Abstract: The present disclosure describes systems and methods for detecting malware. More particularly, the system includes a monitoring device that monitors side-channel activity of a target device. The monitoring device that can work in conjunction with (or independently of) a cloud-based security analytics engine to perform anomaly detection and classification on the side-channel activity. For example, the monitoring device can calculate a first set of features that are then transmitted to the security analytics engine for anomaly detection and classification.

Abstract: The present disclosure describes systems and methods for detecting malware. More particularly, the system includes a monitoring device that monitors side-channel activity of a target device. The monitoring device that can work in conjunction with (or independently of) a cloud-based security analytics engine to perform anomaly detection and classification on the side-channel activity. For example, the monitoring device can calculate a first set of features that are then transmitted to the security analytics engine for anomaly detection and classification.

Abstract: The present disclosure describes systems and methods for detecting malware. More particularly, the system includes a monitoring device that monitors side-channel activity of a target device. The monitoring device that can work in conjunction with (or independently of) a cloud-based security analytics engine to perform anomaly detection and classification on the side-channel activity. For example, the monitoring device can calculate a first set of features that are then transmitted to the security analytics engine for anomaly detection and classification.

Abstract: The present disclosure describes systems and methods for detecting malware. More particularly, the system includes a monitoring device that monitors side-channel activity of a target device. The monitoring device that can work in conjunction with (or independently of) a cloud-based security analytics engine to perform anomaly detection and classification on the side-channel activity. For example, the monitoring device can calculate a first set of features that are then transmitted to the security analytics engine for anomaly detection and classification.

Abstract: A method includes storing a security credential associated with a communication network on a portable storage device. The method also includes detecting removal of the portable storage device from a specified location. The method further includes allowing at least one communication device to communicate over the communication network using the security credential. In addition, the method includes revoking the security credential after a specified time period has elapsed. The portable storage device could represent a card, and the specified location could represent a card reader/writer. Also, the communication network could represent a wireless network, and the security credential could represent a cryptographic key.

Abstract: A method includes identifying a condition associated with a communication network and/or an industrial control and automation system. The method also includes selecting, based on the identified condition, one or more quality of service (QoS) parameters used to route data through the communication network. In addition, the method includes communicating information identifying the one or more QoS parameters to one or more components in the communication network. The one or more QoS parameters could be contained within one of multiple QoS policies, and the method could include selecting one of the QoS policies. The condition could represent an emergency condition, and the one or more QoS parameters could include a higher QoS priority for traffic (such as voice communications and sensor data) to and from specified personnel (such as first responders). The communication network could represent at least one wired network and/or at least one wireless network.

Abstract: A method includes receiving data at a first wireless node in a wireless network, where the data is associated with an industrial control and automation system. The method also includes decrypting the received data using a first encryption key to produce decrypted data and encrypting the decrypted data using a second encryption key to produce encrypted data. The method further includes communicating the encrypted data to at least a second wireless node in the wireless network. Another method includes generating first data at a first wireless node in a wireless network, where the data is associated with an industrial control and automation system. The other method also includes encrypting the first data using an encryption key and transmitting the first data to multiple second wireless nodes in the wireless network, where the second wireless nodes are capable of using the same encryption key to decrypt the first data.

Abstract: A method includes wirelessly receiving a message at a receiving node. The method also includes extracting a partial counter value from the message, where the partial counter value represents a subset of bits from a complete counter value of a transmitting node. The method further includes decrypting and authenticating the message based on the partial counter value. Decrypting and authenticating the message could include examining a bitmap to identify a bit value associated with the partial counter value, decrypting and authenticating the message if the identified bit value has a first value, and discarding the message if the identified bit value has a second value. Decrypting and authenticating the message could also include identifying at least one complete counter value at the receiving node based on the partial counter value and attempting to decrypt and authenticate the message using the at least one complete counter value.

Abstract: The present system having a secure wireless infrastructure with a key server acting as a key distribution center. The key server may be the core of the network, securely admitting new nodes or devices, deploying and updating keys and authorizing secure communications sessions. The system may also share secure keying information with a new device not already a member of a secure wireless network. The keying information may be used for authentication or encryption or both, and may be provided to the new device in a manner or mode which is not susceptible to exposure outside of the secure network. The keying information shared with the new device may be regarded as a birth key. Then the new device may send a birth key encrypted request to join the secure network via an exposed communication mode. The key server may respond with a birth key encrypted key encryption key.

