Future Generation Computer Systems 143 (2023) 322–336

Contents lists available at ScienceDirect

Future Generation Computer Systems

journal homepage: www.elsevier.com/locate/fgcs

Radio fingerprinting for anomaly detection using federated learning in

LoRa-enabled Industrial Internet of Things
∗
Subir Halder , Thomas Newe
Confirm Smart Manufacturing Centre and Department of Electronic and Computer Engineering, University of Limerick, Ireland

article info a b s t r a c t

Article history: Long Range (LoRa) communications are gaining popularity in the Industrial Internet of Things (IIoT)
Received 11 September 2022 domain due to their large coverage and high energy efficiency. However, LoRa-enabled IIoT networks
Received in revised form 15 December 2022 are susceptible to cyberattacks mainly due to their wide transmission window and freely operated
Accepted 28 January 2023
frequency band. This has led to several categories of cyberattacks. However, existing anomaly detection
Available online 14 February 2023
systems are inefficient in detecting particularly impersonation attacks due to the dense deployment,
Keywords: heterogeneous IIoT devices and manufacturers involved.
Anomaly detection In this work, we introduce Hawk, a distributed anomaly detection system for detecting com-
Carrier frequency offset promised devices in LoRa-enabled IIoT. Hawk first measures a device-type specific physical layer
Federated learning feature, Carrier Frequency Offset (CFO) and then leverages the CFO for fingerprinting the device,
Industrial IoT and consequently detecting anomalous deviations in the device’s CFO behavior, potentially caused by
LoRa communication adversaries. To aggregate the device-type specific CFO behavior profile efficiently, Hawk uses federated
learning, a distributed machine learning approach. To the best of our knowledge, Hawk is the first to
utilise a federated learning method for anomaly-based intrusion detection in LoRa-enabled IIoT. We
perform extensive experiments on a real-world dataset collected using 60 LoRa devices, primarily to
assess the effectiveness of Hawk against emerging new and unknown attacks. The results show that
Hawk improves the detection accuracy by more than 8% compared to the state-of-the-art solutions.
Additionally, Hawk reduces the storage overhead by more than 40%, and exhibits significant robustness
against cyberattack.
© 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license
(http://creativecommons.org/licenses/by/4.0/).

1. Introduction process failure and safety of human beings, early cyberattack

The introduction of Industrial Internet of Things (IIoT) cou-
pled with Internet, cloud computing and machine learning into
the smart manufacturing space has changed all aspects of the
production process. For instance, smart manufacturing appli-
cations that integrate smart switches, thermostats, robots and
cloud manufacturers to monitor and interact with production
systems to improve productivity, delivery, reduced labor and en-
ergy costs. While smart manufacturing and logistics have equally
adopted IIoT, significant concerns have increased about the se-
curity and privacy of digitally augmented manufacturing spaces.
Particularly, due to the weak security protection capability of
IIoT devices, several attack surfaces and complex application
environments, smart manufacturing spaces are exposed to cyber-
attacks [1]. Once an IIoT device is under attack, it might end up
causing chaos in the supply chain and even affecting the safety
of human beings. Hence, as a precaution for future production
∗ Corresponding author.
E-mail addresses: subir.halder@ul.ie (S. Halder), thomas.newe@ul.ie
(T. Newe).
detection is of significant importance.
In the IIoT setting, to connect several hundreds of low-power
IIoT devices, wireless networks are necessary to deliver robust
operations and larger coverage with high energy efficiency. Ad-
ditionally, it is expected that IIoT devices will provide service
for a span of typically five to ten years with limited or without
any maintenance. To support these requirements, Low-Power
Wide-Area Networks (LPWANs) [2] have been developed. Among
all available LPWANs, Long Range (LoRa) communication [2] is
widely used as it is an open-source technology in the physical
layer, robust in the unlicensed sub-GHz Industrial band, and
offers noise free, fading resilient and long range communication.
However, LoRa-enabled IIoT is vulnerable to cyberattacks, and the
reason is two-fold. First, LoRa communication uses unlicensed
sub-GHz Industrial band, which is essentially susceptible to active
attacks. Second, LoRa communication has a wider transmission
window than conventional wireless techniques, e.g., WiFi, which
gives sufficient time for an adversary to launch cyberattacks, like
Denial of Service (DoS).
Traditional security schemes rely on software addresses like
media access control and/or internet protocol [3], which are

