Enhancing Cyber Security in Wireless Sensor Networks using ChatTracer in Large Language Models (LLMs) | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Enhancing Cyber Security in Wireless Sensor Networks using ChatTracer in Large Language Models (LLMs) Ayah Khaldi, Amani Krieshan, Firas Albalas This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7712006/v1 This work is licensed under a CC BY 4.0 License Status: Under Revision Version 1 posted 9 You are reading this latest preprint version Abstract Wireless Sensor Networks (WSNs) are crucial to applications in smart cities, agriculture, and healthcare; however, their open architecture makes them highly vulnerable to cyberattacks. To address this vulnerability, we introduce ChatTracer, a novel security framework leveraging a lightweight Large Language Model (LLM). Fine-tuned on the WSN-BFSF dataset using Low-Rank Adaptation (LoRA), our efficient DeepSeek model analyzes network communication patterns through natural language processing. ChatTracer achieves up to 99% accuracy in real-time detection of major threats like Blackhole, Flooding, and Selective Forwarding, providing a powerful and scalable defense for resource-constrained WSNs. Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 INTRODUCTION Wireless Sensor Networks (WSNs) are made up of many small sensor devices that collect and share data. These networks are used in many important areas like healthcare, smart cities, agriculture, and environmental monitoring. However, since they use wireless communication and often run in open or unsafe and risky environments, Wireless Sensor Networks (WSNs) are easy targets for cyberattacks. The vulnerability to high-risk attacks came from the open and unsecured environment of Wireless Sensor Networks (WSNs). According to [1], the five most common attacks are: Denial of Service (DoS), the overloading of the network by sending a huge number of messages, which causes the network to stop working and stop serving the clients. Sinkhole Attack, where a compromised node starts to take the role of collecting the data, and instead of forwarding to the appropriate destination, it drops or changes the collected data. Spoofing Attack where the role of the trusted node is stolen by a malicious node, and starts the attacks under the cover of the trusted node. Sybil Attack, where a malicious node takes multiple identities to take over control of the network, system, and platform, which causes a spreading of misinformation, authorizes malicious transactions, and disturbs services; finally, the Torrent Attack which can be considered as a type of DoS attacker, where a malicious node flood a huge number of requests for a server to discard the required work for the server. Recently, the use of Artificial Intelligence (AI) and Machine Learning (ML) techniques in detecting cyberattacks has been explored. These techniques can be used to detect and recognize attacks with high accuracy in identifying threats within WSNs by applying a training phase that utilizes these ML techniques [2]. Large Language Models (LLMs), as part of an Artificial Intelligence program that is trained on a huge set of data, are used by researchers to improve security. [3] introduced an efficient tool, ChatTracer, that uses the LLMs techniques to monitor and recognize the behavior of nodes in the network [4]. The main role of ChatTracer is to detect unusual activity, which can be considered an attack indication. It tries to trigger changes or suspicious patterns in the information exchange between nodes by using the previous understanding of LLMs about natural languages. This method can help in detecting some cyberattacks like sinkholes, Sybil, and spoofing. Using recent LLMs models like ChatTracer will make the WSNs environment more secure and dynamically discover and respond to new attacks. Unlike traditional cybersecurity approaches, the proposed approach in this paper gives a flexible and dynamic approach to detect already known attacks and be able to adapt to new attacks by analyzing the information exchange behavior in a real-world environment. The previous achievement is done by exploring how LLMs method, ChatTracer, will help in detecting previous attacks and predict new attacks dynamically. Due to the wide use of WSN in our daily lives, the risk of attacks on this type of network is an ongoing issue that needs to be addressed and mitigated. Our research focuses on bridging the gap between modern approaches in AI and real-world security needs. The approach used in our research is LLMs through the ChatTracer tool to determine the level of accuracy this idea will help in protect and discovering cyberattacks for WSNs. We focus on answering three simple questions: Can LLMs and ChatTracer help make WSNs more secure? Can ChatTracer detect and tell the difference between different types of attacks? Can ChatTracer work in real time to quickly find and respond to attacks? By answering these questions, we want to show that ChatTracer is a smart and helpful tool for keeping WSNs safe. LITERATURE AND RELATED WORKS Many researchers between 2024 and 2025 have focused on improving the security of Wireless Sensor Networks (WSNs) using machine learning (ML) and deep learning (DL). WSNs are used in areas like smart cities, healthcare, and agriculture, but they are also vulnerable to cyberattacks. Below are some recent studies that help address these issues: Behiry and Aly (2024) [9] used a combination of SVD and PCA to reduce