Anomaly based intrusion detection for Building Automation and Control networks

Abstract

Advanced networking technology and increasing information services have led to extensive interconnection between Building Automation and Control (BAC) networks and Internet. The connection to Internet and public networks massively elevates the risk of the BAC networks being attacked. In this paper, we present a framework for a rule based anomaly detection of Building Automation and Control networks. We develop an anomaly based intrusion detection system to the building network by training the system with dataflows that are dynamically captured from the Fire Alarm System testbed using the BACnet Protocol Monitoring module. The rules acquired from the offline data mining procedure can detect attacks against the BACnet protocol with an extremely low false positive rate. We evaluate our approach by launching several attacks that exploit the generic vulnerabilities of the BACnet Protocol. A classification of detected attacks is introduced at the end.