Context aware intrusion detection for building automation systems

Zhiwen Pan, Salim Hariri, Jesus Pacheco

Research output: Contribution to journalArticlepeer-review

36 Scopus citations


The Internet of Things (IoT) will connect not only computers and mobile devices, but also smart cities, buildings, and homes, as well as electrical grids, gas, and water networks, automobiles, airplanes, etc. IoT will lead to extensive interconnection between Building Automation Systems (BAS) communication protocols and the Internet. The connection to Internet and public networks increases significantly the risk of the BAS networks being attacked, since there's a significant lack of detection and defensive mechanisms for BAS networks. In this paper, we present a framework for a context-aware intrusion detection of a widely deployed Building Automation and Control network. We developed runtime models for service interactions and functionality patterns by modeling the heterogeneous information that is continuously acquired from building assets into a novel BAS context aware data structure. Our IDS performs anomaly based behavior analysis to accurately detect anomalous events triggered by cyber-attacks or any functional failure. An attack classification and severity analysis of detected attacks allow our IDS to automatically launch protective countermeasures. We evaluate our approach in the Smart Building testbed developed at the University of Arizona Center for Cloud and Autonomic Computing, by launching several cyber-attacks that exploit the generic vulnerabilities of BACnet protocol.

Original languageEnglish (US)
Pages (from-to)181-201
Number of pages21
JournalComputers and Security
StatePublished - Aug 2019


  • Context awareness
  • Data mining
  • Internet of Things
  • Intrusion detection
  • Network security
  • Supervised learning

ASJC Scopus subject areas

  • General Computer Science
  • Law


Dive into the research topics of 'Context aware intrusion detection for building automation systems'. Together they form a unique fingerprint.

Cite this