https://doi.org/10.1016/j.future.2023.01.021
0167-739X/© 2023 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
S. Halder and T. Newe
susceptible to tampering or forging. Once an adversary compro-
mises a legitimate IIoT device, it can masquerade as the legit-
imate IIoT device and launch cyberattacks, e.g., DoS. To defend
against cyberattacks, several security schemes use cryptographic
mechanisms, like message authentication code [4] and encryption
technique [5] in LoRa-enabled networks. Although cryptographic
mechanisms are successful to authenticate, it is possible for an
adversary to apply reverse engineering for retrieving security
keys and launching DoS attacks [6]. Hence, as an alternative
to existing cryptographic solutions, Intrusion Detection Systems
(IDSs) leveraging radio fingerprinting [1], a non-cryptographic ap-
proach, have recently received significant attention to deal with
cybersecurity. Radio fingerprinting uses the device-type specific
signal imperfections introduced by the radio frequency circuitry
in the physical layer [7] to obtain a fingerprint of the IIoT device,
which is intrinsic to the analogue device and cannot be imitated
by the adversaries. These imperfections include Carrier Frequency
Offset (CFO), In-phase and Quadrature (IQ) imbalance, phase er-
ror, time–frequency statistics, and power amplifier non-linearity,
among others. One of the major benefits of radio fingerprinting
based IDS is that it offers security without generating computa-
tional overhead on the IIoT devices. This primarily motivates us to
design an IDS by leveraging radio fingerprinting in LoRa-enabled
IIoT.
In recent years, several intrusion detection schemes were pro-
posed [8,9] by leveraging radio fingerprinting in IIoT. It is worth
noting that designed IIoT devices have a well-defined and stable
radio signature. However, the features of radio signature change
significantly when an IIoT device is compromised [10,11]. There-
fore, extracting the feature is the most critical aspect of radio
fingerprinting based intrusion detection. Recently, several hand-
crafted features have been assumed, including IQ imbalance [12,
13], time–frequency statistics [14,15], amplifier non-linear char-
acteristics [16,17] and CFO [18,19], while designing intrusion
detection scheme. However, most of these schemes exhibit a high
false alarm rate and often need manual modification [20], making
it unsuitable in practice. Further, training a model characterizing
normal device (we use device and IIoT device interchangeably)
behavior is aggravated in the IIoT setting as there are hundreds
of IIoT devices, which makes it challenging to detect anomalous
behavior that deviates from normal behavior. In this context, we
argue that Federated Learning (FL) [21,22] is a suitable tool for
distributed training of Machine Learning (ML) model and subse-
quent detection of anomalous behavior. In FL, every local node
uses its locally collected data to train a local model and sends the
local model to a central aggregator node. The central aggregator
node aggregates the received local models into a global model
using a federated average algorithm, and then transmits back the
global model to the local nodes. As the local node does not send
raw data to the central aggregator node, FL gives us significant
privacy benefit [23]. This is specifically critical in IIoT if behavioral
data of IIoT devices are compromised, adversaries can profile the
production and operational related data of the manufacturing
company, hence potentially violating privacy. Further, we can
quickly generate an accurate model using FL even for IIoT devices
that usually generate data infrequently as central aggregator node
aggregates locally trained models.
Contributions. In this paper, we present Hawk, a distributed
IDS for detecting compromised devices in LoRa-enabled IIoT. It
uses a novel device-type specific radio fingerprint to achieve ac-
curate detection of adversaries. Particularly, Hawk exploits hard-
ware imperfections of IIoT devices, where signals sent by such
hardware produce offset in frequency at the receiver and measure
fine-grained CFOs of transmitting devices, which are then used to
fingerprint the devices. The rationale behind CFO is that it is more
reliant on the hardware behavior than channel behavior [24],
323
Future Generation Computer Systems 143 (2023) 322–336
making it more reliable for smart manufacturing scenarios. Fur-
ther, the increase in computational complexity is insignificant
as fine-grained CFO estimation is commonly an embedded func-
tion for signal recovery in LoRa-enabled IIoT. Hawk builds a
device-type specific anomaly detection model using FL, which
is a baseline of the devices’ normal CFO behavior, based on the
extracted fingerprints to achieve accurate detection of attacks.
The contributions of this work are as follows:
• To the best of our knowledge, we are the first to present a
comprehensive analysis of CFO-based IDS for LoRa-enabled
IIoT. Based on our analysis, we design a scalable radio fin-
gerprinting framework based on a deep metric learning-
powered CFO extractor.
• We propose Hawk, a novel distributed anomaly-based IDS,
which builds device-type specific detection models based on
the devices’ normal CFO behavior for detecting the adver-
sary. Hawk is the first to apply FL for aggregating anomaly-
detection profiles for detecting the adversary in LoRa-enabled
IIoT.
• We perform extensive experiments on a real-world LoRa-
enabled IIoT Deployment dataset [19]. The results show that
Hawk achieves the highest detection accuracy of 97.36%
while enjoying the least system complexity and the lowest
training time (27 min).
Organization. We organize the rest of the paper as follows.
Section 2 reviews the related work. In Section 3, we present the
system model. Section 4 describes the detail design of Hawk. In
Section 5, we evaluate the performance of Hawk and compare
them to the state-of-the-art. Finally, Section 6 concludes this
work.
2. Related work
Nowadays, there has been a substantial increase in interest
among the researchers in the design of IDS tailored particularly
for the IIoT networks. We present here some works more relevant
in our context.
Machine Learning-based IDS. In the recent past, significant
achievements have been made in cyberattack detection by de-
signing numerous approaches using radio fingerprinting coupled
with ML. For example, many radio fingerprinting based intru-
sion detection schemes [7,18,29] have been proposed using Sup-
port Vector Machine (SVM). To fingerprint LoRa devices, a novel
method has been introduced in [7]. They used SVM to uniquely
distinguish devices by analyzing their radio signals. The experi-
mental results reveal that the proposed method achieves signifi-
cant classification accuracy. To detect malicious application(s) or
malware within an IoT environment, a threat hunting model has
been designed using multikernel SVM in [29]. The authors use
a meta-heuristic feature selection technique to extract optimum
features and minimize computational overhead. Wang et al. [18]
proposed SLoRa, a lightweight benign device detection scheme.
SLoRa uses two radio fingerprinting features, i.e., CFO and link
signature, to identify a benign device. To improve the intrusion
detection performance, SLoRa extracts the two features using
SVM model. A novel device fingerprinting technique has been
designed to identify LoRa devices in [19,37] by exploiting spectro-
gram and Convolutional Neural Network (CNN). Even though the
proposed ML based IDSs have shown improvement in detection
accuracy, they are limited in application due to the lack of labeled
training data. Further, the proposed SVM-based approaches have
poor performance for data with class imbalance.
To detect intrusion in IIoT, Huong et al. [34] designed an
anomaly detection technique based on FL architecture. The pro-
posed technique uses a hybrid model, a combination of Varia-
tional Autoencoder (VAE) and Long–Short Term Memory (LSTM),
S. Halder and T. Newe
Table 1
Comparing the existing IDS approaches.
IDS approaches Feature extraction method
Rule-based Preconfigured fix rules [25,26]
Payload statistic [27,28]
Packet level Packet header fields [21,29,30]
Context statistic [31–33]
ML-based
Flow level statistic [34–36]
Flow level Frequency domain features [18,37]
Hawk
to improve detection accuracy. Further, to reduce computational
complexity, they determined an optimized threshold using Kernel
Quantile Estimator. Similar to [34], Lin et al. [36] proposed an
anomaly detection technique based on VAE-LSTM hybrid model.
One of the advantages of using hybrid model is that several types
of anomalies that might span over multiple time scales can be de-
tected efficiently. Ahn et al. [31] designed Hawknet, a lightweight
Artificial Neural Network (ANN) based distributed IDS. Hawknet
leverages network behavior context for detecting attacks on IoT
devices. In [32], Zhu et al. proposed a malicious packet detec-
tion technique by leveraging packet context profile. Particularly,
the proposed system trained a Recurrent Neural Network (RNN)
model using the header field information of the inter- and intra-
packet contexts. Cui et al. [33] proposed a differentially private
decentralized and asynchronous FL model using a modified gen-
erative adversarial net. They also integrated blockchain with the
proposed model and designed a decentralized anomaly detection
method, in which the global aggregation of FL is attained by the
consensus of blockchain.
Traffic Classification. The number of analyses on the IIoT
fingerprinting through network traffic has been increasing every
day. Several studies have examined the device-type identification
problem [21,27,30] through network traffic. To improve anomaly
detection in network traffic, Yan et al. [8] proposed a hinge
classification algorithm based on mini-batch gradient descent.
The experimental results show that the proposed solution im-
proved the training efficiency and accuracy of the model. In [21],
the authors introduced DIOT, a self-learning anomaly detection
system for detecting compromised IoT devices through network
traffic analysis. DIOT learns anomaly detection models using FL.
Dong et al. [30] examined the privacy leakage issue by evaluating
network traffic in complex and realistic IoT networks. The re-
sult reveals that by utilizing the temporal relationships between
packets of individual devices, one can reliably identify the device.
Similar to [30], Perdisci et al. [27] designed IoTFinder, an IoT de-
vice identification system by fingerprinting DNS traffic. IoTFinder
leverages an ML approach to improve the identification accuracy.
Unlike earlier works, as a promising security approach, traditional
fixed rule based method has been developed for malicious traffic
detection in [25,26]. Although traditional fixed rule based meth-
ods can achieve high accuracy, they are computationally intensive
for resource-constraint IIoT devices.
Meanwhile, several approaches have been proposed for im-
proving the security of IIoT [9,35,38]. Particularly, Abdel-Basset
et al. [9] designed a deep learning model to identify intrusions
from network traffic. The model learns the local representa-
tions of network traffic using Gated Recurrent Units (GRUs). Lu
et al. [38] introduced a deep belief network based cyberattack
detection scheme for industrial system. They used an evolution-
ary algorithm to automatically tune the adjustable parameters
of the deep belief network. The authors in [35] designed a deep
anomaly detection framework by exploiting FL. They used CNN
to capture fine-grained features from network traffic. To reduce
the communication overhead, they also proposed a gradient com-
pression mechanism. A locality-sensitive hash function has been
Future Generation Computer Systems 143 (2023) 322–336
Impersonation detection High accuracy Robust detection Task agnostic
✕ ✓ ✕ ✕
✓ ✓ ✕ ✓
✓ ✓ ✕ ✓
✓ ✓ ✕ ✕
✓ ✕ ✕ ✕
✓ ✓ ✕ ✕
✓ ✓ ✓ ✓
used to generate traffic signature and subsequent device finger-
printing in [28]. The experimental results show that the proposed
approach improves the detection accuracy significantly.
Other Approaches. Many novel security mechanisms have
been proposed for IIoT network in the recent past. For example,
Shen et al. [39] proposed an IDS for malware detection in fog-
cloud-based IoT networks. They further designed a multistage
privacy-preserved game for malware detection by leveraging sig-
naling game. To reduce false alarm and power consumption, Liu
et al. [40] designed two-layer gateway-enabled IDSs for sensor-
cloud computing scenario. They further designed a game theo-
retic method to solve the cooperative defense decision-making
problem among IDSs. Similar to [40], a signaling game model
has been developed for predicting the probability of IoT malware
dissemination in [41]. Recently, Cheng et al. [42] designed an
active defense control method for the stability of switched hy-
brid power system using Lie-algebraic method under DoS attack
scenario. In [43], authors designed a virtual network embedding
algorithm for the security of IIoT nodes by leveraging resource
knowledge description and deep reinforcement learning. Particu-
larly, the proposed algorithm utilises social attribute perception
to guarantee the security of nodes and utilises resource knowl-
edge description to optimize resource overhead. Qu et al. [44]
proposed a blockchain-assisted adaptive asynchronous FL model
for privacy-preserving and decentralized digital twin networks.
They used an improved Markov decision process during global
model aggregation. For secure data sharing, Shen et al. [45] in-
troduced an evolutionary privacy preservation learning technique
in an edge-enabled IoT network. They also developed optimal
privacy preservation strategies to protect node privacy.
Difference from existing works. Our work differs from the
aforementioned works in several ways. First, we use CFO as a
device-type specific radio fingerprint to identify a specific benign
device. Second, our designed IDS performs dynamic detection of
any unknown cyberattacks that deviate from the normal behavior
of the IIoT device, as it only models normal network traffic. Third,
we use GRU, which can be learned utilizing a small amount
of training data, allowing Hawk to be trained faster, and work
in almost real-time anomaly detection in live network traffic.
Last but not the least, we perform experiments on real-world
Deployment dataset collected using LoRa devices, whereas, most
of the previous works used non-LoRa devices. Table 1 summarizes
and compares rule-based and typical ML based IDS approaches,
including our proposed, Hawk. In Table 1, by robust detection, we
mean that an IDS can detect various active attacks on the avail-
ability (e.g., DoS attacks) and integrity (e.g., false data injection
attack) [18]. Whereas, by high accuracy, we mean that an IDS
achieves detection accuracy of over 85% [46].
3. System overview
This section briefly discusses the models used in Hawk. Par-
ticularly, Section 3.1 presents the system model. Section 3.2 in-
troduces the threat model. We then present a brief discussion on
the GRU model in Section 3.3. Finally, in Section 3.4, we present
the assumptions.
324
S. Halder and T. Newe
Fig. 1. The Hawk system model.
3.1. System model
This work assumes a smart manufacturing environment, where
hundreds of heterogeneous devices are connected through a LoRa
network, as shown in Fig. 1. Hawk is based on training a model
with CFOs in a device’s communication flows and identifying
abnormal CFOs caused by the adversary that are inconsistent with
the normal communications of the device in question. We use an
FL approach to train the model for anomaly detection. The Hawk
system comprises of two main modules, namely, local security
service and remote security service. To adopt the FL approach, the
local security service locally trains the anomaly detection model,
which it sends to the remote security service, who aggregates
them to a global detection model and disseminates this global
detection model back to the local security service. Since both the
local security service and remote security service perform several
crucial functionalities in the FL approach, any change in their
location has serious consequences on the performance of Hawk.
Hence, we assume that both the modules are static in Hawk. The
major functionalities of the two modules are as follows.
1. Local Security Service. It monitors the devices and per-
forms anomaly detection to identify compromised devices
and impersonation attacks in the network. In Hawk, the
local security service acts as a local access point to the
Internet, to which the devices are connected through the
LoRa network. It consists of an anomaly detection compo-
nent. In Hawk, once a new device is connected to the net-
work, the local security service obtains a radio fingerprint
to uniquely identify the device. The anomaly detection
component observes the communication of devices and
detects any deviation in normal communication behavior
that is potentially caused by an adversary.
325
Future Generation Computer Systems 143 (2023) 322–336
2. Remote Security Service. It aggregates the device-type
specific anomaly detection model trained by the local secu-
rity service in the system. In Hawk, remote security service
can be a service provider, e.g., Google, Microsoft, Amazon.
Once a new device is found in the local network, the lo-
cal security service identifies its device-type specific radio
fingerprint and retrieves the subsequent anomaly detection
model for this specific device from the remote security ser-
vice. Additionally, the remote security service aggregates
and updates the device-type specific radio fingerprinting
anomaly detection models provided by the local security
service.
During the operation of Hawk, we train the anomaly detection
model iteratively to gradually improve the accuracy of the detec-
tion model, as additional training data become available. We can
perform this repetitive training procedure either regularly or until
the global detection model attains a certain level of convergence,
e.g., the detection model does not improve considerably anymore.
We discuss more details about the FL approach in Section 4.4.
3.2. Threat model
The primary goal of Hawk is to detect attacks on IIoT devices
so that the incident response team can take suitable counter-
measure, e.g., by thwarting the targeted devices from being com-
promised or separating compromised devices from the rest of
the network. This work assumes an attacker (insider or outsider)
capable of inserting spoofed devices into a LoRa-enabled IIoT
infrastructure. The illegitimate devices spoof real IIoT devices and
try to gain access to restricted services of the network and per-
form malicious activities [47]. These malicious activities may in-
clude: (1) compromising the functionality of the system (e.g., DoS
attacks), (2) injecting false physical measurements (e.g., replay
attack), and (3) building the conditions to facilitate new types
of attacks in the future. In a typical attack scenario in LoRa-
enabled IIoT, a legitimate device transmits the sensed data to the
local security service. Instantly, two time windows are set at the
device end to receive an acknowledgment from the local security
service. During this procedure, an active attacker who has a prior
knowledge of the LoRa communication protocol and the legiti-
mate device, e.g., carrier frequency and coding strategy, can infer
communication by leveraging an omnidirectional antenna [48].
An attacker then utilises a directional antenna for impersonating
a trusted device to send false data packets, e.g., spoofing data,
DoS command. Once the local security service accepts the DoS
command or spoofing data from the impersonating device, it
ultimately results in unauthorized access to legitimate devices.
We assume that Hawk does not have any prior knowledge of
threats. We do not assume insiders that have access and can com-
promise real devices used in the network. However, we consider
that attackers use spoofed devices that imitate real IIoT system
operations to gain access to the network.
3.3. Gated recurrent units
This section presents an overview of the deep ML model used
in Hawk. As mentioned earlier, we use an FL algorithm, which is
generally used in models based on stochastic gradient descent to
train Deep Neural Networks (DNNs) [49]. Since network traffic is
a time series data in IIoT, DNNs are unable to simulate changes
in time series. To deal with this issue, we use GRU, a variation
of RNNs, as our training model for the FL algorithm. GRU model
has several advantages, (i) requires few parameters to train, (ii)
computationally inexpensive and (iii) needs less time to train.
However, there are a few limitations in the GRU model, e.g., poor
S. Halder and T. Newe
Fig. 2. Illustration of GRU model.
optimization of initial weights and convergence speed. We argue
that parameter optimization method using genetic algorithm has
a great potential to improve the initial weight optimization and
convergence speed of the GRU model. Note that the parameter
optimization in GRU model is beyond the scope of this paper.
The architecture of GRUs typically consists of two gates, reset
and update, as shown in Fig. 2 [50]. Gate monitors the traffic
flow and controls the learning process, which allows the network
to understand from long-term dependencies. In GRU model, the
required parameters are determined as follows:
rt = σ (wr · [ht −1 , xt ]) , (1)
zt = σ (wz · [ht −1 , xt ]) , (2)
ĥt = tanh (wh · [rt × ht −1 , xt ]) , (3)
ht = (1 − zt ) × ht −1 + zt × ĥt , (4)
where x is the input, h is the output, σ is a sigmoid function,
w is the weight matrix and ĥ is the candidate output, which is
created by tanh layer. In the above equations, the subscript t
and t − 1 signifies the present timestamp and last timestamp,
respectively. In Eqs. (1) and (2), both rt and zt are representing
the result of the sigmoid layer. However, rt defines how to merge
new input information with earlier memory, whereas zt describes
how much of the earlier information requires to be conserved at
the present timestamp.
3.4. Assumption
In this work, we assume that an adversary can compromise
one or more devices in different local networks under a local
security service. We also assume that a compromised device
can inject arbitrary traffic in the LoRa network. Furthermore,
we assume that an adversary has complete knowledge of the
operations and parameters of the Hawk. However, an adversary
cannot compromise Hawk. As the local security service is the
device implementing security in the smart manufacturing envi-
ronment, we assume that an adversary cannot compromise the
local security service. We also consider that Hawk uses a defense
mechanism against the label leakage risk in the FL approach [51].
4. Hawk design
This section presents the technical details of Hawk. In par-
ticular, Section 4.1 presents an overview of Hawk. Section 4.2
326
Future Generation Computer Systems 143 (2023) 322–336
discusses the CFO estimation procedure adapted in Hawk. Sec-
tion 4.3 presents our model training approach. We describe the
device enrollment and authentication procedures in Section 4.4.
Finally, we illustrate the anomaly detection approach in Sec-
tion 4.5.
4.1. Hawk in a nutshell
Hawk is an anomaly detection system that monitors the CFOs
of devices, and validates whether there is any significant devia-
tion in them. Our proposed system involves three stages, namely,
training, enrollment and authentication. In the training stage,
Hawk trains the FL model using a large number of labeled pack-
ets, which are collected from numerous training devices (see
Section 4.3). In the enrollment stage, the authorized devices are
needed to send several packets for enrollment before joining the
network (see Section 4.4). Hawk first preprocesses these enroll-
ment packets. Then, the fingerprints are extracted and stored in
a database located in the local security service. Finally, in the
authentication stage, Hawk first checks the extracted fingerprint
with the FL model. Once a device is successfully authenticated,
it is allowed administrative access to the network, otherwise,
declared as a malicious device (see Section 4.5).
In LoRa-enabled IIoT, each device generally has its own quartz
crystal clock. Due to variations in the clock’s hardware crystal,
devices have an inherent drift in frequency value. Therefore,
the receiving device performs down-conversion with a different
frequency than the up-conversion at the transmitting device,
resulting in CFO of the signals, which is unique for a specific
device. Hawk leverages this uniqueness and trains the model
without the need to manually label the communication patterns
of a particular device. Since IIoT devices are usually single purpose
with only a few distinct functions, their communication behavior
models are quite static and limited, allowing the model to pre-
cisely capture all possible normal CFO behaviors of a specific IIoT
device-type. Hence, the model trained in Hawk is less prone to
triggering false alarms. Further, this approach can reliably map
IIoT devices to a device-type specific model of normal behavior
that Hawk uses to effectively detect anomalous devices. Hawk
uses an FL approach to implement the distributed learning of
models from various devices. In Hawk, the successful detection
of an adversary depends on the fine-grain estimation of CFO. Es-
timating fine-grained CFOs is challenging, as there are two main
factors affecting the frequency of a quartz crystal clock, i.e., noise
and drift (e.g., ageing and temperature) [52]. To compensate the
noise and drift, similar to [18], we follow an adaptive CFO update
approach as described in Section 5.1.2.
4.2. IIoT device’s radio fingerprinting features
In the recent past, several approaches [53,54] have been pro-
posed for intrusion detection in IIoT using radar, vision, sound
and radio signals. However, due to the advent of noiseless IIoT
devices, the sound based approaches are often unable to detect
intruders. Additionally, environment and lights have a significant
effect on visual based approaches. These motivate us to use a
radio signal based approach as a feasible technique to authenti-
cate devices in LoRa-enabled IIoT. LoRa-enabled IIoT device uses
Chirp Spread Spectrum (CSS) modulation in physical layer, which
employs linear chirps for communication. Note that the frequency
increases or decreases linearly with time in CSS modulation. In
Hawk, we utilise the preamble part of LoRa packets to obtain fine-
grain CFO estimation. Let u[nTs ] and y[nTs ] be the transmitted
baseband signal and the received baseband signal in digital form,
respectively, where n is the number of samples and Ts is the
S. Halder and T. Newe Future Generation Computer Systems 143 (2023) 322–336

