    Machine Learning Methods for Anomaly Detection in BACnet Networks

    In recent years, the volume and complexity of data in Building Automation System networks have increased exponentially. As a result, manual analysis of network traffic data has become nearly impossible. Even automated but supervised methods are problematic in practice, since the large amount of data makes the manual labeling required to train the algorithms to differentiate between normal traffic and anomalies impractical. This paper introduces a framework which allows the characterization of BACnet network traffic data by means of unsupervised machine learning techniques. Specifically, we use clustering, random forests, one-class support vector machines and a support vector classifier, after a pre-processing step that includes principal component analysis for dimensionality reduction. We compare the effectiveness of the methods in detecting anomalies by performing experiments on BACnet network traffic data from various sources. We describe which of these unsupervised methods work best in specific scenarios, since each method has its distinct advantages and disadvantages. In particular, we discuss which method is best suited to detect new types of anomalies (novelty detection), and which method most reliably and efficiently finds new attacks of a type that has been captured in the data previously.

    Visualizing BACnet Data to Facilitate Humans in Building-Security Decision-Making

    Building automation systems (BAS) are interlinked networks of hardware and software which monitor and control events in buildings. One of the data communication protocols used in BAS is the Building Automation and Control networking protocol (BACnet), an internationally adopted ISO standard for communication between BAS devices. Although BAS focus on providing safety for inhabitants, decreasing the energy consumption of buildings and reducing their operational cost, their security suffers due to the inherent complexity of modern-day systems. Effective monitoring of a BAS presents a significant challenge, i.e., BAS operators generally possess only partial situation awareness. Especially in large and interconnected buildings, operators face the challenge of spotting meaningful incidents within large amounts of simultaneously occurring events, causing anomalies in the BAS network to go unobserved. In this paper, we present techniques to analyze and visualize data for several events from BAS devices in a way that determines the potential importance of such unusual events and helps with building-security decision making. We implemented these techniques as a mobile (Android) application for displaying application data and as tools to analyze communication flows using directed graphs.

    Securing BACnet's pitfalls

    Building Automation Systems (BAS) are crucial for monitoring and controlling buildings, ranging from small homes to critical infrastructure such as airports or military facilities. A major concern in this context is the security of BAS communication protocols and devices. The building automation and control networking protocol (BACnet) is integrated into products of more than 800 vendors worldwide. However, BACnet devices are vulnerable to attacks. We present a novel solution for the two most important BACnet layers, i.e. those independent of the data link layer technology, namely the network and the application layer. We provide the first implementation and evaluation of traffic normalization for BAS traffic. Our proof-of-concept code is based on the open source software Snort.

    Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol

    Specification-based intrusion detection (SB-ID) is a suitable approach to monitor Building Automation Systems (BASs) because the correct and non-compromised functioning of the system is well understood. Its main drawback is that the creation of specifications often requires human intervention. We present the first fully automated approach to deploy SB-ID at the network level. We do so in the domain of BASs, specifically the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are required to have technical documentation stating their capabilities. We leverage those documents to create specifications that represent the expected behavior of each device in the network. Automated specification extraction is crucial to effectively apply SB-ID in volatile environments such as BACnet networks, where new devices are often added, removed, or replaced. In our experiments, the proposed algorithm creates specifications with both precision and recall above 99.5%. Finally, we evaluate the capabilities of our detection approach using two months (80 GB) of BACnet traffic from a real BAS. Additionally, we use synthetic traffic to demonstrate attack detection in a controlled environment. We show that our approach not only contributes to the practical feasibility of SB-ID in BASs, but also detects stealthy and dangerous attacks.