Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems

In smart buildings, physical components (e.g., controllers, sensors, and actuators) are interconnected and communicate with each other using network protocols such as BACnet. Many smart building networks are now connected to the Internet, enabling attackers to exploit vulnerabilities in critical buildings. Network monitoring is crucial to detect such attacks and allow building operators to react accordingly. In this paper, we propose an intrusion detection system for building automation networks that detects known and unknown attacks, as well as anomalous behavior. It does so by leveraging protocol knowledge and specific BACnet semantics: by using this information, the alerts raised by our system are meaningful and actionable. To validate our approach, we use a real-world dataset coming from the building network of a Dutch university, as well as a simulated dataset generated in our lab facilities.
