RU2800740C1 - System and method for detecting anomalies in a cyber-physical system - Google Patents

Abstract

FIELD: cyber-physical systems.

SUBSTANCE: invention relates to a method and system for detecting anomalies in a cyber-physical system (CPS). In method a) the values of the CPS parameters are collected; b) at least two subsets of CPS parameters are formed from among the CPS parameters; c) at least two anomaly detectors are selected from the list of detectors and at least one generated subset of CPS parameters for each selected detector; d) each subset of CPS parameters is preprocessed before being passed to the corresponding detector, whereas each selected detector has its own set of preprocessing steps; e) at least one anomaly is detected by each selected detector in the data of the subset of CPS parameters corresponding to the detector; f) the combined anomaly in the FSC is identified by aggregating the results obtained from the selected detectors.

EFFECT: increasing the accuracy of detecting anomalies in the CPS by using a plurality of detectors of anomalies in the CPS followed by combining the results of all these detectors.

20 cl, 10 dwg

Description

Technical field

The invention relates to the field of industrial security, and more specifically to systems and methods for detecting anomalies in a cyber-physical system.

State of the art

One of the urgent problems of industrial safety is the problem of the safe functioning of technological processes (TP). The main threats to TP include wear and tear of equipment and units, unintentional errors or malicious actions in operational management, computer attacks on control systems and information systems (IS), and others.

To counter the mentioned threats, security systems of cyber-physical systems (CPS) are traditionally used, which include emergency protection systems (EPS), anomaly detection systems based on an automated process control system (APCS) and specially built "external" systems for monitoring one or another equipment and units, while such "external" systems are usually not integrated with the automated process control system. It should be noted that the above "external" systems, due to certain features of the CPS and TP occurring in them, can not always be deployed. However, even if such an installation is possible, its deployment is carried out only on critical nodes and units of the enterprise due to the high cost and complexity of maintaining such systems.

Unlike "external" systems, the ESD system, on the contrary, is built during the design of the enterprise, then integrated with the automated process control system and serves to prevent the development of previously known emergency processes. The obvious advantage of the PAZ system is its simplicity, focus on the production processes of a particular enterprise and taking into account all structural and technological solutions used at this enterprise. The disadvantages of the PAZ system include sufficient inertia in decision-making in the system and the presence of the human factor in making such decisions. In addition, the PAZ operates on the assumption that the control and measuring instruments (CIP) are functioning correctly. It is not possible in practice to ensure the failure-free operation of instrumentation in full, since instrumentation periodically fails, tends to temporary failures, and duplication of all instrumentation is extremely costly and not always technically possible.

Anomaly detection systems based on APCS telemetry, due to the completeness of such data, have the ability to simultaneously monitor all the TP of the enterprise, the interactions of various TP of the enterprise with each other, which allows even in the presence of instrumentation failures to confidently detect anomalies, which are deviations in the behavior of the monitored object - FSC or IS. The richness of the data presented in the APCS allows several models to monitor the entire enterprise - both the physical (chemical or other) processes of the enterprise, and the correct operation of all control systems for these processes, including the correctness of the actions of production operators.

Monitoring data includes:

• telemetry of physical and chemical processes, such as sensor readings, setpoint values, levels of control actions;

• events in the FSC or IS (hereinafter referred to as events), for example, individual commands, personnel actions, alarms and other changes in the state of the monitored object.

To detect anomalies in telemetry data, machine learning methods can be used, with the help of which highly effective statistical models of the correct operation of an enterprise can be built with a huge number of analyzed parameters. This allows you to find even minor deviations in the operation of the equipment, and already at an early stage of anomaly development (see patents RU 2724716, RU 2724075, RU 2749252). The special architecture and interface of such systems allows them to work in parallel with the APCS system without using its resources, find anomalies (fault detection), display and localize (fault isolation) found anomalies, and also inform production operators about the anomalies found, indicating those or other technological parameters by which this anomaly was determined.

A variety of anomaly detection methods makes it possible to cover the entire range of deviations in the technological process, however, the use of the same or overlapping data set by several anomaly detection models at the same time leads to the need to combine information about the found anomalies (data fusion - data fusion) to provide production operators with already comprehensive summary information about the presence of an anomaly and its characteristics. A striking example of this approach is in-line diagnostics of main pipelines using non-destructive testing methods. A combined in-line flaw detector, as a rule, consists of several separate diagnostic modules, including an ultrasonic (US) thickness gauge WM, a magnetic inspection module (s) MFL, an ultrasonic detector of parallel cracks and cracks in welds CD and others. The combined flaw detector is run through an industrial oil pipeline or a product pipeline by connecting all its components in series into a single projectile, followed by its movement in the flow of the pumping product. Thus, the entire diagnosable pipeline system will be evenly covered with data of several types of control, which are then sent to the modules for automatically determining the technological parameters of the pipeline and defects in its wall. The modules for determining (detectors) of the above defects (which are anomalies) differ depending on the physical principles of control, so that as a result, each of the modules produces its own set of defects and their characteristics. It is quite obvious that some of the types of defects will be observed and found by several of the considered modules. Therefore, the task of combining information from different modules into the concept of a single defect (combined anomaly) naturally arises. In addition, as a result of such a combination, it seems possible to recalculate and refine the most important characteristics of a defect, such as its type and size, which would be impossible if there was only one type of control.

So, a technical problem arises, which consists in creating an anomaly detection system in a cyber-physical system that operates with several anomaly detection modules, followed by combining (ensembling) the information received from each of the modules into the concept of a combined anomaly in the CPS.

Disclosure of the essence of the invention

The first technical result consists in scaling the system for detecting anomalies in the CPS by using a plurality of anomaly detectors in the CPS and integrating the results of using these detectors to detect anomalies in the CPS.

The second technical result is to increase the accuracy of anomaly detection in the FSC by using a plurality of anomaly detectors in the FSC with subsequent merging of the results of all these detectors.

According to an implementation variant, a computer-implemented method for detecting anomalies in a cyber-physical system (CPS) is used, in which: CPS parameter values are collected; at least two subsets of QPS parameters are formed from among the QPS parameters; select at least two anomaly detectors from the list of detectors and at least one generated subset of FSC parameters for each selected detector; carry out pre-processing of each subset of the CPS parameters before transmission to the corresponding detector; at least one anomaly is detected by each selected detector in the data of the subset of QPS parameters corresponding to the detector; the combined anomaly in the FSC is detected by ensembling the results obtained from the selected detectors.

In one of the particular implementation options, post-processing of the identified anomalies from each selected detector is carried out, and the results that have undergone post-processing are ensembled.

In another particular implementation, when choosing a detector and its corresponding subset of QPS parameters, at least one of the following is taken into account: QPS characteristics; list of CPS parameters and their values from a subset of CPS parameters; type and amount of data.

In another particular implementation, when choosing a detector and its corresponding subset of FSC parameters, at least one of the following characteristics associated with the detector is taken into account: a quality metric; results of ROC-curve analysis; lead time; the amount of resources used by the computer.

In one of the private implementation options, the preprocessing of a subset of QPS parameters includes at least one of the following steps: data buffering with a temporary buffer of length Δt; filtering of invalid data or data that arrived with a delay greater than Δt; reordering based on the time points of obtaining the values of the CPS parameters; filling gaps in the values of CFS parameters; interpolation on a uniform grid; normalization of CPS parameters values; repacking the values of the FSC parameters for processing by the detector.

