
Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks

  • Conference paper
  • Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)

Abstract

In smart buildings, cyber-physical components (e.g., controllers, sensors, and actuators) communicate with each other using network protocols such as BACnet. Many of these devices are now connected to the Internet, enabling attackers to exploit vulnerabilities in protocols and devices to attack buildings. Situational awareness and intrusion detection are thus critical to give operators a clear and dynamic picture of their network and to let them react to threats and attacks. Because smart buildings are relatively dynamic and heterogeneous environments, situational awareness further needs to adapt rapidly to the appearance of new devices and to provide enough context to understand a device's behavior. In this paper, we propose a novel approach to situational awareness that combines learning with knowledge of the roles a device can play. Specifically, we introduce a role-based situational awareness and intrusion detection system for monitoring BACnet building automation networks. The system discovers devices, classifies them according to functional roles, and detects deviations from the assigned roles. To validate our approach, we use a simulated dataset generated from a BACnet testbed as well as a real-world dataset from the building network of a Dutch university.
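The pipeline the abstract sketches (discover devices, assign functional roles, flag deviations from those roles), as an added example that is not the paper's code, method or dataset: a Python sketch that decodes the BVLC, NPDU and APDU headers of BACnet/IP frames far enough to recover the service and the target object type, infers a role per device from the services it sends during a learning window, and alerts when a device later sends a service outside its role or when an unknown device appears. The role names, the allowed-service table, the IP addresses and the frames themselves are assumptions constructed for illustration; only the byte layouts follow the BACnet standard (ASHRAE 135), and routed frames (NPDU with DNET/SNET) are deliberately rejected rather than parsed.

```python
"""Toy BACnet/IP role inference + role-deviation check (editor's added example; the roles,
allowed-service table, addresses and frames are assumptions, not the paper's method or data)."""
import struct
from collections import defaultdict

CONFIRMED = {12: "ReadProperty", 15: "WriteProperty"}        # service choices per ASHRAE 135
UNCONFIRMED = {0: "I-Am", 8: "Who-Is"}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 8: "device"}
ROLE_SERVICES = {                                             # services a role is expected to send (assumed)
    "field-device": {"I-Am", "Ack"},
    "monitor": {"I-Am", "Ack", "Who-Is", "ReadProperty"},
    "controller": {"I-Am", "Ack", "ReadProperty", "WriteProperty"},
    "supervisory": {"I-Am", "Ack", "Who-Is", "ReadProperty", "WriteProperty"},
}

def parse_bacnet_ip(pkt):
    """Walk BVLC -> NPDU -> APDU; return (service, target object type or None)."""
    if pkt[0] != 0x81 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("not a well-formed BVLC frame")
    npdu = pkt[4:]
    if npdu[0] != 0x01 or npdu[1] & 0x28:     # version 1 only; routed frames (DNET/SNET) not handled here
        raise ValueError("unsupported NPDU")
    apdu = npdu[2:]
    pdu_type = apdu[0] >> 4
    if pdu_type == 0x1:                       # Unconfirmed-Request: type, service choice
        return UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}"), None
    if pdu_type in (0x2, 0x3):                # Simple-ACK / Complex-ACK: type, invoke id, service
        return "Ack", None
    if pdu_type != 0x0:
        return f"pdu-type-{pdu_type}", None
    # Confirmed-Request: type/flags, max-segments/max-APDU, invoke id, service choice, parameters
    service, params, obj_type = CONFIRMED.get(apdu[3], f"confirmed-{apdu[3]}"), apdu[4:], None
    if service in CONFIRMED.values() and params[0] == 0x0C:   # context tag 0, len 4: object identifier
        oid = int.from_bytes(params[1:5], "big")
        obj_type = OBJECT_TYPES.get(oid >> 22, f"type-{oid >> 22}")
    return service, obj_type

def infer_roles(traffic):
    """Assign each sender a role from the set of services it sent during the learning window."""
    sent = defaultdict(set)
    for src, _dst, pkt in traffic:
        sent[src].add(parse_bacnet_ip(pkt)[0])
    roles = {}
    for dev, svc in sent.items():
        writes, discovers = "WriteProperty" in svc, "Who-Is" in svc
        roles[dev] = ("supervisory" if writes and discovers else "controller" if writes
                      else "monitor" if discovers or "ReadProperty" in svc else "field-device")
    return roles

def detect_deviations(roles, traffic):
    """Flag a sender using a service outside its role, and any sender unseen during learning."""
    alerts = []
    for src, dst, pkt in traffic:
        service, obj_type = parse_bacnet_ip(pkt)
        role = roles.get(src)
        if role is None:
            alerts.append(f"{src}: unknown device sent {service} to {dst}")
        elif service not in ROLE_SERVICES[role]:
            alerts.append(f"{src} ({role}) sent {service} on {obj_type} to {dst}")
    return alerts

# Constructed frames (not captured traffic): BVLC Original-Unicast/Broadcast, NPDU v1, unsegmented APDU.
def _bvlc(npdu, broadcast=False):
    return bytes([0x81, 0x0B if broadcast else 0x0A]) + (4 + len(npdu)).to_bytes(2, "big") + npdu
def who_is():
    return _bvlc(bytes([0x01, 0x00, 0x10, 0x08]), True)
def i_am(instance):                            # device object id, max APDU 1476, no segmentation, vendor 15
    oid = ((8 << 22) | instance).to_bytes(4, "big")
    return _bvlc(bytes([0x01, 0x00, 0x10, 0x00, 0xC4]) + oid + bytes([0x22, 0x05, 0xC4, 0x91, 0x03, 0x21, 0x0F]), True)
def read_property(obj_type, instance, invoke=1):          # property 85 = present-value
    oid = ((obj_type << 22) | instance).to_bytes(4, "big")
    return _bvlc(bytes([0x01, 0x04, 0x00, 0x05, invoke, 0x0C, 0x0C]) + oid + bytes([0x19, 0x55]))
def write_property(obj_type, instance, value, invoke=1):  # REAL value at priority 16
    oid = ((obj_type << 22) | instance).to_bytes(4, "big")
    return _bvlc(bytes([0x01, 0x04, 0x00, 0x05, invoke, 0x0F, 0x0C]) + oid
                 + bytes([0x19, 0x55, 0x3E, 0x44]) + struct.pack(">f", value) + bytes([0x3F, 0x49, 0x10]))
def complex_ack(value=21.5, invoke=1):         # ReadProperty-ACK for analog-input 1 present-value
    return _bvlc(bytes([0x01, 0x00, 0x30, invoke, 0x0C, 0x0C, 0, 0, 0, 1, 0x19, 0x55, 0x3E, 0x44])
                 + struct.pack(">f", value) + b"\x3F")

BMS, AHU, T1, VAV = "10.0.0.10", "10.0.0.20", "10.0.0.31", "10.0.0.32"   # assumed addresses
BASELINE = [                                                              # learning window
    (BMS, "10.0.0.255", who_is()),
    (AHU, "10.0.0.255", i_am(2001)), (T1, "10.0.0.255", i_am(3001)), (VAV, "10.0.0.255", i_am(3002)),
    (BMS, T1, read_property(0, 1)), (T1, BMS, complex_ack()),
    (AHU, T1, read_property(0, 1)), (T1, AHU, complex_ack()),
    (AHU, VAV, write_property(1, 1, 55.0)),                                # controller drives an output
]
LIVE = BASELINE[:1] + [(T1, VAV, write_property(1, 1, 100.0)),            # a sensor suddenly writes
                       ("10.0.0.99", T1, read_property(0, 1))]            # never seen while learning

def run():
    roles = infer_roles(BASELINE)
    return roles, detect_deviations(roles, LIVE)

if __name__ == "__main__":
    print(*run(), sep="\n")
```

Running it classifies the workstation as a monitor, the AHU controller as a controller and the two sensors as field devices, then raises two alerts on the live window: the temperature sensor issuing a WriteProperty to an analog-output, and a ReadProperty from an address that never appeared during learning. A real deployment would learn over far longer windows, track per-object rather than per-service behaviour, and handle routed and segmented frames; the point here is only that a role turns a bare "new service seen" anomaly into a statement an operator can act on.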




Author information

Corresponding author: Davide Fauri


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Fauri, D., Kapsalakis, M., dos Santos, D.R., Costante, E., den Hartog, J., Etalle, S. (2019). Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_22


  • DOI: https://doi.org/10.1007/978-3-030-22038-9_22


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9
