Using Machine Learning to Find Anomalies in Field Bus Network Traffic

  • Martin Peters
  • Johannes Goltz
  • Simeon Wiedenmann
  • Thomas Mundt
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11611)


Devices for building automation are often connected by field buses. Typically, neither encryption nor authentication is available, so the transmitted data can be read by anyone connected to the bus. This problem gave rise to the idea of developing an intrusion detection system. Because there is little information about previous attacks on building automation, a pattern-based IDS is not feasible. Unsupervised machine learning algorithms should be able to find anomalies automatically and trigger an alarm in case of intrusion. A concept for creating such an IDS is presented here. For the analysis of the feature space, local outlier factor, support vector machines and entropy analysis were used. The occurring addresses were also monitored.

Some of the tested attack scenarios could be detected. Attacks that inject traffic massively were found by nearly all four tested modules, while more cautious ones were not detected.
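Added example, not code from the paper or from its BAS-observe tool: a minimal version of the entropy analysis and address monitoring that the abstract describes, run over constructed KNX-style telegrams. The addresses, the window size and the 3-sigma threshold with a 0.05-bit floor are assumptions; the example reproduces the reported behaviour, in that a massive injection pushes destination-address entropy far from the learned baseline (and also arrives from an unknown sender), while a cautious injection from a known device stays inside the threshold and goes unnoticed.

```python
import math
import random
from collections import Counter

# Constructed KNX-style telegrams as (source individual address, destination
# group address). All addresses are made-up sample values, not from the paper.
rng = random.Random(7)
NORMAL_SOURCES = ["1.1.1", "1.1.2", "1.1.3", "1.1.4"]
NORMAL_GROUPS = ["0/0/1", "0/0/2", "0/1/1", "0/1/2", "1/0/1"]

def normal_window(n=100):
    """One observation window of n telegrams with the baseline traffic mix."""
    return [(rng.choice(NORMAL_SOURCES), rng.choice(NORMAL_GROUPS)) for _ in range(n)]

def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts, total = Counter(values), len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def learn_baseline(windows):
    """Learn mean/std of destination-address entropy and the set of known senders."""
    ents = [entropy([dst for _, dst in w]) for w in windows]
    mean = sum(ents) / len(ents)
    std = math.sqrt(sum((e - mean) ** 2 for e in ents) / len(ents))
    return {"mean": mean, "std": std, "sources": {s for w in windows for s, _ in w}}

def check_window(window, baseline, k=3.0, floor=0.05):
    """Alarms: entropy outside mean +/- k*max(std, floor), or a sender never seen in training."""
    alarms = []
    e = entropy([dst for _, dst in window])
    limit = k * max(baseline["std"], floor)
    if abs(e - baseline["mean"]) > limit:
        alarms.append(f"entropy {e:.2f} bits deviates from baseline {baseline['mean']:.2f} by more than {limit:.2f}")
    for src in sorted({s for s, _ in window} - baseline["sources"]):
        alarms.append(f"unknown source address {src}")
    return alarms

def demo():
    """Train on 20 clean windows, then score a massive and a cautious injection."""
    baseline = learn_baseline([normal_window() for _ in range(20)])
    # Massive injection: 400 telegrams from an unknown device flooding one new group address.
    massive = normal_window() + [("15.15.255", "7/7/7")] * 400
    # Cautious injection: two telegrams from a known device to a known group address.
    cautious = normal_window() + [("1.1.2", "0/1/1")] * 2
    return check_window(massive, baseline), check_window(cautious, baseline)

if __name__ == "__main__":
    for name, alarms in zip(("massive", "cautious"), demo()):
        print(name, "->", alarms or "no alarm")
```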


Keywords: Field bus · Machine learning · KNX · BAS · Anomaly detection



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Institute of Computer Science, University of Rostock, Rostock, Germany
