105 research outputs found
Anomaly Detection in BACnet/IP managed Building Automation Systems
Building Automation Systems (BAS) are a collection of devices and software which manage the operation of building services. The BAS market is expected to be a $19.25 billion USD industry by 2023, as a core feature of both the Internet of Things and Smart City technologies. However, securing these systems from cyber security threats is an emerging research area. Since initial deployment, BAS have evolved from isolated standalone networks to heterogeneous, interconnected networks allowing external connectivity through the Internet. The most prominent BAS protocol is BACnet/IP, which is estimated to hold 54.6% of world market share. BACnet/IP security features are often not implemented in BAS deployments, leaving systems unprotected against known network threats. This research investigated methods of detecting anomalous network traffic in BACnet/IP managed BAS in an effort to combat threats posed to these systems.
This research explored the threats facing BACnet/IP devices, through analysis of Internet accessible BACnet devices, vendor-defined device specifications, investigation of the BACnet specification, and known network attacks identified in the surrounding literature. The collected data were used to construct a threat matrix, which was applied to models of BACnet devices to evaluate potential exposure. Further, two potential unknown vulnerabilities were identified and explored using state modelling and device simulation.
A simulation environment and attack framework were constructed to generate both normal and malicious network traffic to explore the application of machine learning algorithms to identify both known and unknown network anomalies. To identify network patterns between the generated normal and malicious network traffic, unsupervised clustering, graph analysis with an unsupervised community detection algorithm, and time series analysis were used. The explored methods identified distinguishable network patterns for frequency-based known network attacks when compared to normal network traffic. However, as stand-alone methods for anomaly detection, these methods were found insufficient. Subsequently, Artificial Neural Networks and Hidden Markov Models were explored and found capable of detecting known network attacks. Further, Hidden Markov Models were also capable of detecting unknown network attacks in the generated datasets.
The classification accuracy of the Hidden Markov Models was evaluated using the Matthews Correlation Coefficient which accounts for imbalanced class sizes and assess both positive and negative classification ability for deriving its metric. The Hidden Markov Models were found capable of repeatedly detecting both known and unknown BACnet/IP attacks with True Positive Rates greater than 0.99 and Matthews Correlation Coefficients greater than 0.8 for five of six evaluated hosts.
This research identified and evaluated a range of methods capable of identifying anomalies in simulated BACnet/IP network traffic. Further, this research found that Hidden Markov Models were accurate at classifying both known and unknown attacks in the evaluated BACnet/IP managed BAS network
A critical review of cyber-physical security for building automation systems
Modern Building Automation Systems (BASs), as the brain that enables the
smartness of a smart building, often require increased connectivity both among
system components as well as with outside entities, such as optimized
automation via outsourced cloud analytics and increased building-grid
integrations. However, increased connectivity and accessibility come with
increased cyber security threats. BASs were historically developed as closed
environments with limited cyber-security considerations. As a result, BASs in
many buildings are vulnerable to cyber-attacks that may cause adverse
consequences, such as occupant discomfort, excessive energy usage, and
unexpected equipment downtime. Therefore, there is a strong need to advance the
state-of-the-art in cyber-physical security for BASs and provide practical
solutions for attack mitigation in buildings. However, an inclusive and
systematic review of BAS vulnerabilities, potential cyber-attacks with impact
assessment, detection & defense approaches, and cyber-secure resilient control
strategies is currently lacking in the literature. This review paper fills the
gap by providing a comprehensive up-to-date review of cyber-physical security
for BASs at three levels in commercial buildings: management level, automation
level, and field level. The general BASs vulnerabilities and protocol-specific
vulnerabilities for the four dominant BAS protocols are reviewed, followed by a
discussion on four attack targets and seven potential attack scenarios. The
impact of cyber-attacks on BASs is summarized as signal corruption, signal
delaying, and signal blocking. The typical cyber-attack detection and defense
approaches are identified at the three levels. Cyber-secure resilient control
strategies for BASs under attack are categorized into passive and active
resilient control schemes. Open challenges and future opportunities are finally
discussed.Comment: 38 pages, 7 figures, 6 tables, submitted to Annual Reviews in Contro
NETWORK TRAFFIC CHARACTERIZATION AND INTRUSION DETECTION IN BUILDING AUTOMATION SYSTEMS
