The “Industrial Internet” refers to an integrated networked system of complex physical machinery (referred to as “assets”) with embedded sensors and advanced analytic tools configured to communicate with one another. As Industrial Internet technologies evolve, a greater number of assets (e.g., medical equipment, aviation units, trains, and gas turbines) are integrated into cloud architectures, with data collected from the assets' embedded sensors being used by analytic engines for predictive analytics and optimization. Although the connectivity of these assets brings a number of productivity benefits, it also presents significant challenges in the domain of cyber-security. For example, in a widely connected environment, a “zero-day” cyber-attack that exploits an unknown system vulnerability can introduce malware that quickly spreads through the network, thereby creating significant damage. The term “zero-day” stems from the fact that these attacks often take a new form, going unnoticed by monitoring entities and thereby leaving no time for support engineers or software developers to distribute a “software patch” that fixes and removes the vulnerability. To this end, there are significant efforts to enhance the cyber-security infrastructure of the Industrial Internet to deal with such threats.
For example, cyber-security analytic engines may be specifically designed to detect anomalies in the Industrial Internet that are associated with cyber-attacks. These engines monitor network and sensor data, assess their parameters, and try to detect unusual behavioral patterns that could signal a “zero-day” attack. However, analytic engines that are based on behavioral patterns often suffer from higher rates of false positives than the targeted approach, which looks for previously characterized attacks. Since the targeted approach cannot be applied to detect a newly invented “zero-day” attack, cyber-security solutions designed to mitigate this risk must resort to some form of behavioral analysis and hence are prone to a higher rate of false-positive alerts. These false positives will potentially trigger misleading alerts through the monitoring system, thereby leading to a series of unnecessary and even disruptive automated or human-operated action items.
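The false-positive trade-off described above, as an added example that is not part of the original text: a baseline-driven behavioral detector and a targeted rule are run over a constructed sensor stream from a single asset, and the behavioral detector is also re-baselined after a benign operating change. The readings, the indicator in KNOWN_BAD_READINGS, and the function names are all hypothetical.

```python
"""Behavioral vs. targeted detection on a constructed asset sensor stream.

Shows why a baseline-driven anomaly detector raises false positives when an
asset legitimately changes operating point, and how re-baselining after an
acknowledged change removes them. All names and data below are hypothetical.
"""
from statistics import mean, pstdev

# Constructed readings (hypothetical vibration units) from one asset.
BASELINE = [10.0, 10.2, 9.8, 10.1, 9.9, 10.0, 10.3, 9.7, 10.0, 10.1]  # normal operation
LOAD_CHANGE = [12.0, 12.1, 11.9, 12.2, 12.0]  # benign: operator raised the load set-point
SPIKE = [30.0]                                 # genuinely abnormal reading
STREAM = BASELINE + LOAD_CHANGE + SPIKE
TRUE_ANOMALIES = {len(STREAM) - 1}             # ground truth: only the spike (index 15)

# "Targeted" rule: an indicator captured from a previously analysed incident.
# A never-seen-before (zero-day) event has no such indicator yet, so this
# rule only exists because the spike pattern was already characterised.
KNOWN_BAD_READINGS = {30.0}


def behavioral_alerts(stream, baseline, z_thresh=3.0):
    """Flag every index whose z-score against the baseline window exceeds z_thresh."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1e-9  # avoid division by zero on a flat baseline
    return [i for i, x in enumerate(stream) if abs(x - mu) / sigma > z_thresh]


def targeted_alerts(stream, signatures=KNOWN_BAD_READINGS):
    """Flag only readings that match a known indicator."""
    return [i for i, x in enumerate(stream) if x in signatures]


def score(alerts, truth=TRUE_ANOMALIES):
    """Count true and false positives for one detector's alert list."""
    hits = set(alerts)
    return {"tp": len(hits & truth), "fp": len(hits - truth)}


if __name__ == "__main__":
    # Baseline learned only from normal operation: the benign load change is flagged too.
    print("behavioral, stale baseline :", score(behavioral_alerts(STREAM, BASELINE)))
    # After the operator acknowledges the load change, the baseline is refreshed.
    print("behavioral, re-baselined   :", score(behavioral_alerts(STREAM, BASELINE + LOAD_CHANGE)))
    print("targeted (known indicator) :", score(targeted_alerts(STREAM)))
```

With the stale baseline the behavioral detector raises five false positives for the load change alongside the one true alert, while the re-baselined run and the targeted rule each report only the spike.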