Safeguarding Building Automation Networks: THE-Driven Anomaly Detector Based on Traffic Analysis
© 2017 IEEE. Building Automation Systems (BAS) are distributed networks of hardware and software that monitor and control heating, ventilation, and air-conditioning (HVAC), as well as the lighting and security of smart buildings. BACnet is a standard data communication protocol designed to operate across many types of BAS field panels and controllers. This paper studies BACnet traffic in a real-world BAS from various vantage points and develops an anomaly detector for BAS networks. Our analysis of BACnet traffic through several measures reveals that BACnet traffic is neither strictly periodic, as expected of control traffic, nor exhibits the diurnal patterns of IP network traffic. BACnet traffic is a combination of multiple flow-service streams that belong to "THE-driven" categories: Time-driven, Human-driven, and Event-driven. Time-driven traffic follows periodic patterns, regular patterns, or on/off models. Human-driven and event-driven traffic present non-periodic patterns. We construct flow-service models for time-driven traffic and develop the THE-Driven Anomaly Detector, which adopts a different mechanism for each category of traffic. We evaluate the anomaly detector using k-fold cross-validation and synthetic attacks. The proposed THE-Driven Anomaly Detector is shown to effectively detect suspicious traffic in BAS networks with a small false alarm rate.
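As an added illustration (not the paper's own code or its exact models), the sketch below shows the idea of splitting BACnet traffic into flow-service streams, learning a period for the streams whose inter-arrival times are regular (time-driven), treating the rest as non-periodic, and then alerting only on what a time-driven model can justify: an unknown stream, or a time-driven stream that breaks its period. The stream key (source, destination, service), the constructed timestamps and addresses, and the coefficient-of-variation threshold are all assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed BACnet-like records: (timestamp_s, source, destination, service).
# Assumption: a flow-service stream is the (source, destination, service) triple.
TRAIN_RECORDS = (
    [(30.0 * i, "10.0.0.5", "10.0.0.20", "readProperty") for i in range(10)]  # polling
    + [(t, "10.0.0.100", "10.0.0.20", "writeProperty") for t in (12.0, 47.0, 51.0, 190.0, 263.0)]  # operator
)
TEST_RECORDS = [
    (300.0, "10.0.0.5", "10.0.0.20", "readProperty"),
    (330.0, "10.0.0.5", "10.0.0.20", "readProperty"),
    (333.0, "10.0.0.5", "10.0.0.20", "readProperty"),   # off-period read from the poller
    (340.0, "10.0.0.77", "10.0.0.20", "writeProperty"),  # stream never seen in training
    (360.0, "10.0.0.5", "10.0.0.20", "readProperty"),
]

def group_streams(records):
    streams = defaultdict(list)
    for t, src, dst, svc in records:
        streams[(src, dst, svc)].append(t)
    return streams

def classify_stream(timestamps, min_samples=5, cv_threshold=0.2):
    """Time-driven when inter-arrival gaps are regular (low coefficient of variation)."""
    if len(timestamps) < min_samples:
        return "non-periodic", None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu else float("inf")
    return ("time-driven", mu) if cv <= cv_threshold else ("non-periodic", None)

def build_models(records):
    return {key: classify_stream(ts) for key, ts in group_streams(records).items()}

def detect(models, records, tolerance=0.5):
    """Alert on unknown streams and on time-driven streams whose gap leaves the learned period."""
    alerts, last_seen = [], {}
    for t, src, dst, svc in sorted(records):
        key = (src, dst, svc)
        if key not in models:
            alerts.append((t, key, "unknown flow-service stream"))
            continue
        label, period = models[key]
        if label == "time-driven" and key in last_seen:
            gap = t - last_seen[key]
            if abs(gap - period) > tolerance * period:
                alerts.append((t, key, f"period deviation: gap={gap:.1f}s expected~{period:.1f}s"))
        last_seen[key] = t
    return alerts
```

Non-periodic streams get no period check here, which is where the abstract says a separate mechanism for human- and event-driven traffic is needed.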