In another particular embodiment, the detectors from the list of detectors implement at least one of the following anomaly detection methods: a method according to which an anomaly is detected if the total prediction error exceeds a threshold value, while pre-predicting the values of the FSC parameters and then determining the total prediction error for FSC parameters; a method according to which an anomaly is detected by applying a machine learning model based on the values of the QPS parameters; a method according to which an anomaly is detected when the anomaly detection rule is executed; a method according to which an anomaly is detected based on a comparison of the obtained values of the FSC parameters with the limit values of the established ranges of values for the FSC parameters.

In another particular embodiment, the FSC parameters take at least one of the following values: sensor measurement; the value of the controlled parameter of the actuator; setting of the actuator; the value of at least one input signal proportional-integral-derivative controller (PID controller); PID controller output value.

In one of the particular implementation options, the values of the CPS parameters are collected simultaneously from the entire CPS with an indication of the CPS parameters or from individual parts of the CPS in the form of several separate streams of CPS parameter values with an indication of the CPS parameters contained in each stream.

In another particular embodiment, the results obtained from the selected detectors are ensembled in at least one of the following ways: by combining anomaly localization regions from individual detectors in order to localize common anomalies, said regions defining anomalies in space and/or time; by analyzing the contribution of one or another detector to the combined anomaly; by calculating predetermined characteristics of the combined anomaly using the characteristics of the anomalies obtained from each of the detectors and information about its contribution.

In another particular embodiment, at least one of the following conditions is used to combine areas or times of anomalies from individual detectors: if the spatial or temporal intersection of the above areas exceeds a certain percentage of the combined area; if the centers of the respective regions lie in a certain spatial or temporal range; if a specially trained neural network marks these areas as belonging to one combined anomaly.

In one of the particular implementation options, the contribution of one or another detector to the anomaly is analyzed by setting a feature vector corresponding to the total number of detectors, and then performing at least one of the following actions: the detector contribution to the anomaly is equated to a number calculated from the contribution of the spatial or temporal region of the anomaly obtained by this detector into a combined anomaly; determine the contribution by the degree of proximity to the center of this combined anomaly; determine the contribution by applying a pre-trained neural network that evaluates such a contribution; in the absence of one or another detector in the formation of the combined anomaly, its contribution is set equal to zero; if there is information about the degree of reliability or criticality of a particular detector for a technological process (TP) in the FSC, in which the said detector detects an anomaly, the contribution of this detector is changed.

In another particular embodiment, after at least one anomaly is detected by each selected detector, the output data is additionally post-processed, in particular, an extended set of anomaly characteristics is calculated, including an anomaly risk assessment, typing and sizing of such anomalies, normalization and unification of output information about anomalies, moreover, the combined anomaly in the FSC is detected by ensembling the results obtained from the selected detectors and passed the mentioned post-processing.

In yet another particular embodiment, if it is impossible to calculate the anomaly characteristic in the detector, a preselected value is set for said anomaly characteristic.

In one of the private implementation options, at least one of the following characteristics of the anomaly associated with the detector that detected it is calculated: the hazard class of the anomaly detected by the detector, its type and size; the probability of detecting an anomaly by the detector; values of deviations of the predicted values of the CPS parameters from their true values or default values, the values of the specified deviations from the settings, the root-mean-square values of the measure of deviations of individual or all CPS parameters used in the detector; maximum or average deviations of the observed values of the CPS parameters from certain predetermined limits, the duration in time and the frequency of these deviations; detector performance in detecting an anomaly.

In another particular embodiment, for a subset of QPS parameters, the detector is selected that provides the required accuracy and completeness of anomaly detection by this detector for a given subset of QPS parameters, or the specified detector performance on this subset of QPS parameters, or in accordance with expert knowledge about the subset of QPS parameters.

In yet another particular implementation of the subset of QPS parameters is selected based on at least one of the following characteristics of the QPS subset: the significance of the QPS parameters for the TP; FSC parameters belong to one or another type of equipment; belonging to one TP; uniformity of CPS physical parameters in a subset.

According to an implementation variant, a system for detecting anomalies in a cyber-physical system (CPS) is used, which contains: a data collection tool designed to collect CPS parameter values; generating means for: generating at least two subsets of QPS parameters from among the QPS parameters; selecting at least two detectors from the list of detectors and at least one generated subset of FSC parameters for each selected detector; at least one preprocessing block for processing each subset of QPS parameters before transmission to the corresponding detector, each detector having its own set of preprocessing blocks; said at least two detectors for detecting at least one anomaly in the data of the subset of QPS parameters corresponding to the detector; an ensembling tool designed to detect a combined anomaly in the FSC by ensembling the results obtained from the selected detectors.

In one particular implementation, the preprocessing blocks perform at least one of the following steps: data buffering with a temporary buffer of length Δt; filtering of invalid data or data that arrived with a delay greater than Δt; reordering based on the time points of obtaining the values of the CPS parameters; filling gaps in the values of CFS parameters; interpolation on a uniform grid; normalization of CPS parameters values; repacking the values of the FSC parameters for processing by the detector.

In another particular implementation, a system is used, further comprising at least one post-processing unit designed to process the output of its corresponding detector before passing it to the ensembler, each detector having its own set of post-processing units.

In yet another particular implementation, the post-processing blocks perform at least one of the following steps: an anomaly risk assessment; typing and sizing of such anomalies; normalization and unification of output information about anomalies.

Brief description of the drawings

Additional objects, features and advantages of the present invention will become apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

On FIG. 1a shows an example of a technological system.

On FIG. 1b shows a particular example of the implementation of a technological system.

On FIG. 1c presents a possible variant of the organization of the Internet of Things using the example of wearable devices.

On FIG. 1d shows a possible set of device sensors.

On FIG. Figure 2 shows an example of a CPS with certain characteristics, as well as a system for detecting anomalies in the CPS.

On FIG. 3 shows examples of anomaly detection tools.

On FIG. 4 shows the system for detecting anomalies in the FSC.

On FIG. 5 shows an example of a data processing pipeline.

On FIG. 6 shows a method for detecting anomalies in the FSC.

Fig. 7 is an example of a general purpose computer system with which the present invention may be implemented.

Implementation of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The foregoing description is intended to assist a person skilled in the art in a thorough understanding of the invention, which is defined only within the scope of the appended claims.

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The foregoing description is intended to assist a person skilled in the art in a thorough understanding of the invention, which is defined only within the scope of the appended claims.

Glossary

A control object is a technological object to which external influences (control and / or disturbing) are directed in order to change its state, in a particular case, such objects are a device (for example, an electric motor) or a technological process (or part of it).

Technological process (TP) - the process of material production, which consists in a sequential change in the states of a material entity (object of labor).

Control loop (eng. control loop) - consists of material entities and control functions necessary for automated adjustment of the values of the measured process parameters to the values of the desired settings. The control loop contains sensors and sensors, controllers and actuators.

Process Variable (PV) - the current measured value of a certain part of the TP, which is observed or controlled. The process variable can be, for example, a sensor measurement.

Setpoint - the supported value of the technological parameter.

Manipulated Variable (MV) is a variable that is adjusted to keep the process variable at the setpoint.

External influence is a method of changing the state of the element to which the influence is directed (for example, an element of a technological system (TS)) in a certain direction, the impact from the element of the TS to another element of the TS is transmitted in the form of a signal.

The state of the control object is a set of its essential properties, expressed by the parameters of the states, changed or maintained under the influence of external influences, including control actions from the control subsystem. State parameter - one or more numerical values characterizing the essential property of the object, in a particular case, the state parameter is a numerical value of a physical quantity.

The formal state of the control object is the state of the control object corresponding to the technological map and other technological documentation (if we are talking about TP) or the timetable (if we are talking about a device).

