Abstract: A system (100) and method for detecting a malicious programmable logic controller (PLC) code segment (110) in a PLC program corresponding to a specific type of PLC includes a binary parser (112) that parses the code segment (110) into a plurality of functional elements. A variable and function block mapper (114) maps the functional elements into a high-level data structure. A fuzzer (116) generates a behavioral model of the high-level data structure into an automaton (118). A classifier (120) predicts to which processes the automaton (118) corresponds. A detector (122) detects unsafe states in the automaton (118) and that generates an indication of a detected unsafe state.

Abstract: Disclosed are various embodiments for identifying devices that are part of a network. Devices are modeled based on physical characteristics. Devices are classified or device communications can be verified.

Abstract: There is provided a method including: during a training period, collecting a plurality of scan cycle times of a programmable logic controller (PLC) program executing on a PLC; calculating one or more baseline parameters based on the plurality of scan cycle times; determining a baseline PLC program signature based on the one or more baseline statistical parameters; and storing the baseline PLC program signature.

Abstract: System and method for detecting an infected website are disclosed. A semantic finder receives top-level domains and identifies keywords of the top-level domains representing a predetermined semantics. The keywords are compared with irrelevant bad terms to find at least one irrelevant term. An inconsistency searcher searches the top-level domains and detects at least one fully-qualified domain name carrying the at least one irrelevant term. A context analyzer evaluates context information associated with the irrelevant term, identifies at least one frequently-used term identified in the context information, and determines whether the at least one frequently-used term is unrelated to a generic content of the at least one fully-qualified domain name An irrelevant bad term collector extracts the at least one frequently-used term unrelated to the generic content and adds the extracted frequently-used term to an irrelevant bad term list for detecting the infected website.

Abstract: Disclosed are various embodiments for identifying devices that are part of a network. Devices are modeled based on physical characteristics. Devices are classified or device communications can be verified.

Abstract: There is provided a method including: during a training period, collecting a plurality of scan cycle times of a programmable logic controller (PLC) program executing on a PLC; calculating one or more baseline parameters based on the plurality of scan cycle times; determining a baseline PLC program signature based on the one or more baseline statistical parameters; and storing the baseline PLC program signature.

Abstract: This disclosure provides methods for verifying the integrity of an additive manufacturing process during or after a three-dimensional (3D) print job. The methods include at least one of three validation layers: an acoustic layer, a spatial sensing layer, and a material verification layer. For the acoustic layer, the method includes determining the presence of a signature audio signal. For the spatial sensing layer, the method includes comparing a recorded trajectory with a reference trajectory. The method also includes determining the presence of a signature trajectory. For the material verification layer, the method includes determining the location of a special material in a 3D printed object based on a predetermined pattern in which the special material embedded in a filament. The methods allow for detecting alteration in the additive manufacturing process.

Abstract: System and method for detecting an infected website are disclosed. A semantic finder receives top-level domains and identifies keywords of the top-level domains representing a predetermined semantics. The keywords are compared with irrelevant bad terms to find at least one irrelevant term. An inconsistency searcher searches the top-level domains and detects at least one fully-qualified domain name carrying the at least one irrelevant term. A context analyzer evaluates context information associated with the irrelevant term, identifies at least one frequently-used term identified in the context information, and determines whether the at least one frequently-used term is unrelated to a generic content of the at least one fully-qualified domain name An irrelevant bad term collector extracts the at least one frequently-used term unrelated to the generic content and adds the extracted frequently-used term to an irrelevant bad term list for detecting the infected website.

Abstract: Disclosed are various embodiment's for fingerprinting devices that are part of a network. A network monitoring device monitors traffic between devices in the network. A fingerprint is generated based upon response times of the devices in the network. Embodiment's of the present disclosure provide for device fingerprinting in cyber-physical system, such as a control system environment. Embodiment's of the present disclosure can be used in conjunction with traditional intrusion detection system (IDS) in a control systems environment. Embodiment's of the present disclosure can be used to achieve device fingerprinting from software, hardware, and physics-based perspectives. Embodiment's of the present disclosure can prevent security compromises by accurately fingerprinting devices in a control system environment, and other networked environments, as may be appreciated. Embodiment's of the present disclosure can generate fingerprints of a device which reflects identifiable characteristics of a device, such as, e.

Abstract: Systems and methods for providing device and/or device type fingerprinting based on properties of network traffic originating from a device to be identified. In one implementation, the method includes capturing packets routed through a network at an intermediate node between the originating device to be identified and destination, measuring properties of the captured traffic, including packet inter-arrival time, and generating a signature based on the measured properties that includes identifying information about the hardware and/or software architecture of the device. Various implementations do not require deep packet inspection, do not require a managed device-side client, are protocol and packet payload agnostic, and effective for MAC or IP-level encrypted streams. Also, various implementations can provide wired-side detection of wireless devices and device types and can detect both previously detected and unknown devices.