Attacker Identification In LoRaWAN Through Physical Channel Fingerprinting

LoRaWAN has recently emerged as one of the most important low-power wide area network (LPWAN) technologies due to its ability to combine long-distance communication with energy-efficient computations. LoRaWAN enables long-distance communication, allowing for new types of services in a variety of fields. There are several solutions available; LoRaWAN is arguably the most widely used. It promises ubiquitous connectivity in outdoor Internet of things (IoT) applications while keeping network structures and management simple. In the recent years this technology has received a great deal of support from the scientific community and industry. LoRaWAN is one of the technologies that is widely employed in a variety of industrial and critical monitoring applications, ranging from health and wellness monitoring [1], agriculture monitoring [2], wireless sensor networks [3], traffic monitoring [4], and smart city applications [5].

Apart from capacity and cost, one of the key challenges facing large-scale deployments in Wireless Sensor Network (WSN) is performance monitoring, therefore to assist network operators in managing and monitoring their networks in an efficient and effective manner while avoiding resource waste. Providing network traffic safety and security is a critical issue in a variety of today’s industries, and security is a critical component in many domains of daily life; thus, the goal of our work [6] has been to develop a method for detecting anomalies and attacks. It’s vital to remember that not every observed anomaly indicates a threat or an attack. Such observations should be reported to a network security officer for additional examination and a final determination of whether the anomaly represents a threat. The key objective is to be able to tell the difference between a hacker’s packets and one transmitted by a registered node. To accomplish this, we will collect metadata from various areas of the network, then analyze network performance, discover behavior patterns, and train machine learning models to detect and categorize anomalies and attacks in LoRaWAN network traffic monitoring. The main contribution of the presented work is that it adds a new level of security to the LoRaWAN network without changing the protocol or packet format.

     Fig. 1. The proposed network installation for LoRaWAN WSN.

Processing pipeline

FLoRa [17], an open-source framework for LoRa simulations in [18] OMNeT++ network simulator, was used to construct our dataset. FLoRa implements the physical and medium access control layers of the LoRa protocol, allows bidirectional communications, and provides end-to-end simulations, including backhaul network simulations.

The basic setup described in Fig.1 was used to create our dataset, in which we have devices distributed across the network, all of which are covered by three gateways. Our goal is to collect metadata from each of the three gateways for each received packet. For example, at three distinct gateways that cover the targeted sensor, we must measure the received SNR and RSSI for each sent packet from the targeted sensor. We need to obtain this information for all the packets sent by the network’s sensors. We also need to save the timestamps of the received signal, as well as the spreading factor, bandwidth, transmitter power, and frequency, as a time series for each sensor within the network.

The data from the three separate gateways should be cleaned first, then concatenated together depending on the received sequence number of each packet. As a result, the data should be prepared prior to the next phase of training the machine learning model. The data is then used to build a binary classifier that can discriminate the data origin, determining the source of the received packet. After the model has been developed and trained, it is evaluated to determine its accuracy in recognizing anomalies.


We have built a three-layer neural network model with input, hidden, and output layers of 12,4,1, respectively. The ReLU activation function was employed in the input and hidden layers, whereas the Sigmoid function was used in the output layer. The Binary cross-entropy function is utilized as a loss function, while Adam is used as an optimizer with a learning rate of 0.001.

As shown in Table I, we generated several datasets, each of which is for a group of nodes located at a specific distance from the target node. We chose the group5 dataset to train the chosen model because of the diversity of its nodes, which are distributed throughout the network in various positions, allowing the model to have a generalization feature for identifying anomalies. After shuffling the group5 dataset, we combine the target node’s group dataset with a subset of 20,000 samples from the group5. Then we split the new dataset into two groups for training and testing, 70 percent for training and 30 percent for testing, respectively. The number of training epochs is 50,000, and the batch size is 26000. 

Fig. 2. Loss and Accuracy vs number of epochs for training and validation sets.

Fig. 2 displays the evolution of the two primary metrics, loss and accuracy, against the epoch number, as a result of training.  The loss value is decaying as we execute more iterations in the left portion of the picture, indicating that the model is settling up to the desired objective. Furthermore, we can observe in the right picture that the training and validation curves have a similar tendency, which improves the accuracy to roughly 96%. Following that, we aim to test and validate the model differently after it’s been trained. As previously stated, the distance between two nodes and the generated features of those nodes are correlated. 

