TY - GEN
T1 - Automatic deployment of specification-based intrusion detection in the BACnet Protocol
AU - Esquivel-Vargas, Herson
AU - Caselli, Marco
AU - Peter, Andreas
N1 - Publisher Copyright:
© 2017 ACM.
PY - 2017/11/3
Y1 - 2017/11/3
AB - Specification-based intrusion detection (SB-ID) is a suitable approach to monitor Building Automation Systems (BASs) because the correct and non-compromised functioning of the system is well understood. Its main drawback is that the creation of specifications often requires human intervention. We present the first fully automated approach to deploy SB-ID at the network level. We do so in the domain of BASs, specifically, the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are required to have technical documentation stating their capabilities. We leverage those documents to create specifications that represent the expected behavior of each device in the network. Automated specification extraction is crucial to effectively apply SB-ID in volatile environments such as BACnet networks, where new devices are often added, removed, or replaced. In our experiments, the proposed algorithm creates specifications with both precision and recall above 99.5%. Finally, we evaluate the capabilities of our detection approach using two months (80GB) of BACnet traffic from a real BAS. Additionally, we use synthetic traffic to demonstrate attack detection in a controlled environment. We show that our approach not only contributes to the practical feasibility of SB-ID in BASs, but also detects stealthy and dangerous attacks.
KW - Automatic specification extraction
KW - BACnet
KW - Building automation systems security
KW - Specification-based intrusion detection
UR - http://www.scopus.com/inward/record.url?scp=85037101762&partnerID=8YFLogxK
U2 - 10.1145/3140241.3140244
DO - 10.1145/3140241.3140244
M3 - Conference contribution
AN - SCOPUS:85037101762
T3 - CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017
SP - 25
EP - 36
BT - CPS-SPC 2017 - Proceedings of the 2017 Workshop on Cyber-Physical Systems Security and PrivaCy, co-located with CCS 2017
PB - Association for Computing Machinery, Inc
T2 - 3rd ACM Workshop on Cyber-Physical Systems Security and PrivaCy, CPS-SPC 2017
Y2 - 3 November 2017
ER -
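The abstract above describes deriving a per-device specification (the services and object types a BACnet device declares it supports) from its conformance documentation and flagging traffic that falls outside it. The following Python is an added illustration of that detection step and is not code from the paper or its authors: it assumes the specification-extraction step has already been done and hand-writes two constructed device specifications, then checks constructed, already-parsed BACnet requests against them. The device instance numbers, addresses and the `BacnetRequest` field layout are assumptions for the example; the BACnet service and object-type names are standard ones.

```python
"""Specification-based checking of BACnet requests (illustrative example)."""
from dataclasses import dataclass
from typing import Optional

# Assumed output of specification extraction: for each device instance, the
# services and object types its conformance documentation declares.
# Constructed for this example, not taken from any real device document.
DEVICE_SPECS = {
    1001: {  # a read-only sensor node (assumed)
        "services": {"ReadProperty", "ReadPropertyMultiple", "Who-Is", "I-Am"},
        "object_types": {"device", "analog-input"},
    },
    2002: {  # a controller that accepts writes and reinitialization (assumed)
        "services": {"ReadProperty", "WriteProperty", "ReinitializeDevice",
                     "Who-Is", "I-Am"},
        "object_types": {"device", "analog-output", "binary-output"},
    },
}


@dataclass(frozen=True)
class BacnetRequest:
    """Minimal parsed view of one request: who sent it, which device instance
    it targets, which service it invokes and, for property services, which
    object type it references. Parsing the APDU itself is out of scope here."""
    src: str
    dst_device: int
    service: str
    object_type: Optional[str] = None


def check_request(req: BacnetRequest, specs=DEVICE_SPECS) -> Optional[str]:
    """Return an alert string if the request is outside the target device's
    specification, or None if the device's documentation allows it."""
    spec = specs.get(req.dst_device)
    if spec is None:
        # A device with no specification is itself a deviation in a
        # specification-based setup: nothing is known to be expected of it.
        return f"no specification for device {req.dst_device} (request from {req.src})"
    if req.service not in spec["services"]:
        return (f"device {req.dst_device} does not support {req.service} "
                f"(request from {req.src})")
    if req.object_type is not None and req.object_type not in spec["object_types"]:
        return (f"device {req.dst_device} has no {req.object_type} objects; "
                f"{req.service} from {req.src} references one")
    return None


def run_detection(requests, specs=DEVICE_SPECS) -> list:
    """Run every request through the checker and collect the alerts."""
    return [alert for alert in (check_request(r, specs) for r in requests) if alert]


# Constructed sample traffic: two in-spec requests followed by four deviations.
SAMPLE_TRAFFIC = [
    BacnetRequest("10.0.0.5", 1001, "ReadProperty", "analog-input"),      # in spec
    BacnetRequest("10.0.0.5", 2002, "WriteProperty", "analog-output"),    # in spec
    BacnetRequest("10.0.0.99", 1001, "WriteProperty", "analog-input"),    # sensor is read-only
    BacnetRequest("10.0.0.99", 1001, "ReinitializeDevice"),              # unsupported service
    BacnetRequest("10.0.0.5", 2002, "ReadProperty", "binary-input"),      # object type not present
    BacnetRequest("10.0.0.99", 3003, "ReadProperty", "device"),           # unknown device
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_TRAFFIC):
        print("ALERT:", alert)
```

Note what this kind of specification can and cannot catch: a WriteProperty or ReinitializeDevice aimed at a device that never declared those services is a clean violation, but the same request sent to device 2002, which legitimately supports both, is within its specification and would need a different check (for example, on which sources are allowed to issue it). The paper's contribution is producing `DEVICE_SPECS` automatically from each device's documentation so that the table stays current as devices are added or replaced; the checking logic itself is the simple part.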