The control action is a purposeful (the purpose of the action is the impact on the state of the object) legitimate (provided by TP) external influence from the control subjects of the control subsystem on the control object, leading to a change in the state of the control object or maintaining the state of the control object.

The subject of control is a device that directs the control action to the control object or transfers the control action to another control subject for transformation before directly sending it to the object.

The state of the subject of control is a set of its essential properties, expressed by the parameters of the states, changed or maintained under the influence of external influences. State parameter - one or more numerical values characterizing the essential property of the subject, in a particular case, the state parameter is a numerical value of a physical quantity.

The essential properties (respectively, the essential parameters of the state) of the subject of control are the properties that have a direct impact on the state of the control object. At the same time, the essential properties of the control object are properties that have a direct impact on the controlled factors (accuracy, safety, efficiency) of the TS operation. For example, the correspondence of cutting modes to formally specified modes, the movement of the train in accordance with the schedule, keeping the reactor temperature within acceptable limits. Depending on the controlled factors, the parameters of the state of the control object and, accordingly, the parameters of the states of the control subjects associated with them, which have a control effect on the control object, are selected.

A multi-level control subsystem - a set of control subjects that includes several levels.

Information system (English information system) - a set of computing devices and communications used for their communication,

A cyber-physical system is an information technology concept that implies the integration of computing resources into physical processes. In such a system, sensors, equipment and information systems are connected throughout the entire value chain that goes beyond a single enterprise or business. These systems communicate with each other using standard internet protocols to predict, self-adjust and adapt to change. Examples of a cyber-physical system are a technological system, the Internet of Things (including wearable devices), and the industrial Internet of Things.

The Internet of Things (Internet of Things, IoT) is a computing network of physical objects (“things”) equipped with built-in network technologies for interacting with each other or with the external environment. The Internet of Things includes technologies such as wearable devices, vehicle electronic systems, smart cars, smart cities, industrial systems, etc.

Industrial Internet of Things (IIoT) - consists of Internet-connected equipment and advanced analytics platforms that process data received from connected devices. IIoT devices can range from small weather sensors to complex industrial robots. While the word “industrial” is associated with warehouses, shipyards, and manufacturing plants, IIoT technologies have great potential for use in a wide variety of industries, including agriculture, healthcare, financial services, retail, and advertising. Industrial Internet of Things is a subcategory of Internet of Things ¹ ( ¹ https://www.hpe.com/en/en/what-is/industrial-iot.html).

Object - the object of monitoring, in particular IS or FSC.

Technological system (TS) is a functionally interconnected set of control subjects of a multilevel control subsystem and a control object (TP or device), which implements a change in the state of the control object through a change in the states of control subjects. The structure of the technological system is formed by the main elements of the technological system (interrelated control subjects of the multilevel control subsystem and the control object), as well as the links between these elements. In the case when the control object in the technological system is a technological process, the ultimate goal of control is to change the state of the object of labor (raw materials, blanks, etc.) through a change in the state of the control object. In the case when the object of control in the technological system is a device, the ultimate goal of control is to change the state of the device (vehicle, space object, etc.). The functional relationship of the elements of the TS implies the relationship of the states of these elements. In this case, there may not be a direct physical connection between the elements, in particular, there is no physical connection between the actuators and the technological operation. For example, the cutting speed is functionally related to the spindle speed, despite the fact that these state parameters are not physically related.

A computer attack (also a cyberattack, from the English cyber attack) is a targeted impact on information systems and information and telecommunication networks by software and hardware, carried out in order to violate the security of information in these systems and networks (see "The main directions of state policy in the field of ensuring safety of automated control systems for production and technological processes of critically important infrastructure facilities of the Russian Federation” (approved by the President of the Russian Federation on 03.02.2012 N 803).

Anomaly in the FSC or IS, anomaly is a deviation from the technical process in the FSC or IS. An anomaly may occur, for example, due to a computer attack, due to incorrect or illegitimate human intervention in the operation of the TS or TP, due to a failure or deviation of the technological process, including those associated with periods of changing its modes, due to the transfer of circuits control to manual mode or due to incorrect sensor readings, as well as for other reasons known from the prior art. An anomaly can be characterized by a deviation of the FSC parameters.

Anomaly area, anomaly localization area - anomaly observation time range (time area) and/or anomaly occurrence location - that is, an indication of the element or part of the FSC where the anomaly occurred (spatial area), for example, an indication of the sensor or its coordinates, in which an anomaly has occurred. For each anomaly, the area of localization of the anomaly is determined - temporal and/or spatial. To determine the spatial areas, the CPS can be divided into different parts in accordance with belonging to different TS or its parts, in accordance with belonging to different physical or logical areas of the CPS, and according to other criteria, including those specified by the CPS operator.

On FIG. 1a schematically shows an example of a technological system 100 , which includes elements 110a and 110b , where the elements of the vehicle: control object 110a ; control subjects 110b forming a multi-level control subsystem 120 ; horizontal links 130a and vertical links 130b . Control subjects 110b are grouped into levels 140 .

OnFig. 1ba particular example of the implementation of a technological system is schematically shown100'. Control object110a' is the TP or device, on the control object110a' control actions are sent, which are generated and implemented by an automated control system (ACS)120', in ACS120' there are three levels140', consisting of control subjects110b', interconnected both horizontally by horizontal links (links within the level, not shown in the figure), and vertically by vertical links130b'(links between levels). Relationships are functional, i.e. in the general case, a change in the state of the subject of control110b' at one level causes a change in the states of the control subjects associated with it110b' at this level and at other levels. Information about the change in the state of the subject of control110b' transmitted as a signal along horizontal and vertical links established between the subjects of control110b', i.e. information about the change in the state of the control subject under consideration110b' is an external influence in relation to other subjects of management110b'. Levels140' in ACS120' allocate in accordance with the purpose of the subjects of management110b'. The number of levels may vary depending on the complexity of the ACS120'. Simple systems may contain one or more lower levels. For physical connection of TS elements (110a, 110b) and TS subsystems100 wired networks, wireless networks, integrated circuits are used for logical connection between the elements of the vehicle (110a, 110b) and TS subsystems100 Ethernet, industrial Ethernet, industrial networks are used. At the same time, industrial networks and protocols are used of various types and standards: Profibus, FIP, ControlNet, Interbus-S, DeviceNet, P-NET, WorldFIP, LongWork, Modbus, etc.

The upper level (the level of supervisory control and data acquisition, SCADA) is the level of supervisory-operator control, includes at least the following control subjects 110b ' : controllers, control computers, human-machine interfaces (eng. human-machine interface , HMI) (in Fig. 1b , Fig. 2 are shown within one SCADA control subject). The level is designed to track the states of the TS elements ( 110a', 110b' ), obtain and accumulate information about the state of the TS elements ( 110a', 110b' ) and, if necessary, correct them.

The middle level (control level) is the level of controllers, includes at least the following control subjects 110b' : programmable logic controllers (English Programmable Logic Controller, PLC), counters, relays, regulators. Control subjects 110b' of the "PLC" type receive information from control subjects 110b' of the "control and measuring equipment" type and control subjects 110b' of the "sensors" type about the state of the control object 110a'. Control subjects 110b' of the "PLC" type generate (form) a control action in accordance with the programmed control algorithm on control subjects 110b' of the "actuator" type. Actuators directly implement the specified control action (apply to the control object) at the lower level. The actuator (English actuator) - part of the actuator (equipment). Controllers, such as PID controllers (proportional-integral-derivative controller - PID controller) are devices in a feedback control loop.

