Role Inference + Anomaly Detection = Situational Awareness in BACnet - - PowerPoint PPT Presentation


Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M. Kapsalakis, D. R. dos Santos, E.Costante, J. den Hartog, S. Etalle Gothenburg, Sweden DIMVA 2019 - 16th Conference on Detection of Intrusions and


SLIDE 1

Gothenburg, Sweden – DIMVA 2019 - 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment

  • D. Fauri, M. Kapsalakis, D. R. dos Santos, E.Costante, J. den Hartog, S. Etalle

Role Inference + Anomaly Detection = Situational Awareness in BACnet networks

SLIDE 2

Building Automation Systems (BAS)

Role Inference + Anomaly Detection = Situational Awareness in BACnet Networks - D.Fauri et al. 2

  • They manage HVAC, video surveillance, access control, lighting, elevators…
  • Usually across many buildings and many different networks (but interoperability exists, e.g. BACnet)
  • They can be managed remotely
  • They can be attacked remotely

Icons made by Freepik from www.flaticon.com

SLIDE 3

Situational Awareness in BAS

Cyber Situational Awareness is structured in three subsuming levels [1]:


1) Basic perception of important data:

e.g., presence of devices in a network, device configuration, device behavior, alerts raised by IDS, system specification

2) Interpretation and combination of data into knowledge:

e.g., search a device’s FW version in a CVE database, recognize if a raised alert is a false alarm or not

3) Ability to predict future events and their implications:

e.g., assess the risk of a vulnerability, decide if an alert should be acted upon

[Figure: the three levels as a chain 1 Perceive → 2 Comprehend → 3 Project, followed by Resolve]

[1] M. Endsley, “Design and Evaluation for Situation Awareness Enhancement”, 1988

SLIDE 4

Anomaly Detection != Situational Awareness


Learning-based anomaly detection deals better with BAS heterogeneity, but:

  • Alerts are not actionable per se: we need meaningful context information
  • Learned models are specific to each device: there is no grouping into semantically equivalent classes

SLIDE 5

Role Inference

We propose to infer high-level attributes from observed data.

  • Ex. the role of a device represents its functional behavior in the network

Understandability is improved:

The role provides meaningful context information to interpret a device’s [anomalous] behavior

Adaptability is improved:

When a new device appears on the network, we can apply rules and models based on the device’s role


SLIDE 6

BACnet Profiles and Profile Families

BACnet standard already has device Profiles, but:

  • the profile of a device cannot be read from the network;
  • they are based on application domain, not on functional behavior;
  • the profile in the specification may not correspond to the behavior in real life [2].

Thus, we define behavioral roles based on the functional levels in BAS architecture

BACnet Profile Family       Behavioral Role
Controller                  Controller, Field Device
Lighting Control Stations   Controller
Lighting Controllers        Field Device
Miscellaneous               Router, Field Device


[2] H. Esquivel-Vargas, “Automatic deployment of specification-based intrusion detection in the BACnet protocol”, 2017

SLIDE 7

Behavioral Roles


  • Workstation: e.g. store historical data, inform operators, adjust setpoints
  • Router: interconnect devices from two or more networks
  • Controller: e.g. execute the main logic processes, interact with Field Devices via read/write
  • Field Device: interact with the physical environment; they can be connected directly to Controllers, or talk BACnet

[Figure: hierarchy of Workstations (W) above Routers (R) and Controllers (C), with Field Devices (FD) at the bottom]

SLIDE 8

Using roles for Situational Awareness


[Figure: system pipeline. Network Traffic → BACnet Parser → Message Fields → Inventory Builder → Device Description → Role Classifier → Device Role → Role-based intrusion detection → Alert. The Inventory Builder also feeds a Dynamic Network Map (Situational Awareness), and the roles make the detection adaptable (Adaptable Intrusion Detection).]

SLIDE 9

Dynamic Network Map


SLIDE 10

Inventory Builder


We extract information from the payload of observed BACnet messages:

  • Unique ID
  • Object Name
  • Vendor Name
  • Model Name
  • FW Version
  • Location
  • Data Link Layer
  • Is a BBMD
  • Is a Foreign Device

These fields serve two purposes: to uniquely identify a device, and to describe it (configuration, location, etc.)

SLIDE 11

Role Classifier

We infer roles with two techniques:

Heuristics-based classification (HBC):

We classify devices by checking if their observed behavior contains patterns unique to a role:

  • Only Workstation devices should initiate a WritePropertyMultiple request
  • Only Routers forward messages from other networks

Distance-based classification (DBC):

We classify remaining devices by their distance to previously classified devices, using:

  • Vendor ID
  • Model Name
  • Data Link Layer type
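The two-stage classifier described on this slide, as an added Python example that is not the authors' code. It assumes Device Descriptions in the shape of slide 10, takes the two HBC patterns from this slide, and adds two further HBC rules that are assumptions: a device that initiates ReadProperty/WriteProperty requests is treated as a Controller (following slide 7), and a sufficiently observed device that initiates nothing as a Field Device. Any device seen in fewer than MIN_OBSERVATIONS messages (also an assumption) is left to DBC, which copies the role of the nearest already-classified device under an equal-weight mismatch count over Vendor ID, Model Name and Data Link Layer. Device IDs, vendor IDs, model names and message counts are constructed.

```python
from dataclasses import dataclass

# Behavioral roles from slide 7.
WORKSTATION, ROUTER, CONTROLLER, FIELD_DEVICE = "Workstation", "Router", "Controller", "Field Device"

# Assumption (not on the slides): a device must have been seen in at least this many
# messages before its observed behaviour is considered representative enough for HBC.
MIN_OBSERVATIONS = 50


@dataclass
class Device:
    """Device Description as the Inventory Builder would assemble it from I-Am and
    ReadProperty payloads. All values used below are constructed samples."""
    device_id: int                             # BACnet device instance (the Unique ID of slide 10)
    vendor_id: int
    model_name: str
    data_link: str                             # "BACnet/IP" or "BACnet MS/TP"
    observed_msgs: int = 0                     # messages seen with this device as source
    services_sent: frozenset = frozenset()     # confirmed-request services it initiated
    forwards_other_net: bool = False           # forwarded NPDUs originating on another network


def heuristic_role(dev):
    """HBC: assign a role only when observed behaviour shows a pattern unique to it.
    Returns None for devices that must be left to DBC."""
    if dev.observed_msgs < MIN_OBSERVATIONS:
        return None                            # too little evidence: defer to DBC
    if "writePropertyMultiple" in dev.services_sent:
        return WORKSTATION                     # slide 11: only Workstations initiate WritePropertyMultiple
    if dev.forwards_other_net:
        return ROUTER                          # slide 11: only Routers forward messages from other networks
    if dev.services_sent & {"readProperty", "writeProperty"}:
        return CONTROLLER                      # assumption from slide 7: Controllers drive Field Devices via read/write
    return FIELD_DEVICE                        # assumption: only ever answers, never initiates requests


def distance(a, b):
    """DBC distance: number of mismatches over the three attributes named on slide 11."""
    return (a.vendor_id != b.vendor_id) + (a.model_name != b.model_name) + (a.data_link != b.data_link)


def classify(devices):
    """HBC first, then DBC against the HBC-labelled set.
    Returns {device_id: (role, "HBC" | "DBC")}."""
    labels = {}
    for d in devices:
        role = heuristic_role(d)
        if role is not None:
            labels[d.device_id] = (role, "HBC")
    reference = [d for d in devices if d.device_id in labels]
    for d in devices:
        if d.device_id in labels:
            continue
        if not reference:
            raise ValueError("DBC needs at least one HBC-classified device")
        # nearest previously classified device; ties broken by lowest device_id for determinism
        nearest = min(reference, key=lambda r: (distance(d, r), r.device_id))
        labels[d.device_id] = (labels[nearest.device_id][0], "DBC")
    return labels


# Constructed sample inventory (IDs, vendors, models and counts are made up).
SAMPLE_DEVICES = [
    Device(1, 100, "OWS-1", "BACnet/IP", 500, frozenset({"readProperty", "writePropertyMultiple"})),
    Device(2, 200, "RTR-1", "BACnet/IP", 300, frozenset(), True),
    Device(3, 300, "CTRL-7", "BACnet/IP", 800, frozenset({"readProperty", "writeProperty"})),
    Device(4, 300, "IO-8", "BACnet MS/TP", 400),
    Device(5, 300, "CTRL-7", "BACnet/IP", 3),      # just appeared: only its I-Am has been seen
    Device(6, 300, "IO-4", "BACnet MS/TP", 2),     # just appeared on MS/TP, same vendor as device 4
]

if __name__ == "__main__":
    for dev_id, (role, how) in sorted(classify(SAMPLE_DEVICES).items()):
        print(f"device {dev_id}: {role} ({how})")
```

Devices 5 and 6 show the adaptability argument of slide 5: neither has produced enough traffic for HBC, so DBC attaches them to the Controller and Field Device they most resemble, and the role-based rules for those classes apply to them from the moment they appear. A wrong attachment here is precisely what the consistency checks of the IDS are meant to surface.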


SLIDE 12

We evaluated discovery and classification on a real-life dataset from a university campus (106 GB, 9 days of traffic, ~20 million BACnet packets)

  • HBC+DBC discovers all devices
  • One misclassification: a Workstation had behavior consistent with a Controller
  • Using this model for intrusion detection, the Workstation might raise false alerts (but the role helps interpret them)

Classification Results


Dataset 2

Role          Ground truth   HBC (classified / TP / FP)   HBC + DBC (classified / TP / FP)
Controller    219            213 / 212 / 1                220 / 219 / 1
Router         21             21 /  21 / 0                 21 /  21 / 0
Workstation     1              - /   - / -                  - /   - / -
Total         241            234 / 233 / 1                241 / 240 / 1

SLIDE 13


Role-based Intrusion Detection

Roles (and other high-level attributes) can be used as features for different IDS modules:

  • Learning role-based behavior:
    “All Controllers send between 0 and 60 ReadProperty requests per hour”
  • Specifying attribute-based policies and consistency checks (*):
    “Field Devices cannot initiate WriteProperty requests”
    “Devices with Vendor XYZ cannot be Controllers”

(*) Consistency checks help in finding misconfigured or misclassified devices


SLIDE 14

Intrusion Detection Results

We extend previous results [3] by detecting two previously undetected attacks:

  • Snooping by new Controller: it sends abnormally many ReadProperty requests for its role
  • Tampering by Field Device: it sends a WriteProperty request

[Figure: testbed. On BACnet/IP: Wago 750-831 (Controller), Wago BACnet Configurator (Workstation), Mango Automation (Workstation) and our solution on a Raspberry Pi; FS-QS-1010 (Router) connects to the BACnet MS/TP devices BMT-DIO 4/2, BMT-AI 8 and BMT-AO 4]

[3] D. Fauri et al., “Leveraging Semantics for Actionable Intrusion Detection in Building Automation Systems”, CRITIS ‘18


Evaluation of our IDS on the real-life dataset showed good results for usability (~6.4 FP/h) and adaptability to new devices (~0.1 FP/h increase after cross validation)
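The three role-based IDS modules of slide 13, run over traffic containing the two attacks of slide 14, as an added Python example that is not the authors' IDS. The learned Controller rate rule and the two policy statements are taken from slide 13; the (role, service) → (min, max) per-hour table shape, the alert format, vendor ID 999 standing in for "Vendor XYZ", and the entire inventory and message list below are constructed.

```python
from collections import Counter

# Learned role-based behaviour. Slide 13 states the Controller/ReadProperty rule;
# keying it as (role, service) -> (min, max) requests per hour is this example's choice.
RATE_LIMITS = {("Controller", "readProperty"): (0, 60)}

# Attribute-based policy from slide 13: Field Devices cannot initiate WriteProperty.
FORBIDDEN_SERVICES = {("Field Device", "writeProperty")}

# Consistency check from slide 13 ("Devices with Vendor XYZ cannot be Controllers");
# vendor ID 999 is a constructed stand-in for Vendor XYZ.
VENDOR_ROLE_EXCLUSIONS = {(999, "Controller")}


def detect(messages, inventory):
    """Run the three role-aware checks.

    messages:  iterable of (unix_ts, src_device_id, service) for confirmed requests
               initiated by src, i.e. what the BACnet Parser hands over.
    inventory: {device_id: {"role": str, "vendor_id": int}} from the Role Classifier.
    Returns a list of alert dicts; each alert carries the device's role so that an
    operator has the context needed to interpret it."""
    alerts = []
    per_hour = Counter()
    for ts, src, service in messages:
        info = inventory.get(src)
        if info is None:
            alerts.append({"type": "unknown-device", "device": src, "role": None,
                           "detail": f"{service} request from a device not in the inventory"})
            continue
        role = info["role"]
        if (role, service) in FORBIDDEN_SERVICES:
            alerts.append({"type": "policy", "device": src, "role": role,
                           "detail": f"{role} initiated {service}"})
        per_hour[(src, role, service, ts // 3600)] += 1

    # Learned behaviour: compare each device's hourly count with the range learned for its role.
    for (src, role, service, hour), n in per_hour.items():
        if (role, service) in RATE_LIMITS:
            lo, hi = RATE_LIMITS[(role, service)]
            if not lo <= n <= hi:
                alerts.append({"type": "rate", "device": src, "role": role,
                               "detail": f"{n} {service}/h in hour {hour}; learned range for {role} is [{lo}, {hi}]"})

    # Consistency: attribute combinations that cannot occur in a correct inventory.
    for dev, info in inventory.items():
        if (info["vendor_id"], info["role"]) in VENDOR_ROLE_EXCLUSIONS:
            alerts.append({"type": "consistency", "device": dev, "role": info["role"],
                           "detail": f"vendor {info['vendor_id']} devices cannot be {info['role']}: "
                                     "misconfigured or misclassified"})
    return alerts


# Constructed inventory and traffic (no real capture data). Hour 0 starts at timestamp 0.
SAMPLE_INVENTORY = {
    3: {"role": "Controller", "vendor_id": 300},
    4: {"role": "Field Device", "vendor_id": 300},
    5: {"role": "Controller", "vendor_id": 300},   # newly appeared Controller
    7: {"role": "Controller", "vendor_id": 999},   # vendor that never ships Controllers
}
SAMPLE_MESSAGES = (
    [(i * 300, 3, "readProperty") for i in range(12)]      # 12 ReadProperty/h: normal polling
    + [(i * 40, 5, "readProperty") for i in range(90)]     # 90 ReadProperty/h: snooping by the new Controller
    + [(1800, 4, "writeProperty")]                         # Field Device writes a property: tampering
    + [(i * 600, 7, "readProperty") for i in range(6)]     # behaviour fine, inventory entry inconsistent
)

if __name__ == "__main__":
    for a in detect(SAMPLE_MESSAGES, SAMPLE_INVENTORY):
        print(f"[{a['type']}] device {a['device']} (role: {a['role']}): {a['detail']}")
```

Device 3 polls at a rate inside the learned Controller range and raises nothing; device 5 exceeds it and is reported together with its role and the range it violated, which is what makes the alert actionable rather than a bare anomaly score. The consistency alert on device 7 fires from the inventory alone, before any traffic, which is how a misclassified device such as the Workstation of slide 12 would be surfaced.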

SLIDE 15

Conclusion

  • We propose the use of high-level attributes (ex. roles) for enriching situational awareness in heterogeneous systems;
  • Roles improve actionability of alerts and adaptability of detection systems;
  • We intend to improve the granularity of this approach, and extend it to other domains (ex. ICS) or other attributes