features and improve detection accuracy on NSL-KDD and CICIDS2017 datasets. Delwar et al. (2024) [10] provided a detailed review of Machine learning(ML) methods for detecting abnormal behavior, handling congestion, and saving energy in WSNs. Joo et al. (2025) [11] developed a fast and lightweight system to detect Denial-of-Service (DoS) attacks. Nandhini et al. (2024) [12] used threat intelligence data and deep learning models to detect advanced cyberattacks. Pramanick et al. (2025) [13] improved detection results on unbalanced datasets by combining multiple models using a building method. Qaisar et al. (2025) [14] applied Software Defined Networking (SDN) and Digital Twin technologies to detect battery-draining Depletion of Computation (DoC) attacks in sensor networks. Rahmati (2025) [15] focused on making AI models lightweight and explainable so they can run on small, low-power devices. These works help build smarter systems that protect Wireless Sensor Networks (WSNs) from cyber threats. Several new methods have also been introduced that use Large Language Models (LLMs) for network-related tasks: Cui et al. (2025) [6] proposed TrafficLLM, which uses LLMs to analyze network traffic and detect threats. Huo and Tang (2025) [4], and Farrukh et al. (2024) [2] studied how Large Language Models (LLMs) and multimodal can support continuous learning and intrusion detection. Wang et al. (2024) [3] introduced ChatTracer, a system that combines Large Language Models(LLMs) and Bluetooth Low Energy (BLE) packet data to track nearby devices in real time. To train and test such systems, researchers often use the WSN-BFSF dataset by Okur (2023) [16], which includes normal, flooding, blackhole, and selective forwarding attacks. METHODOLOGY Our methodology starts with the preprocessing of the latest Wireless Sensor Network dataset (WSN) WSNBFSF [16]. We conducted an attribute selection process to identify. rely only the most important features relevant to the network traffic analysis. And we transformed the numeric attributes into a single prompt to reflect network traffic behaviors to be compatible with large language models (LLMs). We split the final processed dataset into three subsets: training, validation, and testing in a 7:1:2 ratio, respectively, to ensure a balanced and effective evaluation. Then we started the DeepSeek model development process with a training process that aimed to enable the model to learn the traffic patterns and detect anomalies. Finally, we selected the trained DeepSeek model after the evaluation process and utilized it to implement ChatTracer as shown in Figure 1. A. Dataset The WSNBFSF dataset was created to study security threats in Wireless Sensor Networks (WSNs) [16]. It includes data collected from a simulated WSN environment, where three types of cyberattacks were tested: Blackhole, Flooding, and Selective Forwarding. These are common types of DDoS (Distributed Denial of Service) attacks. The dataset also contains normal network traffic, which makes it useful for comparing normal and malicious behavior. After processing the raw data, the final dataset includes 312,106 rows and 16 features (columns). Each row represents a record of network activity, and each feature gives specific information about the network’s status during that time. Here are some of the important features in the dataset: 1) Id: A unique number for each record. 2) Time: The time the data was collected. 3) Is an attack: Shows if the traffic is normal (0) or an attack (1). 4) Attack type: The type of attack (Blackhole, Flooding, or Selective Forwarding). 5) Packet loss: The number of data packets that were lost. 6) Delay: The time it took for the data to travel through the network. 7) Energy consumption: The amount of energy used by network nodes. 8) Packet delivery ratio: The percentage of packets that reached their destination. The data set is saved in CSV format, which makes it easy to load and use in machine learning projects. It is especially helpful for training models to detect and classify cyberattacks in WSNs, and it can support researchers in building more secure and reliable wireless networks. B. Dataset Preprocessing Before using the WSN-BFSF dataset for training a model, we cleaned and prepared the data using these steps: Prepare data 1) Load the Data: We started by loading the CSV file, which contains over 312,000 records. 2) Choose the Best Features: Some columns were not useful, so we kept only the important ones that help detect attacks better. 3) Fix Class Imbalance: There were more records for normal traffic than for attacks, so we balanced the data to make sure all types are treated fairly. 4) Normalize the Values: We scaled numbers like energy and packet size so they are all in a similar range, which helps the model learn better. 5) Convert Text to Numbers: Attack types (like ”Flooding” or ”Blackhole”) were changed into numbers so the model can understand them. 6) Save the Clean Data: Finally, we saved the new version of the dataset so it can be used for training and testing. Split data. After pre-processing, the data set was divided into three parts to train, validate, and test the model: 1) Training Set (70%) – This is the biggest part. It is used to teach the model. m → 21,406 records 2) Validation Set (10%) – This part helps us check how well the model is learning during training. → 3,058 records 3) Test Set (20%) – This part is used at the end to test how good the model is on new, unseen data. → 6,116 records The ratio used was 70:10:20 for train: validation: test. Training Data he training dataset contains 21,406 rows and 2 columns: 1) full text: This column contains a short instruction like “Analyze the following network data and identify the type of traffic...” It gives context or a prompt to the model. 