Advertisement

Using Machine Learning to Find Anomalies in Field Bus Network Traffic

  • Martin Peters
  • Johannes GoltzEmail author
  • Simeon Wiedenmann
  • Thomas Mundt
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11611)

Abstract

Devices for building automation are often connected by field buses. Typically no encryption and authentication is available, hence the transmitted data can be read by anyone connected to the bus. This problem gave rise to the idea of developing an intrusion detection system. Due to the lack of information about previous attacks on building automation it is not possible to use a pattern-based IDS. Unsupervised machine learning algorithms should be able to find anomalies automatically and trigger an alarm in case of intrusion. A concept how to create such an IDS is hereby presented. For the analysis of the feature space local outlier factor, support vector machines and entropy analysis were used. The occurring addresses were also monitored.

Some of the tested attack scenarios could be detected. Attacks injecting traffic massively got found by nearly all four tested modules, while more cautious ones haven’t been detected.

Keywords

Field bus Machine learning KNX BAS Anomaly detection 

References

  1. 1.
    Byres, E., Eng, P.: Unicorns and air gaps-do they really exist. Living with reality in critical infrastructures, Tofino (2012). https://www.tofinosecurity.com/blog/1-ics-and-scada-security-myth-protection-air-gap
  2. 2.
  3. 3.
    Deutsche Industrienorm: Offene Datenkommunikation für die Gebäudeautomation und Gebäudemanagement - Elektrische Systemtechnik für Heim und Gebäude: Teil 2: KNXnet/IP-Kommunikation (DIN EN 13321-2), March 2013Google Scholar
  4. 4.
    Hodge, V., Austin, J.: A survey of outlier detection methodologies. Artif. Intell. Rev. 22(2), 85–126 (2004).  https://doi.org/10.1023/B:AIRE.0000045502.10941.a9CrossRefzbMATHGoogle Scholar
  5. 5.
    Hofstede, R., et al.: Flow monitoring explained: from packet capture to data analysis with NetFlow and IPFIX. IEEE Commun. Surv. Tutor. 16(4), 2037–2064 (2014).  https://doi.org/10.1109/COMST.2014.2321898CrossRefGoogle Scholar
  6. 6.
    Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011).  https://doi.org/10.1109/MSP.2011.67CrossRefGoogle Scholar
  7. 7.
    Peters, M.: Analysis of distributed in-band monitoring messages for field bus networks in building automation systems. Master thesis, Univerisät Rostock, Rostock (2018). https://github.com/FreakyBytes/master-thesis/releases/download/handing-in/master-thesis-peters.pdf
  8. 8.
    Mundt, T., Dähn, A., Sass, S.: An intrusion detection system with home installation networks. Int. J. Comput. 3, 13–20 (2014). https://platform.almanhal.com/Details/article/47923 Google Scholar
  9. 9.
    Mundt, T., Wickboldt, P.: Security in building automation systems - a first analysis. In: International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1–8. IEEE, Piscataway (2016).  https://doi.org/10.1109/CyberSecPODS.2016.7502336
  10. 10.
    Northcutt, S.: Inside Network Perimeter Security, 2nd edn. Sams Pub, Indianapolis (2005). ISBN-13: 978-0672327377, ISBN-10: 9780672327377Google Scholar
  11. 11.
    Pan, Z., Hariri, S., Al-Nashif, Y.: Anomaly based intrusion detection for Building Automation and Control networks. In: IEEE/ACS 11th International Conference on Computer Systems and Applications (AICCSA), pp. 72–77. IEEE, Piscataway (2014).  https://doi.org/10.1109/AICCSA.2014.7073181
  12. 12.
    Čeleda, P., Krejčí, R., Krmíček, V.: Flow-based security issue detection in building automation and control networks. In: Szabó, R., Vidács, A. (eds.) EUNICE 2012. LNCS, vol. 7479, pp. 64–75. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-32808-4_7CrossRefGoogle Scholar
  13. 13.
    Peters, M.: BAS-observe (2018). https://github.com/FreakyBytes/bas-observe
  14. 14.
    Shannon, C.E.: A mathematical theory of communication. Bell Syst. Tech. J. 27(3), 379–423 (1948).  https://doi.org/10.1002/j.1538-7305.1948.tb01338.xMathSciNetCrossRefzbMATHGoogle Scholar
  15. 15.
    Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An overview of ip flow-based intrusion detection. IEEE Commun. Surv. Tutor. 12(3), 343–356 (2010).  https://doi.org/10.1109/SURV.2010.032210.00054CrossRefGoogle Scholar
  16. 16.
    Toshniwal, D., Eshwar, B.K.: Entropy based adaptive outlier detection technique for data streams. In: Proceedings of the International Conference on Data Mining (DMIN), p. 1. The Steering Committee of The World Congress in Computer Science, Computer Engineering and Applied Computing (WorldComp) (2014)Google Scholar
  17. 17.
    Wiedenmann, S.: Fieldbus traffic simulation logs (2018). https://opsci.informatik.uni-rostock.de/index.php/Fieldbus_traffic_simulation_logs
  18. 18.
    Yang, D., Usynin, A., Hines, J.W.: Anomaly-Based Intrusion Detection for SCADA Systems. In: 5th International Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies (NPIC & HMIT 2005), pp. 12–16 (2006). 11.04.2019Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Institute of Computer ScienceUniversity of RostockRostockGermany

Personalised recommendations