Advanced networking technology and increasing information services have led to extensive interconnection between Building Automation Systems (BAS) communication protocols and Internet, which makes Fog computing service a potential solution for automation of building end devices. However, the connection to Internet and public networks increases significantly the risk of the BAS networks being attacked due mainly to the significant increase in the attack surface. In this paper, we present an anomaly based Intrusion Detection System (IDS) that combines context awareness and Cyber DNA techniques to detect network misbehavior from security and functionality perspectives. We developed runtime models for service interactions and functionality patterns by modeling the information that is continuously acquired from building assets into two novel data structures: Protocol Context Aware and sensor-DNA. Our IDS uses Anomaly Behavior Analysis techniques to accurately detect anomalous events triggered by cyber-attacks or any failure. A classification of detected attacks allow our IDS to automatically launch protective countermeasures. We evaluate our approach in the Smart Building testbed developed at the University of Arizona Center for Cloud and Autonomic Computing, by launching several cyber-attacks that exploit the generic vulnerabilities of BAS.