The lower level (Input/Output level) is the level of such control subjects 110b' as sensors and sensors, instrumentation (CIP) that control the state of the control object 110a' , as well as actuators. Actuators directly affect the state of the control object 110a' to bring it into line with the formal state, i. the state corresponding to the technological task, technological map or other technological documentation (if we are talking about TP) or the timetable (if we are talking about a device). At this level, the signals from the control subjects 110b' of the "sensors" type are coordinated with the inputs of the control subjects 110b' of the middle level and the control actions generated by the control subjects 110b' of the "PLC" type are coordinated with the control subjects 110b' of the "actuators" type that implement them. . The actuator is part of the actuator. The actuator carries out the movement of the regulatory body in accordance with the signals coming from the regulator or control device. Actuators are the last link in the automatic control chain and generally consist of the following elements (auxiliary devices):

• amplification devices (contactor, frequency converter, amplifier, etc.);

• actuating mechanism (electric, pneumatic, hydraulic drive) with feedback elements (output shaft position sensors, end position signaling, manual drive, etc.);

• regulating body (gates, dampers, dampers, dampers, etc.).

Depending on the conditions of use, the actuators may be structurally different from each other. The main elements of actuators usually include actuators and regulatory bodies.

In a particular example, the actuator as a whole is referred to as an actuator.

It is worth noting that to solve the problems of planning and managing an enterprise, an automated control system 120a' (automatic enterprise management system) is used, which is part of the automated control system 120' .

OnFig. 1v a possible variant of the organization of the Internet of things is presented on the example of wearable devices. The system contains many different computing devices151 user. Among user devices151 can be, for example, a smartphone152, tablet153, laptop154wearable devices such as augmented reality glasses155, "smart watch156 (eng. smart watch), etc. User devices151 contain many different sensors157a-157n, e.g. heart rate monitor2001 and a pedometer2003.

It is worth noting that the sensors 157a - 157n can be located on one user device 151 or on several. Moreover, some sensors 157a - 157n may reside on multiple user devices 151 at the same time. Part of the sensors 157a - 157n can be represented in several copies. For example, a Bluetooth module may be present on all of the user's devices 151 , and a smartphone 152 may contain two or more microphones needed for noise cancellation and distance detection.

On FIG. 1d shows a possible set of device sensors 151 . Among the sensors 157a - 157n may be, for example, the following:

• heart rate monitor (heart rate sensor) 2001 to determine the user's heart rate. In one embodiment, the heart rate monitor 2001 may include electrodes and measure an electrocardiogram;

• oxygen saturation sensor (saturation) 2002 ;

• pedometer 2003 ;

• fingerprint scanner 2004 ;

• gesture recognition sensor 2005 ;

• cameras 2006 , for example, a camera aimed at the user's eyes to detect the movement of the user's eyes, as well as to authenticate the user's identity from the iris or retina of the eye, as well as a camera aimed at the environment of the user's device;

• the user's body temperature sensor 2007 (eg, in direct contact with the user's body or non-contact);

• microphone 2008 ;

• ultraviolet radiation sensor 2009 ;

• geolocation system receiver 2010 , such as GPS receiver, GLONASS, BeiDou, Galileo, DORIS, IRNSS, QZSS, etc.;

• One or more wireless modules (eg GSM, LTE, NFC, Bluetooth, Wi-Fi and others) 2011 ;

• ambient temperature sensor 2012 ;

• barometer 2013 ;

• geomagnetic sensor 2014 (electronic compass);

• humidity sensor 2015 ;

• light sensor 2016 ;

• proximity sensor 2017 ;

• image depth sensor 2018 ;

• accelerometer 2019 ;

• gyroscope 2020 ;

• Hall sensor 2021 (magnetic field sensor);

• dosimeter-radiometer 2022 .

On FIG. Figure 2 shows an example of a cyber-physical system 200 that has certain characteristics, as well as an anomaly detection system in the CPS (also a data processing pipeline, English pipeline - conveyor) 500 . FSC 200 is presented in a simplified version. Examples of FSC 200 are the previously described technological system (TS) 100 (see Fig. 1a-1b ), the Internet of things (see Fig. 1c-1d ), industrial Internet of things, IP. For definiteness, further in the application, TS will be considered as the main example of FSC 200 . As mentioned earlier in the description of FIG. 1a-1b , FSC 200 contains a plurality of control subjects, such as sensors, actuators, PID controllers. The data of said control subjects is transmitted in raw form to the PLC. In this case, an analog signal can be used for data transmission. Then the PLC performs data processing and data conversion into digital form - into the values of the CFS parameters, including the technological parameters of the CFS (that is, into the telemetry data of the CFS 200 ), as well as into events (for example, the activation of a particular sensor, the activation of sensor alarms, individual teams, etc.). The FSC parameter values are then transmitted to the SCADA system 110b' and to the anomaly detection system in the FSC 500' .

The anomaly detection system in the FSC 500 contains anomaly detectors 300 (also anomaly detection modules, hereinafter referred to as detectors). Examples of detectors 300' , in particular means 301-305 ' , are shown in FIG. 3 , a description of the options for their implementation is presented below.

Description of anomaly detectors 300

The detectors 300 serve to detect anomalies in the FSC 200 as well as related information about the detected anomalies. In a particular implementation, information about anomalies in the FSC 200 includes such information about the anomaly as the anomaly localization area, the values of the FSC parameters at each moment of the anomaly observation time range, the contribution of each FSC parameter to the anomaly, information about the method for detecting the specified anomaly (that is, about the detector 300 , who identified the anomaly). In another particular embodiment, the information about anomalies in the FSC 200 additionally includes for each FSC parameter at least one of: a time series of values, the current value of the deviation of the predicted value from the actual value, the smoothed value of the deviation of the predicted value from the actual value. In another particular case, information about anomalies in the CPS 200 additionally includes information about the maximum, minimum and average values of the CPS parameters taken over the period of the anomaly, other statistical and deterministic characteristics, including sample variances and quantiles, Fourier spectrum and wavelet transforms, convolutional operators from parameters FSC.

As detectors 300 , the system and method for determining the anomaly in the FSC 301 described earlier in patents RU2724716, RU2724075, RU2749252 can be used, which determine the anomaly by predicting the values of a subset of the FSC parameters (the term "signs of the FSC" corresponding to the term " CPS parameters" in the claimed invention) and subsequent determination of the total prediction error for a subset of the CPS parameters, while determining the anomaly in the CPS 200 if the total prediction error exceeds the threshold value, in addition, the contribution of the subset of the CPS parameters to the total prediction error is determined as the contribution of the prediction error of the corresponding FSC parameter into the total forecast error.

The detectors 300 may include a base model module 302 for applying a trained machine learning model to detect anomalies from the values of a subset of QPS parameters (hereinafter referred to as the base model). In this case, the base model can be trained on the data of the training sample, including or not including known anomalies in the FSC 200 and the values of a subset of the FSC parameters for a certain period of time - that is, a supervised machine learning model is used. In addition, an unsupervised machine learning model can be used as a base model. To improve the quality of the base model, the trained base model can be tested and validated on the test and validation sets, respectively. In this case, the test and validation samples may include known anomalies and values of a subset of the CPS parameters for a certain period of time preceding the known anomaly in the CPS 200 , but differ from the training sample.

In yet another embodiment, the detectors 300 include a rule-based determination module 303 , with which anomaly determination rules are applied. Such rules can be preliminarily generated and received from the CPS operator via the feedback interface and contain conditions applied to the values of a subset of the CPS parameters, under which an anomaly is determined.

In yet another embodiment, the detectors 300 include a limit value determination module 304 that detects an anomaly when at least one QPS parameter of a subset of QPS parameters is outside a predetermined range of values for a specified QPS parameter. In this case, the indicated ranges of values can be calculated from the values of the characteristics or documentation for the FSC 200 or obtained from the operator of the FSC through the feedback interface.

