Decoding BACnet Packets: A Large Language Model Approach for Packet Interpretation

Rashi Sharma, Hiroyuki Okada, Tatsumi Oba, Karthikk Subramanian, Naoto Yanai, Sugiri Pranata

TL;DR

The paper tackles the challenge of explaining ICS BACnet traffic to SOC analysts by generating readable per-packet summaries. It introduces a Retrieval-Augmented Generation (RAG) pipeline that preprocesses BACnet packets, maps device information, and fuses service-database context with FAISS-based retrieval to condition an LLM-generated packet summary. Key contributions include the end-to-end architecture, dual-context extraction (service and RAG), and empirical evaluation via human judgments showing improved informativeness with preserved accuracy. The work enables faster triage, better analyst training, and clearer reporting, with potential to extend beyond BACnet to other ICS protocols and to incorporate IDS-related context.

Abstract

The Industrial Control System (ICS) environment encompasses a wide range of intricate communication protocols, posing substantial challenges for Security Operations Center (SOC) analysts tasked with monitoring, interpreting, and addressing network activities and security incidents. Conventional monitoring tools and techniques often struggle to provide a clear understanding of the nature and intent of ICS-specific communications. To enhance comprehension, we propose a software solution powered by a Large Language Model (LLM). This solution, currently focused on the BACnet protocol, processes packet file data and extracts context using a mapping database and contemporary context retrieval methods for Retrieval Augmented Generation (RAG). The processed packet information, combined with the extracted context, serves as input to the LLM, which generates a concise packet file summary for the user. The software delivers a clear, coherent, and easily understandable summary of network activities, enabling SOC analysts to better assess the current state of the control system.
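The preprocessing and mapping stage described above (packet decoding, then mapping of device and service information into context for the LLM) is easier to picture with concrete bytes. The following is an added example, not the paper's code: it decodes a BACnet/IP frame through the BVLC, NPDU and APDU layers, resolves service choice, object type and property identifier through small lookup tables that stand in for the paper's service database, resolves IP addresses through a constructed device map, and emits a deterministic one-line summary in place of the LLM step. Enumeration values follow the BACnet standard (ASHRAE 135); the device names and the three sample frames are constructed for illustration.

```python
"""Decode a BACnet/IP frame into the per-packet context a summariser would hand to an LLM.
Added example, not the paper's code: enumeration names follow the BACnet standard (ASHRAE 135);
the device map and the sample frames are constructed for illustration."""
import struct

# Subsets of the standard's enumerations, a stand-in for the paper's service database.
CONFIRMED = {5: "subscribeCOV", 12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
             16: "writePropertyMultiple", 17: "deviceCommunicationControl", 20: "reinitializeDevice"}
UNCONFIRMED = {0: "i-Am", 1: "i-Have", 2: "unconfirmedCOVNotification", 7: "who-Has", 8: "who-Is"}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value", 3: "binary-input",
                4: "binary-output", 5: "binary-value", 8: "device"}
PROPERTIES = {75: "object-identifier", 76: "object-list", 77: "object-name", 85: "present-value"}
PDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "Simple-ACK", 3: "Complex-ACK",
             5: "Error", 6: "Reject", 7: "Abort"}
# Constructed device map (IP -> analyst-facing name), standing in for the device-information mapping.
DEVICE_MAP = {"192.168.10.5": "BMS workstation", "192.168.10.20": "AHU-1 controller"}


def _tag(buf, pos):
    """One tag header -> (tag number, is_context, length or 6=opening/7=closing, next pos).
    Extended tag numbers (15) and extended lengths (5) are rejected rather than guessed."""
    b = buf[pos]
    tag, is_ctx, lvt = b >> 4, bool(b & 0x08), b & 0x07
    if tag == 15 or lvt == 5:
        raise ValueError("extended tag number/length not handled")
    return tag, is_ctx, lvt, pos + 1


def _read_property_params(buf):
    """ReadProperty parameters: object id (ctx tag 0), property id (ctx tag 1), ack value (tag 3)."""
    tag, ctx, ln, pos = _tag(buf, 0)
    if not (ctx and tag == 0 and ln == 4):
        raise ValueError("expected context tag 0 (object identifier)")
    oid = struct.unpack_from(">I", buf, pos)[0]            # 10-bit object type, 22-bit instance
    out = {"object": f"{OBJECT_TYPES.get(oid >> 22, oid >> 22)},{oid & 0x3FFFFF}"}
    tag, ctx, ln, pos = _tag(buf, pos + 4)
    if not (ctx and tag == 1):
        raise ValueError("expected context tag 1 (property identifier)")
    prop = int.from_bytes(buf[pos:pos + ln], "big")
    out["property"] = PROPERTIES.get(prop, str(prop))
    pos += ln
    if pos < len(buf):                                     # Complex-ACK: value between opening/closing tag 3
        tag, ctx, ln, pos = _tag(buf, pos)
        if ctx and tag == 3 and ln == 6:
            atag, _, aln, pos = _tag(buf, pos)             # application-tagged value
            raw = buf[pos:pos + aln]
            out["value"] = struct.unpack(">f", raw)[0] if atag == 4 else raw.hex()   # 4 = REAL
    return out


def decode_bacnet_ip(frame, src_ip, dst_ip):
    """BVLC -> NPDU -> APDU; returns the context dict that conditions the packet summary."""
    if frame[0] != 0x81 or struct.unpack_from(">H", frame, 2)[0] != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame (BVLC type/length)")
    bvlc_func, version, control, pos = frame[1], frame[4], frame[5], 6
    if version != 1 or control & 0x80:
        raise ValueError("unsupported NPDU version or network-layer message")
    dnet = None
    if control & 0x20:                  # destination specifier: DNET, DLEN, DADR
        dnet, pos = struct.unpack_from(">H", frame, pos)[0], pos + 3 + frame[pos + 2]
    if control & 0x08:                  # source specifier: SNET, SLEN, SADR
        pos += 3 + frame[pos + 2]
    if dnet is not None:                # hop count is present only with a DNET
        pos += 1
    apdu, pdu_type = frame[pos:], frame[pos] >> 4
    if pdu_type in (0, 3) and apdu[0] & 0x08:
        raise ValueError("segmented APDU not handled")
    ctx = {"src": DEVICE_MAP.get(src_ip, src_ip), "dst": DEVICE_MAP.get(dst_ip, dst_ip),
           "pdu_type": PDU_TYPES.get(pdu_type, str(pdu_type)), "service": None,
           "broadcast": bvlc_func == 0x0B or dnet == 0xFFFF}
    params = b""
    if pdu_type == 0:                   # type/flags, max-segs/max-APDU, invoke id, service choice
        ctx["invoke_id"], params = apdu[2], apdu[4:]
        ctx["service"] = CONFIRMED.get(apdu[3], f"confirmed-{apdu[3]}")
    elif pdu_type == 1:                 # type, service choice
        ctx["service"], params = UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}"), apdu[2:]
    elif pdu_type in (2, 3):            # type, invoke id, service choice
        ctx["invoke_id"], params = apdu[1], apdu[3:]
        ctx["service"] = CONFIRMED.get(apdu[2], f"confirmed-{apdu[2]}")
    if ctx["service"] == "readProperty":
        ctx.update(_read_property_params(params))
    return ctx


def summarize(ctx):
    """Deterministic stand-in for the LLM step: one analyst-readable line per packet."""
    who = f"{ctx['src']} -> {'broadcast' if ctx['broadcast'] else ctx['dst']}"
    if ctx["service"] == "readProperty":
        tail = f"= {ctx['value']}" if "value" in ctx else "requested"
        return f"{who}: {ctx['pdu_type']} readProperty {ctx['object']} {ctx['property']} {tail}"
    return f"{who}: {ctx['pdu_type']} {ctx['service']}"


# Constructed sample frames (hex as a capture tool shows them): a Who-Is broadcast, a ReadProperty
# request for analog-input 1 present-value, and the Complex-ACK returning the REAL value 42.0.
SAMPLES = [("810b000c0120ffff00ff1008", "192.168.10.5", "192.168.10.255"),
           ("810a001101040005010c0c000000011955", "192.168.10.5", "192.168.10.20"),
           ("810a0017010030010c0c0000000119553e44422800003f", "192.168.10.20", "192.168.10.5")]

if __name__ == "__main__":
    for hexframe, src, dst in SAMPLES:
        print(summarize(decode_bacnet_ip(bytes.fromhex(hexframe), src, dst)))
```

The point a practitioner should take from this is the boundary between the decoder and the language model: the LLM is conditioned only on fields the decoder actually parsed and mapped, and frames the decoder cannot account for (bad BVLC length, segmented APDUs, extended tag encodings) are rejected with an error rather than summarised, so the model never has to guess at bytes it was not given a structure for. In a full pipeline the `ctx` dict is what would be embedded, retrieved against the service database and placed in the prompt.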

Paper Structure (18 sections, 4 figures, 1 table)

Figures (4)

  • Figure 1: RAG Flow
  • Figure 2: Proposed Solution Architecture
  • Figure 3: Mapping device information for all packets in packet file
  • Figure 4: Context extraction for each packet of packet file with two packets