Final-Year Design Project · 2024–25 NED University · Telecommunications Engineering

Edge AI · Imitation Learning · LoRa Physical Layer

When the radio gets jammed,
the network
heals itself.

SHARC is a TinyML system that listens for radio-frequency interference, classifies the attack pattern, and rewrites its own radio parameters — frequency, spreading factor, packet cadence — without a human, a server, or a cloud connection. It does this on a $5 microcontroller in under 10 milliseconds.

See the results Read the paper
Test accuracy
98.69%
Model size
20.8KB
Inference latency
<10ms
Channel states
4classes
scroll
01 / Problem

A radio you can silence for the price of a coffee.

LoRa is the radio backbone for millions of low-power IoT deployments — agriculture, utilities, conservation, healthcare in the field. Long range, multi-year batteries, license-free spectrum. It is also structurally undefended.

The physical layer relies on Chirp Spread Spectrum modulation. Two packets at the same spreading factor collide — and only one survives, whichever arrives stronger at the receiver. An attacker with a $5 module, a battery, and a known transmit power can drive the packet-delivery rate of an entire network to zero. Prior work has confirmed this with off-the-shelf hardware.

Worse: a reactive jammer doesn't need to be on the air all the time. It listens for the preamble, fires a short burst, and stays invisible 99% of the time. PDR ends up in the 0.2–0.5 range — degraded enough to break the network, intermittent enough to look like ordinary RF noise.

01

Single-channel jammer

Floods 433 MHz continuously at +17 dBm. Channel occupancy ≈ 100%. Receiver decodes nothing.

  • PDR0.00
  • SNR−35 dB
  • SignatureTotal collapse
02

Channel-hopping jammer

Sweeps 8 sub-channels every ~4s. Each channel briefly clean, briefly hostile. Looks like ordinary multi-path on first glance.

  • PDR0.70–0.90
  • RSSI var700–1200
  • SignatureHigh RSSI variance
03

Reactive jammer

Listens for ValidHeader IRQ, fires a 500ms burst, cools down 3s. Stealthy. Devastates targeted links.

  • PDR0.20–0.50
  • SNR var300–500
  • SignatureIrregular inter-arrival
02 / Approach

Don't classify the attack. Imitate the expert.

Most jamming-detection papers stop at classification: "this is reactive jamming." That's useful information that nobody can act on. We took a different path.

Behavioural Cloning — a form of imitation learning — trains a small neural network not to label attacks, but to recommend the same response a domain expert would. The model maps eight RF observables directly to three binary actions: hop frequency, change spreading factor, randomise transmission interval. The expert policy gets baked into 20.8 kilobytes of TFLite weights.

Training is supervised and offline. Inference is on-device. No reward signal. No cloud. No backhaul. The model sees a feature vector, returns three bits, and a back-channel command frame carries those bits to the transmitter. Both nodes change parameters in the same packet cycle.

How the system fits together
FIG. 01 · Behavioural Cloning · 8 → 32 → 64 → 32 → 3
8 features 32 64 32 3 actions hop frequency change SF randomise interval rssi pktRSSI snr pdr freqErr interArr rssiVar snrVar

The expert policy, in three rows.

Condition freq_hop sf_change interval_rand Why
Clean 0 0 0 No attack. Don't disrupt a working link.
Single-channel 1 0 0 Channel blocked. Vacate. SF change is wasted here.
Channel-hopping 1 1 0 Jammer follows freq. New SF changes collision profile.
Reactive 0 1 1 Preamble detector is SF-locked. Timing jitter breaks it.
03 / System

Three nodes. One closed loop.

Hardware

  • MCUESP32-S3N16R8 · 240 MHz · 8 MB PSRAM
  • RadioSX1278 Ra-02 · 433 MHz ISM
  • SPISCK 13 · MISO 12 · MOSI 9 · CS 10
  • PowerTargeting <3W operating

Radio config

  • Centre freq433.0 MHz (adaptive 4 ch.)
  • SF / BW / CRSF12 · 125 kHz · 4/5
  • TX power+2 dBm (Tx) · +17 dBm (jammer)
  • PDR window20 packets

ML pipeline

  • ModelDense 8→32→64→32→3 · sigmoid
  • LossBinary cross-entropy (multi-label)
  • OptimiserAdam · lr 1e-3 · early stop
  • DeployTFLite Micro · 20.8 KB
04 / Results

A jam, a detection, a recovery — in under five packets.

FIG. 02 · Packet Delivery Rate · attack & recovery cycle PDR Detection Adaptation
1.00 0.75 0.50 0.25 0.00 0s 10 20 30 40s REACTIVE ATTACK ↓ detected (t = 12.4s) ↓ adapted
t · seconds since start
Test accuracy 98.69% across all three binary action outputs on the held-out test set
Clean 1.00 / 1.00 / 1.00 prec · rec · F1
Single-channel 1.00 / 1.00 / 1.00 prec · rec · F1
Channel-hopping 0.97 / 1.00 / 0.98 prec · rec · F1
Reactive 1.00 / 0.97 / 0.98 prec · rec · F1
  • TFLite model size20.8 KB
  • RAM during inference< 5 KB
  • Inference latency< 10 ms
  • Flash utilisation< 0.13% of 16 MB
  • PSRAM headroom> 7.9 MB
  • Training time (CPU)2–5 minutes
05 / Hardware

A real board. Not a render.