In another particular implementation, the detectors 300 include a diagnostic rules module 305 , which generates diagnostic rules by specifying a set of QPS parameters used in the diagnostic rule and a method for calculating the values of the auxiliary QPS parameter, followed by calculating the values of the auxiliary QPS parameters using the specified set of parameters. FSC and in accordance with the formed diagnostic rule. As a result, the diagnostic rules module 305 determines an anomaly in the FSC 200 based on the values of all FSC parameters.

In another particular implementation, the detectors300 include a graphical interface system for determining the anomaly by the FSC operator manually (see patent RU2724716), information about which can be transmitted via the feedback interface.

On FIG. 4 shows the anomaly detection system in the FSC (data processing pipeline) 500 . The FSC 200 data is collected either in real time, or the data can be read from files (eg, csv format), databases, or obtained from third-party applications. The data can be presented in the form of a list of QPS parameters 401a and measured values of the mentioned QPS parameters 401 in the format "time stamp - QPS parameter value" and stored in the data store 410 . The timestamp may correspond to the actual measurement time, the time the value was stored, or the sampling time of this FSC parameter. In this case, the actual time of data acquisition by the data collector 402 may differ from the time indicated in the timestamp, due to delays in data transmission, associated, for example, with a heavy data transmission load or for other reasons. In addition, the timestamp may correspond to the time when the value of the FSC parameter was received. In another particular implementation, the timestamp is the time the FSC parameter value was recorded in the data store 410 .

In a particular implementation, the values of the parameters of the QPS 401 include at least one of the following values:

• sensor measurement;

• value of the controlled parameter of the actuator;

• setting of the actuator;

• values of input signals of the proportional-integral-differentiating controller (PID-controller);

• PID controller output value.

In a particular implementation, the data of the FSC 200 (that is, the values of the parameters of the FSC 401 ) are collected in one of the possible ways:

• simultaneously from the entire FSC 200 with indication of the parameters of FSC 401a ;

• in the form of several separate data streams from individual parts of the FSC 200 with an indication of the parameters of the FSC 401a contained in each data stream.

After receiving the values of the parameters of the CPS 401 by the data collector 402, a register of the CPS parameters presented in this data is created, after which this information is sent to the generation tool 403, which is designed to:

a) forming subsets of the parameters of the QPS 411 from among the parameters of the QPS 401a , while these subsets 411 are stored in the data store 410 ;

b) selecting a detector from a list of detectors 412 for each of the subsets of FSC parameters 411 , where the list of detectors 412 includes some or all of the detectors 300 shown in FIG. 3 and is contained in the data store 410 ;

c) selecting pre-processing and post-processing blocks for the selected detectors 300 .

It should be noted that all subsets 411 together form the set of all CPS parameters. It is also worth noting that these subsets 411 may overlap, overlap, or not overlap. In a particular implementation, some QPS parameters may not be included in any of the subsets 411 . In this case, all subsets 411 together form the set of all QPS parameters, except for those QPS parameters not included in any of the subsets 411 .

It is worth noting that the mentioned data storage 410 is intended both for storing data and for providing access to data, including the received values of the QPS 401 parameters, the generated subsets of the QPS parameters 411 and the list of detectors 412 . Moreover, the list of detectors 412 can be set in advance.

Pre-processing blocks 501 are designed to process each subset of QPS 411 parameters before being passed to the corresponding detector 300 (eg, a combined processing block including pre-processing blocks in FIG. 5 ). Each detector 300 has its own set of preprocessing blocks 501 of one or more blocks. Each of the post-processing units 502 is designed to process the output of its respective detector 300 before being passed to ensembler 404 (see FIG. 5 for details). Each detector 300 has its own set of post-processing blocks 502 of one or more blocks. The parameters of the FSC 401a are divided into subsets of the parameters of the FSC 411 according to a certain principle, for example, depending on the characteristics of the subsets (by belonging to a particular type of equipment), by physical meaning (by belonging to one physical process, the same type of physical parameters of the FSC, for example, temperature or pressure, according to the danger to the process pipeline, etc.).

In a particular implementation of the subset of the parameters of the QPS 411 is selected based on at least one of the characteristics of the subset:

• significance of CPS parameters for TP;

• FSC parameters belonging to one or another type of equipment;

• belonging to one physical (chemical or other) TS;

• uniformity of physical parameters of CPS in a subset (temperatures, pressures, and so on).

Detector selection 300 for subsets of FSC parameters 411

For each of the subsets of parameters of the FSC 411 , the choice of detector 300 is made taking into account the characteristics of such a detector 300 and the characteristics of the subset of parameters of the FSC 411 used to determine anomalies by this detector 300 . So, for a given subset of FSC 411 parameters, detector 300 can be selected based on at least one of the following considerations: accuracy and completeness of anomaly detection by a given detector 300 for a given subset of FSC 411 parameters, performance of detector 300 on this subset of FSC 411 parameters, expert knowledge about the subset of CPS 411 parameters (if the parameters of the CPS of the subset refer to a certain TP, type of equipment, etc.) and others.

In a particular implementation, the detector 300 and its corresponding subset of FSC parameters 411 are selected, taking into account, in particular, at least one of the following:

• characteristics of FSC 200 ;

• list of parameters of CPS 401a from the subset of parameters of CPS 411 ;

• type and amount of data.

In another particular implementation option, the values of the QPS parameters are additionally taken into account when choosing the detector 300 and the corresponding subset of the QPS parameters 411 .

Thus, for FSC 200 operating with fast time processes (of the order of 1-10 ms), typical, for example, for electrical equipment, timely anomaly detection becomes critical, which, in turn, imposes serious restrictions on both the number of parameters processed by the detector from subset of FSC parameters 411 , and the choice of the detector itself - here preference is given to threshold detectors or detectors based on simple diagnostic rules. On the contrary, for slow-flowing, inert processes typical for the petrochemical industry with their huge number of parameters (from 1000-10000) and reaction times of the order of 1-10 minutes, subsets 411 are selected, consisting of FSC parameters covering certain FSC installations, for example, atmospheric or vacuum columns, and containing hundreds of such FSC parameters. As an anomaly detector for such subsets 411 , as a rule, they take trained statistical or neural network models that take into account the complexity of the processes occurring in such installations or FSCs.

In another particular implementation, the detector 300 and its corresponding subset of FSC parameters 411 are selected, taking into account, in particular, at least one of the following characteristics associated with the detector 300 :

• quality metrics;

• results of ROC-curve analysis;

• execution time;

• the amount of resources used by the computer.

In yet another particular embodiment, characteristics associated with detector 300 include the performance of that detector 300 , such as memory size, processor time, number of computer processor cores, number of computers connected over a network and participating in the implementation of the method, and others).

Selecting Data Processing Pipeline Blocks

On FIG. 5 shows an example of a data processing pipeline 500 - in the framework of the present invention, this is a set of pre-processing blocks 501 , detectors 300 and post-processing blocks 502 .

Pipeline blocks 500 , in particular pre-processing blocks 501 and post-processing 502 , are functional modules implemented on a computer processor (see the example in Fig. 7 ) with the ability to perform a given functionality. Each selected detector 300 has its own set of pre-processing blocks 501 and post-processing blocks 502 - this information can be contained, for example, in the list of detectors 412 or in a separate list in the data store 410 . Pre-processing blocks 501 serve to process data of a subset of QPS 411 parameters selected for the detector 300 and received from the generator 403 , or to process data received from other pre-processing blocks 501 . The data of the last pre-processing block 501 is passed to the detector block 300 . Post-processing blocks 502 are used to process the output of its respective anomaly detector 300 (ie, information about detected anomalies). The last of the post-processing units transmits the processed data to the ensembler 404 .

The following pre-processing blocks 501 can be used to process the input data stream: an alignment block and a time alignment block, a data filtering block, a block for interpolating data on a uniform grid, a block for normalizing and repacking data, and other blocks, while for post-processing blocks 502 , information is typically brought about the found anomalies into some pre-approved unified form to facilitate their further ensemble.

The choice of pre-processing blocks 501 and post-processing 502 depends on the choice of detector 300 and the required output information about the found anomalies.

In one particular implementation, prior to transmission to the selected data detectors 300, the data is additionally processed by a pre-processor 501 , including at least one of the following steps:

• data buffering with some temporary buffer of length Δt;

• filtering (deleting) invalid data or data that arrived with a delay greater than Δt;

• reordering based on the moments of time of obtaining the values of the parameters of the FSC 401 ;

• filling in the gaps in the values of the CFS parameters 401 ;

• interpolation to a uniform grid;

• normalization of CFS parameters values 401 ;

• repacking the values of the FSC parameters for processing by the detector 300 .

After processing by the detector 300, regardless of its type, information about anomalies in the FSC 200 may include such information about the anomaly (also the characteristics of the anomaly), such as the time interval for observing the anomaly, the contribution of each FSC parameter to the anomaly, information about the detector 300 that detected the specified anomaly , the values of the parameters of the FSC 401 at each moment of the time interval of the anomaly, and others. In addition, an extended set of anomaly characteristics can be calculated, and such a calculation is performed in post-processing blocks 502 , which may include blocks for assessing the danger of anomalies, in particular defects, blocks for typing and determining the size of such anomalies, blocks for normalizing and unifying output information about anomalies and other blocks. It should be noted that if it is impossible to calculate any characteristic of the anomaly in one or another detector 300 , the block for normalizing the output information forcibly sets this characteristic to some pre-selected value.

In a particular implementation, other characteristics of the anomaly associated with the detector 300 that detected it can be calculated, for example, the following:

• hazard class of the anomaly detected by the detector 300 , its type, dimensions and other similar characteristics of the anomaly;

• probabilities of detecting an anomaly by the detector 300 ;

• magnitudes of deviations of predictive values of CPS parameters from their true values or default values, magnitudes of deviations from settings, root-mean-square values of the measure of such deviations of both individual CPS parameters and the entire set of CPS parameters used in this detector 300 ;

• maximum or average deviations of the observed values of the CPS parameters from certain predetermined limits, duration and frequency of such deviations;

• the performance of this detector 300 in detecting an anomaly, for example, the amount of memory, processor time, the number of computer processor cores, the number of computers connected over the network and participating in the implementation of the method, and others).

Data pipeline 500

After the formation of subsets of FSC parameters 411 , a list of detectors 412 and blocks of pre-processing 501 and post-processing 502 , the operation of the anomaly detection system is built as follows. The data from the data collector 402 is divided into parallel streams (without duplication) in accordance with the division of the parameters of the QPS 401a into subsets of the parameters of the QPS 411 and then each subset 411 is sent to its corresponding one or more preprocessing block 501 to prepare data for processing by the corresponding detector 300 . Then, the prepared data is processed by the specified detector 300 , which results in the appearance of a stream of anomalies and other related information, for example, the probability of an anomaly, its hazard class, spatial and temporal dimensions, method or method of detection, and others, determined by the detector 300 . The anomaly stream and other related information is processed by post-processing blocks 502 to bring this stream into a unified form that is the same for all detectors 300 . Thus, in fact, there is a set of parallel branches for processing subsets of data (English branch) of the pipeline 500 , each separate branch of which processes its own subset of data and has its own tools for preparing this data, identifying anomalies and bringing them into a uniform form. Pipeline branch - a group (set) of modules designed to process one data stream, and consisting of a detector 300 and its corresponding pre-processing blocks 501 and post-processing blocks 502 .

It should be noted that the processing of the incoming set of FSC parameters by different branches of the pipeline 500 is usually carried out unevenly in time, so data on anomalies from some branches may come with a large delay relative to other branches. To avoid situations in which the ensembler 404 will work in the absence of information from any branches of the pipeline 500 , buffering of the anomaly stream entering the ensembler 404 can be used similarly to buffering the FSC parameters data entering its individual branches.

In the example in FIG. 5, data is received from a data source, for example, from FSC 200 , after which, using means 402 - 403 (see Fig. 4 ), subsets of FSC parameters 411 are processed and formed and detectors 300 are selected from the list of detectors 412 for each subset 411 . The processed data is further branched into p branches of the pipeline 500 , each branch is given its corresponding subset 411 . So, branch No. 1 of pipeline 500 receives subset No. 1 and processes it with pre-processing blocks No. (1,1) - (1, n ₁ ), then with detector No. 1 and post-processing blocks No. (1, 1) - (1, m ₁ ) . The processed data from all branches #1-p of the pipeline 500 is passed to the ensembler 404 for further anomaly processing.

Ensemble results

Ensemble tool 404 serves to detect a combined anomaly (also compound/total anomaly) in the FSC 200 by ensembling the results (data fusion, also data fusion) obtained from the selected detectors 300 . Ensembler 404 collects all detected anomalies from all branches of the pipeline 500 represented in some universal and predetermined way. This type can be dictated by the peculiarity of the TP and the anomalies detected in it, the features of the available means for determining anomalies, the features of the data, and so on. So, for the above example of in-line diagnostics, information about the anomaly from each of the non-destructive testing tools traditionally has the following form - the frame (local area) of the defect, the type of defect, its size and type of control.

After collecting the results from all the selected detectors 300 , namely all information about all the anomalies detected by the detectors 300 in a certain time, the ensemble engine 404 performs at least one of the following:

• combining anomaly localization areas from individual detectors 300 to localize common anomalies, wherein said areas define (localize) anomalies in space (an indication of the element or part of the FSC where the anomaly occurred) and/or time (the range of anomaly observation time);

• analysis of the contribution of one or another detector 300 to the combined anomaly;

• calculation of predetermined characteristics of the combined anomaly using the characteristics of the anomalies obtained from each of the detectors 300 and information about its contribution - that is, based on the area of localization of the combined anomaly and the values of all parameters of the FSC.

The combination of areas or times of anomalies is carried out on the basis of an analysis of the spatial or temporal areas marked as an anomaly by one or another detector 300 . Thus, areas of anomalies obtained from different detectors 300 can be combined into one common area of the combined anomaly (also the area of localization of the combined anomaly) when at least one of the following conditions is met:

• if the spatial or temporal intersection of the above areas exceeds a certain percentage of the combined area;

• if the centers of the corresponding areas lie in a certain spatial or temporal range;

• if a specially pre-trained neural network marks these areas as belonging to one combined anomaly, in particular, a combined defect.

It is worth noting that in the step of combining anomalies from different detectors 300 , three types of anomalies will be obtained, namely, anomalies obtained by combining areas from all detectors 300 , anomalies obtained by combining areas from only a part of the detectors 300 , and anomalies obtained by only one of 300 detectors. All these anomalies after the combination step are also called combined anomalies, even if they are anomalies of the latter type.

It is worth noting that if the anomalies detected by the detectors300, spatial and/or temporal areas are significantly different according to one of the above conditions, these anomalies will not be combined into one combined anomaly, but will be considered separate anomalies. For example, anomalies can occur in different TPs or in different parts of the FSC200 - that is, the difference in the spatial areas of anomalies. In another example, anomalies can occur with a significant difference in time, which also indicates that these are different anomalies of one part of the FSC200. In yet another example, anomalies can occur and be detected by detectors.300 in different places and with a large difference in time, which also indicates different anomalies both in time and space.