sampling interval. We can mathematically express the basic chirp FL approach is that it is a privacy-preserving and communication
of y[nTs ] as: efficient approach. Most importantly, in FL, devices use their data
to perform local model training and share local model updates
y[nTs ] = u[nTs ]ej2π ftx t e−j2π frx nTs = u[nTs ]ej2π ∆fnTs ,
with a centralized entity, which aggregates them, thereby pre-
where ftx and frx are the carrier frequencies of transmitting and serving privacy. Further, in smart manufacturing scenarios, the
receiving IIoT devices, respectively, and ∆f = ftx −frx is the CFO. In FL approach is suitable as: (i) data is highly distributed in nature,
LoRa, the ideal instantaneous frequency of baseband signal u[nTs ] and (ii) different LoRa-enabled IIoT networks contribute distinct
increases linearly from − 2B to 2B due to CSS modulation, where B amounts of data. Note that the availability of training data at
is the channel bandwidth. However, in presence of ∆f , the actual every local security service depends on the duration that a device
instantaneous frequency of u[nTs ], f [nTs ] become: has been in the network, and the number of interactions be-
B B tween the device and local security service, which varies among
f [nTs ] = − nTs ,
+ ∆f + networks.
2 T
Fig. 3 illustrates the FL process used in Hawk. In Step ➊, each
where T is the symbol duration. Due to linearity of f [nTs ], our local security service having connected devices of a specific type
course-grain estimation of ∆f is as follows: receives a detection profile for this type from the remote security
L−1 L−1 service. So, the remote security service sends the initial GRU
1∑ 1∑
∆fcg = f [nTs ] = f [nTs ], (5) model to the local security service. At the beginning of Hawk,
L L initial GRU model is random, otherwise it is already trained via
n=0 n=0
numerous rounds of the following process. In Step ➋, the local
where L is the symbol length, which is defined as:
security service trains the local GRU model using individual CFO
T 2α of the device. Once the training is completed, the local security
L= = ,
Ts BTs service generates the local GRU model parameter updates, and
where α is the spreading factor (7 ≤ α ≤ 12). Based on the send them to the remote security service in Step ➌. In Step ➍,
estimated ∆fcg , we can derive the compensated baseband signal the remote security service aggregates all the received local GRU
as follows: models to enhance the global GRU model, following the process
as defined in Definition 1. Finally, in Step ➎, the remote security
y′ [nTs ] = y[nTs ]e−j2π ∆fcg t = y[nTs ]e−j2π ∆fcg nTs . (6) service sends the updated global GRU model to the local security
service. The local security service then used the updated global
Note that the estimated ∆fcg in Eq. (5) contains residual fre-
GRU model to detect anomaly.
quency offset, which must be derived to achieve fine-grain CFO.
We employ the repeating property of preambles [37] to deter-
mine fine-grain CFO, ∆ffg . Based on the repeating property of Definition 1 (Global Model Aggregation). Given m participating
preambles, we estimate ∆ffg as: devices with their associated model weights ω1 , . . . , ωm trained
( L−1 ) by the corresponding number of CFO samples ∆ˆ f1 , . . . , ∆ˆ
fm . We
1 ∑ define the global model G, which aggregates the local models as
′∗
∆ffg = − ̸ y [nTs ] · y [(n + L)Ts ] ,
′
(7) follows:
2π Ts L
n=0 m
∑ ∆ˆfi
where ̸ · provides the angle of the variable and (·)∗ signifies con- G= ωi ,
jugation. We note that the estimation of ∆ffg in Eq. (7) becomes ∆ˆ
i=1
fac
more accurate by taking the average among all the upchirps in ∑m
where ∆ˆ
fac = ∆ˆ
fi .
the preamble. Since the phase of a signal can range from −π to i=1

