Article info

Article history: Received 11 September 2022; Received in revised form 15 December 2022; Accepted 28 January 2023; Available online 14 February 2023

Keywords: Anomaly detection; Carrier frequency offset; Federated learning; Industrial IoT; LoRa communication

Abstract

Long Range (LoRa) communications are gaining popularity in the Industrial Internet of Things (IIoT) domain due to their large coverage and high energy efficiency. However, LoRa-enabled IIoT networks are susceptible to cyberattacks mainly due to their wide transmission window and freely operated frequency band. This has led to several categories of cyberattacks. However, existing anomaly detection systems are inefficient in detecting particularly impersonation attacks due to the dense deployment, heterogeneous IIoT devices and manufacturers involved.

In this work, we introduce Hawk, a distributed anomaly detection system for detecting compromised devices in LoRa-enabled IIoT. Hawk first measures a device-type specific physical layer feature, Carrier Frequency Offset (CFO) and then leverages the CFO for fingerprinting the device, and consequently detecting anomalous deviations in the device’s CFO behavior, potentially caused by adversaries. To aggregate the device-type specific CFO behavior profile efficiently, Hawk uses federated learning, a distributed machine learning approach. To the best of our knowledge, Hawk is the first to utilise a federated learning method for anomaly-based intrusion detection in LoRa-enabled IIoT. We perform extensive experiments on a real-world dataset collected using 60 LoRa devices, primarily to assess the effectiveness of Hawk against emerging new and unknown attacks. The results show that Hawk improves the detection accuracy by more than 8% compared to the state-of-the-art solutions. Additionally, Hawk reduces the storage overhead by more than 40%, and exhibits significant robustness against cyberattack.

© 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
https://doi.org/10.1016/j.future.2023.01.021
0167-739X/© 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
S. Halder and T. Newe Future Generation Computer Systems 143 (2023) 322–336
susceptible to tampering or forging. Once an adversary compromises a legitimate IIoT device, it can masquerade as the legitimate IIoT device and launch cyberattacks, e.g., DoS. To defend against cyberattacks, several security schemes use cryptographic mechanisms, like message authentication code [4] and encryption technique [5] in LoRa-enabled networks. Although cryptographic mechanisms are successful to authenticate, it is possible for an adversary to apply reverse engineering for retrieving security keys and launching DoS attacks [6]. Hence, as an alternative to existing cryptographic solutions, Intrusion Detection Systems (IDSs) leveraging radio fingerprinting [1], a non-cryptographic approach, have recently received significant attention to deal with cybersecurity. Radio fingerprinting uses the device-type specific signal imperfections introduced by the radio frequency circuitry in the physical layer [7] to obtain a fingerprint of the IIoT device, which is intrinsic to the analogue device and cannot be imitated by the adversaries. These imperfections include Carrier Frequency Offset (CFO), In-phase and Quadrature (IQ) imbalance, phase error, time–frequency statistics, and power amplifier non-linearity, among others. One of the major benefits of radio fingerprinting based IDS is that it offers security without generating computational overhead on the IIoT devices. This primarily motivates us to design an IDS by leveraging radio fingerprinting in LoRa-enabled IIoT.

In recent years, several intrusion detection schemes were proposed [8,9] by leveraging radio fingerprinting in IIoT. It is worth noting that designed IIoT devices have a well-defined and stable radio signature. However, the features of radio signature change significantly when an IIoT device is compromised [10,11]. Therefore, extracting the feature is the most critical aspect of radio fingerprinting based intrusion detection. Recently, several hand-crafted features have been assumed, including IQ imbalance [12,13], time–frequency statistics [14,15], amplifier non-linear characteristics [16,17] and CFO [18,19], while designing intrusion detection scheme. However, most of these schemes exhibit a high false alarm rate and often need manual modification [20], making it unsuitable in practice. Further, training a model characterizing normal device (we use device and IIoT device interchangeably) behavior is aggravated in the IIoT setting as there are hundreds of IIoT devices, which makes it challenging to detect anomalous behavior that deviates from normal behavior. In this context, we argue that Federated Learning (FL) [21,22] is a suitable tool for distributed training of Machine Learning (ML) model and subsequent detection of anomalous behavior. In FL, every local node uses its locally collected data to train a local model and sends the local model to a central aggregator node. The central aggregator node aggregates the received local models into a global model using a federated average algorithm, and then transmits back the global model to the local nodes. As the local node does not send raw data to the central aggregator node, FL gives us significant privacy benefit [23]. This is specifically critical in IIoT if behavioral data of IIoT devices are compromised, adversaries can profile the production and operational related data of the manufacturing company, hence potentially violating privacy. Further, we can quickly generate an accurate model using FL even for IIoT devices that usually generate data infrequently as central aggregator node aggregates locally trained models.

Contributions. In this paper, we present Hawk, a distributed IDS for detecting compromised devices in LoRa-enabled IIoT. It uses a novel device-type specific radio fingerprint to achieve accurate detection of adversaries. Particularly, Hawk exploits hardware imperfections of IIoT devices, where signals sent by such hardware produce offset in frequency at the receiver and measure fine-grained CFOs of transmitting devices, which are then used to fingerprint the devices. The rationale behind CFO is that it is more reliant on the hardware behavior than channel behavior [24], making it more reliable for smart manufacturing scenarios. Further, the increase in computational complexity is insignificant as fine-grained CFO estimation is commonly an embedded function for signal recovery in LoRa-enabled IIoT. Hawk builds a device-type specific anomaly detection model using FL, which is a baseline of the devices’ normal CFO behavior, based on the extracted fingerprints to achieve accurate detection of attacks. The contributions of this work are as follows:

• To the best of our knowledge, we are the first to present a comprehensive analysis of CFO-based IDS for LoRa-enabled IIoT. Based on our analysis, we design a scalable radio fingerprinting framework based on a deep metric learning-powered CFO extractor.
• We propose Hawk, a novel distributed anomaly-based IDS, which builds device-type specific detection models based on the devices’ normal CFO behavior for detecting the adversary. Hawk is the first to apply FL for aggregating anomaly-detection profiles for detecting the adversary in LoRa-enabled IIoT.
• We perform extensive experiments on a real-world LoRa-enabled IIoT Deployment dataset [19]. The results show that Hawk achieves the highest detection accuracy of 97.36% while enjoying the least system complexity and the lowest training time (27 min).

Organization. We organize the rest of the paper as follows. Section 2 reviews the related work. In Section 3, we present the system model. Section 4 describes the detail design of Hawk. In Section 5, we evaluate the performance of Hawk and compare them to the state-of-the-art. Finally, Section 6 concludes this work.

2. Related work

Nowadays, there has been a substantial increase in interest among the researchers in the design of IDS tailored particularly for the IIoT networks. We present here some works more relevant in our context.

Machine Learning-based IDS. In the recent past, significant achievements have been made in cyberattack detection by designing numerous approaches using radio fingerprinting coupled with ML. For example, many radio fingerprinting based intrusion detection schemes [7,18,29] have been proposed using Support Vector Machine (SVM). To fingerprint LoRa devices, a novel method has been introduced in [7]. They used SVM to uniquely distinguish devices by analyzing their radio signals. The experimental results reveal that the proposed method achieves significant classification accuracy. To detect malicious application(s) or malware within an IoT environment, a threat hunting model has been designed using multikernel SVM in [29]. The authors use a meta-heuristic feature selection technique to extract optimum features and minimize computational overhead. Wang et al. [18] proposed SLoRa, a lightweight benign device detection scheme. SLoRa uses two radio fingerprinting features, i.e., CFO and link signature, to identify a benign device. To improve the intrusion detection performance, SLoRa extracts the two features using SVM model. A novel device fingerprinting technique has been designed to identify LoRa devices in [19,37] by exploiting spectrogram and Convolutional Neural Network (CNN). Even though the proposed ML based IDSs have shown improvement in detection accuracy, they are limited in application due to the lack of labeled training data. Further, the proposed SVM-based approaches have poor performance for data with class imbalance.

To detect intrusion in IIoT, Huong et al. [34] designed an anomaly detection technique based on FL architecture. The proposed technique uses a hybrid model, a combination of Variational Autoencoder (VAE) and Long–Short Term Memory (LSTM),
Table 1
Comparing the existing IDS approaches.

| IDS approaches | Feature extraction method | Impersonation detection | High accuracy | Robust detection | Task agnostic |
|---|---|---|---|---|---|
| Rule-based | Preconfigured fix rules [25,26] | ✕ | ✓ | ✕ | ✕ |
| ML-based, packet level | Payload statistic [27,28] | ✓ | ✓ | ✕ | ✓ |
| ML-based, packet level | Packet header fields [21,29,30] | ✓ | ✓ | ✕ | ✓ |
| ML-based, packet level | Context statistic [31–33] | ✓ | ✓ | ✕ | ✕ |
| ML-based, flow level | Flow level statistic [34–36] | ✓ | ✕ | ✕ | ✕ |
| ML-based, flow level | Frequency domain features [18,37] | ✓ | ✓ | ✕ | ✕ |
| Hawk | | ✓ | ✓ | ✓ | ✓ |
to improve detection accuracy. Further, to reduce computational complexity, they determined an optimized threshold using Kernel Quantile Estimator. Similar to [34], Lin et al. [36] proposed an anomaly detection technique based on VAE-LSTM hybrid model. One of the advantages of using hybrid model is that several types of anomalies that might span over multiple time scales can be detected efficiently. Ahn et al. [31] designed Hawknet, a lightweight Artificial Neural Network (ANN) based distributed IDS. Hawknet leverages network behavior context for detecting attacks on IoT devices. In [32], Zhu et al. proposed a malicious packet detection technique by leveraging packet context profile. Particularly, the proposed system trained a Recurrent Neural Network (RNN) model using the header field information of the inter- and intra-packet contexts. Cui et al. [33] proposed a differentially private decentralized and asynchronous FL model using a modified generative adversarial net. They also integrated blockchain with the proposed model and designed a decentralized anomaly detection method, in which the global aggregation of FL is attained by the consensus of blockchain.

Traffic Classification. The number of analyses on the IIoT fingerprinting through network traffic has been increasing every day. Several studies have examined the device-type identification problem [21,27,30] through network traffic. To improve anomaly detection in network traffic, Yan et al. [8] proposed a hinge classification algorithm based on mini-batch gradient descent. The experimental results show that the proposed solution improved the training efficiency and accuracy of the model. In [21], the authors introduced DIOT, a self-learning anomaly detection system for detecting compromised IoT devices through network traffic analysis. DIOT learns anomaly detection models using FL. Dong et al. [30] examined the privacy leakage issue by evaluating network traffic in complex and realistic IoT networks. The result reveals that by utilizing the temporal relationships between packets of individual devices, one can reliably identify the device. Similar to [30], Perdisci et al. [27] designed IoTFinder, an IoT device identification system by fingerprinting DNS traffic. IoTFinder leverages an ML approach to improve the identification accuracy. Unlike earlier works, as a promising security approach, traditional fixed rule based method has been developed for malicious traffic detection in [25,26]. Although traditional fixed rule based methods can achieve high accuracy, they are computationally intensive for resource-constraint IIoT devices.

Meanwhile, several approaches have been proposed for improving the security of IIoT [9,35,38]. Particularly, Abdel-Basset et al. [9] designed a deep learning model to identify intrusions from network traffic. The model learns the local representations of network traffic using Gated Recurrent Units (GRUs). Lu et al. [38] introduced a deep belief network based cyberattack detection scheme for industrial system. They used an evolutionary algorithm to automatically tune the adjustable parameters of the deep belief network. The authors in [35] designed a deep anomaly detection framework by exploiting FL. They used CNN to capture fine-grained features from network traffic. To reduce the communication overhead, they also proposed a gradient compression mechanism. A locality-sensitive hash function has been used to generate traffic signature and subsequent device fingerprinting in [28]. The experimental results show that the proposed approach improves the detection accuracy significantly.

Other Approaches. Many novel security mechanisms have been proposed for IIoT network in the recent past. For example, Shen et al. [39] proposed an IDS for malware detection in fog-cloud-based IoT networks. They further designed a multistage privacy-preserved game for malware detection by leveraging signaling game. To reduce false alarm and power consumption, Liu et al. [40] designed two-layer gateway-enabled IDSs for sensor-cloud computing scenario. They further designed a game theoretic method to solve the cooperative defense decision-making problem among IDSs. Similar to [40], a signaling game model has been developed for predicting the probability of IoT malware dissemination in [41]. Recently, Cheng et al. [42] designed an active defense control method for the stability of switched hybrid power system using Lie-algebraic method under DoS attack scenario. In [43], authors designed a virtual network embedding algorithm for the security of IIoT nodes by leveraging resource knowledge description and deep reinforcement learning. Particularly, the proposed algorithm utilises social attribute perception to guarantee the security of nodes and utilises resource knowledge description to optimize resource overhead. Qu et al. [44] proposed a blockchain-assisted adaptive asynchronous FL model for privacy-preserving and decentralized digital twin networks. They used an improved Markov decision process during global model aggregation. For secure data sharing, Shen et al. [45] introduced an evolutionary privacy preservation learning technique in an edge-enabled IoT network. They also developed optimal privacy preservation strategies to protect node privacy.

Difference from existing works. Our work differs from the aforementioned works in several ways. First, we use CFO as a device-type specific radio fingerprint to identify a specific benign device. Second, our designed IDS performs dynamic detection of any unknown cyberattacks that deviate from the normal behavior of the IIoT device, as it only models normal network traffic. Third, we use GRU, which can be learned utilizing a small amount of training data, allowing Hawk to be trained faster, and work in almost real-time anomaly detection in live network traffic. Last but not the least, we perform experiments on real-world Deployment dataset collected using LoRa devices, whereas, most of the previous works used non-LoRa devices. Table 1 summarizes and compares rule-based and typical ML based IDS approaches, including our proposed, Hawk. In Table 1, by robust detection, we mean that an IDS can detect various active attacks on the availability (e.g., DoS attacks) and integrity (e.g., false data injection attack) [18]. Whereas, by high accuracy, we mean that an IDS achieves detection accuracy of over 85% [46].

3. System overview

This section briefly discusses the models used in Hawk. Particularly, Section 3.1 presents the system model. Section 3.2 introduces the threat model. We then present a brief discussion on the GRU model in Section 3.3. Finally, in Section 3.4, we present the assumptions.
1. Local Security Service. It monitors the devices and performs anomaly detection to identify compromised devices and impersonation attacks in the network. In Hawk, the local security service acts as a local access point to the Internet, to which the devices are connected through the LoRa network. It consists of an anomaly detection component. In Hawk, once a new device is connected to the network, the local security service obtains a radio fingerprint to uniquely identify the device. The anomaly detection component observes the communication of devices and detects any deviation in normal communication behavior that is potentially caused by an adversary.

3.3. Gated recurrent units

This section presents an overview of the deep ML model used in Hawk. As mentioned earlier, we use an FL algorithm, which is generally used in models based on stochastic gradient descent to train Deep Neural Networks (DNNs) [49]. Since network traffic is a time series data in IIoT, DNNs are unable to simulate changes in time series. To deal with this issue, we use GRU, a variation of RNNs, as our training model for the FL algorithm. GRU model has several advantages, (i) requires few parameters to train, (ii) computationally inexpensive and (iii) needs less time to train. However, there are a few limitations in the GRU model, e.g., poor
sampling interval. We can mathematically express the basic chirp of $y[nT_s]$ as:

$$y[nT_s] = u[nT_s]\, e^{j2\pi f_{tx} t}\, e^{-j2\pi f_{rx} nT_s} = u[nT_s]\, e^{j2\pi \Delta f\, nT_s},$$

where $f_{tx}$ and $f_{rx}$ are the carrier frequencies of transmitting and receiving IIoT devices, respectively, and $\Delta f = f_{tx} - f_{rx}$ is the CFO. In LoRa, the ideal instantaneous frequency of baseband signal $u[nT_s]$ increases linearly from $-\frac{B}{2}$ to $\frac{B}{2}$ due to CSS modulation, where $B$ is the channel bandwidth. However, in presence of $\Delta f$, the actual instantaneous frequency of $u[nT_s]$, $f[nT_s]$, becomes:

$$f[nT_s] = -\frac{B}{2} + \Delta f + \frac{B}{T}\, nT_s,$$

where $T$ is the symbol duration. Due to linearity of $f[nT_s]$, our coarse-grain estimation of $\Delta f$ is as follows:

$$\Delta f_{cg} = \frac{1}{L} \sum_{n=0}^{L-1} f[nT_s], \qquad (5)$$

where $L$ is the symbol length, which is defined as:

$$L = \frac{T}{T_s} = \frac{2^{\alpha}}{B T_s},$$

where $\alpha$ is the spreading factor ($7 \le \alpha \le 12$). Based on the estimated $\Delta f_{cg}$, we can derive the compensated baseband signal as follows:

$$y'[nT_s] = y[nT_s]\, e^{-j2\pi \Delta f_{cg} t} = y[nT_s]\, e^{-j2\pi \Delta f_{cg} nT_s}. \qquad (6)$$

Note that the estimated $\Delta f_{cg}$ in Eq. (5) contains residual frequency offset, which must be derived to achieve fine-grain CFO. We employ the repeating property of preambles [37] to determine fine-grain CFO, $\Delta f_{fg}$. Based on the repeating property of preambles, we estimate $\Delta f_{fg}$ as:

$$\Delta f_{fg} = -\frac{1}{2\pi T_s L}\, \angle\!\left( \sum_{n=0}^{L-1} y'[nT_s] \cdot y'^{*}[(n+L)T_s] \right), \qquad (7)$$

where $\angle\,\cdot$ provides the angle of the variable and $(\cdot)^{*}$ signifies conjugation. We note that the estimation of $\Delta f_{fg}$ in Eq. (7) becomes more accurate by taking the average among all the upchirps in the preamble. Since the phase of a signal can range from $-\pi$ to $\pi$, the range of $\Delta f_{fg}$ can be estimated using Eq. (7) as follows:

$$|\Delta f_{fg}| < \frac{\pi}{2\pi T_s L} = \frac{B}{2^{\alpha+1}}.$$

It is worth mentioning that during LoRa transmission in a typical setting of $\alpha = 7$ and $B = 125$ kHz, the frequency drift of the oscillator is within ±488.3 Hz [37]. In contrast, the frequency drift of the oscillator becomes nearly 8.68 kHz for a carrier frequency of 868 MHz [55], which is significantly higher than 488.3 Hz. Considering this oscillator behavior, we must use coarse-grain estimation before fine-grain estimation to reduce the residual offset. Therefore, using Eqs. (5) and (7), our overall estimated CFO is:

$$\Delta\hat{f} = \Delta f_{cg} + \Delta f_{fg} = \frac{1}{L} \sum_{n=0}^{L-1} f[nT_s] - \frac{1}{2\pi T_s L}\, \angle\!\left( \sum_{n=0}^{L-1} y'[nT_s] \cdot y'^{*}[(n+L)T_s] \right). \qquad (8)$$

4.3. Model training approach

We train the GRU model using signals collected at local security service, by monitoring devices within a LoRa-enabled IIoT network. Specifically, each local security service monitors the devices to train a device-type anomaly detection model. We use FL to achieve distributed learning of models. The rationale behind FL approach is that it is a privacy-preserving and communication efficient approach. Most importantly, in FL, devices use their data to perform local model training and share local model updates with a centralized entity, which aggregates them, thereby preserving privacy. Further, in smart manufacturing scenarios, the FL approach is suitable as: (i) data is highly distributed in nature, and (ii) different LoRa-enabled IIoT networks contribute distinct amounts of data. Note that the availability of training data at every local security service depends on the duration that a device has been in the network, and the number of interactions between the device and local security service, which varies among networks.

Fig. 3 illustrates the FL process used in Hawk. In Step ➊, each local security service having connected devices of a specific type receives a detection profile for this type from the remote security service. So, the remote security service sends the initial GRU model to the local security service. At the beginning of Hawk, initial GRU model is random, otherwise it is already trained via numerous rounds of the following process. In Step ➋, the local security service trains the local GRU model using individual CFO of the device. Once the training is completed, the local security service generates the local GRU model parameter updates, and sends them to the remote security service in Step ➌. In Step ➍, the remote security service aggregates all the received local GRU models to enhance the global GRU model, following the process as defined in Definition 1. Finally, in Step ➎, the remote security service sends the updated global GRU model to the local security service. The local security service then uses the updated global GRU model to detect anomaly.

Definition 1 (Global Model Aggregation). Given $m$ participating devices with their associated model weights $\omega_1, \ldots, \omega_m$ trained by the corresponding number of CFO samples $\Delta\hat{f}_1, \ldots, \Delta\hat{f}_m$. We define the global model $G$, which aggregates the local models as follows:

$$G = \sum_{i=1}^{m} \frac{\Delta\hat{f}_i}{\Delta\hat{f}_{ac}}\, \omega_i,$$

where $\Delta\hat{f}_{ac} = \sum_{i=1}^{m} \Delta\hat{f}_i$.

FL Training. To train our GRU model, we propose a training algorithm using FL. In Algorithm 1, $m$ is the number of participating devices, $nT_s$ is the data samples, $Y$ is the dataset of devices and $G$ is the trained global model. At the initializing phase, the model parameters start to get initialized. During this phase, both global and local models parameters are initialized to use them in the training procedure. The primary objective of our proposed algorithm is to find a global GRU model based on local models trained at the local security service. This reduces the communication overheads by limiting unnecessary sending of the number of updates to the local security service. In Hawk, the training only needs to be performed once as the trained model can extract the unique fingerprint from newly joined (out-of-library) devices. The training devices are not essentially the same devices as the ones for enrollment and authentication.

4.4. Enrollment and authentication

The authorized devices need to send several packets for enrollment before joining the network. Hawk first preprocesses these enrollment packets. Then the fingerprints are extracted and stored in a database located in the local security service. The enrollment procedure can be considered as the training phase of the GRU model, which basically learns all the training samples. Different from deep learning, GRU is computationally less
intensive, which is necessary to significantly reduce the overall computational complexity. For example, Hawk collects 1000 packets from each device for enrollment (see Section 5.1.3).

In Hawk, authentication procedure consists of two parts, namely, anomaly detection and device-type classification. The anomaly detection decides whether the device is authorized (previously enrolled) or not. We describe the anomaly detection in the next section, i.e., Section 4.5. In contrast, the device-type classification further determines its type. Once a device is successfully authenticated, it is allowed administrative access to the network (or, local security service).

4.5. Anomaly detection

By determining $\Delta\hat{f}$ from observation of carrier frequencies, we can fingerprint transmitter devices. We exploit this in designing Hawk, a CFO-based IDS for LoRa-enabled IIoT. To determine anomaly in $\Delta\hat{f}$, we process signals in batches of $N$ (e.g., 10) and compute the CFO in the $k$th signal using Eq. (8) as $\Delta\hat{f}_{k-N}, \Delta\hat{f}_{k-(N-1)}, \ldots, \Delta\hat{f}_{k-1}$. We then pre-trained a model using GRU. Particularly, the GRU model calculates a probability estimate $p_k$ for each CFO $\Delta\hat{f}_k$ based on the batch of $N$ signals following the approach as demonstrated in [21]. Note that GRU is a novel method to RNNs, presently being a topic of significant research interest. The rationale behind using GRU is that it is computationally less intensive and provides similar accuracy as other RNN methods. Finally, we evaluate the sequence of probability estimates, i.e., $p_1, p_2, \ldots, p_k$ to determine potential anomalies. Specifically, if the occurrence probability $p_k$ of $\Delta\hat{f}_k$ falls below a detection threshold, we conclude that the CFO sequence is deemed anomalous and an alarm is generated.

Detection Process. As mentioned earlier, our intrusion detection approach is based on estimating the anomaly occurrence probability by observing an individual signal given the batch of received signals. The motivation behind this approach is the recent observation in the work [37] that LoRa-enabled IIoT device communications follow specific characteristic patterns. Communication signal generated by adversary or IIoT malware, however, does not follow these patterns and can hence be detected. In Hawk, the detection model first calculates an occurrence probability $p_k$ of $\Delta\hat{f}_k$ given the batches of $N$ signals $\langle \Delta\hat{f}_{k-N}, \Delta\hat{f}_{k-(N-1)}, \ldots, \Delta\hat{f}_{k-1} \rangle$ as follows:

$$p_k = P\left( \Delta\hat{f}_k \mid \langle \Delta\hat{f}_{k-N}, \Delta\hat{f}_{k-(N-1)}, \ldots, \Delta\hat{f}_{k-1} \rangle \right). \qquad (9)$$

In Eq. (9), parameter $N$ is a property of the used GRU model and signifies the length of the history, i.e., the number of CFOs that the GRU model considers while calculating the probability estimate. To detect an intrusion and subsequent generation of an alarm, we define the anomalous signals as follows.

Definition 2 (Anomalous Signals). Baseband signal $y_k[nT_s]$ mapped to CFO $\Delta\hat{f}_k$ is anomalous, if its occurrence probability $p_k$ is below a detection threshold $\delta$, i.e., $p_k < \delta$.
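
The coarse-then-fine CFO estimate of Eqs. (5) to (8), which produces the fingerprint values that the detector consumes, is shown here as an added example (it is not code from the paper). The sample rate, the noise level and the 7350 Hz offset are constructed assumptions; the run shows that the fine estimator alone aliases once the offset exceeds the range $B/2^{\alpha+1}$.

```python
import cmath
import math
import random

# Typical LoRa setting quoted in the text; FS is an assumed receiver sample rate.
B = 125_000.0            # channel bandwidth B in Hz
ALPHA = 7                # spreading factor alpha
FS = 1_000_000.0         # assumption: 8x oversampling at the receiver
TS = 1.0 / FS            # sampling interval T_s
T_SYM = 2 ** ALPHA / B   # symbol duration T
L = round(T_SYM / TS)    # symbol length L = 2^alpha / (B * T_s) = 1024 samples


def preamble(cfo_hz, n_symbols=2, noise_std=0.0, seed=1):
    """Constructed test signal: repeated base upchirps shifted by a CFO."""
    rng = random.Random(seed)
    samples = []
    for n in range(n_symbols * L + 1):
        t = (n % L) * TS  # time inside the current upchirp
        chirp_phase = 2 * math.pi * (-B / 2 * t + B / (2 * T_SYM) * t * t)
        cfo_phase = 2 * math.pi * cfo_hz * n * TS
        noise = complex(rng.gauss(0, noise_std), rng.gauss(0, noise_std))
        samples.append(cmath.exp(1j * (chirp_phase + cfo_phase)) + noise)
    return samples


def coarse_cfo(y):
    """Eq. (5): mean instantaneous frequency over one symbol."""
    total = 0.0
    for n in range(L):
        # Phase step between neighbouring samples gives f[nT_s].
        step = cmath.phase(y[n + 1] * y[n].conjugate())
        total += step / (2 * math.pi * TS)
    return total / L


def compensate(y, cfo_hz):
    """Eq. (6): remove an estimated offset from the baseband samples."""
    return [s * cmath.exp(-2j * math.pi * cfo_hz * n * TS)
            for n, s in enumerate(y)]


def fine_cfo(y):
    """Eq. (7): angle of the correlation between two repeated upchirps."""
    acc = sum(y[n] * y[n + L].conjugate() for n in range(L))
    return -cmath.phase(acc) / (2 * math.pi * TS * L)


def fine_range_hz():
    """Largest offset Eq. (7) can resolve unambiguously: B / 2^(alpha+1)."""
    return B / 2 ** (ALPHA + 1)


def estimate_cfo(y):
    """Eq. (8): coarse estimate plus fine estimate of the residual."""
    cg = coarse_cfo(y)
    fg = fine_cfo(compensate(y, cg))
    return cg, fg, cg + fg


if __name__ == "__main__":
    true_cfo = 7350.0  # constructed offset, well outside the fine range
    rx = preamble(true_cfo, noise_std=0.07)
    cg, fg, total = estimate_cfo(rx)
    print(f"fine range       : +/-{fine_range_hz():.1f} Hz")
    print(f"coarse estimate  : {cg:.1f} Hz")
    print(f"fine residual    : {fg:.1f} Hz")
    print(f"combined estimate: {total:.1f} Hz (true {true_cfo:.1f} Hz)")
    print(f"fine-only (wrong): {fine_cfo(rx):.1f} Hz")
```
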
Algorithm 1: Model Training using FL model

INPUT: Pre-trained and device’s data
OUTPUT: Global model
INITIALIZING:
1: Pre-trained model → Federated server
   {// Global model at server}
2: Parameter = Federated server (m, nTs, Y, G)
   {// Determine parameter values at server}
3: Global model = Set (w, F, m)
4: Local model = Global model (Set (parameters))
   {// Model sends from server to client and training begins}
TRAINING:
5: Federated server = Get (Global model)
6: Federated server → Send (Local model)
   {// Local model sends from server to client}
7: for i = 1 to m do
8:   Each IIoT device = Train (Local model)
     {// Find and set model parameters at client}
9:   return Local model parameters
     {// Client to server}
10: end for
11: return Updated model parameters
    {// At server}

model for all $N$ devices based on CFO, $\hat{f}_k$. We then estimate the occurrence probability $p_k$ and anomaly generating threshold $\gamma$ during the classification stage. Finally, we generate an intrusion alarm once the fraction of anomalous signals in $Y$ is more than an anomaly generating threshold $\gamma$.

5. Experimental evaluation

This section first introduces the implementation of Hawk, followed by the detailed performance evaluation. Specifically, Section 5.1 presents the experimental setup and dataset used to evaluate the performance of the baseline schemes. Section 5.2 introduces the evaluation metrics, followed by the FL setup in Section 5.3. We discuss the experimental results of Hawk in Section 5.4. Finally, we present the comparative experimental results in Section 5.5.

5.1. Experimental setup and dataset

We conduct an experiment on Ubuntu 18.04 with 16 GB RAM in a Dell Latitude 5310 laptop with Intel Core i7 processor running at 4.9 GHz. To improve the reliability of experimental results, we repeated our experiments ten times. We conduct extensive experiments and the data points in the plots are derived by averaging the results of 50 independent runs.

initial measured CFO based on the signal frequency conveyed from $i$th device, and Hawk obtains a device set according to the comparison similarity as $C_{i-1}, C_i, C_{i+1}$. However, due to the noise and drift, the carrier frequency in the crystal oscillator undergoes certain changes. Let us assume that the estimated CFO at the local security service side shifts to the next frequency $f_{i+1}$, corresponding to the $(i+1)$-th device. In this case, device set becomes $C_{i+1}, C_{i-1}, C_i$ according to the CFO estimation. Combining these two sets of CFO history, Hawk can still believe that the signal is transmitted from $i$th device. To limit memory usage, Hawk replaces the old CFO measurement with the newest measured CFO. In our experiment, we set $M = 32$.

5.1.3. Model training

We trained our learning model using 1000 packets from each of D1-D40 in the Deployment dataset augmented by multipath effects. We used Adam as the model optimizer and set the initial learning rate as 0.001. The learning rate decays every time the validation loss does not decrease for 10 epochs with a drop factor of 0.3. We chose the number of epochs that each IIoT device trains its local model as 15 and set the number of communication rounds between devices and local security service as 4. Hence, the local models are trained with 60 epochs. We set the mini-batch size to 32 and the L2 regularization factor as 0.0001. The model training stops once the maximum 60 epochs are achieved. We implemented the learning model using Keras. For device enrollment before joining the system, we extracted 100 packets from each device. Additionally, we extracted 100 packets from each device for authentication. In Hawk, the learning model only needs to be trained once. However, enrollment and authentication have been performed several times to evaluate system performance.

5.1.4. Baseline schemes

We compare Hawk with two baseline schemes:

To assess the performance of all the three schemes, we compare the performance of the trained model predictions with real labels based on the following metrics: True Positive (TP), False Positive (FP), True Negative (TN) and False Negative (FN). TP and TN denote the number of instances, where the ML model has predicted match with real labels. Whereas, FP and FN calculate the number of cases, where the ML model has predicted erroneous values. Additionally, we measured Hawk and compared the results against the baseline approaches using the following metrics.

• Accuracy. It is the ratio of the accurately classified samples by the model and the total input samples. It is computed as follows:

$$\text{Accuracy} = \frac{TP + TN}{TP + FP + TN + FN}$$

• Precision. It denotes the percentage of traffic samples that are classified by the model. It is the ratio of the accurately predicted positive outcomes and the total number of positive predictions. It is determined as follows:

$$\text{Precision} = \frac{TP}{TP + FP}$$

• Recall. It signifies the percentage of true positives precisely categorized by the model. It is the ratio of the accurately predicted positive outcomes and the total outcomes in a given class. It is derived as follows:

$$\text{Recall} = \frac{TP}{TP + FN}$$

• F1-Score. It is the Harmonic mean of the precision and recall. It is determined as follows:

$$\text{F1-Score} = 2 \times \frac{\text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}}$$
S. Halder and T. Newe Future Generation Computer Systems 143 (2023) 322–336
In this work, we want to maximize Accuracy, as otherwise Hawk becomes unusable, since the user will receive a significant number of false alarms. We seek to maximize Precision, so that Hawk can detect as many attacks as possible.

as discussed in Section 5.1.2. Interestingly, the plot shows that the CFO drift for each of the devices is unique and remains in a particular range for a specific device-type. This signifies that Hawk can use CFO drift to uniquely distinguish device-type.
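The bounded CFO history from Section 5.1.2 (the newest measurement replaces the oldest, M = 32) and the per-device CFO range noted above can be sketched as follows. This is an added example, not code from the paper: the enrollment table, the three-nearest candidate set, the rank-weighted vote and the sample streams are assumptions constructed for illustration.

```python
from collections import Counter, deque

M = 32  # CFO history length; the paper's experiment sets M = 32

# Constructed enrollment table (assumption): device id -> reference CFO in Hz.
ENROLLED = {"D1": -4200.0, "D2": -1500.0, "D3": 900.0, "D4": 3100.0, "D5": 6000.0}


def candidate_set(cfo_hz, k=3):
    """Rank enrolled devices by |reference CFO - measured CFO|; keep the k closest."""
    ranked = sorted(ENROLLED, key=lambda dev: (abs(ENROLLED[dev] - cfo_hz), dev))
    return tuple(ranked[:k])


class CfoHistory:
    """Per-device history of candidate sets, bounded to M entries."""

    def __init__(self, claimed_id, size=M):
        self.claimed_id = claimed_id
        self.sets = deque(maxlen=size)  # newest entry evicts the oldest

    def observe(self, cfo_hz):
        self.sets.append(candidate_set(cfo_hz))

    def best_match(self):
        """Combine the stored sets with a rank-weighted vote (assumed rule)."""
        scores = Counter()
        for ranked in self.sets:
            for rank, dev in enumerate(ranked):
                scores[dev] += len(ranked) - rank  # 3, 2, 1 points
        if not scores:
            return None  # no packets observed yet
        return min(scores, key=lambda dev: (-scores[dev], dev))

    def is_anomalous(self):
        """True when the history does not support the claimed identity."""
        return self.best_match() != self.claimed_id


def replay(claimed_id, cfo_stream):
    """Feed a stream of CFO estimates into a fresh history for claimed_id."""
    history = CfoHistory(claimed_id)
    for cfo_hz in cfo_stream:
        history.observe(cfo_hz)
    return history


# Constructed streams: D3 with jitter, then four packets drifted toward D4's
# reference; and a transmitter claiming to be D3 whose CFO sits near D5's.
GENUINE_D3 = [900.0 + 60.0 * (n % 5) for n in range(36)] + [2900.0] * 4
SPOOFED_D3 = [5800.0 + 40.0 * (n % 3) for n in range(40)]

if __name__ == "__main__":
    for label, stream in (("genuine", GENUINE_D3), ("spoofed", SPOOFED_D3)):
        h = replay("D3", stream)
        print(label, len(h.sets), h.best_match(), h.is_anomalous())
```

In the spoofed stream D3 still appears in every candidate set, in third place, so set membership alone would accept the claim; the vote over the whole history is what separates a few drifted packets from a persistent mismatch.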
Table 3
Effectiveness of using federated learning over centralized approach.
Columns: Type | Federated learning (D1-D45 devices, D46-D50 devices, D51-D55 devices) | Centralized learning

Fig. 10. Detection accuracy under different number of IIoT devices.

Fig. 11. Detection accuracy under varying communication round.

time-consuming, as the gating mechanism it uses requires long-term computation. Moreover, SVM has lower performance than GRU and VAE-LSTM as it suffers from poor feature extraction capability.

Table 4
System complexity and required training time.

| Scheme | Storage space (kb) | Amount of parameters | Training time (min) |
|--------|--------------------|----------------------|---------------------|
| Hawk   | 6,352              | 1,627,073            | 27                  |
| LLink  | 10,244             | 3,354,719            | 46                  |
| Hybrid | 15,018             | 5,283,557            | 94                  |
Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability

No data was used for the research described in the article.

Acknowledgments

This work has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No. 847577; and a research grant from Science Foundation Ireland (SFI) under Grant Number 16/RC/3918 (Ireland’s European Structural and Investment Funds Programmes and the European Regional Development Fund 2014–2020).
References [27] R. Perdisci, T. Papastergiou, O. Alrawi, M. Antonakakis, IoTFinder: Efficient
large-scale identification of IoT devices via passive DNS traffic analysis, in:
[1] P.M.S. Sánchez, J.M.J. Valero, A.H. Celdrán, G. Bovet, M.G. Pérez, G.M. Pérez, Proc. of IEEE EuroS&P, 2020, pp. 474–489.
A survey on device behavior fingerprinting: Data sources, techniques, [28] B. Charyyev, M.H. Gunes, Locality-sensitive IoT network traffic finger-
application scenarios, and datasets, IEEE Commun. Surv. Tutor. 23 (2) printing for device identification, IEEE Internet Things J. 8 (3) (2021)
(2021) 1048–1077. 1272–1281.
[2] J.P.S. Sundaram, W. Du, Z. Zhao, A survey on LoRa networking: Research [29] H. Haddadpajouh, A. Mohtadi, A. Dehghantanaha, H. Karimipour, X. Lin,
problems, current solutions, and open issues, IEEE Commun. Surv. Tutor. K.-K.R. Choo, A multi-kernel and meta-heuristic feature selection approach
22 (1) (2019) 371–388. for IoT malware threat hunting in the edge layer, IEEE Internet Things J.
[3] M. Shen, K. Ye, X. Liu, L. Zhu, J. Kang, S. Yu, Q. Li, K. Xu, Machine learning- 8 (6) (2021) 4540–4547.
powered encrypted network traffic analysis: A comprehensive survey, IEEE [30] S. Dong, Z. Li, D. Tang, J. Chen, M. Sun, K. Zhang, Your smart home can’t
Commun. Surv. Tutor. (2022) 1–38, http://dx.doi.org/10.1109/COMST.2022. keep a secret: Towards automated fingerprinting of IoT traffic, in: Proc. of
3208196. 15th ACM AsiaCCS, 2020, pp. 47–59.
[4] D. Heeger, J. Plusquellic, Analysis of IoT authentication over LoRa, in: Proc. [31] S. Ahn, H. Yi, Y. Lee, W.R. Ha, G. Kim, Y. Paek, Hawkware: Network
of 16th DCOSS, 2020, pp. 458–465. intrusion detection based on behavior analysis with ANNs on an IoT device,
[5] C. Zhang, J. Yue, L. Jiao, J. Shi, S. Wang, A novel physical layer encryption in: Proc. of 57th ACM/IEEE DAC, 2020, pp. 1–6.
algorithm for LoRa, IEEE Commun. Lett. 25 (8) (2021) 2512–2516. [32] S. Zhu, S. Li, Z. Wang, X. Chen, Z. Qian, S.V. Krishnamurthy, K.S. Chan,
[6] K. Liu, M. Yang, Z. Ling, H. Yan, Y. Zhang, X. Fu, W. Zhao, On manually A. Swami, You do (not) belong here: detecting DPI evasion attacks with
reverse engineering communication protocols of linux-based IoT systems, context learning, in: Proc. of 16th CoNEXT, 2020, pp. 183–197.
IEEE Internet Things J. 8 (8) (2021) 6815–6827. [33] L. Cui, Y. Qu, G. Xie, D. Zeng, R. Li, S. Shen, S. Yu, Security and privacy-
[7] P. Robyns, E. Marin, W. Lamotte, P. Quax, D. Singelée, B. Preneel, Physical- enhanced federated learning for anomaly detection in IoT infrastructures,
layer fingerprinting of LoRa devices using supervised and zero-shot IEEE Trans. Ind. Inform. 18 (5) (2022) 3492–3500.
learning, in: Proc. of 10th ACM WiSec, 2017, pp. 58–63.
[34] T.T. Huong, T.P. Bac, D.M. Long, T.D. Luong, N.M. Dan, B.D. Thang, K.P. Tran,
[8] X. Yan, Y. Xu, X. Xing, B. Cui, Z. Guo, T. Guo, Trustworthy network anomaly
et al., Detecting cyberattacks using anomaly detection in industrial control
detection based on an adaptive learning rate and momentum in IIoT, IEEE
systems: A federated learning approach, Comput. Ind. 132 (2021) 103509.
Trans. Ind. Inform. 16 (9) (2020) 6182–6192.
[35] Y. Liu, S. Garg, J. Nie, Y. Zhang, Z. Xiong, J. Kang, M.S. Hossain, Deep
[9] M. Abdel-Basset, V. Chang, H. Hawash, R.K. Chakrabortty, M. Ryan, Deep-
anomaly detection for time-series data in industrial IoT: A communication-
IFS: Intrusion detection approach for IIoT traffic in fog environment, IEEE
efficient on-device federated learning approach, IEEE Internet Things J. 8
Trans. Ind. Inform. 17 (11) (2021) 7704–7715.
(8) (2021) 6348–6358.
[10] D. Formby, P. Srinivasan, A.M. Leonard, J.D. Rogers, R.A. Beyah, Who’s in
[36] S. Lin, R. Clark, R. Birke, S. Schönborn, N. Trigoni, S. Roberts, Anomaly
control of your control system? Device fingerprinting for cyber-physical
detection for time series using vae-lstm hybrid model, in: Proc. of IEEE
systems, in: Proc. of NDSS, 2016, pp. 1–15.
ICASSP, 2020, pp. 4322–4326.
[11] L. Babun, H. Aksu, A.S. Uluagac, CPS device-class identification via be-
[37] G. Shen, J. Zhang, A. Marshall, L. Peng, X. Wang, Radio frequency fingerprint
havioral fingerprinting: from theory to practice, IEEE Trans. Inf. Forensics
identification for LoRa using deep learning, IEEE J. Sel. Areas Commun. 39
Secur. 16 (2021) 2413–2428.
(8) (2021) 2604–2616.
[12] J.M. McGinthy, L.J. Wong, A.J. Michaels, Groundwork for neural network-
based specific emitter identification authentication for IoT, IEEE Internet [38] K.-D. Lu, G.-Q. Zeng, X. Luo, J. Weng, W. Luo, Y. Wu, Evolutionary deep
Things J. 6 (4) (2019) 6429–6440. belief network for cyber-attack detection in industrial automation and
[13] J. Zhang, R. Woods, M. Sandell, M. Valkama, A. Marshall, J. Cavallaro, Radio control system, IEEE Trans. Ind. Inform. 17 (11) (2021) 7618–7627.
frequency fingerprint identification for narrowband systems, modelling [39] S. Shen, L. Huang, H. Zhou, S. Yu, E. Fan, Q. Cao, Multistage signaling
and classification, IEEE Trans. Inf. Forensics Secur. 16 (2021) 3974–3987. game-based optimal detection strategies for suppressing malware diffusion
[14] D.R. Reising, M.A. Temple, J.A. Jackson, Authorized and rogue device dis- in fog-cloud-based IoT networks, IEEE Internet Things J. 5 (2) (2018)
crimination using dimensionally reduced RF-DNA fingerprints, IEEE Trans. 1043–1054.
Inf. Forensics Secur. 10 (6) (2015) 1180–1192. [40] J. Liu, J. Yu, S. Shen, Energy-efficient two-layer cooperative defense scheme
[15] Z. Ren, P. Ren, T. Zhang, Deep RF device fingerprinting by semi-supervised to secure sensor-clouds, IEEE Trans. Inf. Forensics Secur. 13 (2) (2018)
learning with meta pseudo time-frequency labels, in: Proc. of IEEE WCNC, 408–420.
2022, pp. 2369–2374. [41] Y. Shen, S. Shen, Z. Wu, H. Zhou, S. Yu, Signaling game-based availabil-
[16] J. Sun, W. Shi, Z. Yang, J. Yang, G. Gui, Behavioral modeling and lin- ity assessment for edge computing-assisted IoT systems with malware
earization of wideband RF power amplifiers using BiLSTM networks for 5G dissemination, J. Inf. Secur. Appl. 66 (2022) 103140.
wireless systems, IEEE Trans. Veh. Technol. 68 (11) (2019) 10348–10356. [42] Z. Cheng, D. Yue, S. Shen, S. Hu, L. Chen, Secure frequency control of hybrid
[17] J. Gong, X. Xu, Y. Lei, Unsupervised specific emitter identification method power system under DoS attacks via Lie algebra, IEEE Trans. Inf. Forensics
using radio-frequency fingerprint embedded InfoGAN, IEEE Trans. Inf. Secur. 17 (2022) 1172–1184.
Forensics Secur. 15 (2020) 2898–2913. [43] P. Zhang, P. Gan, N. Kumar, C.-H. Hsu, S. Shen, S. Li, RKD-VNE: Virtual
[18] X. Wang, L. Kong, Z. Wu, L. Cheng, C. Xu, G. Chen, SLoRa: towards secure network embedding algorithm assisted by resource knowledge description
LoRa communications with fine-grained physical layer features, in: Proc. and deep reinforcement learning in IIoT scenario, Future Gener. Comput.
of 18th ACM SenSys, 2020, pp. 258–270. Syst. 135 (2022) 426–437.
335
S. Halder and T. Newe Future Generation Computer Systems 143 (2023) 322–336
Subir Halder received his Ph.D. degree in Computer Science and Technology from Indian Institute of Engineering Science and Technology, India in 2015. He is currently a Marie Skłodowska Curie fellow at University of Limerick, Ireland. Prior to that, he was a Postdoctoral Researcher at University of Padua, Italy. He has worked as an Assistant Professor in the Department of CSE, Dr. B. C. Roy Engineering College, India during 2007–2017. His research interests include security and privacy in cyber physical systems, IoT, autonomous vehicle, controller area network, and Industry 4.0. He has co-authored more than 50 papers in reputed international peer-reviewed conferences and journals in his field.

Dr Thomas Newe is an Associate Professor in Computer Engineering in the Department of Electronic & Computer Engineering at The University of Limerick and is a funded investigator in three SFI Centres; Confirm-Smart Manufacturing Centre, Lero-Software Research Centre, and MaREI-Marine and Renewable Energy Research Centre. He holds a B.Eng. in Computer Engineering, a Masters in Engineering in Security Protocol Design and a Ph.D. in Formal Logics for Security Protocol Verification. He has been a University of Limerick faculty member since 1994. Tom is a board member of Cyber Ireland, an initiative which brings together Industry, Academia and Government to represent the needs of the Cyber Security Ecosystem in Ireland, and a founding member of Cyber Skills, a project which aims to address the global shortage of cybersecurity professionals. His research interest includes many topics under the general areas of data security for Wireless Sensor Networks, the Internet of Things and Smart Collaborative Robotics. He has graduated 15 Ph.D. students in the broad area of network and data security and his students are funded from a variety of sources including: EU, SFI, IRC, Internationally and industrially funded.