DOI: 10.1145/3140241.3140244
Research article
Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol

Published: 03 November 2017

Abstract

Specification-based intrusion detection (SB-ID) is a suitable approach for monitoring Building Automation Systems (BASs) because the correct, non-compromised functioning of such a system is well understood. Its main drawback is that creating specifications often requires human intervention. We present the first fully automated approach to deploying SB-ID at the network level. We do so in the domain of BASs, specifically the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are required to have technical documentation stating their capabilities. We leverage those documents to create specifications that represent the expected behavior of each device in the network. Automated specification extraction is crucial to effectively apply SB-ID in volatile environments such as BACnet networks, where new devices are often added, removed, or replaced. In our experiments, the proposed algorithm creates specifications with both precision and recall above 99.5%. Finally, we evaluate the capabilities of our detection approach using two months (80 GB) of BACnet traffic from a real BAS. Additionally, we use synthetic traffic to demonstrate attack detection in a controlled environment. We show that our approach not only contributes to the practical feasibility of SB-ID in BASs, but also detects stealthy and dangerous attacks.
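To make the idea in the abstract concrete, here is an added example (not the paper's code, and not its extraction algorithm) of specification-based detection at the network level: a per-device specification of supported services and object types is extracted from a simplified, constructed PICS-like excerpt, and each observed message is checked against the specification of the device it targets. The document format, the device names, the `Message` tuple and the sample traffic are all assumptions constructed for the illustration; real BACnet conformance statements and decoded APDUs look different.

```python
"""Toy specification-based intrusion detection for BACnet-style traffic.

Added illustration, not the paper's implementation. The PICS-like document
format, the device names and the message shape are constructed here.
"""
import re
from dataclasses import dataclass, field

# Constructed PICS-like excerpts (hypothetical devices, not vendor documents).
PICS_DOCS = {
    "VAV-101": """
    Device: VAV-101
    BACnet Standard Services Supported:
      ReadProperty (Execute)
      WriteProperty (Execute)
      SubscribeCOV (Execute)
    Standard Object Types Supported:
      analog-input, analog-value, binary-output, device
    """,
    "AHU-7": """
    Device: AHU-7
    BACnet Standard Services Supported:
      ReadProperty (Execute)
      ReadPropertyMultiple (Execute)
      ReinitializeDevice (Execute)
    Standard Object Types Supported:
      analog-input, analog-output, device, schedule
    """,
}


@dataclass
class DeviceSpec:
    """Expected behaviour of one device: what it executes and what it exposes."""
    name: str
    services: set = field(default_factory=set)      # lower-cased service names
    object_types: set = field(default_factory=set)  # object type names


def parse_pics(text):
    """Extract executed services and supported object types from an excerpt."""
    name = re.search(r"Device:\s*(\S+)", text).group(1)
    spec = DeviceSpec(name)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Device:"):
            continue
        if line.endswith("Services Supported:"):
            section = "services"
            continue
        if line.endswith("Object Types Supported:"):
            section = "objects"
            continue
        if section == "services":
            # Only services the device *executes* (responds to) are expected
            # as requests addressed to it.
            m = re.match(r"([A-Za-z]+)\s*\((Execute|Initiate)\)", line)
            if m and m.group(2) == "Execute":
                spec.services.add(m.group(1).lower())
        elif section == "objects":
            spec.object_types.update(t.strip() for t in line.split(","))
    return spec


def build_specs():
    """One DeviceSpec per documented device, keyed by device name."""
    return {n: parse_pics(t) for n, t in PICS_DOCS.items()}


@dataclass(frozen=True)
class Message:
    """Simplified observed request (constructed shape, not a decoded APDU)."""
    src: str
    dst: str          # name of the device the request is addressed to
    service: str      # confirmed service name, lower-cased
    object_type: str  # object type the request touches


def check(msg, specs):
    """Return None if msg conforms to the destination's spec, else an alert."""
    spec = specs.get(msg.dst)
    if spec is None:
        return f"unknown device {msg.dst}"
    if msg.service not in spec.services:
        return f"{msg.dst} does not execute {msg.service}"
    if msg.object_type not in spec.object_types:
        return f"{msg.dst} has no {msg.object_type} objects"
    return None


def detect(messages, specs):
    """Return (message, alert) pairs for every message that violates a spec."""
    return [(m, a) for m in messages if (a := check(m, specs))]


# Constructed sample traffic: two conforming requests and three deviations.
SAMPLE_TRAFFIC = [
    Message("BMS", "VAV-101", "readproperty", "analog-input"),
    Message("BMS", "AHU-7", "readpropertymultiple", "analog-output"),
    Message("laptop", "VAV-101", "reinitializedevice", "device"),
    Message("BMS", "VAV-101", "readproperty", "schedule"),
    Message("BMS", "CHILLER-2", "readproperty", "device"),
]

if __name__ == "__main__":
    for m, alert in detect(SAMPLE_TRAFFIC, build_specs()):
        print(f"{m.src} -> {m.dst} {m.service}/{m.object_type}: {alert}")
```

Because the specification says what each device is documented to do rather than what traffic has been seen before, a request for a service the device never executes stands out even when it is a single, well-formed packet; the price, as the abstract notes, is keeping the specifications current as devices are added or replaced, which is what automated extraction from the documents buys.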


Cited By

  • (2024) Introducing Security Mechanisms in OpenFog-Compliant Smart Buildings. Electronics 13(15), 2900. https://doi.org/10.3390/electronics13152900. Online publication date: 23 Jul 2024.
  • (2024) Emulation and detection of physical faults and cyber-attacks on building energy systems through real-time hardware-in-the-loop experiments. Energy and Buildings, 114596. https://doi.org/10.1016/j.enbuild.2024.114596. Online publication date: Jul 2024.
  • (2023) A critical review of cyber-physical security for building automation systems. Annual Reviews in Control 55, 237--254. https://doi.org/10.1016/j.arcontrol.2023.02.004. Online publication date: 2023.
  • (2022) A Comprehensive Survey of Security Issues of Smart Home System: "Spear" and "Shields," Theory and Practice. IEEE Access 10, 124167--124192. https://doi.org/10.1109/ACCESS.2022.3224806. Online publication date: 2022.
  • (2022) Security of Building Automation and Control Systems. Computers and Security 112(C). https://doi.org/10.1016/j.cose.2021.102527. Online publication date: 3 Jan 2022.
  • (2021) You Make Me Tremble: A First Look at Attacks Against Structural Control Systems. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 1320--1337. https://doi.org/10.1145/3460120.3485386. Online publication date: 12 Nov 2021.
  • (2021) Behavioural Intrusion Detection for Wireless Sensor Networks. 2021 IEEE 30th International Symposium on Industrial Electronics (ISIE), 01--06. https://doi.org/10.1109/ISIE45552.2021.9576349. Online publication date: 20 Jun 2021.
  • (2020) SAIDuCANT: Specification-Based Automotive Intrusion Detection Using Controller Area Network (CAN) Timing. IEEE Transactions on Vehicular Technology 69(2), 1484--1494. https://doi.org/10.1109/TVT.2019.2961344. Online publication date: Feb 2020.
  • (2020) Putting Attacks in Context: A Building Automation Testbed for Impact Assessment from the Victim's Perspective. Detection of Intrusions and Malware, and Vulnerability Assessment, 44--64. https://doi.org/10.1007/978-3-030-52683-2_3. Online publication date: 7 Jul 2020.
  • (2019) Current cyber-defense trends in industrial control systems. Computers and Security 87(C). https://doi.org/10.1016/j.cose.2019.06.015. Online publication date: 1 Nov 2019.

      Published In

      CPS '17: Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy
      November 2017, 146 pages
      ISBN: 9781450353946
      DOI: 10.1145/3140241
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. automatic specification extraction
      2. bacnet
      3. building automation systems security
      4. specification-based intrusion detection


      Funding Sources

      • Costa Rica Institute of Technology

      Conference

      CCS '17

      Acceptance Rates

      CPS '17 Paper Acceptance Rate 8 of 10 submissions, 80%;
      Overall Acceptance Rate 53 of 66 submissions, 80%

      Article Metrics

      • Downloads (last 12 months): 29
      • Downloads (last 6 weeks): 4
      Reflects downloads up to 19 Nov 2024