π , the range of ∆ffg can be estimated using Eq. (7) as follows: FL Training. To train our GRU model, we propose a training
π B algorithm using FL. In Algorithm 1, m is the number of par-
|∆ffg | < = . ticipating devices, nTs is the data samples, Y is the dataset of
2π Ts L 2α+1
devices and G is the trained global model. At the initializing
It is worth mentioning that during LoRa transmission in a typical phase, the model parameters start to get initialized. During this
setting of α = 7 and B = 125 kHz, the frequency drift of the os- phase, both global and local models parameters are initialized
cillator is within ±488.3 Hz [37]. In contrast, the frequency drift to use them in the training procedure. The primary objective of
of the oscillator becomes nearly 8.68 kHZ for a carrier frequency our proposed algorithm is to find a global GRU model based on
of 868 MHz [55], which is significantly higher than 488.3 Hz. local models trained at the local security service. This reduces
Considering this oscillator behavior, we must use coarse-grain the communication overheads by limiting unnecessary sending of
estimation before fine-grain estimation to reduce the residual the number of updates to the local security Service. In Hawk, the
offset. Therefore, using Eqs. (5) and (7), our overall estimated CFO training only needs to be performed once as the trained model
is: can extract the unique fingerprint from newly joined (out-of-
∆ˆ
f = ∆fcg + ∆ffg library) devices. The training devices are not essentially the same
L−1
( L−1 ) devices as the ones for enrollment and authentication.
1∑ 1 ∑
′∗
= f [nTs ] − ̸ y [nTs ] · y [(n + L)Ts ] .
′
(8)
L 2 π Ts L 4.4. Enrollment and authentication
n=0 n=0

4.3. Model training approach
We train the GRU model using signals collected at local se-
curity service, by monitoring devices within a LoRa-enabled IIoT
network. Specifically, each local security service monitors the
devices to training device-type anomaly detection model. We use
FL to achieve distributed learning of models. The rationale behind
327
The authorized devices need to send several packets for en-
rollment before joining the network. Hawk first preprocesses
these enrollment packets. Then the fingerprints are extracted and
stored in a database located in the local security service. The
enrollment procedure can be considered as the training phase
of the GRU model, which basically learns all the training sam-
ples. Different from deep learning, GRU is computationally less
S. Halder and T. Newe
Fig. 3. Overview of federated learning approach.
intensive, which is necessary to significantly reduce the over-
all computational complexity. For example, Hawk collects 1000
packets from each device for enrollment (see Section 5.1.3).
In Hawk, authentication procedure consists of two parts,
namely, anomaly detection and device-type classification. The
anomaly detection decides whether the device is authorized
(previously enrolled) or not. We describe the anomaly detection
in the next section, i.e., Section 4.5. In contrast, the device-
type classification further determines its type. Once a device is
successfully authenticated, it is allowed administrative access to
the network (or, local security service).
4.5. Anomaly detection
By determining ∆ˆ f from observation of carrier frequencies,
we can fingerprint transmitter devices. We exploit this in de-
signing Hawk, a CFO-based IDS for LoRa-enabled IIoT. To de-
termine anomaly in ∆ˆ f , we process signals in batches of N
(e.g., 10) and compute the CFO in the kth signal using Eq. (8) as
∆ˆfk−N , ∆ˆfk−(N −1) , . . . , ∆ˆ
fk−1 . We then pre-trained a model using
GRU. Particularly, the GRU model calculates a probability estimate
pk for each CFO ∆ˆ fk based on the batch of N signals following
the approach as demonstrated in [21]. Note that GRU is a novel
method to RNNs, presently being a topic of significant research
interest. The rationale behind using GRU is that it is compu-
tationally less intensive and provides similar accuracy as other
328
Future Generation Computer Systems 143 (2023) 322–336
RNN methods. Finally, we evaluate the sequence of probability
estimates, i.e., p1 , p2 , . . . , pk to determine potential anomalies.
Specifically, if the occurrence probability pk of ∆ˆ fk falls below
a detection threshold, we conclude that the CFO sequence is
deemed anomalous and an alarm is generated.
Detection Process. As mentioned earlier, our intrusion de-
tection approach is based on estimating the anomaly occur-
rence probability by observing an individual signal given the
batch of received signals. The motivation behind this approach
is the recent observation in the work [37] that LoRa-enabled
IIoT device communications follow specific characteristic pat-
terns. Communication signal generated by adversary or IIoT mal-
ware, however, does not follow these patterns and can hence
be detected. In Hawk, the detection model first calculates an
occurrence probability pk of ∆ˆ fk given the batches of N signals
⟨∆ˆfk−N , ∆ˆ
fk−(N −1) , . . . , ∆ˆ
fk−1 ⟩ as follows:
pk = P ∆ˆ fk−N , ∆ˆ
fk |⟨∆ˆ fk−(N −1) , . . . , ∆ˆ
fk−1 ⟩ .
( )
(9)
In Eq. (9), parameter N is a property of the used GRU model and
signifies the length of the history, i.e., the number of CFOs that the
GRU model considers while calculating the probability estimate.
To detect an intrusion and subsequent generation of an alarm, we
define the anomalous signals as follows.
Definition 2 (Anomalous Signals). Baseband signal yk [nTs ] mapped
to CFO ∆ˆfk is anomalous, if its occurrence probability pk is below
a detection threshold δ , i.e., pk < δ .
S. Halder and T. Newe Future Generation Computer Systems 143 (2023) 322–336

Algorithm 1: Model Training using FL model model for all N devices based on CFO, ˆ fk . We then estimate the
occurrence probability pk and anomaly generating threshold γ
INPUT: Pre-trained and device’s data
during the classification stage. Finally, we generate an intrusion
OUTPUT: Global model
alarm once the fraction of anomalous signals in Y is more than
INITIALIZING:
an anomaly generating threshold γ .
1: Pre-trained model → Federated server
{// Global model at server}
5. Experimental evaluation
2: Parameter = Federated server (m, nTs , Y , G)
{// Determine parameter values at server}
This section first introduces the implementation of Hawk,
3: Global model = Set (w, F , m)
followed by the detailed performance evaluation. Specifically,
4: Local model = Global model (Set (parameters))
Section 5.1 presents the experimental setup and dataset used to
{// Model sends from server to client and training begins}
evaluate the performance of the baseline schemes. Section 5.2
TRAINING:
introduces the evaluation metrics, followed by the FL setup in
5: Federated server = Get (Global model)
Section 5.3. We discuss the experimental results of Hawk in
6: Federated server → Send (Local model)
Section 5.4. Finally, we present the comparative experimental
{// Local model sends from server to client}
results in Section 5.5.
7: for i = 1 to m do
8: Each IIoT device = Train (Local model)
5.1. Experimental setup and dataset
{// Find and set model parameters at client}
9: return Local model parameters
We conduct an experiment on Ubuntu 18.04 with 16 GB RAM
{// Client to server}
in a Dell Latitude 5310 laptop with Intel Core i7 processor running
10: end for
at 4.9 GHz. To improve the reliability of experimental results,
11: return Updated model parameters
we repeated our experiments ten times. We conduct extensive
{// At server}
experiments and the data points in the plots are derived by
averaging the results of 50 independent runs.

