Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol

Abstract: Specification-based intrusion detection (SB-ID) is a suitable approach to monitor Building Automation Systems (BASs) because the correct and non-compromised functioning of the system is well understood. Its main drawback is that the creation of specifications often require human intervention. We present the first fully automated approach to deploy SB-ID at network level. We do so in the domain of BASs, specifically, the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are demanded to… Show more

“…Larson et al in [29] employ the CAN protocol version 2 and the CANOpen application layer draft standard 3.01 as specification source to extract the expected behaviour of electronic control unit of an in-vehicle network. Also, Esquivel-Vargas et al in [30] exploit the Building Automation and Control Networks (BACnet) protocol as specification source to depict the normal behaviour of each device in the BACnet network.…”

“…2) Automatic: Efforts have been made in recent years to extract the correct system behaviour from the specification source automatically [30], [34], [28]. Esquivel-Vargas et al in [30] made the first attempt to extract specification automatically.…”

“…2) Automatic: Efforts have been made in recent years to extract the correct system behaviour from the specification source automatically [30], [34], [28]. Esquivel-Vargas et al in [30] made the first attempt to extract specification automatically. In this work, they implement automated specification extraction in two steps: a subset of the devices capabilities is observed in the network traffic; and based on this observation, an algorithm is used to extract all the devices capabilities from the specification source.…”

“…Similarly, the security specifications of DNP3 protocol have been modelled as a parser and integrated into Bro by Lin et al in [16], [17]. And Esquivel-Vargas et al in [30] use Bro for specification modelling of the automatically extracted correct system behaviour.…”

“…2) Centralised Detector Placement: Centralised detector placement refers to the detector placement where the detector is located at a centralised component, for example, a dedicated host or a network router. This is the strategy employed by most of the survey works [18], [27], [16], [30], [28], [35], [17], [24], [25], [36]. Even though the use of centralised detector placement creates a single point of failure, the ease of its implementation is responsible for its prevalence.…”

A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

“…Larson et al in [29] employ the CAN protocol version 2 and the CANOpen application layer draft standard 3.01 as specification source to extract the expected behaviour of electronic control unit of an in-vehicle network. Also, Esquivel-Vargas et al in [30] exploit the Building Automation and Control Networks (BACnet) protocol as specification source to depict the normal behaviour of each device in the BACnet network.…”

“…2) Automatic: Efforts have been made in recent years to extract the correct system behaviour from the specification source automatically [30], [34], [28]. Esquivel-Vargas et al in [30] made the first attempt to extract specification automatically.…”

“…2) Automatic: Efforts have been made in recent years to extract the correct system behaviour from the specification source automatically [30], [34], [28]. Esquivel-Vargas et al in [30] made the first attempt to extract specification automatically. In this work, they implement automated specification extraction in two steps: a subset of the devices capabilities is observed in the network traffic; and based on this observation, an algorithm is used to extract all the devices capabilities from the specification source.…”

“…Similarly, the security specifications of DNP3 protocol have been modelled as a parser and integrated into Bro by Lin et al in [16], [17]. And Esquivel-Vargas et al in [30] use Bro for specification modelling of the automatically extracted correct system behaviour.…”

“…2) Centralised Detector Placement: Centralised detector placement refers to the detector placement where the detector is located at a centralised component, for example, a dedicated host or a network router. This is the strategy employed by most of the survey works [18], [27], [16], [30], [28], [35], [17], [24], [25], [36]. Even though the use of centralised detector placement creates a single point of failure, the ease of its implementation is responsible for its prevalence.…”

A Survey of Specification-based Intrusion Detection Techniques for Cyber-Physical Systems

Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems

Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks