4 research outputs found

    Alarm flood reduction using multiple data sources

    The introduction of distributed control systems in the process industry has increased the number of alarms per operator exponentially. Modern plants present a high level of interconnectivity due to steam recirculation, heat integration and the complex control systems installed in the plant. When a disturbance occurs in the plant, it spreads through the plant's material, energy and information connections, affecting the process variables along its path, and the alarms associated with those process variables are triggered. The resulting alarm messages may overload the operator in the control room, who is then unable to investigate each alarm properly. This undesired situation is called an "alarm flood". In such situations the operator might not be able to keep the plant within safe operation. The aim of this thesis is to reduce alarm flood periods in process plants. Consequential alarms coming from the same process abnormality are isolated and a causal alarm suggestion is given. The causal alarm in an alarm flood is the alarm associated with the asset originating the disturbance that caused the flood. Multiple information sources are used: an alarm log containing all past alarm messages, process data and a topology model of the plant. The alarm flood reduction is achieved with a combination of alarm log analysis, process data root-cause analysis and connectivity analysis. The research findings are implemented in a software tool that guides the user through the different steps of the method. Finally, the applicability of the method is demonstrated with an industrial case study.
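    Two of the three steps named above, alarm-log analysis and connectivity analysis, can be sketched in code. The following Python is an added example written for this page; it is not the thesis's software tool and does not reproduce its method. It runs a sliding-window flood detector over an alarm log and then ranks the alarmed assets by how many other alarmed assets lie upstream of them in the topology graph, suggesting the most upstream one as the causal alarm and the rest as consequential. The alarm log, the tag names, the plant topology (including a heat-integration loop, which makes the graph cyclic), the 10-alarms-in-10-minutes flood rule and the ranking heuristic are all constructed assumptions; process-data root-cause analysis is not covered.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed alarm log ("timestamp ASSET.CONDITION"), not real plant data: pump
# P101 loses flow at 08:00:05 and the disturbance propagates downstream.
ALARM_LOG_TEXT = """\
2024-03-04T07:41:05 T100.LEVEL_LO
2024-03-04T08:00:05 P101.FLOW_LO
2024-03-04T08:00:20 P101.PRES_LO
2024-03-04T08:00:48 E102.TEMP_LO
2024-03-04T08:01:10 E102.FLOW_LO
2024-03-04T08:01:55 R103.TEMP_LO
2024-03-04T08:02:30 R103.PRES_HI
2024-03-04T08:03:02 C104.TEMP_LO
2024-03-04T08:03:40 C104.LEVEL_LO
2024-03-04T08:04:15 E105.TEMP_HI
2024-03-04T08:05:00 E102.TEMP_LO
2024-03-04T08:06:20 R103.LEVEL_LO
2024-03-04T08:25:00 T100.LEVEL_LO
"""

# Constructed topology: asset -> assets directly downstream along material, energy
# or information paths. E105 -> E102 models a heat-integration loop, so the graph
# has a cycle and the upstream search must be cycle-safe.
TOPOLOGY = {"T100": ["P101"], "P101": ["E102"], "E102": ["R103"],
            "R103": ["C104"], "C104": ["E105"], "E105": ["E102"]}

# Flood rule assumed here: at least 10 alarms inside some 10-minute window.
FLOOD_THRESHOLD, FLOOD_WINDOW = 10, timedelta(minutes=10)

def parse_log(text):
    """'timestamp tag' lines -> time-sorted list of (datetime, tag)."""
    alarms = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(stamp), tag) for stamp, tag in alarms)

def find_floods(alarms, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """(start, end) index pairs of maximal runs of alarms that are in flood.
    Two-pointer sweep: j is the last alarm within `window` of alarm i; when
    that span holds >= threshold alarms, every alarm in it is in flood."""
    n, in_flood, j = len(alarms), [False] * len(alarms), 0
    for i in range(n):
        j = max(j, i)
        while j + 1 < n and alarms[j + 1][0] - alarms[i][0] <= window:
            j += 1
        if j - i + 1 >= threshold:
            in_flood[i:j + 1] = [True] * (j - i + 1)
    floods, k = [], 0
    while k < n:
        if in_flood[k]:
            start = k
            while k + 1 < n and in_flood[k + 1]:
                k += 1
            floods.append((start, k))
        k += 1
    return floods

def upstream_assets(asset, topology):
    """Transitive upstream closure over reversed edges (BFS with a visited set)."""
    reverse = defaultdict(set)
    for src, dsts in topology.items():
        for dst in dsts:
            reverse[dst].add(src)
    seen, queue = set(), deque([asset])
    while queue:
        for up in reverse[queue.popleft()]:
            if up not in seen:
                seen.add(up)
                queue.append(up)
    seen.discard(asset)  # an asset sitting on a loop is not its own cause
    return seen

def suggest_causal_alarm(flood_alarms, topology):
    """Connectivity heuristic (an assumption, not the thesis's method): the causal
    asset is the alarmed asset with the fewest alarmed assets upstream of it, ties
    broken by earliest alarm. Its first alarm is the causal alarm; the rest of the
    flood is consequential."""
    first_alarm = {}
    for t, tag in flood_alarms:
        first_alarm.setdefault(tag.split(".", 1)[0], (t, tag))
    alarmed = set(first_alarm)
    causal = first_alarm[min(alarmed, key=lambda a: (
        len(upstream_assets(a, topology) & alarmed), first_alarm[a][0]))]
    return causal, [a for a in flood_alarms if a != causal]

def analyse(log_text=ALARM_LOG_TEXT, topology=TOPOLOGY):
    """Detect floods in the log and reduce each to one causal-alarm suggestion."""
    alarms, report = parse_log(log_text), []
    for start, end in find_floods(alarms):
        flood = alarms[start:end + 1]
        causal, consequential = suggest_causal_alarm(flood, topology)
        report.append({"start": flood[0][0], "end": flood[-1][0],
                       "alarm_count": len(flood), "causal_alarm": causal[1],
                       "consequential_tags": sorted({tag for _, tag in consequential})})
    return report

if __name__ == "__main__":
    for r in analyse():
        print(f"flood {r['start']:%H:%M}-{r['end']:%H:%M}: {r['alarm_count']} alarms; "
              f"causal {r['causal_alarm']}; consequential {', '.join(r['consequential_tags'])}")
```

    On the constructed log the isolated T100 alarms fall outside any 10-minute window with ten or more alarms and are left alone, the eleven alarms from 08:00:05 to 08:06:20 form one flood, and P101.FLOW_LO is suggested as its causal alarm because P101 is the only alarmed asset with no alarmed asset upstream of it. The ranking by "number of alarmed upstream assets" rather than "has no alarmed upstream asset" is what keeps the heuristic usable when the alarmed assets sit on a recirculation loop and are all upstream of one another.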

    Network attacks detection based on traffic flows analysis using hybrid machine learning algorithms

    The development of modern network environments is based on the application of diverse technologies, on interconnection with other technologically different concepts, and on ensuring their interoperability. Such a complex network environment is constantly exposed to various operational challenges, among which ensuring the security of services and data is one of the most important tasks. New requirements for protection systems arise from the need to monitor and understand the characteristics of network traffic efficiently, and are driven by the constant growth in the number of users and the development of new, bandwidth-hungry applications. Developing solutions for anomaly and attack detection has become an imperative, given that cyber attacks are developing just as intensively. In addition, changes in network traffic have become increasingly dynamic, and the high heterogeneity of deployed technologies and user devices stands out as a particular problem. Although the literature contains a large number of papers that analyse network traffic flows for performance monitoring and network security purposes, few studies are based on procedures for generating and analysing network traffic behaviour profiles, that is, specific communication patterns. In this sense, network behaviour analysis relies increasingly on an understanding of normal or acceptable behaviour patterns, from which anomalous patterns can be detected efficiently. Unlike intrusion detection systems that inspect the content of every individual packet (signature-based detection), this approach is particularly useful for identifying unknown threats, zero-day attacks and suspicious behaviour, and for improving overall network performance.
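    The behaviour-profile approach the abstract sets against signature-based detection can be shown with a small flow-level detector. The following Python is an added example for this page, not code from the thesis, and it uses a plain robust z-score per feature rather than the hybrid machine-learning algorithms the title refers to. Every flow record is constructed: deterministic synthetic workstation traffic for a 60-minute baseline, the same traffic in a 10-minute evaluation window with a port scan injected in minute 63 and a previously unseen host in minute 65. The per-source features (flows per minute, distinct destinations, distinct destination ports, mean bytes per flow), the median/MAD profile and the 3.5 cut-off are assumptions made for the example.

```python
import statistics
from collections import defaultdict

WORKSTATIONS = ("10.0.0.5", "10.0.0.7")
SERVERS = ("10.0.1.10", "10.0.1.11", "10.0.1.12")
SERVICE_PORTS = (443, 80, 53, 8443)
Z_CUTOFF = 3.5  # robust z-score cut-off assumed here (a common choice for modified z-scores)

def normal_traffic(minute, host, idx):
    """One minute of a workstation's routine flows: 4-8 flows to the three
    servers on the usual service ports (deterministic, constructed pattern)."""
    n = 4 + (minute + idx) % 5
    return [(minute, host, SERVERS[(minute + k) % 3], SERVICE_PORTS[(k + idx) % 4],
             5000 + 1000 * (k % 8)) for k in range(n)]

def make_flows():
    """Constructed NetFlow-style records (minute, src, dst, dport, bytes), not
    captured traffic. Minutes 0-59 are the baseline; 60-69 are evaluated."""
    flows = [f for minute in range(70) for idx, host in enumerate(WORKSTATIONS)
             for f in normal_traffic(minute, host, idx)]
    # Minute 63: 10.0.0.7 sweeps TCP ports 1-60 on one server with tiny flows (port scan).
    flows += [(63, "10.0.0.7", "10.0.1.10", port, 60) for port in range(1, 61)]
    # Minute 65: a host that never appeared in the baseline shows up.
    flows.append((65, "10.0.0.9", "10.0.1.11", 443, 7000))
    return flows

def feature_vectors(flows):
    """Aggregate flows into (src, minute) bins and summarise each bin as a
    behaviour vector: how much, to how many hosts, on how many ports, how big."""
    bins = defaultdict(list)
    for minute, src, dst, dport, nbytes in flows:
        bins[(src, minute)].append((dst, dport, nbytes))
    return {key: {"flows": len(recs),
                  "distinct_dsts": len({r[0] for r in recs}),
                  "distinct_dports": len({r[1] for r in recs}),
                  "mean_bytes": sum(r[2] for r in recs) / len(recs)}
            for key, recs in bins.items()}

def build_profiles(vectors):
    """Per-source baseline profile: (median, scale) of each feature across the
    source's baseline bins. Median/MAD are used instead of mean/std so a few
    odd baseline minutes do not inflate the 'normal' envelope."""
    per_host = defaultdict(lambda: defaultdict(list))
    for (src, _minute), vec in vectors.items():
        for name, value in vec.items():
            per_host[src][name].append(value)
    profiles = {}
    for src, feats in per_host.items():
        profiles[src] = {}
        for name, values in feats.items():
            med = statistics.median(values)
            mad = statistics.median([abs(v - med) for v in values])
            # 1.4826 * MAD estimates sigma; the floor of 1.0 stops a constant
            # baseline (MAD = 0) from flagging a one-unit change as extreme.
            profiles[src][name] = (med, max(1.4826 * mad, 1.0))
    return profiles

def score(profiles, vectors, cutoff=Z_CUTOFF):
    """Robust z-score every evaluation bin against its source's own profile.
    Returns the anomalous bins with the features that tripped the cut-off."""
    anomalies = []
    for (src, minute), vec in sorted(vectors.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        profile = profiles.get(src)
        if profile is None:  # no baseline at all: always report
            anomalies.append({"src": src, "minute": minute, "reasons": {"unknown_host": None}})
            continue
        reasons = {}
        for name, value in vec.items():
            med, scale = profile[name]
            z = (value - med) / scale
            if abs(z) > cutoff:
                reasons[name] = round(z, 1)
        if reasons:
            anomalies.append({"src": src, "minute": minute, "reasons": reasons})
    return anomalies

def detect(flows=None, baseline_end=60, cutoff=Z_CUTOFF):
    """Learn profiles from flows before `baseline_end`, score the rest."""
    flows = make_flows() if flows is None else flows
    profiles = build_profiles(feature_vectors([f for f in flows if f[0] < baseline_end]))
    return score(profiles, feature_vectors([f for f in flows if f[0] >= baseline_end]), cutoff)

if __name__ == "__main__":
    for a in detect():
        print(f"minute {a['minute']:>3} {a['src']:<10} {a['reasons']}")
```

    Nothing in the detector knows what a port scan looks like: minute 63 is reported only because 10.0.0.7 suddenly opens 63 distinct destination ports, sends 68 flows and averages about 1 KB per flow where its own profile says 4 ports, 6 flows and 7.5 KB. The same mechanism reports the never-seen host 10.0.0.9 because no profile exists for it, which is the "unknown behaviour" case a signature would miss. The one-unit floor on the scale is the caveat worth keeping: with a perfectly regular baseline the MAD is zero, and without the floor any change at all would score as infinitely anomalous.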

    Tietojenkäsittelytieteellisiä tutkielmia. Syksy 2015 (Computer science theses, autumn 2015)


    A general framework of hierarchical clustering and its applications

    DOI: 10.1016/j.ins.2014.02.062. Information Sciences 272, 29-48.