
Page 1


Gothenburg, Sweden – DIMVA 2019 - 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment

D. Fauri, M. Kapsalakis, D. R. dos Santos, E. Costante, J. den Hartog, S. Etalle

Role Inference + Anomaly Detection = Situational Awareness in BACnet networks

Page 2


Building Automation Systems (BAS)

Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks - D.Fauri et al. 2

•  They manage HVAC, video surveillance, access control, lighting, elevators…

•  Usually across many buildings, many different networks (but interoperability exists, e.g. BACnet)

•  They can be managed remotely

•  They can be attacked remotely

Icons made by Freepik from www.flaticon.com

Page 3


Situational Awareness in BAS

Cyber Situational Awareness is structured in three subsuming levels [1]:


1) Basic perception of important data: e.g., presence of devices in a network, device configuration, device behavior, alerts raised by IDS, system specification

2) Interpretation and combination of data into knowledge: e.g., search a device’s FW version in a CVE database, recognize if a raised alert is a false alarm or not

3) Ability to predict future events and their implications: e.g., assess the risk of a vulnerability, decide if an alert should be acted upon

[Figure: Perceive (1) → Comprehend (2) → Project (3) → Resolve]

[1] M. Endsley, “Design and Evaluation for Situation Awareness Enhancement”, 1988

Page 4


Anomaly Detection != Situational Awareness


Learning-based anomaly detection deals better with BAS heterogeneity, but:

•  Alerts are not actionable per se: we need meaningful context information

•  Learned models are specific to each device: there is no grouping into semantically equivalent classes

Page 5


Role Inference

We propose to infer high-level attributes from observed data. Ex.: the role of a device represents its functional behavior in the network.

Understandability is improved: the role provides meaningful context information to interpret a device's [anomalous] behavior.

Adaptability is improved: when a new device appears on the network, we can apply rules and models based on the device's role.


Page 6


BACnet Profiles and Profile Families

The BACnet standard already has device Profiles, but:

•  the profile of a device cannot be read from the network;

•  they are based on application domain, not on functional behavior;

•  the profile in the specification may not correspond to the behavior in real life [2].

Thus, we define behavioral roles based on the functional levels in the BAS architecture.


BACnet Device Profile           | BACnet Profile Family     | Behavioral Role
--------------------------------|---------------------------|----------------
Building Controller             | Controllers               | Controller
Adv. Application Controller     | Controllers               | Controller
Application Specific Controller | Controllers               | Controller
Smart Actuator                  | Controllers               | Field Device
Smart Sensor                    | Controllers               | Field Device
Adv. Lighting Control Station   | Lighting Control Stations | Controller
Lighting Control Station        | Lighting Control Stations | Controller
Lighting Supervisor             | Lighting Controllers      | Field Device
Lighting Device                 | Lighting Controllers      | Field Device
Router                          | Miscellaneous             | Router
Gateway                         | Miscellaneous             | Router
Broadcast Management Device     | Miscellaneous             | Router
Door Controller                 | Access Control            | Field Device
Credential Reader               | Access Control            | Field Device

[2] H. Esquivel-Vargas, “Automatic deployment of specification-based intrusion detection in the BACnet protocol”, 2017

Page 7


Behavioral Roles


•  Workstation: Ex. store historical data, inform operators, adjust setpoints

•  Router: interconnect devices from two or more networks

•  Controller: Ex. execute the main logic processes, interact with Field Devices via read/write

•  Field Device: interact with the physical environment; they can be connected directly to Controllers, or talk BACnet

[Figure: hierarchy of Workstations (W), Routers (R), Controllers (C) and Field Devices (FD)]

Page 8


Using roles for Situational Awareness


[Architecture diagram: Network Traffic → BACnet Parser → Message Fields → Inventory Builder → Device Description → Role Classifier → Device Role. The Device Role feeds the Dynamic Network Map (Situational Awareness) and the Role-based intrusion detection, which raises Alerts (Adaptable Intrusion Detection). The same diagram is repeated on slides 9 to 13, highlighting the component each slide discusses.]

Page 9


Dynamic Network Map


Page 10


Inventory Builder


We extract information from the payload of observed BACnet messages.

Fields that uniquely identify a device:

•  Unique ID

•  Object Name

Fields that describe a device (configuration, location, etc.):

•  Vendor Name

•  Model Name

•  FW Version

•  Location

•  Data Link Layer

•  Is a BBMD

•  Is a Foreign Device

Page 11


Role Classifier

We infer roles with two techniques:

Heuristics based classification (HBC): we classify devices by checking if their observed behavior contains patterns unique to a role:

•  Only Workstation devices should initiate a WritePropertyMultiple request

•  Only Routers forward messages from other networks

Distance based classification (DBC): we classify remaining devices by their distance to previously classified devices, using:

•  Vendor ID

•  Model Name

•  Data Link Layer type
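The two-stage classifier described on this slide, as an added example that is not the authors' code and is not part of the original slides. It assumes a per-message record layout (sender, initiated service, whether the NPDU carried a foreign source network) and an inventory filled with the Vendor ID / Model Name / Data Link Layer fields of slide 10, all with constructed values; it adds two heuristics for Controller and Field Device beyond the slide's two examples, and for DBC uses a count-of-differing-attributes distance with a nearest-neighbour rule and a maximum-distance cutoff. The extra heuristics, the distance and the cutoff are assumptions, not something the slides specify.

```python
"""Role inference for BACnet devices (slide 11): heuristics-based classification
(HBC) first, distance-based classification (DBC) for the remainder. Added
example, not the authors' code; records, extra heuristics and the distance
function are assumptions."""
from collections import defaultdict

# Constructed inventory, as the Inventory Builder would fill it from I-Am and
# Device-object properties. Device ids, vendors and models are made up.
INVENTORY = {
    1001: {"vendor_id": 10, "model_name": "OWS-1", "data_link": "BACnet/IP"},
    2001: {"vendor_id": 20, "model_name": "RTR-2", "data_link": "BACnet/IP"},
    3001: {"vendor_id": 30, "model_name": "PLC-7", "data_link": "BACnet/IP"},
    3002: {"vendor_id": 30, "model_name": "PLC-7", "data_link": "BACnet/IP"},
    3003: {"vendor_id": 30, "model_name": "PLC-7", "data_link": "BACnet/IP"},   # never seen sending
    4001: {"vendor_id": 40, "model_name": "AI-8", "data_link": "BACnet MS/TP"},
    4002: {"vendor_id": 40, "model_name": "AO-4", "data_link": "BACnet MS/TP"},  # never seen sending
    9001: {"vendor_id": 90, "model_name": "X-1", "data_link": "Ethernet"},       # nothing similar classified
}

# Constructed parser output: link-layer sender, the service it initiated, and
# whether the NPDU carried a source network (SNET) other than the sender's
# own, i.e. the sender forwarded the message for another network.
MESSAGES = [
    {"src": 1001, "service": "WritePropertyMultiple", "forwarded": False},
    {"src": 1001, "service": "ReadProperty", "forwarded": False},
    {"src": 2001, "service": "Who-Is", "forwarded": True},
    {"src": 3001, "service": "ReadProperty", "forwarded": False},
    {"src": 3001, "service": "WriteProperty", "forwarded": False},
    {"src": 3002, "service": "ReadProperty", "forwarded": False},
    {"src": 4001, "service": "I-Am", "forwarded": False},
]

REQUESTS = {"ReadProperty", "ReadPropertyMultiple", "WriteProperty", "WritePropertyMultiple"}


def summarize(messages):
    """Fold per-message records into one behaviour summary per device."""
    summary = defaultdict(lambda: {"services": set(), "forwarded": False})
    for m in messages:
        s = summary[m["src"]]
        s["services"].add(m["service"])
        s["forwarded"] = s["forwarded"] or m["forwarded"]
    return summary


# HBC rules in priority order. The first two are the slide's examples; the
# Controller and Field Device rules are assumptions added for this example.
HBC_RULES = [
    ("Workstation", lambda s: "WritePropertyMultiple" in s["services"]),
    ("Router", lambda s: s["forwarded"]),
    ("Controller", lambda s: bool(s["services"] & REQUESTS)),
    ("Field Device", lambda s: bool(s["services"]) and not s["services"] & REQUESTS),
]


def hbc(summary):
    """First matching rule wins; devices matching no rule stay unclassified."""
    roles = {}
    for dev, s in summary.items():
        for role, rule in HBC_RULES:
            if rule(s):
                roles[dev] = role
                break
    return roles


DBC_ATTRS = ("vendor_id", "model_name", "data_link")


def distance(a, b):
    """Assumed metric: number of DBC attributes on which two devices differ."""
    return sum(a[k] != b[k] for k in DBC_ATTRS)


def dbc(inventory, roles, max_distance=1):
    """Give each unclassified device the role of its nearest classified one,
    unless even the nearest differs in more than `max_distance` attributes."""
    result = dict(roles)
    for dev, attrs in inventory.items():
        if dev in result:
            continue
        nearest = min(((distance(attrs, inventory[c]), c) for c in roles), default=None)
        if nearest is not None and nearest[0] <= max_distance:
            result[dev] = roles[nearest[1]]
    return result


def infer_roles(inventory, messages):
    """Return {device: (role, method)} with method HBC, DBC or '-' (unresolved)."""
    hbc_roles = hbc(summarize(messages))
    all_roles = dbc(inventory, hbc_roles)
    out = {}
    for dev in inventory:
        if dev in hbc_roles:
            out[dev] = (hbc_roles[dev], "HBC")
        elif dev in all_roles:
            out[dev] = (all_roles[dev], "DBC")
        else:
            out[dev] = ("Unknown", "-")
    return out


if __name__ == "__main__":
    for dev, (role, how) in sorted(infer_roles(INVENTORY, MESSAGES).items()):
        print(f"{dev}: {role} ({how})")
```

Device 3003 and 4002 never send anything in the sample, so HBC cannot place them; DBC assigns 3003 the Controller role of the identical PLC-7 units and 4002 the Field Device role of the one-attribute-distant AI-8 module, while 9001 stays unresolved because nothing classified is within the cutoff. The slide-12 misclassification is visible in this structure too: a Workstation that issues no WritePropertyMultiple in the observed window falls through to the Controller rule.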


Page 12


Classification Results

We evaluated discovery and classification on a real-life dataset from a university campus (106 GB, 9 days of traffic, ~20 million BACnet pkts).

•  HBC+DBC discovers all devices

•  One misclassification: a Workstation had behavior consistent with a Controller

•  Using this model for intrusion detection, the Workstation might raise false alerts (but the role helps interpret them)

Dataset 2

Role        | Ground truth | HBC: Classified | TP  | FP | HBC + DBC: Classified | TP  | FP
------------|--------------|-----------------|-----|----|-----------------------|-----|---
Controller  | 219          | 213             | 212 | 1  | 220                   | 219 | 1
Router      | 21           | 21              | 21  | 0  | 21                    | 21  | 0
Workstation | 1            | 0               | 0   | 0  | 0                     | 0   | 0
Total       | 241          | 234             | 233 | 1  | 241                   | 240 | 1

Page 13



Role-based Intrusion Detection

Roles (and other high-level attributes) can be used as features for different IDS modules:

•  Learning role-based behavior: “All Controllers send between 0 and 60 ReadProperty requests per hour”

•  Specifying attribute-based policies and consistency checks (*): “Field Devices cannot initiate WriteProperty requests”, “Devices with Vendor XYZ cannot be Controllers”

(*) Consistency checks help in finding misconfigured or misclassified devices

Page 14


Intrusion Detection Results

We extend previous results [3] by detecting two previously undetected attacks:

•  Snooping by a new Controller: it sends abnormally many ReadProperty requests for its role

•  Tampering by a Field Device: it sends a WriteProperty request

[Figure: testbed. Wago 750-831 (Controller); FS-QS-1010 (Router); BMT-DIO 4/2, BMT-AI 8, BMT-AO 4; Wago BACnet Configurator (Workstation); Mango Automation (Workstation); Raspberry Pi running our solution. Links: BACnet/IP and BACnet MS/TP.]

[3] D. Fauri et al., “Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems”, CRITIS ‘18

✔ Evaluation of our IDS on the real-life dataset showed good results for usability (~6.4 FP/h) and adaptability to new devices (~0.1 FP/h increase after cross validation)
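A worked version of the three role-based IDS modules from slide 13 and the two detections from slide 14, as an added example that is not the authors' code: a learned per-role hourly range for ReadProperty requests, the “Field Devices cannot initiate WriteProperty” policy, and the vendor/role consistency check. The device table (roles as the Role Classifier would output them), the baseline and test traffic, and vendor id 99 standing in for “Vendor XYZ” are constructed; representing the learned model as the per-role min/max hourly count is an assumption, the slide only states the resulting rule.

```python
"""Role-based intrusion detection (slides 13-14): a learned per-role rate model,
an attribute-based policy and a consistency check. Added example, not the
authors' code; devices, traffic, thresholds and vendor ids are constructed."""
from collections import Counter, defaultdict

# Constructed Role Classifier output: role and vendor id per device.
DEVICES = {
    3001: {"role": "Controller", "vendor_id": 30},
    3002: {"role": "Controller", "vendor_id": 30},
    3009: {"role": "Controller", "vendor_id": 30},  # new controller, absent from the baseline
    4001: {"role": "Field Device", "vendor_id": 40},
    5001: {"role": "Controller", "vendor_id": 99},  # vendor 99 stands in for "Vendor XYZ"
}

# Constructed benign baseline: (hour, src, service) events over 24 hours in
# which each controller sends 30-39 ReadProperty requests per hour.
BASELINE = [(h, dev, "ReadProperty")
            for h in range(24) for dev in (3001, 3002) for _ in range(30 + h % 10)]

# Constructed one-hour test window: 3001 behaves normally, the new controller
# 3009 snoops with 400 reads, and field device 4001 issues a WriteProperty.
TEST_HOUR = ([(0, 3001, "ReadProperty")] * 35
             + [(0, 3009, "ReadProperty")] * 400
             + [(0, 4001, "I-Am"), (0, 4001, "WriteProperty")])


def learn_rate_bounds(events, devices, service="ReadProperty"):
    """Per role, the (min, max) hourly count of `service` that any device of
    that role produced in the baseline (hours with zero requests included)."""
    hours = {h for h, _, _ in events}
    seen = {src for _, src, _ in events}
    counts = Counter((h, s) for h, s, svc in events if svc == service)
    by_role = defaultdict(list)
    for s in seen:
        for h in hours:
            by_role[devices[s]["role"]].append(counts[(h, s)])
    return {role: (min(v), max(v)) for role, v in by_role.items()}


# Attribute-based policies: (text, predicate over device record and service).
POLICIES = [
    ("Field Devices cannot initiate WriteProperty requests",
     lambda d, svc: d["role"] == "Field Device" and svc == "WriteProperty"),
]

# Consistency check: vendors assumed (for this example) to build no controllers.
NON_CONTROLLER_VENDORS = {99}


def consistency_alerts(devices):
    """Flag devices whose classified role contradicts their vendor; such hits
    point at misconfigured or misclassified devices rather than attacks."""
    return [(dev, d["role"], f"devices with vendor {d['vendor_id']} cannot be Controllers")
            for dev, d in devices.items()
            if d["role"] == "Controller" and d["vendor_id"] in NON_CONTROLLER_VENDORS]


def detect(window, devices, bounds, service="ReadProperty"):
    """Return (device, role, reason) alerts for one hour of traffic. The rate
    model is keyed by role, so a device never seen in the baseline (3009) is
    still judged against the bounds learned for its role."""
    alerts = []
    per_device = Counter(src for _, src, svc in window if svc == service)
    for src, n in per_device.items():
        role = devices[src]["role"]
        if role not in bounds:
            continue  # no learned model for this role yet
        lo, hi = bounds[role]
        if not lo <= n <= hi:
            alerts.append((src, role, f"{n} {service}/h outside learned range [{lo}, {hi}] for {role}"))
    for _, src, svc in window:
        d = devices[src]
        for text, violated in POLICIES:
            if violated(d, svc):
                alerts.append((src, d["role"], text))
    return alerts


if __name__ == "__main__":
    bounds = learn_rate_bounds(BASELINE, DEVICES)
    print("learned bounds:", bounds)
    for alert in detect(TEST_HOUR, DEVICES, bounds) + consistency_alerts(DEVICES):
        print("ALERT", alert)
```

Each alert carries the device's role, which is the context the slides argue makes it actionable: the rate alert reads as “a Controller reading far more than Controllers do”, and the policy alert as “a Field Device writing”, rather than as an anonymous statistical deviation. Because the rate model is per role and not per device, 3009 is covered the moment it is classified, which is the adaptability property measured on the real-life dataset above.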

Page 15


Conclusion

•  We propose the use of high-level attributes (ex. roles) for enriching situational awareness in heterogeneous systems;

•  Roles improve actionability of alerts and adaptability of detection systems;

•  We intend to improve the granularity of this approach, and extend it to other domains (ex. ICS) or other attributes