoring method of claim 1, wherein the correlation is derived using the Pearson correlation coefficient.
  6. The cybersecurity threat monitoring method of claim 1, further comprising a step of outputting a user interface for visually representing the identified security threat and the predicted threat potential.
  7. A cybersecurity threat monitoring system comprising a processor that collects data generated from an Industrial Control System (ICS), wherein the processor inputs the data into a neural network model to identify whether there is a security threat, and, if the security threat is identified, derives a correlation between the data input into the neural network model to predict the possibility of a threat corresponding to the identified security threat.
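
The correlation step of claims 1, 2 and 5, as an added example that is not taken from the patent: once a window carries the binary threat label of claim 3, the Pearson coefficient is computed between the flagged stream and every other collected stream. The stream names, the sample window and the 0.8 threshold are constructed assumptions, and the label is passed in rather than produced by a neural network; the page does not say how the correlation is turned into a threat possibility, so the example stops at the correlated streams.

```python
import math

def pearson(x, y):
    """Pearson correlation coefficient r of two equal-length series."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("series must have equal length >= 2")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0  # constant series: r is undefined, treat as uncorrelated
    return sxy / math.sqrt(sxx * syy)

def correlated_streams(streams, flagged, label, threshold=0.8):
    """For a window labelled as a threat (label == 1), return the
    (name, r) pairs whose |r| with the flagged stream meets the
    threshold, strongest first. Unlabelled windows are skipped."""
    if label != 1:
        return []
    hits = []
    for name, series in streams.items():
        if name == flagged:
            continue
        r = pearson(streams[flagged], series)
        if abs(r) >= threshold:
            hits.append((name, r))
    return sorted(hits, key=lambda h: -abs(h[1]))

# Constructed per-minute samples for one 8-minute window (not real data):
# log data, traffic data and operation data, as listed in claim 2.
WINDOW = {
    "auth_fail_log":     [1, 0, 2, 1, 9, 14, 20, 25],
    "modbus_write_pkts": [3, 2, 4, 3, 15, 22, 31, 40],
    "pump_rpm":          [1500, 1502, 1499, 1501, 1500, 1498, 1501, 1500],
}

if __name__ == "__main__":
    for name, r in correlated_streams(WINDOW, "auth_fail_log", label=1):
        print(f"{name}: r = {r:+.3f}")
```
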

Description

Method and System for Monitoring Cybersecurity Threats of Industrial Control Systems Using Correlation Analysis

The present invention relates to a method and system for monitoring cybersecurity threats in an Industrial Control System (ICS).

Industrial Control Systems (ICS) are systems used to monitor and control machinery, equipment, and processes in industrial environments. Since safety and reliability are critical to these systems, responding to cyber security threats is essential. Accordingly, cybersecurity monitoring of Industrial Control Systems (ICS) primarily applied signature-based detection technology, sandbox analysis, firewalls, and Intrusion Detection Systems (IDS).

However, since Industrial Control Systems (ICS) primarily consist of manufacturing and control systems, external access is restricted due to the use of proprietary network protocols, making it difficult to apply existing IT security solutions. Furthermore, conventional security detection technologies are tailored only to IT environments, making it difficult to detect specific threats occurring in Industrial Control Systems (ICS). In particular, because they rely solely on post-event analysis when a security threat occurs, there is a problem in that it is difficult to immediately detect and respond to security threats occurring in real time. In addition, conventional security detection technologies focus only on the local analysis of individual datasets, which makes it difficult to predict the causes or propagation paths of threats.

FIG. 1 is a drawing illustrating a cybersecurity threat monitoring system for an industrial control system according to one embodiment of the present invention.

FIG. 2 is a diagram illustrating a method for monitoring cybersecurity threats of an industrial control system according to an embodiment of the present invention.

FIG. 3 is a diagram illustrating a training method for a neural network model that identifies whether there is a security threat.
The aforementioned objectives, features, and advantages are described in detail below with reference to the attached drawings, thereby enabling those skilled in the art to easily implement the technical concept of the present invention. In describing the present invention, detailed descriptions of known technologies related to the present invention are omitted if it is determined that such descriptions would unnecessarily obscure the essence of the invention. Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the attached drawings. In the drawings, the same reference numerals are used to indicate the same or similar components.

In this specification, terms such as "first," "second," etc. are used to describe various components, but these components are not limited by these terms. These terms are used merely to distinguish one component from another, and unless specifically stated otherwise, the first component may be the second component.

Additionally, in this specification, the statement that any configuration is disposed on the "upper (or lower)" part of a component may mean not only that the configuration is disposed in contact with the upper (or lower) surface of said component, but also that another configuration may be interposed between said component and the configuration disposed on (or below) said component.

Furthermore, where it is stated in this specification that one component is "connected" or "coupled" to another component, it should be understood that while the components may be directly connected to each other, another component may be "interposed" between the components, or each component may be "connected" or "coupled" through another component.

Additionally, singular expressions used in this specification include plural expressions unless the context clearly indicates otherwise.
In this application, terms such as "composed of" or "comprising" should not be interpreted as necessarily including all of the various components or steps described in the specification, and should be interpreted as meaning that some of the components or steps may not be included, or that additional components or steps may be included.

Additionally, in this specification, "A and/or B" means A, B, or A and B unless specifically stated otherwise, and "C to D" means C or more and D or less unless specifically stated otherwise.

Hereinafter, a method and system for monitoring cybersecurity threats of an industrial control system according to some embodiments of the present invention will be described.

Referring to FIG. 1, a cybersecurity threat monitoring system of an Industrial Control System (ICS) (10) may include a processor (20). The processor (20) may include at least one physical element among ASICs (application specific integrated circuits), DSPs (digital signal processors), DSPDs (digital signal processing devices), PLDs (programmable logic d