Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems

  • Davide FauriEmail author
  • Michail Kapsalakis
  • Daniel Ricardo dos Santos
  • Elisa Costante
  • Jerry den Hartog
  • Sandro Etalle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11260)


In smart buildings, physical components (e.g., controllers, sensors, and actuators) are interconnected and communicate with each other using network protocols such as BACnet. Many smart building networks are now connected to the Internet, enabling attackers to exploit vulnerabilities in critical buildings. Network monitoring is crucial to detect such attacks and allow building operators to react accordingly. In this paper, we propose an intrusion detection system for building automation networks that detects known and unknown attacks, as well as anomalous behavior. It does so by leveraging protocol knowledge and specific BACnet semantics: by using this information, the alerts raised by our system are meaningful and actionable. To validate our approach, we use a real-world dataset coming from the building network of a Dutch university, as well as a simulated dataset generated in our lab facilities.


  1. 1.
    ASHRAE: BACnet - a data communication protocol for building automation and control networks. Standard (2016)Google Scholar
  2. 2.
    Caselli, M., Zambon, E., Amann, J., Sommer, R., Kargl, F.: Specification mining for intrusion detection in networked control systems. In: Proceedings of USENIX Security (2016)Google Scholar
  3. 3.
    Costante, E., den Hartog, J., Petković, M., Etalle, S., Pechenizkiy, M.: A white-box anomaly-based framework for database leakage detection. JISA 32, 27–46 (2017)Google Scholar
  4. 4.
    Domingues, P., Carreira, P., Vieira, R., Kastner, W.: Building automation systems: concepts and technology review. Comput. Stand. Interfaces 45(Suppl. C), 1–12 (2016)CrossRefGoogle Scholar
  5. 5.
    Esquivel-Vargas, H., Caselli, M., Peter, A.: Automatic deployment of specification-based intrusion detection in the BACnet protocol. In: Proceedings of CPS-SPC (2017)Google Scholar
  6. 6.
    Etalle, S.: From intrusion detection to software design. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017, Part I. LNCS, vol. 10492, pp. 1–10. Springer, Cham (2017). Scholar
  7. 7.
    Fauri, D., dos Santos, D., Costante, E., den Hartog, J., Etalle, S., Tonetta, S.: From system specification to anomaly detection (and back). In: CPS-SPC (2017)Google Scholar
  8. 8.
    Hersent, O., Boswarthick, D., Elloumi, O.: The Internet of Things: Key Applications and Protocols. John Wiley & Sons, Chichester (2011)CrossRefGoogle Scholar
  9. 9.
    Holmberg, D.: BACnet wide area network security threat assessment. Technical report, NIST (2003)Google Scholar
  10. 10.
    Holmberg, D.: Using the BACnet firewall router. ASHRAE J. 48(11), B10–B14 (2006)Google Scholar
  11. 11.
    Johnstone, M., Peacock, M., den Hartog, J.: Timing attack detection on BACnet via a machine learning approach. In: Proceedings of AISM (2015)Google Scholar
  12. 12.
    Kastner, W., Neugschwandtner, G., Soucek, S., Newman, H.M.: Communication systems for building automation and control. Proc. IEEE 93(6), 1178–1203 (2005)CrossRefGoogle Scholar
  13. 13.
    Kaur, J., Tonejc, J., Wendzel, S., Meier, M.: Securing BACnet’s pitfalls. In: Federrath, H., Gollmann, D. (eds.) SEC 2015. IFIP AICT, vol. 455, pp. 616–629. Springer, Cham (2015). Scholar
  14. 14.
    Möllers, F., Sorge, C.: Deducing user presence from inter-message intervals in home automation systems. In: Hoepman, J.-H., Katzenbeisser, S. (eds.) SEC 2016. IAICT, vol. 471, pp. 369–383. Springer, Cham (2016). Scholar
  15. 15.
    Mundt, T., Wickboldt, P.: Security in building automation systems - a first analysis. In: Proceedings of Cyber Security (2016)Google Scholar
  16. 16.
    Newman, H.: Broadcasting BACnet®. ASHRAE J. 52, B8–B12 (2010)Google Scholar
  17. 17.
    Pan, Z., Hariri, S., Al-Nashif, Y.: Anomaly based intrusion detection for building automation and control networks. In: Proceedings of AICCSA (2014)Google Scholar
  18. 18.
    Pang, R., Paxson, V., Sommer, R., Peterson, L.: Binpac: a yacc for writing application protocol parsers. In: Proceedings of IMC (2006)Google Scholar
  19. 19.
    Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: Proceedings of IEEE S&P (2010)Google Scholar
  20. 20.
    Szlósarczyk, S., Wendzel, S., Kaur, J., Schubert, F.: Towards suppressing attacks on and improving resilience of building automation systems - an approach exemplified using BACnet. In: GI Sicherheit (2014)Google Scholar
  21. 21.
    Tonejc, J., Guttes, S., Kobekova, A., Kaur, J.: Machine learning methods for anomaly detection in BACnet networks. JUCS 22(9), 1203–1224 (2016)MathSciNetGoogle Scholar
  22. 22.
    Urbina, D., et al.: Limiting the impact of stealthy attacks on industrial control systems. In: Proceedings of ACM SIGSAC CCS (2016)Google Scholar
  23. 23.
    Wendzel, S., Tonejc, J., Kaur, J., Kobekova, A.: Cyber security of smart buildings (2017)Google Scholar
  24. 24.
    Zheng, Z., Reddy, A.: Safeguarding building automation networks: THE-driven anomaly detector based on traffic analysis. In: Proceedings of ICCCN (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Davide Fauri
    • 1
    Email author
  • Michail Kapsalakis
    • 2
  • Daniel Ricardo dos Santos
    • 1
  • Elisa Costante
    • 2
  • Jerry den Hartog
    • 1
  • Sandro Etalle
    • 1
    • 2
  1. 1.Eindhoven University of TechnologyEindhovenNetherlands
  2. 2.SecurityMattersEindhovenNetherlands

Personalised recommendations