After obtaining the area of localization of the combined anomaly, the analysis of the contribution of certain detectors 300 to this combined anomaly is carried out. Thus, a feature vector is introduced corresponding to the total number of detectors 300 , and the contribution of one or another detector 300 is expressed as a number calculated either from the contribution of the spatial or temporal region of the anomaly obtained by this detector 300 to the combined anomaly, or from the degree of proximity of the center of this and the combined anomaly , or by applying a pre-trained neural network that evaluates such a contribution. Note that in the absence of one or another detector 300 in the formation of the combined anomaly, its contribution is set to zero. We also note that if there is information about the degree of reliability or criticality of one or another detector 300 for a given TP in the FSC 200 , in which the said detector detects an anomaly, the contribution of this detector 300 is changed, for example, it is significantly increased or decreased.

After calculating the contribution of each of the detectors 300 to the combined anomaly, the predetermined characteristics of the combined anomaly are calculated based on the localization area of the combined anomaly and the values of all FSC parameters included in all subsets of the FSC parameters of the pipeline 500 . An example of such a characterization is described in patent application RU2021139349, and can be carried out on the basis of only local data on the FSC parameters of the anomaly, taking into account the vector of contributions of the detectors 300 to this anomaly, taking into account the characteristics of the anomalies obtained from each of the detectors 300 or in any combination of the above. . It should be noted that at the same stage, if necessary, anomalies are filtered either with predetermined characteristics, or determined by only one detector 300 , or determined by a pre-trained neural network, or according to a certain pre-selected set of rules.

So, at the output of the ensemble tool 404, the TS operator receives a set of combined anomalies with their calculated characteristics, which may include the anomaly probability, its hazard class, spatial and temporal dimensions, detection method or method, and others.

The following is an example in which the use of the limit value determination module 304 can be applied to those FSC parameters that are critical for a particular TP in order to highlight critical anomalies (first subset). In this case, the rest of the CPS parameters (the second subset) will be analyzed in a different way, for example, by means 301 . In this case, the ensemble tool 404 has information about the anomaly detection method (detector 300 ) and, when an anomaly is detected, only module 304 determines the combined anomaly with a certain probability and hazard class (for example, 80%, hazard class “second”), while when an anomaly is detected both detectors 300 at the same time, the ensemble 404 determines the combined anomaly with a higher probability and a higher hazard class (for example, 90%-100%, hazard class "first"), and then transmits this information to the FSC operator.

Another example is the situation when the parameters of the FSC 401a are divided into subsets of the parameters of the FSC 411 according to a certain principle, with each subset of the parameters of the FSC 411 choosing its own detector 300 . After that, each branch of the data processing pipeline 500 separately determines and evaluates the probability and severity of the found anomalies and sends this information to the ensemble tool 404 . It is worth noting that the level of criticality of anomalies determined by the parameters of the FSC 401a of each subset of the parameters of the FSC 411 can be set, for example, by the operator of the FSC through the feedback interface, using a pre-trained machine learning model to estimate the level of criticality, using statistics from earlier certain anomalies.

Ensembling tool 404 combines the results obtained from the selected detectors 300 , namely all the received anomalies by estimating the proximity of the centers of the corresponding areas of anomalies, and then calculates the probability and hazard class of the anomaly, in particular, by weighting the levels of criticality and probability over all methods that determined the corresponding anomaly (i.e. 300 detectors). The averaging weights are the vector corresponding to the detection (value 1) or non-detection (value 0) of this anomaly by one or another means. In this case, if the total anomaly probability level exceeds the specified threshold (for example, more than 0.5), then the anomaly is confirmed, otherwise it is not confirmed and is filtered out.

On FIG. 6 shows a method for detecting anomalies in the FSC.

At the initial stage 601 collect data containing the values of the parameters of the FSC 401 . Next, at step 602 , at least two subsets of QPS 411 parameters are generated from among the QPS parameters 401a . At step 603 , at least two detectors 300 are selected from the list of detectors 412 and at least one subset of FSC parameters 411 for each selected detector 300 . Then, at step 604 , each subset of QPS 411 parameters is pre-processed before being passed to the corresponding detector 300 . At step 605 , using each selected detector 300, anomalies are detected in the data corresponding to the detectors 300 of subsets of the QPS 411 parameters. Finally, at step 606 , the combined anomaly in the FSC is detected by aggregating the results from the selected detectors 300 .

It is worth noting that steps 604 - 605 may run in parallel for each subset of QPS 411 parameters. For example, one of the detectors 300 may perform pre-anomaly detection in 1 ms and pass the result to ensembler 404 , while the second detector may take 1 second to pre-detect the anomaly. The particular implementations presented earlier in FIG. 2 - Fig. 5 are also applicable to the method of FIG. 6 .

Thus, the present invention allows solving the claimed technical problem and achieving the indicated technical results, namely, scaling the anomaly detection system in the FSC by using a plurality of detectors and integrating the results of the use of these detectors, as well as improving the accuracy of anomaly detection in the FSC by using a plurality of detectors with subsequent merging of the results of all the specified detectors.

Fig. 7 is an example of a general purpose computer system with which the present invention can be implemented, in particular system 500 and its elements, detectors 300 . The personal computer or server 20 includes a central processing unit 21 , system memory 22 , and a system bus 23 which contains various system components including memory associated with the central processing unit 21 . The system bus 23 is implemented as any bus structure known in the art, in turn comprising a bus memory or bus memory controller, a peripheral bus, and a local bus capable of interfacing with any other bus architecture. The system memory contains read-only memory (ROM) 24 , random access memory (RAM) 25 . The main input/output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of a personal computer 20 , for example, at the time of booting the operating system using ROM 24 .

The personal computer 20 in turn comprises a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29 and an optical drive 30 for reading and writing to removable optical disks 31 such as CD-ROM, DVD -ROM and other optical storage media. The hard disk 27 , the magnetic disk drive 28 , the optical drive 30 are connected to the system bus 23 via the hard disk interface 32 , the magnetic disk interface 33 , and the optical drive interface 34 , respectively. Drives and related computer storage media are non-volatile means of storing computer instructions, data structures, program modules, and other personal computer data 20 .

The present description discloses an implementation of a system that uses a hard disk 27' , a removable magnetic disk 29' , and a removable optical disk 31' , but it should be understood that other types of computer storage media 56 that are capable of storing data in a computer-readable form (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.), which are connected to the system bus 23 through the controller 55 .

The computer 20 has a file system 36 that stores the recorded operating system 35 as well as additional software applications 37 , other program modules 38 and program data 39 . The user (operator) has the ability to enter commands and information into the personal computer 20 through input devices (keyboard 40 , mouse 42 ). Other input devices (not shown) may be used: microphone, joystick, game console, scanner, etc. Such input devices are typically connected to the computer system 20 through a serial port 46 , which in turn is connected to the system bus, but may be connected in other ways, such as through a parallel port, game port, or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48' . In addition to the monitor 47 , the personal computer may be equipped with other peripheral output devices (not shown), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment using a network connection to another or more remote computers 49 . The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the nature of the personal computer 20 shown in FIG. 7 . Other devices may also be present in the computer network, such as routers, network stations, peer-to-peer devices, or other network nodes.

