The University of Arizona

Anomaly Behavior Analysis for Building Automation Systems

By Zhiwen Pan

Figure 1 Advances in mobile and pervasive computing, electronics technology, and the exponential growth in Internet applications and services extends Cloud computing and services to the edge of the network that we refer to as the Fog computing. Since Fog host services at network edge, its advantages include low service latency, high quality of services, support for mobility, awareness of location, and easier implementation of security measures. Building automation Systems (BAS) is an important service for IoT and Fog computing. BAS aim at integrating building equipment with sensors, actuators, and control devices to achieve reliable and efficient operations, and to significantly reduce operational costs. Its implementations range from services for occupants’ comfort to critical services such as fire detection, physical access control, and power management. A recent trend of BAS is to construct interconnection between smart buildings and off-site partners such as equipment vendors, and energy service contractors, so that those smart infrastructures can work together as Fog assets to ensure reliability. However, with the use IoT techniques in BAS, we are experiencing big challenges to secure and protect such advanced information services due to the significant increase in the attack surface. Even devices which are intended to be completely operated in Local Area Network (LAN) are sometimes likely to be IP connected because of careless configuration or special needs (e.g. they need to be remotely monitored). There is a huge risk that malicious people may compromise these devices, and launch attacks with high impact . Common threats for BAS network (e.g. network sniffing, port scanning, packet injection, replay attack, Man-In-the-Middle, etc. ) can cause disruptions, malfunctions, or even life threatening scenarios, e.g. the fire detection system can be isolates by using a Denial of Service (DoS) attack. Since there is no intrusion detection and prevention available for BAS network, proposing a reliable security mechanism which can monitor the behavior of BAS assets, becomes a major issue.

In this project, we present an intrusion detection system (IDS) for BAS protocols and sensors, based on the concept of anomaly behavior analysis (ABA). In our approach (see figure ), the information from BAS protocol is continuously monitored to extract its features (e.g. packet flow amount, header, payload, etc.) which are used to describe the behavior of BAS assets. The collected features are modeled into two types of data structures: Protocol Context Aware Data Structure (PCADS) and Sensor-DNA (s-DNA). Behavior analysis methods including Discrete Wavelets Transform (DWT) and rule based abnormal behavior analysis are implemented for detecting anomaly BAS behaviors based on the two models.


Jesus Pacheco, Pratik Satam, and Cihan Tunc

go back