As illustrated in Fig.3, when the distance between any two nodes in the network is tiny, both of them begin to create similar features. As a result, we must test our model’s accuracy in detecting anomalies in relation to the distance between the attacker and the target node. 

Fig. 3. Time-series for selected features of 3 different sensors at different positions.

After testing the model on various datasets, we obtained the result shown in Fig.4, which depicts the confusion matrix of the four datasets. As a result, regardless of the distance between the target and the attacker, the model is capable of detecting packets sent from the target as positive classification. The main issue for us is false-negative classification, in which samples from the attacker are classified as data from the target node. which is considered a system failure due to the inability to distinguish between data belonging to the attackers and data belonging to the target node. The distance between the attacker and the target node has the greatest influence on the false-negative ratio. Ultimately, if the distance between the target node and the attacker is greater than 5 meters, the model accuracy of detection of the anomaly is greater than 99 percent, while it drops to nearly 50 percent if the distance is less than 1 meter.

Fig. 4. Confusion matrix for different attacker positions.


Security is a major concern for WSNs. In this work, we demonstrate that using behavioral security is extremely effective for detecting attacks. We’ve shown that if we gather information from a network with at least three gateways covering each sensor and use it to train a binary classifier to discriminate between an attacker’s packets and ones delivered by a targeted node. The results show that if the distance between the target sensor and the attacker position is above 5 meters, the model can distinguish between the targeted data and the one sent by the attacker with roughly 100 percent accuracy. But if the distance is less than 2 meters, the model will fail with a 50 percent accuracy. This research is based on multi-model approaches to classification, with one model for each registered node. The following step is to investigate one model Binary classification-based approach to distinguish between traffic generated by registered nodes and non-registered nodes. We also intend to investigate the possibility of sensor identification using the collected metadata in the future.



[1] P. A. Catherwood, D. Steele, M. Little, S. Mccomb, and J. McLaughlin, “A community-based iot personalized wireless healthcare solution trial,” IEEE journal of translational engineering in health and medicine, vol. 6, pp. 1–13, 2018.

[2] H. M. Jawad, R. Nordin, S. K. Gharghan, A. M. Jawad, and M. Ismail, “Energy-efficient wireless sensor networks for precision agriculture: A review,” Sensors, vol. 17, no. 8, p. 1781, 2017.

[3] A. J. Wixted, P. Kinnaird, H. Larijani, A. Tait, A. Ahmadinia, and N. Strachan, “Evaluation of lora and lorawan for wireless sensor networks,” in 2016 IEEE SENSORS, pp. 1–3, IEEE, 2016.

[4] V. Sharma, I. You, G. Pau, M. Collotta, J. D. Lim, and J. N. Kim, “Lorawan-based energy-efficient surveillance by drones for intelligent transportation systems,” Energies, vol. 11, no. 3, p. 573, 2018.

[5] G. Pasolini, C. Buratti, L. Feltrin, F. Zabini, C. De Castro, R. Verdone, and O. Andrisano, “Smart city pilot projects using lora and ieee802. 15.4 technologies,” Sensors, vol. 18, no. 4, p. 1118, 2018.

[6] S. Alfayoumi and X. Vilajosana, “Attacker Identification In LoRaWAN Through Physical Channel Fingerprinting,” 2022 IEEE 95th Vehicular Technology Conference: (VTC2022-Spring), 2022, pp. 1-5, doi: 10.1109/VTC2022-Spring54318.2022.9860674.

Sobhi Alfayoumi

Sobhi is a Palestinian from Gaza city. He got his Bachelor’s degree in Communications & Computer Engineering from Al-Azhar University-Gaza – AUG, then he finished his Master’s degree from the University of Padova, Italy. After his graduation, he worked as a machine learning engineer in Italy and then he moved to Spain to work as a researcher at Imdea network institution. Now, he is a PhD student at Worldsensing in Spain, where his research focuses on applied machine learning for resource orchestration in a large wireless network.