Open Access
ARTICLE
Towards Threat Identification for the BACnet Protocol Using Large Language Models
Hsuan-Chih Ku (1), Jyun-Kai Yang (1), Pang-Wei Tsai (1), Shih-Hsiung Lee (2, *)
(1) Department of Electrical Engineering, National Cheng Kung University, Tainan, Taiwan
(2) Department of Intelligent Commerce, National Kaohsiung University of Science and Technology, Kaohsiung, Taiwan
* Corresponding Author: Shih-Hsiung Lee. Email:
Computers, Materials & Continua https://doi.org/10.32604/cmc.2026.079318
Received 19 January 2026; Accepted 30 April 2026; Published online 25 May 2026
Abstract
With the rapid proliferation of the Industrial Internet of Things (IIoT), Building Automation Systems (BAS) and Industrial Control Systems (ICS) are increasingly exposed to sophisticated cyber threats. Conventional Intrusion Detection Systems (IDS) often encounter significant limitations when addressing emerging or hybrid attack patterns, primarily due to delayed signature updates and high false-positive rates. Meanwhile, existing anomaly detection approaches frequently lack sufficient awareness of the physical domain, making them ineffective in identifying falsification attacks that comply with communication protocol specifications while violating underlying physical laws. To address these challenges, this study proposes a hybrid threat detection architecture that integrates Retrieval-Augmented Generation (RAG) with a Physics Rule Engine. The proposed approach leverages the semantic reasoning capabilities of Large Language Models (LLMs) to enhance protocol-level threat interpretation, while incorporating physical constraints to validate system behavior at the cyber–physical level. The core contribution of this work lies in employing an LLM to transform unstructured BACnet packet data into structured reasoning representations using the DSPy framework. These representations are subsequently examined through physics-based validation rules derived from thermodynamics and fluid mechanics, enabling the detection of attacks that are logically valid at the protocol layer but implausible in the physical domain. This layered verification process effectively reduces spurious alerts and improves detection reliability. Experimental evaluations conducted under various BACnet attack scenarios demonstrate that the proposed system, implemented with the Mistral-7B model, achieves an accuracy of 95.12% and an F1-score of 96.0%. Compared with a baseline LLM-only approach without physical validation, the proposed method significantly lowers the false-positive rate. Moreover, the system is capable of automatically generating evidence chains that support explainable security forensics, thereby enhancing situational awareness for security operators. The results of this study suggest that the integration of domain knowledge with generative AI constitutes a promising and effective strategy for strengthening the resilience of critical cyber–physical infrastructures.
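To make the "valid at the protocol layer but implausible in the physical domain" idea concrete, the following is an added Python example (not the paper's code) of a toy Physics Rule Engine run over structured BACnet observations of the kind the LLM stage would emit, returning each finding with the observations that form its evidence chain. The BACnet object identifiers, the two rules and their thresholds, and the trace are all constructed assumptions, not values from the paper.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """One structured record as the LLM stage might produce from a BACnet packet.
    Fields and values are constructed for this example."""
    t: float        # seconds since start of the trace
    obj: str        # BACnet object identifier, e.g. "analog-input,1"
    value: float    # present-value carried by the packet
    service: str = "ReadPropertyAck"

@dataclass
class Finding:
    rule: str
    evidence: list  # observations that together violate the rule (evidence chain)

def check_temperature_rate(obs, max_rate_c_per_s=0.05):
    """Thermodynamic rule (hypothetical threshold): the supply-air temperature on
    analog-input,1 cannot change faster than the conditioned volume can be heated."""
    findings = []
    temps = sorted((o for o in obs if o.obj == "analog-input,1"), key=lambda o: o.t)
    for a, b in zip(temps, temps[1:]):
        if b.t > a.t and abs(b.value - a.value) / (b.t - a.t) > max_rate_c_per_s:
            findings.append(Finding("temp-rate", [a, b]))
    return findings

def check_flow_without_pump(obs):
    """Fluid-mechanics rule (hypothetical mapping): nonzero chilled-water flow on
    analog-input,2 is implausible while the pump on binary-output,3 reads inactive (0)."""
    findings, pump = [], None
    for o in sorted(obs, key=lambda o: o.t):
        if o.obj == "binary-output,3":
            pump = o
        elif o.obj == "analog-input,2" and pump is not None and pump.value == 0 and o.value > 0:
            findings.append(Finding("flow-without-pump", [pump, o]))
    return findings

def run_engine(obs):
    """Apply every rule; each finding carries its own evidence chain."""
    return check_temperature_rate(obs) + check_flow_without_pump(obs)

# Constructed trace: benign readings plus two protocol-valid but physically implausible ones.
TRACE = [
    Observation(0.0, "analog-input,1", 18.0),
    Observation(60.0, "analog-input,1", 18.5),
    Observation(61.0, "analog-input,1", 40.0, "WriteProperty"),  # +21.5 C in one second
    Observation(0.0, "binary-output,3", 0.0),                    # pump reported off
    Observation(30.0, "analog-input,2", 12.5),                   # yet 12.5 L/s of flow
]

if __name__ == "__main__":
    for f in run_engine(TRACE):
        print(f.rule, [(e.t, e.obj, e.value, e.service) for e in f.evidence])
```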
Keywords
Threat identification; BACnet protocol; large language models