Algorithm 2: Anomaly detection 5.1.1. Dataset

INPUT: Y , G, F , γ To measure the performance, we used a real-world Deploy-
OUTPUT: Intrusion alarm ment dataset [19], which was generated from 60 LoRa-enabled
IIoT devices of four models. Table 2 presents the detailed in-
1: for k = 1 to N do formation about the four device models. The data collection for
2: Calculate pk each device was performed for around 1 h and repeated for four
fk ∈F |pk <δ}|
|{∆ˆ
3: if N
> γ then consecutive days. For each device, 3000 packets were collected
4: return Intrusion by setting the transmission interval as 1 s in an indoor environ-
5: else ment with LOS between the device and the receiver. During data
6: return ¬ Intrusion collection, the receiver (i.e., local security service) was a USRP
7: end if N210 Software Defined Radio (SDR) and configured with α = 7,
8: end for B = 125 kHz, carrier frequency 868.1 MHz and sampling rate
1 MS/s. The Deployment dataset contains 26 sub-datasets, each
of which is an Hierarchical Data Format version 5 (HDF5) file.
Each HDF5 file consists of a number of LoRa packets (IQ samples
We conducted an extensive experimental analysis of the prob- of preamble part) and respective device indexes. The preamble
ability estimates given by device-type specific detection models part of LoRa signals in the dataset contains 8192 IQ samples. To
for both malicious and benign traffic for the datasets illustrated avoid the processing of complex numbers by the FL model, IQ data
in Section 5. We found that δ = 0.014 provides a significant samples have been divided into I (real part) and Q (imaginary
difference between benign and malicious traffic for IIoT devices. part) branches. Hence, the input dimension of the FL model in
This motivates us to set δ = 0.014 for distinguishing benign Hawk is 2 × 8192. We present the structure of the raw HDF5
and malicious traffic in our work. Note that triggering an alarm dataset in Fig. 4. Note that the LoRa frame begins with preamble
signal each time a malicious signal is monitored would lead to comprising of 8 standard upchirps.
several false positive detections. The increase in false positive
detections will further intensify as a benign signal might contain 5.1.2. Feature selection
noise that is not included by the GRU model, resulting in low To perform classification experiments, Hawk leverages a phys-
occurrence probability estimation. Therefore, to avoid triggering ical layer feature, i.e., CFO. To estimate the fine-grain CFO from IQ
a false alarm, Hawk generates an alarm signal only in the case samples in the Deployment dataset, we used Eq. (8) and follow
where a significant number of signals in a batch of consecu- the same procedure as proposed in [13]. While mapping CFOs
tive signals are anomalous. We define the anomaly triggering corresponding to the 60 unique devices, we follow the approach
condition as follows. used in [21]. To reduce the channel effect and to ensure efficient
measurement of CFO variations, each device is connected with
Definition 3 (Anomaly Triggering Condition). Given a batch of N the USRP N210 SDR receiver by a 40 dB attenuator. Note that
consecutive signals Y = (y1 [nTs ], . . . , yN [nTs ]) and their corre- CFO experience variations due to noise and drift. Therefore, dif-
sponding CFOs F = (∆ˆ f1 , . . . , ∆ˆ fN ), we generate an alarm signal, ferentiating the drift in CFO measurement between an anomaly
if the fraction of anomalous signals in Y is more than an anomaly and benign that the model needs update is a significant chal-
|{∆ˆfk ∈F |pk <δ}| lenge. To overcome this challenge, we used an update strategy
generating threshold γ , i.e., N
> γ.
to accommodate the legitimate changes in CFO. Particularly, we
We propose an intrusion detection approach in Algorithm 2 set a history of M recently measured CFOs between the local
to identify anomaly by the RNN classifier. We initially build a security service and ith device, denoted as Ci . Let fi denotes the
329
S. Halder and T. Newe Future Generation Computer Systems 143 (2023) 322–336

LoRa+Link signature. Wang et al. [18] used link signature

for fingerprinting devices. Link signature has been extensively
utilised as another fingerprint for intrusion detection in wireless
network. They used SVM model for anomaly detection. While
implementing, we first train the SVM model, which involves
determining a special matrix based on the CFO of a transmitting
device extracted from the Deployment dataset. We used the same
procedure to calculate the special matrix as described in [18]. If
the CFO derived by the SVM model using the pair of a received
frame’s slope gradient and truncation rate is equals to the directly
measured CFO, we consider the corresponding transmitting de-
vice is legitimate. Unless specified otherwise, we use the same
parameter values during the experimentation as mentioned in
Section 5.1.3.
Hybrid model. Huong et al. [34] used a hybrid VAE-LSTM
model for anomaly detection in smart manufacturing. Since VAE-
LSTM model follows unsupervised learning and requires no la-
beled data, the proposed scheme is efficient for detecting a new
anomaly. While implementing, we consider the Hybrid model
consisting of four hidden layers formed of Linear with ReLU
Fig. 4. Overview of dataset structure.
activation followed by fully-connected and sigmoid activation in
the out layer. The model parameters used in the experimentation
are: neurons unit for layers as 128/64/32/8 and batch size as 32.
Table 2
LoRa device information. We assume that a test input sample is malicious if it exceeds
Device index Model Chipset
the threshold 0.25, which is calculated using the Kernel Quantile
Estimator method. Unless specified otherwise, we use the same
D1-D45 Pycom LoPy4 SX1276
D46-D50 mbed SX1261 shield SX1261 parameter values during the experimentation as mentioned in
D51-D55 Pycom FiPy SX1272 Section 5.1.3.
D56-D60 Dragino SX1276 shield SX1276
5.2. Evaluation metrics

