Detecting anomalies in BACnet network data

Over the last few years, the volume of data carried by Building Automation System (BAS) networks has grown rapidly. Building networks now yield several kinds of data, such as traffic broken down by service type, by location within the building, and by time of day. As a consequence, data analysis must cope with large volumes of data with many variables, which makes it necessary to identify the variables that matter most. In this paper, we introduce a framework that characterizes BACnet network traffic data by means of machine learning techniques. The framework is based on unsupervised methods, specifically Principal Component Analysis (PCA) and clustering. Unsupervised methods are used because the volume of data that has to be taken into account rules out the manual labeling that supervised learning requires. We show the efficiency and effectiveness of the framework in detecting anomalies through experiments on several BACnet network traffic captures obtained with Wireshark, together with synthetically generated data.
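
The pipeline the abstract describes, as an added example that is not the paper's code: per-window BACnet feature rows (constructed inline here, standing in for counts aggregated from a Wireshark capture, e.g. by tallying `bacapp.confirmed_service` and `bacapp.unconfirmed_service` values per source and time window) are standardized, projected with PCA, clustered with k-means, and scored by their distance to the nearest large cluster centroid. The feature set, the one-minute window, the 10% minimum cluster size and the robust-z cutoff are assumptions chosen for illustration, and the two injected anomalies (a WriteProperty storm and a Who-Is sweep) are synthetic.

```python
"""Added example (not the paper's code): PCA + k-means anomaly detection on
per-window BACnet/IP traffic features. All data below is constructed inline;
only numpy is required."""
import numpy as np

# Assumed per-window features (one row per source device per minute).
FEATURES = ["ReadProperty", "WriteProperty", "Who-Is", "I-Am", "bytes", "distinct_dst"]


def constructed_windows(seed=0):
    """Return a (62 x 6) float matrix of constructed feature counts.
    Rows 0..59: normal BMS polling traffic. Row 60: a WriteProperty storm
    against a single device. Row 61: a Who-Is broadcast sweep that reaches
    many devices. Values are synthetic, in the spirit of the paper's synthetic data."""
    rng = np.random.default_rng(seed)
    normal = np.column_stack([
        rng.poisson(40, 60),          # ReadProperty requests per minute
        rng.poisson(2, 60),           # WriteProperty requests per minute
        rng.poisson(1, 60),           # Who-Is broadcasts per minute
        rng.poisson(1, 60),           # I-Am replies per minute
        rng.normal(9000, 800, 60),    # BACnet payload bytes per minute
        rng.poisson(8, 60) + 1,       # distinct destination devices
    ])
    write_storm = [3, 120, 0, 0, 14000, 1]    # many writes, one target
    whois_sweep = [0, 0, 90, 0, 5000, 40]     # discovery sweep across devices
    return np.vstack([normal, write_storm, whois_sweep]).astype(float)


def zscore(X):
    """Standardize columns so byte counts do not dominate request counts."""
    mu, sd = X.mean(axis=0), X.std(axis=0)
    sd[sd == 0] = 1.0                 # guard constant columns
    return (X - mu) / sd


def pca(Xz, n_components):
    """Project standardized data onto its top principal components (via SVD).
    Returns the projection and the fraction of variance each component explains."""
    _, s, vt = np.linalg.svd(Xz, full_matrices=False)
    explained = s ** 2 / np.sum(s ** 2)
    return Xz @ vt[:n_components].T, explained[:n_components]


def kmeans(Y, k, iters=100, seed=0):
    """Plain Lloyd's k-means with deterministic random initialization."""
    rng = np.random.default_rng(seed)
    centers = Y[rng.choice(len(Y), size=k, replace=False)]
    labels = np.zeros(len(Y), dtype=int)
    for _ in range(iters):
        d = np.linalg.norm(Y[:, None, :] - centers[None, :, :], axis=2)
        labels = d.argmin(axis=1)
        new = np.array([Y[labels == j].mean(axis=0) if np.any(labels == j) else centers[j]
                        for j in range(k)])
        if np.allclose(new, centers):
            break
        centers = new
    return labels, centers


def anomaly_scores(X, n_components=2, k=2, min_cluster_frac=0.10):
    """Score each window by its distance, in PC space, to the nearest centroid
    of a *large* cluster. Clusters holding fewer than min_cluster_frac of the
    rows are not trusted as 'normal', so an outlier that k-means isolates in a
    singleton cluster still scores high instead of sitting at distance 0."""
    Y, explained = pca(zscore(X), n_components)
    labels, centers = kmeans(Y, k)
    sizes = np.bincount(labels, minlength=k)
    big = centers[sizes >= min_cluster_frac * len(Y)]
    if len(big) == 0:                 # degenerate case: fall back to all centroids
        big = centers
    scores = np.linalg.norm(Y[:, None, :] - big[None, :, :], axis=2).min(axis=1)
    return scores.tolist(), explained.tolist()


def flag_anomalies(X, z_thresh=3.5, **kw):
    """Flag rows whose score is a robust outlier: median + z_thresh * MAD-sigma.
    Median/MAD are used because the outliers themselves inflate mean and std."""
    scores, explained = anomaly_scores(X, **kw)
    s = np.asarray(scores)
    med = np.median(s)
    mad = 1.4826 * np.median(np.abs(s - med))
    if mad == 0:
        mad = 1e-9
    flagged = np.where((s - med) / mad > z_thresh)[0].tolist()
    return flagged, scores, explained


if __name__ == "__main__":
    X = constructed_windows()
    flagged, scores, explained = flag_anomalies(X)
    print("variance explained by top PCs:", [round(e, 3) for e in explained])
    for i in flagged:
        print(f"window {i:2d}  score={scores[i]:6.2f}  features={X[i].astype(int).tolist()}")
```

Two practical caveats follow directly from the code. The standardization and the principal components are computed from the same data that contains the anomalies, so a single extreme window stretches the column scale and pulls a principal component toward itself; scoring against the median and MAD rather than mean and standard deviation keeps the threshold from being dragged along with it. Second, a flagged window is a deviation from the majority of traffic, not a confirmed attack: a legitimate commissioning session that writes many properties looks exactly like the write storm above, so flagged windows need the analyst's review that the paper's visualization work supports.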
