Developing a Comprehensive BACnet Attack Dataset: A Step Towards Improved Cybersecurity in Building Automation Systems

Abstract

With the development of smart buildings, the risks of cyber-attacks against them have also increased. One of the popular and evolving protocols used for communication between devices in smart buildings, especially HVAC systems, is the BACnet protocol. Machine learning algorithms and neural networks require datasets of normal traffic and real attacks to develop intrusion detection (IDS) and prevention (IPS) systems that can detect anomalies and prevent attacks. Real traffic datasets for these networks are often unavailable due to confidentiality reasons. To address this, we propose a framework that uses existing real datasets and converts them into BACnet protocol network traffic with detailed network behaviour. In this method, a virtual machine is prepared for each controller based on real scenarios, and by creating a simulator for the controller on the virtual machine, real data previously collected under real conditions from existing datasets is injected into the network with the same date and time during the simulation. We performed three types of attacks, including Falsifying, Modifying, and covert channel attacks on the network. For covert channel attacks, the message was modelled in three forms: Plain text, hashed using SHA3-256, and encrypted using AES-256. Network traffic was recorded using Wireshark software in pcap format. The advantage of the generated dataset is that since we used real data, the data behaviour aligns with real conditions.