initial measured CFO based on the signal frequency conveyed To assess the performance of all the three schemes, we com-
pare the performance of the trained model predictions with real
from ith device, and Hawk obtains a device set according to the
labels based on the following metrics: True Positive (TP), False
comparison similarity as Ci−1 , Ci , Ci+1 . However, due to the noise
Positive (FP), True Negative (TN) and False Negative (FN). TP and
and drift, the carrier frequency in the crystal oscillator undergoes
TN denote the number of instances, where the ML model has
certain changes. Let us assume that the estimated CFO at the
predicted match with real labels. Whereas, FP and FN calculate
local security service side shifts to the next frequency fi+1 , corre-
the number of cases, where the ML model has predicted erro-
sponding to the (i + 1)-th device. In this case, device set becomes
neous values. Additionally, we measured Hawk and compared
Ci+1 , Ci−1 , Ci according to the CFO estimation. Combining these
the results against the baseline approaches using the following
two sets of CFO history, Hawk can still believe that the signal
metrics.
is transmitted from ith device. To limit memory usage, Hawk
replaces the old CFO measurement with the newest measured • Accuracy. It is the ratio of the accurately classified samples
CFO. In our experiment, we set M = 32. by the model and the total input samples. It is computed as
follows:
5.1.3. Model training TP + TN
We trained our learning model using 1000 packets from each Accuracy =
TP + FP + TN + FN
of D1-D40 in the Deployment dataset augmented by multipath
effects. We used Adam as the model optimizer and set the initial • Precision. It denotes the percentage of traffic samples that
learning rate as 0.001. The learning rate decays every time the are classified by the model. It is the ratio of the accu-
validation loss does not decrease for 10 epochs with a drop factor rately predicted positive outcomes and the total number of
of 0.3. We chose the number of epochs that each IIoT device positive predictions. It is determined as follows:
trains its local model as 15 and set the number of communication TP
rounds between devices and local security service as 4. Hence, the Precision =
TP + FP
local models are trained with 60 epochs. We set the mini-batch
size to 32 and the L2 regularization factor as 0.0001. The model • Recall. It signifies the percentage of true positives precisely
training stops once the maximum 60 epochs are achieved. We im- categorized by the model. It is the ratio of the accurately
plemented the learning model using Keras. For device enrollment predicted positive outcomes and the total outcomes in a
before joining the system, we extracted 100 packets from each given class. It is derived as follows:
device. Additionally, we extracted 100 packets from each device TP
for authentication. In Hawk, the learning model only needs to be Recall =
trained once. However, enrollment and authentication have been TP + FN
performed several times to evaluate system performance. • F1-Score. It is the Harmonic mean of the precision and
recall. It is determined as follows:
5.1.4. Baseline schemes Precision × Recall
We compare Hawk with two baseline schemes: F 1 − Score = 2 ×
Precision + Recall
330
S. Halder and T. Newe
Fig. 5. The average CFO drifts over the four days.
In this work, we want to maximize Accuracy, as otherwise
Hawk becomes unusable, since the user will receive a significant
number of false alarms. We seek to maximize Precision, so that
Hawk can detect as many attacks as possible.
5.3. FL setup
We use PySyft deep learning framework for FL feature and
GRUs as our ML neural network. We further use PyTorch deep
learning framework to implement the non-FL deep learning
framework. For chosen m number of devices, we generate virtual
instances using PySyft, and to simulate the central FL server, we
create a dedicated instance to enable sharing of trained model
parameters between the local FL model and the global FL server.
Note that the local FL model for each device-type and the global
FL server are trained in the local security service and remote
security service, respectively. During FL implementation, we use
Mini − Batch Aggregation [23] for the interaction between the
local and global FL models. In Mini − Batch Aggregation, a single
mini-batch of data is used to train the local model before sending
the local model to the global server for aggregation. We set the
local mini-batch size to 20. The local model then receives the new
aggregated global model, with which the training can continue.
We repeated this process 60 epochs till the full training set is
achieved. In Hawk, ML model consists of six layers: an input layer,
four hidden layers (contain 128 neurons each) and an output
layer. The size of the input layer is the same as the number of
network traffic features in the training data. Note that we used
one network traffic feature, i.e., CFO during model training. The
size of the output layer is the same as the number of classes of
network traffic in the training data.
5.4. Performance evaluation of Hawk
In this section, we experimentally demonstrate the feasibility
of adopting CFO in association with FL for detecting malicious
devices.
5.4.1. CFO drift
We first measure the CFO drifts from the Deployment dataset
for devices D1∼D10 to notice how the CFO changes over the
four days. While plotting, we extract the CFO of the packets
gathered on the same day and determine the average value.
Fig. 5 shows that the CFO drift remains relatively stable over the
days. Although, in Figs. 5(a) and 5(b), D5, D9 and D10 exhibit
slight variation in the CFO drift, however this is reasonable as
the oscillator is temperature sensitive. To avoid any drift due to
CFO variation, we use CFO update using the adaptive approach
331
Future Generation Computer Systems 143 (2023) 322–336
as discussed in Section 5.1.2. Interestingly, the plot shows that
the CFO drift for each of the device is unique and remains in
a particular range for a specific device-type. This signifies that
Hawk can use CFO drift to uniquely distinguish device-type.
5.4.2. Efficiency of federated learning
In this section, we first study the appropriate value for the
anomaly triggering threshold γ . To perform this study, we con-
sider the trained model as described in Section 5.1.3, where
1000 benign packets from each of D1-D40 were extracted from
the Deployment dataset. Whereas we obtain 500 packets from
each of D46-D60 as malicious samples from the same dataset. To
chose a suitable value of γ , we perform a series of classification
experiments by varying γ and measure two vital metrics from the
Receiver Operating Characteristic (ROC) curve, namely, the Area
Under the ROC (AUROC) and the Equal Error Rate (EER). Note that
the ROC curve plots True Positive Rate (TPR) against False Positive
Rate (FPR). The value of AUROC signifies the area under the ROC
curve, and the bigger it is, the superior the system performance.
Whereas EER suggests a point in the ROC curve, where FPR is
equal to (1-TPR) and the smaller it is, the superior is the system
performance. We calculate TPR and FPR using the Deployment
dataset for a fixed batch size of 32, where TPR = TPTP+FN
and FPR =
FP
FP +TN
. Fig. 6 shows that AUROC is rapidly increasing initially
against γ . We notice that the AUROC plot is almost completely
plateaued after γ = 0.48. This signifies that the classification
result does not deviate after γ = 0.48. We measure the AUROC
and EER from the plot as 0.923 and 0.025, respectively. Thus, we
chose γ = 0.5. Following a similar approach, we determined
δ = 0.014.
As mentioned earlier, FL is more privacy-preserving for users
as it does not require sharing its training data. Nevertheless,
this might result in a loss of accuracy of the developed model
compared to training the model using a centralized approach. To
measure this potential loss in accuracy, we trained three feder-
ated models using the training datasets generated from D1-D55.
We divided the entire dataset among 45 (D1-D45), 5 (D46-D50)
and 5 (D51-D55) devices and compared these with a model
trained using a centralized learning [36]. Table 3 shows the effec-
tiveness of using FL compared to centralized learning. We notice
that centralized training provides slightly superior accuracy com-
pared to FL. We also notice that TPR is decreasing slowly with
the increase of devices in FL. However, FPR is maintaining the
same value 0.00% for both federated and centralized learning.
This slight drop in TPR for FL is not a concern, as sufficiently
large packet batches would even generate an alarm for any attack
phase.
S. Halder and T. Newe
Table 3
Effectiveness of using federated learning over centralized approach.
Type Federated learning
D1-D45 devices D46-D50 devices D51-D55 devices
FPR 0.00% 0.00% 0.00%
TPR 95.83% 95.62% 95.45%
Fig. 6. AUROC under varying γ and δ = 0.014.
5.4.3. Capability of malicious device detection
During evaluation, we are interested to investigate the per-
formance of malicious device detection under varying number
of training devices. Therefore, we consider that the system is
inaccessible for malicious devices during the training process. We
train two more models, namely, Model 2 and Model 3 in addition
to the model (henceforth, Model 1) described in Section 5.1.3.
We extract 1000 packets from each of D1-D20 and D1-D10 while
training Model 2 and Model 3, respectively. To measure the per-
formance of all the three models under more realistic scenarios, it
is best to implement the malicious device with similar hardware
characteristics as the benign device. Hence, we particularly chose
D1-D40 as benign devices and D41-D45 as malicious devices,
which are all Pycom LoPy4 devices. Our identification dataset
contains 500 packets from each of D1-D45 extracted from the
Deployment dataset. We plot the ROC curve in Fig. 7 to evaluate
the malicious device detection performance of Model 1, 2 and 3.
The plot exhibits that the AUROC and EER of Model 1 as 0.942
and 0.031, respectively. Whereas we observe the AUROC and EER
of Model 2 as 0.926 and 0.054, respectively. Finally, we notice
the worst results from Model 3, where the AUROC and EER of
Model 3 are 0.906 and 0.127, respectively. These results validate
the superior malicious device detection performance of Model
1. Thus, henceforth, by the performance of Hawk, we mean the
performance of Model 1.
5.4.4. Capability of malicious device-type detection
To achieve good system performance for detecting imperson-
ating device, it is essential for Hawk to extract fingerprint from
newly joined or previously unseen devices. In ML, the rule of
thumb is that the more data for model training, the better gener-
alization ability. We select three groups of devices for evaluating
the device-type detection performance as follows:
• Intruder Set 1 [Known Devices]. D1-D20 are devices present
during our model training. Thus, these devices are used to
measure the performance of our training model on known
malicious devices, which already had access to the network
but gets compromised.
Future Generation Computer Systems 143 (2023) 322–336
Centralize
learning
0.00%
96.14%
Fig. 7. ROC curve of malicious device detection.
Fig. 8. Performance of fingerprint extractor.
• Intruder Set 2 [Unknown Devices, same manufacturer].
D41-D45 are devices with the same device model, i.e., Py-
com LoPy4 but did not participate during our model train-