The goal of this research was threefold: (1) to learn the operational trends and behaviors of a realworld building automation system (BAS) network for creating building device models to detect anomalous behaviors and attacks, (2) to design a framework for evaluating BA device security from both the device and network perspectives, and (3) to leverage new sources of building automation device documentation for developing robust network security rules for BAS intrusion detection systems (IDSs). These goals were achieved in three phases, first through the detailed longitudinal study and characterization of a real university campus building automation network (BAN) and with the application of machine learning techniques on field level traffic for anomaly detection. Next, through the systematization of literature in the BAS security domain to analyze cross protocol device vulnerabilities, attacks, and defenses for uncovering research gaps as the foundational basis of our proposed BA device security evaluation framework. Then, to evaluate our proposed framework the largest multiprotocol BAS testbed discussed in the literature was built and several side-channel vulnerabilities and software/firmware shortcomings were exposed. Finally, through the development of a semi-automated specification gathering, device documentation extracting, IDS rule generating framework that leveraged PICS files and BIM models.Ph.D
Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things
It is critical to secure the Industrial Internet of Things (IIoT) devices
because of potentially devastating consequences in case of an attack. Machine
learning and big data analytics are the two powerful leverages for analyzing
and securing the Internet of Things (IoT) technology. By extension, these
techniques can help improve the security of the IIoT systems as well. In this
paper, we first present common IIoT protocols and their associated
vulnerabilities. Then, we run a cyber-vulnerability assessment and discuss the
utilization of machine learning in countering these susceptibilities. Following
that, a literature review of the available intrusion detection solutions using
machine learning models is presented. Finally, we discuss our case study, which
includes details of a real-world testbed that we have built to conduct
cyber-attacks and to design an intrusion detection system (IDS). We deploy
backdoor, command injection, and Structured Query Language (SQL) injection
attacks against the system and demonstrate how a machine learning based anomaly
detection system can perform well in detecting these attacks. We have evaluated
the performance through representative metrics to have a fair point of view on
the effectiveness of the methods
A spatio-temporal entropy-based approach for the analysis of cyber attacks (demo paper)
Computer networks are ubiquitous systems growing exponentially with a predicted 50 billion devices connected by 2050. This dramatically increases the potential attack surface of Internet networks. A key issue in cyber defense is to detect, categorize and identify these attacks, the way they are propagated and their potential impacts on the systems affected. The research presented in this paper models cyber attacks at large by considering the Internet as a complex system in which attacks are propagated over a network. We model an attack as a path from a source to a target, and where each attack is categorized according to its intention. We setup an experimental testbed with the concept of honeypot that evaluates the spatiotemporal distribution of these Internet attacks. The preliminary results show a series of patterns in space and time that illustrate the potential of the approach, and how cyber attacks can be categorized according to the concept and measure of entropy
DETECTION OF SYNTHETIC ANOMALIES ON AN EXPERIMENTALLY GENERATED 5G DATA SET USING CONVOLUTIONAL NEURAL NETWORKS
The research microgrid currently deployed at Marine Corps Air Station, Miramar, is leveraging Verizon’s Non-Standalone (NSA) 5G communications network to provide connectivity between dispersed energy assets and the energy and water operations center (EWOC). Due to its anchor to the Verizon 4G/LTE core, the NSA network does not provide technological avenues for cyber anomaly detection. In this research, we developed a traffic anomaly detection model using supervised machine learning for the energy communication infrastructure at Miramar. We developed a preliminary cyber anomaly detection platform using a convolutional neural network (CNN). We experimentally generated a benign 5G data set using the AT&T 5G cellular tower at the NPS SLAMR facility. We injected synthetic anomalies within the data set to test the CNN and its effectiveness at classifying packets as anomalous or benign. Data sets with varying amounts of anomalous data, ranging from 10% to 50%, were created. Accuracy, precision, and recall were used as performance metrics. Our experiments, conducted with Python and TensorFlow, showed that while the CNN did not perform its best on the data sets generated, it has the potential to work well with a more balanced data set that is large enough to host more anomalous traffic.ONRLieutenant, United States NavyApproved for public release. Distribution is unlimited
Cybersecurity of Industrial Cyber-Physical Systems: A Review
Industrial cyber-physical systems (ICPSs) manage critical infrastructures by
controlling the processes based on the "physics" data gathered by edge sensor
networks. Recent innovations in ubiquitous computing and communication
technologies have prompted the rapid integration of highly interconnected
systems to ICPSs. Hence, the "security by obscurity" principle provided by
air-gapping is no longer followed. As the interconnectivity in ICPSs increases,
so does the attack surface. Industrial vulnerability assessment reports have
shown that a variety of new vulnerabilities have occurred due to this
transition while the most common ones are related to weak boundary protection.
Although there are existing surveys in this context, very little is mentioned
regarding these reports. This paper bridges this gap by defining and reviewing
ICPSs from a cybersecurity perspective. In particular, multi-dimensional
adaptive attack taxonomy is presented and utilized for evaluating real-life
ICPS cyber incidents. We also identify the general shortcomings and highlight
the points that cause a gap in existing literature while defining future
research directions.Comment: 32 pages, 10 figure
- …