Background

Power grids have evolved into complex networks composed of multiple layers (physical, cyber, economic and social). The complexity and fluidity of the power grid make high-precision detection of cyber-attacks nearly impossible.

RAMI is an anomaly detection triage engine that sorts predicted adverse events into detection classes according to their impact on supervisor actions. The detection classifier analyzes the predicted failure mode and the corresponding recovery actions along multiple complexity metrics (duration, geographical scope, severity). It applies class-specific action thresholds, tailoring the false alarm rate of each class to the operators' ability to mitigate that class of event.

Technical Details

RAMI classifies anomalies and incipient failures based on:

  • predicted evolution (Imminence),
  • severity (Severity), and
  • the scope of the response required (Response Complexity).

In the event of a false alarm, RAMI mitigates its effect and uses the data to relearn the classification model, so that anomalies are better identified according to the level of impact they would have on system operations.

RAMI Classification Tree
RAMI classifies anomalies according to three criteria: imminence, severity, and response complexity.

Anticipated Benefits and Applications

Military:

Barnstorm will pursue military transition opportunities to protect the following:

  • Critical Infrastructure, by triaging anomalies, thereby reducing the cognitive load and accelerating responsiveness of operators.
  • Satellites in geosynchronous orbit, by triaging changes in orbiting patterns and behaviors that may be indicators of attack or sabotage, or a false alarm, so as to better direct the attention of operators and provide advance indication of the intervention likely required.

Commercial:

Barnstorm will pursue commercial transition opportunities to protect the following:

  • Smart homes, commercial buildings, and any environment monitored through Internet-of-Things technology by triaging alarms according to severity.
  • Corporate computer networks, by triaging intrusions and misuse so as to better distinguish true alarms from false ones.

Disclaimer

This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author(s) and should not be interpreted as reflecting the official views or policies of the Department of Defense or the U.S. Government. (Approved for Public Release, Distribution Unlimited 4/27/17)