ing. We utilised these devices to validate the performance
of our model on unknown malicious devices.
• Intruder Set 3 [Unknown Devices, distinct manufactur-
ers]. D46-D60 are devices produced by distinct manufac-
turers, whose hardware specifications are different from
training devices D1-D40. Detecting unknown malicious de-
vices from distinct manufactures is the most challenging
scenario as it needs a significantly higher generalization
ability of the ML model.
The performance results of the malicious device detection by
the Models 1, 2 and 3 on the above three sets of malicious
device-types are exhibited in Fig. 8. We observe the superior per-
formance of Model 1. Particularly, the overall accuracy of Model 1
for detecting Intruder Set 1, 2 and 3 is 97.34%, 96.72% and 94.82%,
respectively. The plot reveals that Model 1, 2 and 3 perform
exceptionally on Intruder Set 1 and 2. The accuracy of 96.72% for
detecting D41-D45 signifies that Model 1 can efficiently extract
fingerprints from D41-D45 devices those ware absent during
training. However, we observe the degraded performance of all
three models while detecting Intruder Set 3. This is due to the
hardware specification of Intruder Set 3, i.e., D46-D60, which
is significantly different from the training device model (Pycom
LoPy4). In summary, we need to include more devices during
training to achieve superior performance in case of unknown
devices.
332
S. Halder and T. Newe
Fig. 9. Comparison of detection models based on the training dataset.
5.4.5. Efficiency and scalability of Hawk
Conventional IDS utilises a single model while modeling le-
gitimate behavior, which eventually suffers from high FPR [21].
This reality makes such IDS incompetent for real-world deploy-
ments with several hundreds of different device-types. Hawk
does possess this limitation, since it uses a dedicated detection
model for a specific device-type. Particularly, each of these mod-
els aims only on radio signature behavior, i.e., ∆ˆ f , of a single
device, resulting in more specific and precise behavioral models,
independent of several device-types managed by the system. To
determine the benefit of using a detection model as followed
in Hawk compared to using a single model for all devices, we
built a single model on the entire Deployment dataset utilizing
4-fold cross-validation and then determined detection accuracy.
The experimental results reveal that FPR increases from 0% to
0.56%, while TPR increases from 94.22% to 95.86%.
5.4.6. Processing performance of GRU
This section measures the processing performance of GRU in
absence of particular optimizations. We run our experiment on
a laptop as specified in Section 5.1. We observe that training a
model for one device takes an average of 118 min when con-
sidering four day data in the Deployment dataset. We further
observe that average processing time per packet for prediction is
around 1.362 ms. All these results indicate that model training is
realistic to attain in real-life smart manufacturing scenario, since
training will be performed gradually as data are gathered from
the network over extended periods.
333
Future Generation Computer Systems 143 (2023) 322–336
5.5. Comparative performance evaluation
To validate the effectiveness of our proposed Hawk, we com-
pare its performance against the recently introduced two
state-of-the-art realizations, LLink [18] and Hybrid [34] (see Sec-
tion 5.1.4).
5.5.1. Performance of models
We use accuracy, precision, recall, and F1-score to evaluate
the performance of the various decision models. While measuring
the performance, we consider the three intruder set of devices
as described in Section 5.4.4. The experimental results in Fig. 9
show that our proposed Hawk has the highest detection accuracy,
precision, recall, and F1-score irrespective of the intruder sets.
About the performance of ML models, GRU outperforms SVM and
VAE-LSTM. Specifically, the classification performance of Hawk
is 10%∼15% and 6%∼8% higher than LLink and Hybrid, respec-
tively, for Intruder Set 1. We also notice similar performance
improvement in Hawk compared to LLink and Hybrid for both
Intruder Set 2 and 3. This is because Hawk inherits the intrusion
detection advantages of GRU, which combines the advantages
of both spatial learning and sequential learning. The plots show
that there is a significant performance gap between Hawk, LLink
and Hybrid on the Intruder Set 3. It is due to the hardware
specifications of D46-D60 are significantly different from the
training devices (LoPy4). We also notice that SVM and VAE-LSTM
exhibit comparable performance. It is because VAE-LSTM is more
S. Halder and T. Newe
Fig. 10. Detection accuracy under different number of IIoT devices.
time-consuming, as the gating mechanism it uses requires long-
term computation. Moreover, SVM has lower performance than
GRU and VAE-LSTM as it suffers from poor feature extraction
capability.
5.5.2. The effect of number of IIoT devices on models
This section explores the impact of the number of devices
on the different ML models. We plot the classification accuracy
in Fig. 10. The plot reveals that an increase in the number of
devices adversely affect the performance of LLink and Hybrid.
The possible reason is that the increasing number of devices
bring more updated parameters, creating more overheads for the
server to execute simultaneous model parameter aggregation.
Additionally, these overheads can influence the upload of critical
device parameters, decreasing the accuracy of the global model.
In contrast, Hawk determines γ and δ judiciously, which poten-
tially reduces the number of participating devices. In this way,
Hawk updates the ML model, ensuring model training reliability.
5.5.3. Communication efficiency
This section measures the learning speed of the FL algorithm
used in Hawk via communication rounds. We also compare the
classification accuracy of the learning algorithms used in LLink
and Hybrid under varying number of communication rounds
and the same is plotted in Fig. 11. The plot shows that Hawk
achieves superior performance and quickest learning speed un-
der the same communication round. Alternatively, Hawk needs
fewer communication rounds than LLink and Hybrid to achieve
model convergence. In summary, Hawk improves the classifi-
cation accuracy by 11.36% and 9.52% than LLink and Hybrid,
respectively.
5.5.4. System complexity and training time
This section measures the system complexity and time re-
quired to train the ML models. To measure the system complexity,
we use storage space and amount of parameters. Table 4 shows
that Hawk requires the least amount of parameters, and the
trained ML model takes less storage space. Particularly, in Hawk,
the trained ML model needs 37.98% and 57.70% less storage space
compared to LLink and Hybrid, respectively. Likewise, Hawk im-
proves the amount of parameters by 51.49% and 69.20% compared
to LLink and Hybrid, respectively. In summary, the results in-
dicate that radio fingerprint based system is less complex and
requires few parameters, which ultimately helps to reduce the
authentication time of the IDS.
334
Future Generation Computer Systems 143 (2023) 322–336
Fig. 11. Detection accuracy under varying communication round.
Table 4
System complexity and required training time.
Scheme Storage space (kb) Amount of parameters Training time (min)
Hawk 6,352 1,627,073 27
LLink 10,244 3,354,719 46
Hybrid 15,018 5,283,557 94
The training time is another crucial parameter for measuring
the performance of a ML model. In Table 4, we notice that the
GRU-based Hawk needs 27 mins for training, which is only a
trisect of the VAE-LSTM-based Hybrid scheme. Further, Table 4
exhibits that GRU-based Hawk improves training time by 41.30%
compared to SVM-based LLink.
6. Conclusion
This paper introduces Hawk, a distributed anomaly detection
system that utilises CFO of radio signature to enable robust ma-
licious device detection. The radio signature enables Hawk to
achieve both high detection accuracy and low system complex-
ity. We design a novel technique by making full use of LoRa’s
communication mechanism to estimate fine-grained CFOs for fin-
gerprinting device, which ensures robust detection and thwarts
attackers from evading detection. Hawk then leverages the de-
rived fingerprints to construct a baseline of device’s normal CFO
behavior using FL. Hawk learns anomaly detection models au-
tonomously using data captured by 60 LoRa devices of four mod-
els and a USRP N210 SDR as the receiver. Extensive experiments
show that Hawk achieves better intrusion detection accuracy,
efficiency and robustness than two state-of-the-art realizations.
Particularly, Hawk achieves 97.46% accuracy and 98.27% precision
using 6352 kb storage space and 27 min training time.
Due to the limited availability of suitable dataset on CFO for
LoRa-enabled IIoT, the performance of Hawk is measured using
only the publicly available Deployment dataset. In future, we
aim to setup a real-world experimental environment to measure
the performance of Hawk. We design Hawk to defend against
active attacks. The challenge of dealing with passive attacks,
e.g., eavesdropping, information leakage, remains an open prob-
lem. We further plan to design a parameter optimization method
for improving our GRU model.
CRediT authorship contribution statement
Subir Halder: Conceptualization, Formal analysis, Funding ac-
quisition, Methodology, Software, Validation, Writing – original
draft. Thomas Newe: Funding acquisition, Supervision, Writing –
reviewing and editing.
S. Halder and T. Newe
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared
to influence the work reported in this paper.
Data availability
No data was used for the research described in the article.
Acknowledgments
This work has received funding from the European Union’s
Horizon 2020 research and innovation programme under the
Marie Skłodowska-Curie grant agreement No. 847577; and a re-
search grant from Science Foundation Ireland (SFI) under Grant
Number 16/RC/3918 (Ireland’s European Structural and Invest-
ment Funds Programmes and the European Regional Develop-
ment Fund 2014–2020).
References
[1] P.M.S. Sánchez, J.M.J. Valero, A.H. Celdrán, G. Bovet, M.G. Pérez, G.M. Pérez,
A survey on device behavior fingerprinting: Data sources, techniques,
application scenarios, and datasets, IEEE Commun. Surv. Tutor. 23 (2)
(2021) 1048–1077.
[2] J.P.S. Sundaram, W. Du, Z. Zhao, A survey on LoRa networking: Research
problems, current solutions, and open issues, IEEE Commun. Surv. Tutor.
22 (1) (2019) 371–388.
[3] M. Shen, K. Ye, X. Liu, L. Zhu, J. Kang, S. Yu, Q. Li, K. Xu, Machine learning-
powered encrypted network traffic analysis: A comprehensive survey, IEEE
Commun. Surv. Tutor. (2022) 1–38, http://dx.doi.org/10.1109/COMST.2022.
3208196.
[4] D. Heeger, J. Plusquellic, Analysis of IoT authentication over LoRa, in: Proc.
of 16th DCOSS, 2020, pp. 458–465.
[5] C. Zhang, J. Yue, L. Jiao, J. Shi, S. Wang, A novel physical layer encryption
algorithm for LoRa, IEEE Commun. Lett. 25 (8) (2021) 2512–2516.
[6] K. Liu, M. Yang, Z. Ling, H. Yan, Y. Zhang, X. Fu, W. Zhao, On manually
reverse engineering communication protocols of linux-based IoT systems,
IEEE Internet Things J. 8 (8) (2021) 6815–6827.
[7] P. Robyns, E. Marin, W. Lamotte, P. Quax, D. Singelée, B. Preneel, Physical-
layer fingerprinting of LoRa devices using supervised and zero-shot
learning, in: Proc. of 10th ACM WiSec, 2017, pp. 58–63.
[8] X. Yan, Y. Xu, X. Xing, B. Cui, Z. Guo, T. Guo, Trustworthy network anomaly