Abstract: A recursive verification protocol to reduce the time variance due to delays in the network by putting the subject node at most one hop from the verifier node provides for an efficient manner to test wireless sensor nodes. Since the software signatures are time based, recursive testing will give a much cleaner signal for positive verification of the software running on any one node in the sensor network. In this protocol, the main verifier checks its neighbor, who in turn checks its neighbor, and continuing this process until all nodes have been verified. This ensures minimum time delays for the software verification. Should a node fail the test, the software verification downstream is halted until an alternative path (one not including the failed node) is found. Utilizing techniques well known in the art, having a node tested twice, or not at all, can be avoided.

Abstract: A method includes wirelessly receiving a message at a receiving node. The method also includes extracting a partial counter value from the message, where the partial counter value represents a subset of bits from a complete counter value of a transmitting node. The method further includes decrypting and authenticating the message based on the partial counter value. Decrypting and authenticating the message could include examining a bitmap to identify a bit value associated with the partial counter value, decrypting and authenticating the message if the identified bit value has a first value, and discarding the message if the identified bit value has a second value. Decrypting and authenticating the message could also include identifying at least one complete counter value at the receiving node based on the partial counter value and attempting to decrypt and authenticate the message using the at least one complete counter value.

Abstract: A method includes storing a security credential associated with a communication network on a portable storage device. The method also includes detecting removal of the portable storage device from a specified location. The method further includes allowing at least one communication device to communicate over the communication network using the security credential. In addition, the method includes revoking the security credential after a specified time period has elapsed. The portable storage device could represent a card, and the specified location could represent a card reader/writer. Also, the communication network could represent a wireless network, and the security credential could represent a cryptographic key.

Abstract: A method includes receiving data at a first wireless node in a wireless network, where the data is associated with an industrial control and automation system. The method also includes decrypting the received data using a first encryption key to produce decrypted data and encrypting the decrypted data using a second encryption key to produce encrypted data. The method further includes communicating the encrypted data to at least a second wireless node in the wireless network. Another method includes generating first data at a first wireless node in a wireless network, where the data is associated with an industrial control and automation system. The other method also includes encrypting the first data using an encryption key and transmitting the first data to multiple second wireless nodes in the wireless network, where the second wireless nodes are capable of using the same encryption key to decrypt the first data.

Abstract: A method includes identifying a condition associated with a communication network and/or an industrial control and automation system. The method also includes selecting, based on the identified condition, one or more quality of service (QoS) parameters used to route data through the communication network. In addition, the method includes communicating information identifying the one or more QoS parameters to one or more components in the communication network. The one or more QoS parameters could be contained within one of multiple QoS policies, and the method could include selecting one of the QoS policies. The condition could represent an emergency condition, and the one or more QoS parameters could include a higher QoS priority for traffic (such as voice communications and sensor data) to and from specified personnel (such as first responders). The communication network could represent at least one wired network and/or at least one wireless network.

Abstract: A wireless node in a wireless network examines data packets directed to itself (i.e., value in destination address field indicates that the wireless node is an intended recipient)for presence of anomalies that suggest intrusion. The data packet is examined as part of the normal course of operation of the node. Upon detection of an anomaly, the wireless node sends a message packet containing details of the anomaly to a sentinel device. The sentinel device processes the anomalies to determine if a possibility of intrusion is indicated, and activates a spy routine in the wireless node. The spy routine enables further investigation into the intrusion. As components (such as wireless nodes) in the wireless network operate normally (normal operations) until an anomalous condition/event occurs, the additional power requirements for intrusion detection are reduced. If intrusion is detected, appropriate actions, such as alerting an operator, are taken to mitigate the intrusion.

Abstract: The present system having a secure wireless infrastructure with a key server acting as a key distribution center. The key server may be the core of the network, securely admitting new nodes or devices, deploying and updating keys and authorizing secure communications sessions. The system may also share secure keying information with a new device not already a member of a secure wireless network. The keying information may be used for authentication or encryption or both, and may be provided to the new device in a manner or mode which is not susceptible to exposure outside of the secure network. The keying information shared with the new device may be regarded as a birth key. Then the new device may send a birth key encrypted request to join the secure network via an exposed communication mode. The key server may respond with a birth key encrypted key encryption key.

Abstract: A recursive verification protocol to reduce the time variance due to delays in the network by putting the subject node at most one hop from the verifier node provides for an efficient manner to test wireless sensor nodes. Since the software signatures are time based, recursive testing will give a much cleaner signal for positive verification of the software running on any one node in the sensor network. In this protocol, the main verifier checks its neighbor, who in turn checks its neighbor, and continuing this process until all nodes have been verified. This ensures minimum time delays for the software verification. Should a node fail the test, the software verification downstream is halted until an alternative path (one not including the failed node) is found. Utilizing techniques well known in the art, having a node tested twice, or not at all, can be avoided.