The network connections may form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks (also - information systems), internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local network 50 via a network adapter or network interface 51 . When using networks, personal computer 20 may use a modem 54 or other means to communicate with a wide area network, such as the Internet. The modem 54 , which is an internal or external device, is connected to the system bus 23 via the serial port 46 . It should be clarified that network connections are only indicative and are not required to represent the exact network configuration, i.e. in fact, there are other ways to establish a connection by technical means of communication from one computer to another.

As described, the components, execution steps, data structure described above can be executed using various types of operating systems, computer platforms, programs.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention defined by the formula.

Claims (86)

1. A computer-implemented method for detecting anomalies in a cyber-physical system (CPS), in which: a) collect the values of the CPS parameters; b) at least two subsets of QPS parameters are formed from among the QPS parameters; c) selecting at least two anomaly detectors from the list of detectors and at least one generated subset of FSC parameters for each selected detector; d) pre-processing each subset of FSC parameters before passing it to the corresponding detector, with each selected detector corresponding to its own set of pre-processing steps; e) detecting at least one anomaly by each selected detector in the data of the subset of FSC parameters corresponding to the detector; f) identify the combined anomaly in the FSC by aggregating the results obtained from the selected detectors. 2. The method according to claim 1, in which post-processing of the detected anomalies from each selected detector is carried out, and the ensemble of the results that have passed post-processing is carried out. 3. The method according to claim 1, in which at least one of the following is taken into account when choosing a detector and its corresponding subset of FSC parameters: characteristics of FSC; list of CPS parameters and their values from a subset of CPS parameters; type and amount of data. 4. The method according to claim 1, in which, when choosing a detector and its corresponding subset of FSC parameters, at least one of the following characteristics associated with the detector is taken into account: quality metric; results of ROC-curve analysis; lead time; the amount of resources used by the computer. 5. The method according to claim 1, in which the preprocessing of a subset of QPS parameters includes at least one of the following steps: buffering data with a temporary buffer of length Δt; filtering of invalid data or data that arrived with a delay greater than Δt; reordering based on the time points of obtaining the values of the CPS parameters; filling gaps in the values of CFS parameters; interpolation on a uniform grid; normalization of CPS parameters values; repacking the values of the FSC parameters for processing by the detector. 6. The method according to claim 1, in which the detectors from the list of detectors implement at least one of the following anomaly detection methods: a method according to which an anomaly is detected in the event that the total prediction error exceeds a threshold value, while first performing the prediction of the values of the QPS parameters and then determining the total prediction error for the QPS parameters; a method according to which an anomaly is detected by applying a machine learning model based on the values of the QPS parameters; a method according to which an anomaly is detected when the anomaly detection rule is executed; a method according to which an anomaly is detected based on a comparison of the obtained values of the FSC parameters with the limit values of the established ranges of values for the FSC parameters. 7. The method according to claim 1, in which the CPS parameters take at least one of the following values: sensor measurement; the value of the controlled parameter of the actuator; setting of the actuator; the value of at least one input signal proportional-integral-derivative controller (PID controller); PID controller output value. 8. The method according to claim 1, in which the values of the CPS parameters are collected simultaneously from the entire CPS with an indication of the CPS parameters or from individual parts of the CPS in the form of several separate streams of CPS parameter values with an indication of the CPS parameters contained in each stream. 9. The method according to p. 1, in which the ensemble of the results obtained from the selected detectors is performed by at least one of the following methods: by combining areas of localization of anomalies from individual detectors in order to localize common anomalies, and said areas define anomalies in space and/or time; by analyzing the contribution of one or another detector to the combined anomaly; by calculating predetermined characteristics of the combined anomaly using the characteristics of the anomalies obtained from each of the detectors and information about its contribution. 10. The method of claim 9, wherein at least one of the following conditions is used to combine areas or times of anomalies from individual detectors: if the spatial or temporal intersection of the above areas exceeds a certain percentage of the combined area; if the centers of the respective regions lie in a certain spatial or temporal range; if a specially pre-trained neural network marks these areas as belonging to one combined anomaly. 11. The method according to claim 9, in which the contribution of one or another detector to the anomaly is analyzed by setting a feature vector corresponding to the total number of detectors, and then performing at least one of the following actions: the contribution of the detector to the anomaly is equated to a number calculated from the contribution of the spatial or temporal region of the anomaly obtained by this detector to the combined anomaly; determine the contribution by the degree of proximity to the center of this combined anomaly; determine the contribution by applying a pre-trained neural network that evaluates such a contribution; in the absence of one or another detector in the formation of the combined anomaly, its contribution is set equal to zero; if there is information about the degree of reliability or criticality of a particular detector for a technological process (TP) in the FSC, in which the said detector detects an anomaly, the contribution of this detector is changed. 12. The method according to claim 9, in which, after detecting at least one anomaly by each selected detector, post-processing of the output data is additionally performed, in particular, an extended set of anomaly characteristics is calculated, including an assessment of the danger of anomalies, typing and sizing of such anomalies, normalization and unification of output information about anomalies, moreover, a combined anomaly is detected in the FSC by aggregating the results obtained from the selected detectors and passed the mentioned post-processing. 13. The method according to claim 9, wherein if the anomaly characteristic cannot be calculated, the detector is set to a preselected value for said anomaly characteristic. 14. The method according to claim 9, in which at least one of the following characteristics of the anomaly associated with the detector that detected it is calculated: the hazard class of the anomaly detected by the detector, its type and size; the probability of detecting an anomaly by the detector; values of deviations of the predicted values of the CPS parameters from their true values or default values, the values of the specified deviations from the settings, the root-mean-square values of the measure of deviations of individual or all CPS parameters used in the detector; maximum or average deviations of the observed values of the CPS parameters from certain predetermined limits, the duration in time and the frequency of these deviations; detector performance in detecting an anomaly. 15. The method according to claim 1, in which, for a subset of CPS parameters, the detector is selected that provides the required accuracy and completeness of anomaly detection by this detector for a given subset of CPS parameters, or a given detector performance on this subset of CPS parameters, or in accordance with expert knowledge about a subset of CPS parameters. 16. The method according to claim 1, wherein the subsets of QPS parameters are selected based on at least one of the following characteristics of the QPS subset: significance of CPS parameters for TP; FSC parameters belong to one or another type of equipment; belonging to one TS; uniformity of CPS physical parameters in a subset. 17. System for detecting anomalies in the cyber-physical system (CPS), containing: a) a data collection tool designed to collect the values of the CPS parameters; b) a means of formation intended for: forming at least two subsets of QPS parameters from among the QPS parameters; selecting at least two detectors from the list of detectors and at least one generated subset of FSC parameters for each selected detector; c) at least one pre-processing block designed to process each subset of CPS parameters before transmission to the corresponding detector, each detector having its own set of pre-processing blocks; d) each of said at least two detectors is designed to detect at least one anomaly in the data of the subset of FSC parameters corresponding to the detector; e) Ensemble tool designed to detect the combined anomaly in the FSC by ensembling the results obtained from the selected detectors. 18. The system of claim 17, wherein the pre-processing units perform at least one of the following steps: buffering data with a temporary buffer of length Δt; filtering of invalid data or data that arrived with a delay greater than Δt; reordering based on the time points of obtaining the values of the CPS parameters; filling gaps in the values of CFS parameters; interpolation on a uniform grid; normalization of CPS parameters values; repacking the values of the FSC parameters for processing by the detector. 19. The system of claim 17, further comprising at least one post-processing block for processing the output of its respective detector before being passed to the ensembler, each detector having its own set of post-processing blocks. 20. The system of claim 19, wherein the post-processing units perform at least one of the following steps: a) assessment of the risk of anomalies; b) typification and sizing of such anomalies; c) normalization and unification of output information about anomalies.

Images