Long Range (LoRa) communications are gaining popularity in the Industrial Internet of Things (IIoT) domain due to their large coverage and high energy efficiency. However, LoRa-enabled IIoT networks are susceptible to cyberattacks mainly due to their wide transmission window and freely operated frequency band. This has led to several categories of cyberattacks. However, existing anomaly detection systems are inefficient in detecting particularly impersonation attacks due to the dense deployment, heterogeneous IIoT devices and manufacturers involved.In this work, we introduce Hawk, a distributed anomaly detection system for detecting compromised devices in LoRa-enabled IIoT. Hawk first measures a device-type specific physical layer feature, Carrier Frequency Offset (CFO) and then leverages the CFO for fingerprinting the device, and consequently detecting anomalous deviations in the device’s CFO behavior, potentially caused by adversaries. To aggregate the device-type specific CFO behavior profile efficiently, Hawk uses federated learning, a distributed machine learning approach. To the best of our knowledge, Hawk is the first to utilise a federated learning method for anomaly-based intrusion detection in LoRa-enabled IIoT. We perform extensive experiments on a real-world dataset collected using 60 LoRa devices, primarily to assess the effectiveness of Hawk against emerging new and unknown attacks. The results show that Hawk improves the detection accuracy by more than 8% compared to the state-of-the-art solutions. Additionally, Hawk reduces the storage overhead by more than 40%, and exhibits significant robustness against cyberattack.
Read full abstract