Timing attack detection on BACnet via a machine learning approach

Michael N. Johnstone, Matthew Peacock, J. I. den Hartog

Research output: Contribution to conference, Paper, Academic

8 Citations (Scopus)


Building Automation Systems (BAS), alternatively known as Building Management Systems (BMS), which centralise the management of building services, are often connected to corporate networks and are routinely accessed remotely for operational management and emergency purposes. The protocols used in BAS, in particular BACnet, were not designed with security as a primary requirement, thus the majority of systems operate with sub-standard or non-existent security implementations. As intrusion is thus likely easy to achieve, intrusion detection systems should be put in place to ensure intrusions can be detected and mitigated. Existing intrusion detection systems typically deal only with known threats (signature-based approaches) or suffer from a high false positive rate (anomaly-based approaches). In this paper we present an overview of the problem space with respect to BAS, and suggest that state-aware machine learning techniques could be used to discover threats that comprise a collection of legitimate commands. We provide a first step showing that the concept can be used to detect an attack where legitimate write commands sent in rapid succession may cause system failure. We capture the state as a 'time since last write' event and use a basic artificial neural network classifier to detect attacks.

Original language: English
Number of pages: 8
Publication status: Published - 2015
Event: 13th Australian Information Security Management Conference, AISM 2015 - Perth, Australia
Duration: 30 Nov 2015 to 2 Dec 2015


Conference: 13th Australian Information Security Management Conference, AISM 2015


  • Air Conditioning
  • Artificial Neural Networks
  • Building Automation
  • Heating Ventilation
  • Intrusion Detection
  • Security
