Towards a Protocol-Aware Intrusion Detection System for LoRaWAN Networks
The increasing reliance of Internet of Things (IoT) applications on low-power wide-area network technologies, particularly LoRaWAN, has amplified the need for intrusion detection approaches that go beyond attack-specific signatures and generic traffic anomalies. Existing IoT intrusion detection systems are often tailored to individual threat scenarios or rely on statistical indicators, which limits their ability to capture protocol-level misuse in a systematic and interpretable manner. This paper addresses this gap by proposing a methodology for protocol-aware anomaly detection based on a digital twin abstraction of LoRaWAN communication behavior. The approach models the Over-The-Air Activation (OTAA) procedure as a finite-state machine that serves as a lightweight, protocol-specific digital twin, encoding expected message sequences and specification-driven constraints. Rather than targeting individual attacks, observed network events are continuously validated against the modeled state evolution, enabling the identification of deviations that indicate anomalous or non-conformant behavior. Illustrative examples include replay attempts, integrity violations, and inconsistencies in protocol parameters, although the framework is not limited to predefined attack categories. The results demonstrate that state-machine-based digital twins provide a structured and extensible foundation for intrusion detection and can be integrated into SOC (Security Operation Center) oriented monitoring environments. Overall, the study highlights the methodological advantages of digital-twin-driven, state-aware detection for improving protocol compliance monitoring and interpretability in LoRaWAN-based IoT networks. Unlike prior LoRaWAN IDS approaches, the proposed model enables the detection of protocol-conformant yet semantically invalid behaviors that remain invisible to packet-centric or statistical detectors.
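The validation idea described in the abstract, as an added sketch that is not the paper's own model or code: a per-device finite-state machine replays observed OTAA events and reports any that do not fit the expected state evolution. The state names, event fields and anomaly labels are assumptions of this example, as are the network-server vantage point (events already attributed to a DevEUI, MIC result supplied by the server) and the LoRaWAN 1.0.4/1.1 rule that DevNonce is an incrementing counter.

```python
from dataclasses import dataclass

# State names and event fields are assumptions of this example, not the paper's model.
IDLE, JOIN_PENDING, JOINED = "IDLE", "JOIN_PENDING", "JOINED"
@dataclass
class OtaaTwin:
    dev_eui: str
    state: str = IDLE
    last_nonce: int = -1   # highest DevNonce accepted so far (counter starts at 0)
    dev_addr: str = ""     # DevAddr assigned by the last JoinAccept

    def observe(self, ev):
        """Check one event against the model; return anomaly labels ([] = conformant)."""
        if not ev.get("mic_ok", True):
            return ["integrity_violation"]      # a bad MIC never advances the state
        if ev["type"] == "join_request":
            if ev["dev_nonce"] <= self.last_nonce:
                return ["devnonce_replay"]      # well-formed frame, stale in this state
            self.last_nonce, self.state = ev["dev_nonce"], JOIN_PENDING
            return []
        if ev["type"] == "join_accept":
            if self.state != JOIN_PENDING:
                return ["unsolicited_join_accept"]
            self.dev_addr, self.state = ev["dev_addr"], JOINED
            return []
        if ev["type"] == "uplink":
            if self.state != JOINED:
                return ["uplink_without_session"]
            return [] if ev["dev_addr"] == self.dev_addr else ["devaddr_mismatch"]
        return ["unknown_event"]

def validate(trace):
    """Replay a trace through one twin per DevEUI; return (index, dev_eui, label) alerts."""
    twins, alerts = {}, []
    for i, ev in enumerate(trace):
        twin = twins.setdefault(ev["dev_eui"], OtaaTwin(ev["dev_eui"]))
        alerts += [(i, ev["dev_eui"], label) for label in twin.observe(ev)]
    return alerts

TRACE = [  # constructed sample trace, not real traffic
    {"type": "join_request", "dev_eui": "A1", "dev_nonce": 7, "mic_ok": True},
    {"type": "join_accept", "dev_eui": "A1", "dev_addr": "26011F00"},
    {"type": "uplink", "dev_eui": "A1", "dev_addr": "26011F00"},
    {"type": "join_request", "dev_eui": "A1", "dev_nonce": 7, "mic_ok": True},   # replayed nonce
    {"type": "join_accept", "dev_eui": "B2", "dev_addr": "26011F01"},            # no request seen
    {"type": "join_request", "dev_eui": "B2", "dev_nonce": 1, "mic_ok": False},  # MIC check failed
    {"type": "uplink", "dev_eui": "A1", "dev_addr": "26011FFF"},                 # wrong DevAddr
]
print(validate(TRACE))
```

The fourth event is the case the abstract's last sentence points at: the frame is well formed and its MIC verifies, so only the tracked state shows it to be invalid.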