Gothenburg, Sweden – DIMVA 2019 - 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
D. Fauri, M. Kapsalakis, D. R. dos Santos, E.Costante, J. den Hartog, S. Etalle
Role Inference + Anomaly Detection = Situational Awareness in BACnet networks
Building Automation Systems (BAS)
Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks - D.Fauri et al. 2
• They manage HVAC, video surveillance, access control, lighting, elevators…
• Usually across many buildings, many different networks (but interoperability exists, e.g. BACnet)
• They can be managed remotely
• They can be attacked remotely
Icons made by Freepik from www.flaticon.com
Situational Awareness in BAS
Cyber Situational Awareness is structured in three subsuming levels [1]:
1) Basic perception of important data: e.g., presence of devices in a network, device configuration, device behavior, alerts raised by IDS, system specification
2) Interpretation and combination of data into knowledge: e.g., search a device’s FW version in a CVE database, recognize if a raised alert is a false alarm or not
3) Ability to predict future events and their implications: e.g., assess the risk of a vulnerability, decide if an alert should be acted upon
[Figure: the three levels as a chain, Perceive (1) → Comprehend (2) → Project (3) → Resolve]
[1] M. Endsley, “Design and Evaluation for Situation Awareness Enhancement”, 1988
Anomaly Detection != Situational Awareness
Learning-based anomaly detection deals better with BAS heterogeneity, but:
• Alerts are not actionable per se: we need meaningful context information
• Learned models are specific to each device: there is no grouping into semantically equivalent classes
Role Inference
We propose to infer high-level attributes from observed data. For example, the role of a device represents its functional behavior in the network.
Understandability is improved: the role provides meaningful context information to interpret a device's (anomalous) behavior.
Adaptability is improved: when a new device appears on the network, we can apply rules and models based on the device's role.
BACnet Profiles and Profile Families
The BACnet standard already has device Profiles, but:
• the profile of a device cannot be read from the network;
• they are based on application domain, not on functional behavior;
• the profile in the specification may not correspond to the behavior in real life [2].
Thus, we define behavioral roles based on the functional levels in BAS architecture.

BACnet Device Profile | BACnet Profile Family | Behavioral Role
Building Controller | Controller | Controller
Adv. Application Controller | Controller | Controller
Application Specific Controller | Controller | Controller
Smart Actuator | | Field Device
Smart Sensor | | Field Device
Adv. Lighting Control Station | Lighting Control Stations | Controller
Lighting Control Station | Lighting Control Stations | Controller
Lighting Supervisor | Lighting Controllers | Controller
Lighting Device | Lighting Controllers | Field Device
Router | Miscellaneous | Router
Gateway | Miscellaneous | Router
Broadcast Management Device | Miscellaneous | Router
Access Control Door Controller | | Field Device
Access Control Credential Reader | | Field Device
[2] H. Esquivel-Vargas, “Automatic deployment of specification-based intrusion detection in the BACnet protocol”, 2017
Behavioral Roles
• Workstation: e.g. store historical data, inform operators, adjust setpoints
• Router: interconnect devices from two or more networks
• Controller: e.g. execute the main logic processes, interact with Field Devices via read/write
• Field Device: interact with the physical environment; they can be connected directly to Controllers, or talk BACnet
[Figure: hierarchy of Workstations (W) above Routers (R), Controllers (C) and Field Devices (FD)]
Using roles for Situational Awareness
[Figure: architecture. Network Traffic → BACnet Parser → Message Fields → Inventory Builder (Device Description) and Role Classifier (Device Role) → Dynamic Network Map (Situational Awareness) and Role-based Intrusion Detection (Alerts, Adaptable Intrusion Detection)]
Dynamic Network Map
Inventory Builder
We extract information from the payload of observed BACnet messages:
• To uniquely identify a device: Unique ID, Object Name
• To describe a device (configuration, location, etc.): Vendor Name, Model Name, FW Version, Location, Data Link Layer, Is a BBMD, Is a Foreign Device
Role Classifier
We infer roles with two techniques:
Heuristics based classification (HBC): we classify devices by checking if their observed behavior contains patterns unique to a role:
• Only Workstation devices should initiate a WritePropertyMultiple request
• Only Routers forward messages from other networks
Distance based classification (DBC): we classify the remaining devices by their distance to previously classified devices, using:
• Vendor ID
• Model Name
• Data Link Layer type
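The inventory builder and the two-stage classifier described above, as an added example (not the authors' code): constructed parser output is merged into a per-device inventory, HBC labels devices whose behavior is unique to a role, and DBC assigns the remaining devices the role of the nearest labelled device, measuring distance as the number of differing descriptive attributes (Vendor ID, Model Name, Data Link Layer). The first two HBC rules are the slide's examples; the Controller and Field Device rules, the vendor ids, the message records and the device names other than the testbed model names are assumptions made for the example.

```python
# Inventory Builder + Role Classifier (HBC, then DBC) over constructed parser output.
ATTRS = ("vendor_id", "model", "dlink")  # descriptive attributes used by DBC

# Constructed output of a BACnet parser (not the paper's dataset). "src" is the device
# instance number used as unique ID; "is_request" is True when the source initiated the
# service; "routed" is True when the NPDU carried a source network address, i.e. the
# sender forwarded the frame from another network. Vendor ids are made up.
MESSAGES = [
    {"src": 1, "service": "I-Am", "vendor_id": 222, "model": "750-831", "dlink": "BACnet/IP"},
    {"src": 1, "service": "ReadProperty", "is_request": True},
    {"src": 1, "service": "WriteProperty", "is_request": True},
    {"src": 2, "service": "I-Am", "vendor_id": 999, "model": "OpsConsole", "dlink": "BACnet/IP"},
    {"src": 2, "service": "WritePropertyMultiple", "is_request": True},
    {"src": 3, "service": "I-Am", "vendor_id": 7, "model": "FS-QS-1010", "dlink": "BACnet/IP"},
    {"src": 3, "service": "ReadProperty", "is_request": True, "routed": True},
    {"src": 4, "service": "I-Am", "vendor_id": 222, "model": "750-831", "dlink": "BACnet/IP"},
    {"src": 5, "service": "I-Am", "vendor_id": 55, "model": "BMT-AI 8", "dlink": "BACnet MS/TP"},
    {"src": 5, "service": "ReadProperty", "is_request": False},  # only ever answers
    {"src": 6, "service": "I-Am", "vendor_id": 55, "model": "BMT-AO 4", "dlink": "BACnet MS/TP"},
    {"src": 7, "service": "I-Am", "vendor_id": 1, "model": "Unknown", "dlink": "BACnet/IP"},
]


def build_inventory(messages):
    """Inventory Builder: merge description fields and a behavior summary per device."""
    inventory = {}
    for m in messages:
        dev = inventory.setdefault(m["src"], {"requests": set(), "responses": set(), "routed": False})
        for attr in ATTRS:
            if attr in m:
                dev[attr] = m[attr]
        if m.get("routed"):
            dev["routed"] = True  # forwarded on behalf of a device on another network
            continue
        if m["service"] == "I-Am":
            continue
        (dev["requests"] if m.get("is_request") else dev["responses"]).add(m["service"])
    return inventory


def hbc(dev):
    """Heuristics-based classification: behavior patterns unique to one role.
    The Router and Workstation rules come from the slide; the other two are assumed."""
    if dev["routed"]:
        return "Router"
    if "WritePropertyMultiple" in dev["requests"]:
        return "Workstation"
    if dev["requests"] & {"ReadProperty", "WriteProperty"}:
        return "Controller"  # assumed: drives field devices via read/write
    if dev["responses"] and not dev["requests"]:
        return "Field Device"  # assumed: only responds, never initiates
    return None


def distance(a, b):
    """Number of differing descriptive attributes (Hamming distance over ATTRS)."""
    return sum(a.get(attr) != b.get(attr) for attr in ATTRS)


def dbc(dev, labelled):
    """Distance-based classification: role of the nearest HBC-labelled device.
    Returns None when the nearest devices disagree, leaving the device unclassified."""
    if not labelled:
        return None
    best = min(distance(dev, ref) for ref, _ in labelled)
    roles = {role for ref, role in labelled if distance(dev, ref) == best}
    return roles.pop() if len(roles) == 1 else None


def classify(messages):
    """HBC first, then DBC for whatever HBC left unclassified."""
    inventory = build_inventory(messages)
    roles = {uid: hbc(dev) for uid, dev in inventory.items()}
    labelled = [(inventory[uid], role) for uid, role in roles.items() if role]
    for uid, role in roles.items():
        if role is None:
            roles[uid] = dbc(inventory[uid], labelled)
    return roles


if __name__ == "__main__":
    for uid, role in sorted(classify(MESSAGES).items()):
        print(uid, role)
```

Device 4 shares vendor and model with the heuristically labelled Controller and lands at distance 0; device 6 differs from the labelled Field Device only in model name. Device 7 is equidistant from three differently labelled devices and stays unclassified, which is the case an operator should be shown rather than silently resolved.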
Classification Results
We evaluated discovery and classification on a real-life dataset from a university campus (106GB, 9 days of traffic, ~20 million BACnet pkts)
• HBC+DBC discovers all devices
• One misclassification: a Workstation had behavior consistent with a Controller
• Using this model for intrusion detection, the Workstation might raise false alerts (but the role helps interpret them)
Dataset 2

Role | Ground truth | HBC classified | HBC TP | HBC FP | HBC+DBC classified | HBC+DBC TP | HBC+DBC FP
Controller | 219 | 213 | 212 | 1 | 220 | 219 | 1
Router | 21 | 21 | 21 | 0 | 21 | 21 | 0
Workstation | 1 | 0 | 0 | 0 | 0 | 0 | 0
Total | 241 | 234 | 233 | 1 | 241 | 240 | 1
Role-based Intrusion Detection
Roles (and other high-level attributes) can be used as features for different IDS modules:
• Learning role-based behavior: "All Controllers send between 0 and 60 ReadProperty requests per hour"
• Specifying attribute-based policies and consistency checks (*): "Field Devices cannot initiate WriteProperty requests", "Devices with Vendor XYZ cannot be Controllers"
(*) Consistency checks help in finding misconfigured or misclassified devices
Intrusion Detection Results
We extend previous results [3] by detecting two previously undetected attacks:
• Snooping by new Controller: it sends abnormally many ReadProperty requests for its role
• Tampering by Field Device: it sends a WriteProperty request
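The role-based IDS modules of the previous slide and the two detections above, as an added example (not the authors' implementation): per-role hourly request-count ranges are learned from a constructed clean period, attribute-based policies and a consistency check are evaluated per device, and every alert carries the device's role as context. The role and vendor assignments, the training counts, the test hour and vendor id 999 (standing in for "Vendor XYZ") are all constructed for the example; devices 7 and 8 appear only after training, so they are checked against their role's model without retraining.

```python
from collections import defaultdict

SERVICES = ("ReadProperty", "WriteProperty", "WritePropertyMultiple")

# Roles and vendor ids as the role classifier and inventory builder would provide
# them (constructed). Devices 7 and 8 join the network after the training period.
ROLE = {1: "Controller", 4: "Controller", 2: "Workstation", 3: "Router",
        5: "Field Device", 6: "Field Device", 7: "Controller", 8: "Controller"}
VENDOR = {1: 222, 4: 222, 2: 999, 3: 7, 5: 55, 6: 55, 7: 222, 8: 999}

# Constructed clean-period training data: requests initiated per device per hour.
TRAIN = [
    {"device": 1, "ReadProperty": 10, "WriteProperty": 1},
    {"device": 1, "ReadProperty": 60, "WriteProperty": 3},
    {"device": 4, "ReadProperty": 0, "WriteProperty": 0},
    {"device": 4, "ReadProperty": 40, "WriteProperty": 2},
    {"device": 2, "ReadProperty": 100, "WritePropertyMultiple": 5},
    {"device": 2, "ReadProperty": 150, "WritePropertyMultiple": 8},
    {"device": 3}, {"device": 5}, {"device": 6},
]


def learn_role_profiles(train, roles):
    """Per role and service, the [min, max] hourly request count seen in training.
    All devices of a role share one model, so a newly joined device is covered."""
    profiles = defaultdict(dict)
    for row in train:
        role = roles[row["device"]]
        for svc in SERVICES:
            n = row.get(svc, 0)
            lo, hi = profiles[role].get(svc, (n, n))
            profiles[role][svc] = (min(lo, n), max(hi, n))
    return profiles


# Attribute-based policy from the slide: Field Devices cannot initiate WriteProperty.
def no_field_device_writes(role, vendor, row):
    if role == "Field Device" and row.get("WriteProperty", 0) > 0:
        return "Field Devices cannot initiate WriteProperty requests"


# Consistency check; vendor 999 is a constructed stand-in for "Vendor XYZ".
def vendor_role_consistent(role, vendor, row):
    if vendor == 999 and role == "Controller":
        return "devices with vendor 999 cannot be Controllers (misconfigured or misclassified?)"


POLICIES = (("policy", no_field_device_writes), ("consistency", vendor_role_consistent))


def detect(events, roles, vendors, profiles):
    """Run the learned role model and the policies over per-device hourly counts.
    Each alert names the role so an operator can interpret it."""
    alerts = []
    for row in events:
        dev = row["device"]
        role, vendor = roles.get(dev), vendors.get(dev)
        if role is None:
            alerts.append({"device": dev, "role": None, "check": "unknown",
                           "reason": "device has no inferred role"})
            continue
        for svc, (lo, hi) in profiles.get(role, {}).items():
            n = row.get(svc, 0)
            if not lo <= n <= hi:
                alerts.append({"device": dev, "role": role, "check": "rate",
                               "reason": f"{n} {svc}/h, learned {role} range is [{lo}, {hi}]"})
        for check, policy in POLICIES:
            reason = policy(role, vendor, row)
            if reason:
                alerts.append({"device": dev, "role": role, "check": check, "reason": reason})
    return alerts


# Constructed test hour: benign traffic plus the two attack scenarios from the slides.
EVENTS = [
    {"device": 1, "ReadProperty": 30, "WriteProperty": 2},  # benign Controller
    {"device": 7, "ReadProperty": 300},                     # new Controller snooping
    {"device": 5, "WriteProperty": 1},                      # Field Device tampering
    {"device": 8, "ReadProperty": 10},                      # vendor/role inconsistency
    {"device": 9, "ReadProperty": 1},                       # not in the inventory at all
]


def run_example():
    return detect(EVENTS, ROLE, VENDOR, learn_role_profiles(TRAIN, ROLE))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The learned Controller range for ReadProperty comes out as [0, 60], matching the slide's rule of thumb; the snooping Controller trips it without ever having been seen in training, and the tampering Field Device trips both the learned model and the explicit policy, which is the alert an operator can act on directly.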
[Figure: testbed with Wago 750-831 (Controller), FS-QS-1010 (Router), BMT-DIO 4/2, BMT-AI 8 and BMT-AO 4, Wago BACnet Configurator (Workstation) and Mango Automation (Workstation); links labelled BACnet/IP and BACnet MS/TP; our solution runs on a Raspberry Pi]
[3] D. Fauri et al., “Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems”, CRITIS ‘18
Evaluation of our IDS on the real-life dataset showed good results for usability (~6.4 FP/h) and adaptability to new devices (~0.1 FP/h increase after cross validation)
Conclusion
• We propose the use of high-level attributes (e.g. roles) for enriching situational awareness in heterogeneous systems;
• Roles improve actionability of alerts and adaptability of detection systems;
• We intend to improve the granularity of this approach, and extend it to other domains (e.g. ICS) or other attributes