@Article{cmc.2026.079318,
AUTHOR = {Hsuan-Chih Ku, Jyun-Kai Yang, Pang-Wei Tsai, Shih-Hsiung Lee},
TITLE = {Towards Threat Identification for the BACnet Protocol Using Large Language Models},
JOURNAL = {Computers, Materials \& Continua},
VOLUME = {},
YEAR = {},
NUMBER = {},
PAGES = {{pages}},
URL = {http://www.techscience.com/cmc/online/detail/26961},
ISSN = {1546-2226},
ABSTRACT = {With the rapid proliferation of the Industrial Internet of Things (IIoT), Building Automation Systems (BAS) and Industrial Control Systems (ICS) are increasingly exposed to sophisticated cyber threats. Conventional Intrusion Detection Systems (IDS) often encounter significant limitations when addressing emerging or hybrid attack patterns, primarily due to delayed signature updates and high false-positive rates. Meanwhile, existing anomaly detection approaches frequently lack sufficient awareness of the physical domain, making them ineffective in identifying falsification attacks that comply with communication protocol specifications while violating underlying physical laws. To address these challenges, this study proposes a hybrid threat detection architecture that integrates Retrieval-Augmented Generation (RAG) with a Physics Rule Engine. The proposed approach leverages the semantic reasoning capabilities of Large Language Models (LLMs) to enhance protocol-level threat interpretation, while incorporating physical constraints to validate system behavior at the cyber–physical level. The core contribution of this work lies in employing an LLM to transform unstructured BACnet packet data into structured reasoning representations using the DSPy framework. These representations are subsequently examined through physics-based validation rules derived from thermodynamics and fluid mechanics, enabling the detection of attacks that are logically valid at the protocol layer but implausible in the physical domain. This layered verification process effectively reduces spurious alerts and improves detection reliability. Experimental evaluations conducted under various BACnet attack scenarios demonstrate that the proposed system, implemented with the Mistral-7B model, achieves an accuracy of 95.12% and an F1-score of 96.0%. Compared with a baseline LLM-only approach without physical validation, the proposed method significantly lowers the false-positive rate. Moreover, the system is capable of automatically generating evidence chains that support explainable security forensics, thereby enhancing situational awareness for security operators. The results of this study suggest that the integration of domain knowledge with generative AI constitutes a promising and effective strategy for strengthening the resilience of critical cyber–physical infrastructures.},
DOI = {10.32604/cmc.2026.079318}
}