Specification Mining for Intrusion Detection in Networked Control Systems

M. Caselli, Emmanuele Zambon, Johanna Amann, Robin Sommer, Frank Kargl

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    32 Citations (Scopus)
    158 Downloads (Pure)


    This paper discusses a novel approach to specification-based intrusion detection in the field of networked control systems. Our approach reduces the substantial human effort required to deploy a specification-based intrusion detection system by automating the development of its specification rules. We observe that networked control systems often include comprehensive documentation used by operators to manage their infrastructures. Our approach leverages the same documentation to automatically derive the specification rules and continuously monitor network traffic. In this paper, we implement this approach for BACnet-based building automation systems and test its effectiveness against two real infrastructures deployed at the University of Twente and the Lawrence Berkeley National Laboratory (LBNL). Our implementation successfully identifies process control mistakes and potentially dangerous misconfigurations. This confirms the need for improved monitoring of networked control system infrastructures.
    Original language: English
    Title of host publication: Proceedings of the 25th USENIX Security Symposium
    Publisher: USENIX Association
    Number of pages: 16
    ISBN (Print): 978-1-931971-32-4
    Publication status: Published - 2016
    Event: 25th USENIX Security Symposium 2016 - Austin, United States
    Duration: 10 Aug 2016 - 12 Aug 2016
    Conference number: 25


    Conference: 25th USENIX Security Symposium 2016
    Abbreviated title: USENIX Security
    Country/Territory: United States


    • SCS-Cybersecurity
    • EC Grant Agreement nr.: FP7/607093
    • IR-102119
    • METIS-319471
    • EWI-27407

