Anomaly Detection in BACnet systems
THE-driven Classification Model
Introduction
The THE classification for BACnet traffic data was proposed in the paper titled Safeguarding Building Automation Networks: THE-Driven Anomaly Detector Based on Traffic Analysis by Dr. Zheng and Dr. Reddy. The method involves splitting all network data into three categories:
Time-driven: normally generated by scheduled control programs that trigger service requests according to different timers. Such traffic shows time regularity and is not affected by real-time events on the network.
Human-driven: requests that are directly generated by humans, or issued through control programs on their behalf.
Event-driven: service requests that are generated neither by timers nor by humans. They depend on a broad range of events such as Change-of-Value (COV) on objects, system status changes (normal/offnormal/fault), device failures, received alarms and other service messages.
Referenced from Z. Zheng and A. Reddy, "Safeguarding Building Automation Networks: THE-Driven Anomaly Detector Based on Traffic Analysis", ICCCN, July 2017.
Model Implementation
As part of understanding BACnet traffic, the THE classification helped us decide on two different strategies for our machine learning model: time-driven traffic is treated separately from human- and event-driven requests. In hindsight this is an obvious step, because frequency-based detection of periodic traffic and finding other patterns in the message traffic work somewhat differently from each other in our algorithm.
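As an added illustration of this split (example code written for this page, not the paper's or the project's own model), the block below groups BACnet requests by source and service, labels a stream time-driven when its inter-arrival times are regular, and checks a time-driven stream against its learned period; the sample records, field layout and thresholds are constructed assumptions.

```python
# Added example (not code from the paper or from this page's project): split
# BACnet request streams into time-driven vs. human/event-driven from the
# regularity of inter-arrival times, then check a time-driven stream against
# its learned period. Record layout and thresholds are assumptions.
from statistics import mean, median, pstdev

# Constructed sample: (timestamp in seconds, source device, BACnet service)
SAMPLE = [
    (0.0, "dev-1", "readProperty"), (60.0, "dev-1", "readProperty"),
    (120.0, "dev-1", "readProperty"), (180.0, "dev-1", "readProperty"),
    (240.0, "dev-1", "readProperty"), (300.0, "dev-1", "readProperty"),
    (3.0, "ws-1", "writeProperty"), (41.0, "ws-1", "writeProperty"),
    (45.0, "ws-1", "writeProperty"), (200.0, "ws-1", "writeProperty"),
    (260.0, "ws-1", "writeProperty"),
]

def group_streams(records):
    """Group timestamps by (source, service) into sorted lists."""
    streams = {}
    for ts, src, service in records:
        streams.setdefault((src, service), []).append(ts)
    return {key: sorted(ts) for key, ts in streams.items()}

def interarrivals(timestamps):
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def classify_stream(timestamps, max_cv=0.1, min_gaps=3):
    """'time-driven' when gaps are regular (coefficient of variation
    <= max_cv); otherwise 'human/event-driven'; 'unknown' if too few."""
    gaps = interarrivals(timestamps)
    if len(gaps) < min_gaps or mean(gaps) <= 0:
        return "unknown"
    cv = pstdev(gaps) / mean(gaps)
    return "time-driven" if cv <= max_cv else "human/event-driven"

def learn_period(baseline):
    """Learned period of a time-driven stream: the median gap is robust
    to a stray outlier in the baseline window."""
    return median(interarrivals(baseline))

def period_violations(period, observed, tolerance=0.25):
    """Timestamps in `observed` whose gap from the previous request departs
    from `period` by more than `tolerance` (a missed or extra request)."""
    gaps = interarrivals(observed)
    return [observed[i + 1] for i, g in enumerate(gaps)
            if abs(g - period) > tolerance * period]

def classify_all(records):
    return {key: classify_stream(ts) for key, ts in group_streams(records).items()}
```

Human- and event-driven streams get no period check here; they are the part of the traffic that the other strategy in the algorithm handles.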
Read the Algorithm section for the full picture!