
Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems

Conference paper, published in Critical Information Infrastructures Security (CRITIS 2018)

Abstract

In smart buildings, physical components (e.g., controllers, sensors, and actuators) are interconnected and communicate with each other using network protocols such as BACnet. Many smart building networks are now connected to the Internet, enabling attackers to exploit vulnerabilities in critical buildings. Network monitoring is crucial to detect such attacks and allow building operators to react accordingly. In this paper, we propose an intrusion detection system for building automation networks that detects known and unknown attacks, as well as anomalous behavior. It does so by leveraging protocol knowledge and specific BACnet semantics: by using this information, the alerts raised by our system are meaningful and actionable. To validate our approach, we use a real-world dataset coming from the building network of a Dutch university, as well as a simulated dataset generated in our lab facilities.

Partially funded by EU-H2020-CITADEL (nr 700665), ITEA3-APPSTACLE (nr 15017), NWO-IDEA-ICS (nr 628.001.023) and NWO-SotJ (nr 628.013.001).


Notes

  1. See, e.g., https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/ and https://www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html.
  2. https://www.secmatters.com/product.
  3. https://wiki.wireshark.org/Protocols/bacnet.
  4. https://github.com/JoelBender/bacpypes.



Corresponding author: Davide Fauri.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Fauri, D., Kapsalakis, M., dos Santos, D.R., Costante, E., den Hartog, J., Etalle, S. (2019). Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems. In: Luiijf, E., Žutautaitė, I., Hämmerli, B. (eds) Critical Information Infrastructures Security. CRITIS 2018. Lecture Notes in Computer Science, vol 11260. Springer, Cham. https://doi.org/10.1007/978-3-030-05849-4_9


  • DOI: https://doi.org/10.1007/978-3-030-05849-4_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05848-7

  • Online ISBN: 978-3-030-05849-4

  • eBook Packages: Computer Science (R0)
