Abstract: Methods and apparatus are disclosed for security event detection through virtual machine introspection. Example methods involve monitoring usage of a plurality of resources by a first virtual machine executing on a computing device by a monitoring agent, the monitoring agent executing on the computing device separate from the first virtual machine. Example methods further involve detecting a potential security event by comparing the usage of the plurality of resources to resource usage patterns. Example methods further involve assigning a severity level to the detected potential security event, and initiating a security action defined for the assigned severity level.

Abstract: A security appliance includes: a network port enabling direct connection to a gateway; a storage module having stored thereon firmware for operating the security appliance; and a processor that executes the program code of the firmware. The firmware configures the appliance to: establish a seamless communication interface with a connected gateway; monitor traffic coming into and going out from the connected gateway; and identify traffic anomalies within the monitored traffic. The firmware further configures the appliance to: in response to identifying one or more of the traffic anomalies: forward information about the identified traffic anomalies to a centralized database for evaluation and reporting; and in response to receiving an update from a server associated with the centralized database, update a security protocol of the appliance and/or the gateway to more quickly respond to detection of similar traffic anomalies and mitigate or counter emerging threats associated with the traffic anomalies.

Abstract: An anomaly detection system installed in a plant communications network detects unexpected changes or anomalies in the traffic patterns over the communications network to detect infected or potentially infected nodes. The anomaly detection system includes various data collection modules at each of the nodes of the network which operate to view the message traffic into and out of the node and to generate metadata pertaining to the message traffic. The communication modules at the nodes send the traffic metadata to an anomaly analysis engine, which processes the metadata using a rules engine that analyzes the metadata using a set of logic rules and traffic pattern baseline data to determine if current traffic patterns at one or more network nodes are anomalous. If so, the analysis engine may generate an alert or message to a user informing the user of the potentially infected node, may automatically disconnect the node from the network, or may take some other action to minimize the effects of an infected node.

Abstract: A security appliance includes: a network port enabling direct connection to a gateway; a storage module having stored thereon firmware for operating the security appliance; and a processor that executes the program code of the firmware. The firmware configures the appliance to: establish a seamless communication interface with a connected gateway; monitor traffic coming into and going out from the connected gateway; and identify traffic anomalies within the monitored traffic. The firmware further configures the appliance to: in response to identifying one or more of the traffic anomalies: forward information about the identified traffic anomalies to a centralized database for evaluation and reporting; and initiate steps to prevent further occurrence of the traffic anomalies, without user approval.

Abstract: Methods and apparatus to control communications of endpoints in an industrial enterprise system based on integrity are disclosed. An example apparatus includes an integrity measurement comparator to compare an integrity measurement to a reference value. The integrity measurement is generated by an endpoint in a network of an industrial enterprise system based on a state of the endpoint. The reference value corresponds to a trusted state of the endpoint. The example apparatus also includes an authorization controller to enable communications access for the endpoint on the network based on the comparison of the integrity measurement to the reference value.

Abstract: A security appliance includes: a network port enabling direct connection to a gateway; a storage module having stored thereon firmware for operating the security appliance; and a processor that executes the program code of the firmware. The firmware configures the appliance to: establish a seamless communication interface with a connected gateway; monitor traffic coming into and going out from the connected gateway; and identify traffic anomalies within the monitored traffic. The firmware further configures the appliance to: in response to identifying one or more of the traffic anomalies: forward information about the identified traffic anomalies to a centralized database for evaluation and reporting; and initiate steps to prevent further occurrence of the traffic anomalies, without user approval.

Abstract: Methods and apparatus to control communications of endpoints in an industrial enterprise system based on integrity are disclosed. An example apparatus includes an integrity measurement comparator to compare an integrity measurement to a reference value. The integrity measurement is generated by an endpoint in a network of an industrial enterprise system based on a state of the endpoint. The reference value corresponds to a trusted state of the endpoint. The example apparatus also includes an authorization controller to enable communications access for the endpoint on the network based on the comparison of the integrity measurement to the reference value.

Abstract: An anomaly detection system installed in a plant communications network detects unexpected changes or anomalies in the traffic patterns over the communications network to detect infected or potentially infected nodes. The anomaly detection system includes various data collection modules at each of the nodes of the network which operate to view the message traffic into and out of the node and to generate metadata pertaining to the message traffic. The communication modules at the nodes send the traffic metadata to an anomaly analysis engine, which processes the metadata using a rules engine that analyzes the metadata using a set of logic rules and traffic pattern baseline data to determine if current traffic patterns at one or more network nodes are anomalous. If so, the analysis engine may generate an alert or message to a user informing the user of the potentially infected node, may automatically disconnect the node from the network, or may take some other action to minimize the effects of an infected node.

Abstract: Methods and apparatus are disclosed for security event detection through virtual machine introspection. Example methods involve monitoring usage of a plurality of resources by a first virtual machine executing on a computing device by a monitoring agent, the monitoring agent executing on the computing device separate from the first virtual machine. Example methods further involve detecting a potential security event by comparing the usage of the plurality of resources to resource usage patterns. Example methods further involve assigning a severity level to the detected potential security event, and initiating a security action defined for the assigned severity level.