detection based on an adaptive learning rate and momentum in IIoT, IEEE
Trans. Ind. Inform. 16 (9) (2020) 6182–6192.
[9] M. Abdel-Basset, V. Chang, H. Hawash, R.K. Chakrabortty, M. Ryan, Deep-
IFS: Intrusion detection approach for IIoT traffic in fog environment, IEEE
Trans. Ind. Inform. 17 (11) (2021) 7704–7715.
[10] D. Formby, P. Srinivasan, A.M. Leonard, J.D. Rogers, R.A. Beyah, Who’s in
control of your control system? Device fingerprinting for cyber-physical
systems, in: Proc. of NDSS, 2016, pp. 1–15.
[11] L. Babun, H. Aksu, A.S. Uluagac, CPS device-class identification via be-
havioral fingerprinting: from theory to practice, IEEE Trans. Inf. Forensics
Secur. 16 (2021) 2413–2428.
[12] J.M. McGinthy, L.J. Wong, A.J. Michaels, Groundwork for neural network-
based specific emitter identification authentication for IoT, IEEE Internet
Things J. 6 (4) (2019) 6429–6440.
[13] J. Zhang, R. Woods, M. Sandell, M. Valkama, A. Marshall, J. Cavallaro, Radio
frequency fingerprint identification for narrowband systems, modelling
and classification, IEEE Trans. Inf. Forensics Secur. 16 (2021) 3974–3987.
[14] D.R. Reising, M.A. Temple, J.A. Jackson, Authorized and rogue device dis-
crimination using dimensionally reduced RF-DNA fingerprints, IEEE Trans.
Inf. Forensics Secur. 10 (6) (2015) 1180–1192.
[15] Z. Ren, P. Ren, T. Zhang, Deep RF device fingerprinting by semi-supervised
learning with meta pseudo time-frequency labels, in: Proc. of IEEE WCNC,
2022, pp. 2369–2374.
[16] J. Sun, W. Shi, Z. Yang, J. Yang, G. Gui, Behavioral modeling and lin-
earization of wideband RF power amplifiers using BiLSTM networks for 5G
wireless systems, IEEE Trans. Veh. Technol. 68 (11) (2019) 10348–10356.
[17] J. Gong, X. Xu, Y. Lei, Unsupervised specific emitter identification method
using radio-frequency fingerprint embedded InfoGAN, IEEE Trans. Inf.
Forensics Secur. 15 (2020) 2898–2913.
[18] X. Wang, L. Kong, Z. Wu, L. Cheng, C. Xu, G. Chen, SLoRa: towards secure
LoRa communications with fine-grained physical layer features, in: Proc.
of 18th ACM SenSys, 2020, pp. 258–270.
335
Future Generation Computer Systems 143 (2023) 322–336
[19] G. Shen, J. Zhang, A. Marshall, J. Cavallaro, Towards scalable and channel-
robust radio frequency fingerprint identification for LoRa, IEEE Trans. Inf.
Forensics Secur. 17 (2022) 774–787.
[20] R. Xie, W. Xu, Y. Chen, J. Yu, A. Hu, D.W.K. Ng, A.L. Swindlehurst, A gener-
alizable model-and-data driven approach for open-set RFF authentication,
IEEE Trans. Inf. Forensics Secur. 16 (2021) 4435–4450.
[21] T.D. Nguyen, S. Marchal, M. Miettinen, H. Fereidooni, N. Asokan, A.-R.
Sadeghi, DÏoT: A federated self-learning anomaly detection system for IoT,
in: Proc. of 39th IEEE ICDCS, 2019, pp. 756–767.
[22] V. Mothukuri, R.M. Parizi, S. Pouriyeh, Y. Huang, A. Dehghantanha, G.
Srivastava, A survey on security and privacy of federated learning, Future
Gener. Comput. Syst. 115 (2021) 619–640.
[23] V. Rey, P.M.S. Sánchez, A.H. Celdrán, G. Bovet, Federated learning for
malware detection in IoT devices, Comput. Netw. 204 (2022) 108693.
[24] W. Hou, X. Wang, J.-Y. Chouinard, A. Refaey, Physical layer authentication
for mobile systems with time-varying carrier frequency offsets, IEEE Trans.
Commun. 62 (5) (2014) 1658–1667.
[25] H. Li, H. Hu, G. Gu, G.-J. Ahn, F. Zhang, vNIDS: Towards elastic security with
safe and efficient virtualization of network intrusion detection systems, in:
Proc. of ACM CCS, 2018, pp. 17–34.
[26] H. Haugerud, H.N. Tran, N. Aitsaadi, A. Yazidi, A dynamic and scalable
parallel network intrusion detection system using intelligent rule ordering
and network function virtualization, Future Gener. Comput. Syst. 124
(2021) 254–267.
[27] R. Perdisci, T. Papastergiou, O. Alrawi, M. Antonakakis, IoTFinder: Efficient
large-scale identification of IoT devices via passive DNS traffic analysis, in:
Proc. of IEEE EuroS&P, 2020, pp. 474–489.
[28] B. Charyyev, M.H. Gunes, Locality-sensitive IoT network traffic finger-
printing for device identification, IEEE Internet Things J. 8 (3) (2021)
1272–1281.
[29] H. Haddadpajouh, A. Mohtadi, A. Dehghantanaha, H. Karimipour, X. Lin,
K.-K.R. Choo, A multi-kernel and meta-heuristic feature selection approach
for IoT malware threat hunting in the edge layer, IEEE Internet Things J.
8 (6) (2021) 4540–4547.
[30] S. Dong, Z. Li, D. Tang, J. Chen, M. Sun, K. Zhang, Your smart home can’t
keep a secret: Towards automated fingerprinting of IoT traffic, in: Proc. of
15th ACM AsiaCCS, 2020, pp. 47–59.
[31] S. Ahn, H. Yi, Y. Lee, W.R. Ha, G. Kim, Y. Paek, Hawkware: Network
intrusion detection based on behavior analysis with ANNs on an IoT device,
in: Proc. of 57th ACM/IEEE DAC, 2020, pp. 1–6.
[32] S. Zhu, S. Li, Z. Wang, X. Chen, Z. Qian, S.V. Krishnamurthy, K.S. Chan,
A. Swami, You do (not) belong here: detecting DPI evasion attacks with
context learning, in: Proc. of 16th CoNEXT, 2020, pp. 183–197.
[33] L. Cui, Y. Qu, G. Xie, D. Zeng, R. Li, S. Shen, S. Yu, Security and privacy-
enhanced federated learning for anomaly detection in IoT infrastructures,
IEEE Trans. Ind. Inform. 18 (5) (2022) 3492–3500.
[34] T.T. Huong, T.P. Bac, D.M. Long, T.D. Luong, N.M. Dan, B.D. Thang, K.P. Tran,
et al., Detecting cyberattacks using anomaly detection in industrial control
systems: A federated learning approach, Comput. Ind. 132 (2021) 103509.
[35] Y. Liu, S. Garg, J. Nie, Y. Zhang, Z. Xiong, J. Kang, M.S. Hossain, Deep
anomaly detection for time-series data in industrial IoT: A communication-
efficient on-device federated learning approach, IEEE Internet Things J. 8
(8) (2021) 6348–6358.
[36] S. Lin, R. Clark, R. Birke, S. Schönborn, N. Trigoni, S. Roberts, Anomaly
detection for time series using vae-lstm hybrid model, in: Proc. of IEEE
ICASSP, 2020, pp. 4322–4326.
[37] G. Shen, J. Zhang, A. Marshall, L. Peng, X. Wang, Radio frequency fingerprint
identification for LoRa using deep learning, IEEE J. Sel. Areas Commun. 39
(8) (2021) 2604–2616.
[38] K.-D. Lu, G.-Q. Zeng, X. Luo, J. Weng, W. Luo, Y. Wu, Evolutionary deep
belief network for cyber-attack detection in industrial automation and
control system, IEEE Trans. Ind. Inform. 17 (11) (2021) 7618–7627.
[39] S. Shen, L. Huang, H. Zhou, S. Yu, E. Fan, Q. Cao, Multistage signaling
game-based optimal detection strategies for suppressing malware diffusion
in fog-cloud-based IoT networks, IEEE Internet Things J. 5 (2) (2018)
1043–1054.
[40] J. Liu, J. Yu, S. Shen, Energy-efficient two-layer cooperative defense scheme
to secure sensor-clouds, IEEE Trans. Inf. Forensics Secur. 13 (2) (2018)
408–420.
[41] Y. Shen, S. Shen, Z. Wu, H. Zhou, S. Yu, Signaling game-based availabil-
ity assessment for edge computing-assisted IoT systems with malware
dissemination, J. Inf. Secur. Appl. 66 (2022) 103140.
[42] Z. Cheng, D. Yue, S. Shen, S. Hu, L. Chen, Secure frequency control of hybrid
power system under DoS attacks via Lie algebra, IEEE Trans. Inf. Forensics
Secur. 17 (2022) 1172–1184.
[43] P. Zhang, P. Gan, N. Kumar, C.-H. Hsu, S. Shen, S. Li, RKD-VNE: Virtual
network embedding algorithm assisted by resource knowledge description
and deep reinforcement learning in IIoT scenario, Future Gener. Comput.
Syst. 135 (2022) 426–437.
S. Halder and T. Newe
[44] Y. Qu, L. Gao, Y. Xiang, S. Shen, S. Yu, FedTwin: Blockchain-enabled
adaptive asynchronous federated learning for digital twin networks, IEEE
Netw. (2022) 1–8, http://dx.doi.org/10.1109/MNET.105.2100620.
[45] Y. Shen, S. Shen, Q. Li, H. Zhou, Z. Wu, Y. Qu, Evolutionary privacy-
preserving learning strategies for edge-based IoT data sharing schemes,
Digit. Commun. Netw. (2022) 1–18, http://dx.doi.org/10.1016/j.dcan.2022.
05.004.
[46] Z. Chiba, N. Abghour, K. Moussaid, M. Rida, et al., Intelligent approach
to build a Deep Neural Network based IDS for cloud environment using
combination of machine learning algorithms, Comput. Secur. 86 (2019)
291–317.
[47] E. Anthi, L. Williams, A. Javed, P. Burnap, Hardening machine learning
denial of service (DoS) defences against adversarial attacks in IoT smart
home networks, Comput. Secur. 108 (2021) 102352.
[48] X. Yang, E. Karampatzakis, C. Doerr, F. Kuipers, Security vulnerabilities in
LoRaWAN, in: Proc. of 3rd IEEE/ACM IoTDI, 2018, pp. 129–140.
[49] Z. Chen, N. Lv, P. Liu, Y. Fang, K. Chen, W. Pan, Intrusion detection for
wireless edge networks based on federated learning, IEEE Access 8 (2020)
217463–217472.
[50] C. Olah, Understanding LSTM networks, 2021, Updated 27 August
2015 [Blog] https://colah.github.io/posts/2015-08-Understanding-LSTMs/.
(Accessed 6 August 2021).
[51] A. Wainakh, F. Ventola, T. Müßig, J. Keim, C.G. Cordero, E. Zimmer, T.
Grube, K. Kersting, M. Mühlhäuser, User-level label leakage from gradients
in federated learning, Proc. Priv. Enhanc. Technol. 2022 (2) (2022) 227–244.
[52] C. Li, Z. Cao, LoRa networking techniques for large-scale and long-term
IoT: A down-to-top survey, ACM Comput. Surv. 55 (3) (2022) 1–36.
[53] R. Heartfield, G. Loukas, A. Bezemskij, E. Panaousis, Self-configurable cyber-
physical intrusion detection for smart homes using reinforcement learning,
IEEE Trans. Inf. Forensics Secur. 16 (2020) 1720–1735.
[54] K. Yu, L. Tan, S. Mumtaz, S. Al-Rubaye, A. Al-Dulaimi, A.K. Bashir, F.A. Khan,
Securing critical infrastructures: Deep-learning-based threat detection in
IIoT, IEEE Commun. Mag. 59 (10) (2021) 76–82.
[55] Semtech, LoRa modulation crystal oscillator guidance, AN1200.14, Rev
2, July 2017, 2021, [Online] https://lora-developers.semtech.com/library/
product-documents/. (Accessed 6 May 2021).
336
Future Generation Computer Systems 143 (2023) 322–336
Subir Halder received his Ph.D. degrees in Computer
Science and Technology from Indian Institute of Engi-
neering Science and Technology, India in 2015. He is
currently a Marie Skłodowska Curie fellow at University
of Limerick, Ireland. Prior to that, he was a Postdoc-
toral Researcher at University of Padua, Italy. He has
worked as an Assistant Professor in the Department
of CSE, Dr. B. C. Roy Engineering College, India during
2007–2017. His research interests include security and
privacy in cyber physical systems, IoT, autonomous
vehicle, controller area network, and Industry 4.0. He
has co-authored more than 50 papers in reputed international peer-reviewed
conferences and journals in his field.
Dr Thomas Newe is an Associate Professor in Computer
Engineering in the Department of Electronic & Com-
puter Engineering at The University of Limerick and is a
funded investigator in three SFI Centres; Confirm-Smart
Manufacturing Centre, Lero-Software Research Centre,
and MaREI-Marine and Renewable Energy Research
Centre. He holds a B.Eng. in Computer Engineering, a
Masters in Engineering in Security Protocol Design and
a Ph.D. in Formal Logics for Security Protocol Verifi-
cation. He has been a University of Limerick faculty
member since 1994. Tom is a board member of Cyber
Ireland, an initiative which brings together Industry, Academia and Government
to represent the needs of the Cyber Security Ecosystem in Ireland, and a founding
member of Cyber Skills, a project which aims to address the global shortage of
cybersecurity professionals. His research interest includes many topics under
the general areas of data security for Wireless Sensor Networks, the Internet of
Things and Smart Collaborative Robotics. He has graduated 15 Ph.D. students
in the broad area of network and data security and his students are funded
from a variety of sources including: EU, SFI, IRC, Internationally and industrially
funded.