
Using Machine Learning to Find Anomalies in Field Bus Network Traffic

  • Conference paper
  • Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2019)

Abstract

Devices for building automation are often connected by field buses. Typically, neither encryption nor authentication is available, so the transmitted data can be read by anyone connected to the bus. This problem gave rise to the idea of developing an intrusion detection system. Because there is little information about previous attacks on building automation, a pattern-based IDS is not feasible. Unsupervised machine learning algorithms should be able to find anomalies automatically and trigger an alarm in case of an intrusion. A concept for creating such an IDS is presented here. For the analysis of the feature space, local outlier factor, support vector machines and entropy analysis were used. The occurring addresses were also monitored.

Some of the tested attack scenarios could be detected. Attacks that injected traffic massively were found by nearly all four tested modules, while more cautious ones were not detected.
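The abstract names two of the detection modules, entropy analysis and address monitoring, but does not show how they behave on traffic. The following is an added example written for this page, not code from the paper or from the authors' BAS-observe project: it learns a baseline entropy of the per-window source-address distribution from constructed attack-free windows, keeps a watch list of addresses seen during training, and scores two constructed windows. The KNX-style "area.line.device" address strings, the window contents, the 3-sigma rule and the 0.1-bit floor are all illustrative assumptions; the result mirrors the abstract's observation that a massive injection is easy to flag while a cautious one that spoofs a known address barely moves the statistics.

```python
from collections import Counter
from math import log2
from statistics import mean, pstdev

# --- Constructed sample data (illustrative, not from the paper) -------------
# A window is the list of source addresses seen in one time slice on the bus.
# KNX-style "area.line.device" strings are an assumption for readability.
def _window(counts):
    """Expand {address: telegram_count} into a flat list of source addresses."""
    return [addr for addr, n in counts.items() for _ in range(n)]

TRAINING_WINDOWS = [
    _window({"1.1.1": 6, "1.1.2": 5, "1.1.3": 5, "1.1.4": 4}),
    _window({"1.1.1": 5, "1.1.2": 5, "1.1.3": 5, "1.1.4": 5}),
    _window({"1.1.1": 4, "1.1.2": 6, "1.1.3": 5, "1.1.4": 5}),
    _window({"1.1.1": 5, "1.1.2": 4, "1.1.3": 6, "1.1.4": 5}),
]
# Massive injection: 80 telegrams from a device never seen during training.
FLOOD_WINDOW = _window({"1.1.1": 5, "1.1.2": 5, "1.1.3": 5, "1.1.4": 5, "1.1.99": 80})
# Cautious injection: a single extra telegram using an already known address.
CAUTIOUS_WINDOW = _window({"1.1.1": 5, "1.1.2": 6, "1.1.3": 5, "1.1.4": 4})


def shannon_entropy(items):
    """Shannon entropy in bits of the empirical distribution over `items`."""
    counts = Counter(items)
    n = len(items)
    return -sum((c / n) * log2(c / n) for c in counts.values())


class EntropyAddressMonitor:
    """Unsupervised monitor combining two ideas from the abstract:
    (1) entropy of the source-address distribution per window, compared with a
        baseline learned from attack-free traffic, and
    (2) a watch list of addresses observed during training."""

    def __init__(self, k=3.0, floor_bits=0.1):
        self.k = k                    # baseline std-devs that count as anomalous
        self.floor_bits = floor_bits  # minimum deviation to alarm on; prevents
                                      # alarm storms when baseline variance is ~0
        self.known_addresses = set()
        self.mu = 0.0
        self.sigma = 0.0

    def fit(self, windows):
        """Learn the address watch list and the entropy baseline (mean, std)."""
        self.known_addresses = {a for w in windows for a in w}
        entropies = [shannon_entropy(w) for w in windows]
        self.mu = mean(entropies)
        self.sigma = pstdev(entropies)
        return self

    def score(self, window):
        """Score one window: entropy deviation alarm plus unknown addresses."""
        h = shannon_entropy(window)
        deviation = abs(h - self.mu)
        threshold = max(self.k * self.sigma, self.floor_bits)
        return {
            "entropy_bits": h,
            "entropy_alarm": deviation > threshold,
            "unknown_addresses": sorted(set(window) - self.known_addresses),
        }


def run_demo():
    """Fit on the constructed baseline and score both constructed test windows."""
    monitor = EntropyAddressMonitor().fit(TRAINING_WINDOWS)
    return {
        "flood": monitor.score(FLOOD_WINDOW),
        "cautious": monitor.score(CAUTIOUS_WINDOW),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The flood window trips both checks: its entropy drops from roughly 2 bits to about 1.12 bits because one source dominates, and the source 1.1.99 is outside the watch list. The cautious window trips neither, since it spoofs a known address and its address distribution is one already seen in training; this is the blind spot the abstract reports, and the practical reason to combine several modules rather than rely on one statistic.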



Author information

Corresponding author: Johannes Goltz


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Peters, M., Goltz, J., Wiedenmann, S., Mundt, T. (2019). Using Machine Learning to Find Anomalies in Field Bus Network Traffic. In: Wang, G., Feng, J., Bhuiyan, M., Lu, R. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2019. Lecture Notes in Computer Science, vol 11611. Springer, Cham. https://doi.org/10.1007/978-3-030-24907-6_26

  • DOI: https://doi.org/10.1007/978-3-030-24907-6_26
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-24906-9
  • Online ISBN: 978-3-030-24907-6
  • eBook Packages: Computer Science (R0)