The custom PCB carries the ESP32-S3, the SX1278 Ra-02, AES-accelerated crypto, and a power stage targeting sustained operation under 3 watts. Drag to rotate. The geometry below is the actual model.

  • 01

    ESP32-S3N16R8

    Dual-core Xtensa LX7 at 240 MHz with 8 MB PSRAM — enough headroom for the 64-unit hidden layer that standard ESP32 variants cannot accommodate in SRAM.

  • 02

    SX1278 Ra-02

    433 MHz transceiver with full CSS modulation support, direct-register access for fine control over LDRO, CRC, and IRQ behaviour.

  • 03

    Hardware AES

    On-chip cryptographic acceleration for AES — payload-layer protection is handled in dedicated silicon, not stolen from the ML inference budget.

  • 04

    Cost target

    Built from off-the-shelf modules. A fraction of the cost of legacy frequency-hopping radios — and reprogrammable from a laptop.

06 / Applications

Where a jam is the difference between a number and a consequence.

01
Healthcare

Remote patient monitoring

Wearable ECG, SpO₂, glucose telemetry over LoRa in field clinics and rural hospitals. Medical equipment EMI looks a lot like reactive jamming — SHARC distinguishes the two and adapts SF or interval before an alarm is missed.

reactivesingle-channel
02
Defence & ISR

Battlefield sensor networks

Unattended seismic, acoustic, IR tripwires reporting to a forward operating base. Adversaries actively deploy jammers as precursor to incursion. SHARC's no-cloud, edge-resident inference is built for D3 RF environments.

all three
03
Precision agriculture

Distributed soil & irrigation

Hundreds of sensors per gateway across hectares of farmland. Frequency-agile drone payloads and adjacent farms' gateways create exactly the channel-hopping profile in the training set. Hop + SF change recovers PDR.

channel-hoppingsingle-channel
04
Critical infrastructure

Pipeline & grid monitoring

Pressure, flow, valve, leak sensors across hundreds of km. RF disruption paired with physical sabotage is a real threat model. Multi-feature inference separates accidental industrial EMI from deliberate reactive attacks.

reactivesingle-channel
05
Conservation

Anti-poaching collar networks

GPS collars on endangered megafauna in remote reserves. Poaching crews use $50 jammers to blind ranger networks before incursion. Single-channel jam → instant frequency hop → animals stay visible.

single-channel
06
Disaster response

SAR mesh communication

Portable LoRa nodes in earthquake or wildfire zones. The 433 MHz band becomes packed with amateur, emergency, and relief traffic. Looks like channel-hopping. SHARC moves the mesh to a clear sub-channel autonomously.

channel-hoppingreactive
07
Smart cities

Utility & parking sensors

Dense urban LoRaWAN — thousands of meters per gateway. Customers occasionally jam their own smart meters to dispute bills. SHARC hops, recovers, and writes a tamper-evident log entry for the utility operator.

single-channelchannel-hopping
08
Autonomous systems

UAV / UGV telemetry

A reactive jammer on the telemetry link forces a lost-link failsafe and the mission ends without anyone being shot at. SF cycling defeats SF-locked preamble detectors; interval randomisation defeats timing prediction.

reactivesingle-channel
07 / Publication

The work, written down.

Conference paper · submitted

Behavioural Cloning-Based Anti-Jamming Action Recommendation for LoRa IoT Networks Using Embedded TinyML

Syed Ali un Naqi Naqvi · Shahzaib Raza · Mohammad Shayan · Syed Muhammad Aun Hasan Naqavi · Aamir Zeb Shaikh

An autonomous anti-jamming system for LoRa IoT networks employing Behavioural Cloning to recommend and execute targeted radio-parameter adaptations without human intervention. A compact multi-label BC model maps observed RF conditions directly to a three-dimensional binary action vector — converted to TensorFlow Lite and deployed as a 20.8 KB TinyML artefact on an ESP32-S3, achieving 98.69% test accuracy across four channel states.

Affiliation · NED University of Engineering & Technology, Karachi Department · Telecommunications Engineering
Companion paper

Evaluation of Low-Cost Jamming Attacks on the LoRa Physical Layer

Mohammad Shayan · Muhammad Aun Hasan · Ali-Un-Naqi Naqvi · Shahzaib Raza · Aamir Z. Shaikh

The empirical groundwork. An experimental evaluation of three jamming strategies against a LoRa link on ESP32 + SX1278 testbeds. Demonstrates that a $50 adversary can drive PDR to zero across all six spreading factors — motivating the need for the autonomous recommendation system above.

08 / Team

Four engineers. One supervisor. One radio.

MS

Mohammad Shayan

System Design · Firmware

TC-22038

AN

Syed Ali un Naqi Naqvi

ML Pipeline · Hardware

TC-22029

SR

Shahzaib Raza

Data & Evaluation

TC-22037

AH

Syed M. Aun Hasan

Research · Documentation

TC-22039

Supervisor

Dr. Aamir Zeb Shaikh

Associate Professor · Department of Telecommunications Engineering · NED University of Engineering & Technology

09 / Contact

Have a network worth protecting? Let's talk.

We're actively looking for partners with real RF environments — agriculture, conservation, utilities, infrastructure — to test the system in conditions we haven't seen in the lab.

If you have a deployment that needs resilience against interference (deliberate or otherwise), we'd like to hear what it looks like. Demonstrations, technical Q&A, hardware reviews — all on the table.

Direct help.nexsys@gmail.com

We aim to respond within 24 hours. No automated follow-ups.