2) response: This is the label or correct answer. It shows the traffic type: Normal → Normal behavior in the network Forwarding → Selective forwarding attack Blackhole → Blackhole attack (and possibly others like Flooding if included in the full dataset) C. Hyperparameter Tuning Process As part of fine tuning process we selected the deepseekai/DeepSeek-R1-Distill-Qwen-1.5B model since we are limited with hardware resources, we selected the most light DeepSeek-R1 with only 1.5B parameter version to allow us to perform effective performance. We selected these hyperparameters to train the model on with an evaluation epoch strategy: Number of epochs → 9 Batch size per device → 16 Learning rate → 3e-5, 1e-3 To further enhance training performance and reduce the memory requirements with our limited resources, we applied the Low-Rank Adaptation (LoRA) technique, which enables efficient fine-tuning of large models by updating a smaller number of trainable parameters. We also optimized the data loading using dataloader num workers for faster data retrieval during training. And we used gradient accumulation steps, which simulated larger batches by accumulating gradients before updating the model weights. D. ChatTracer The ChatTracer provides an interaction method to detect the normal WSN traffic in real time. We introduced ChatTracer V1, an interactive chatbot that Utilize the capabilities of our traiend deepseek-ai/DeepSeek-R1-Distill-Qwen- 1.5B model to analyze and detect the Wireless Sensor Network Fig. 4. ChatTracer V1 testing (WSN) traffic type through client natural language conversion generation inputs around 250 tokens with a small history. But the small 1.5 model’s parameter limitations caused some unexpected generation tokens that need more weights to generate more accurate context as outputs. E. Evaluation Metrics The evaluation process involved generating a maximum of 5 tokens to assess the performance of our trained model on test input samples. From the generated model outputs, we extracted the first predicted token as the model’s test predictions. Then we compared them to the ground truth labels and calculated the standard confusion matrix and the following key metrics: 1) Precision: The proportion of correctly predicted positive observations to the total predicted positives. 2) Recall: The proportion of correctly predicted positive observations to all actual positives. 3) F1-Score: The harmonic mean of precision and recall, providing a balanced measure of model performance. 4) Accuracy : The overall percentage of correct predictions. As for the ChatTracer evaluation, it is under end-user testing, and since the resource constraints and the use of the smaller 1.5B DeepSeek model, evaluation of ChatTracer is currently limited to informal testing with only user inputs. RESULT AND DISCUSSION While we are using two learning rates with the same 9 epochs and 16 batch size, we got huge difference results between 3e-5, and 1e-3 learning rates. With the 1e-3 learning rate, the model achieved a perfect classification performance. All class labels, Blackhole, Flooding, Forwarding, and normal, achieved precision, recall, and F1-scores of 1.00, with 99% accuracy, showing the model successfully captured the distinguishing features of each class as shown in the confusion Matrix. However, small samples have gotten unexpected tokens as predictions, such as Forwarding, Forwarding, and Forwardingackets. Although the model maintained an overall accuracy of 99%, the presence of these spurious classes significantly reduced the macro-averaged metrics, with macro precision, recall, and F1-score dropping to around 0.18. The small learning rate 3e-5 is never achieved the same as 1e-3, it produces more strange tokens for testing samples with an accuracy of 0.43% with an unclear confusion Matrix, and also it never detected Blackhole network attack. FUTURE WORKS As Future work we aim to enhance ChatTracer output performance and implement an interactive user interface with Reinforcement Learning integration for the ability to enhance the ChatTracer output and network detection. Furthermore, we open the ability to use a variety of network attack types and train a variety of LLM models with large parameters. CONCLUSION In this study, we proposed a new method to improve the security of Wireless Sensor Networks (WSNs) using ChatTracer, a system based on Large Language Models (LLMs). By training and fine-tuning a lightweight DeepSeek model on the WSN-BFSF dataset, we demonstrated that LLMs can successfully detect different types of attacks, such as Blackhole, Flooding, and Selective Forwarding. The model achieved high accuracy even with limited computational resources. This shows that ChatTracer can serve as an effective and intelligent security tool for real-world WSN environments. This research aimed to answer the following questions: • Do LLMs and ChatTracer provide secure solutions for WSNs? Yes — our results show that LLMs can effectively analyze WSN traffic, and ChatTracer can offer an intelligent layer of security. • Can ChatTracer identify and classify different types of WSN attacks? Yes — the trained model was able to classify common WSN attacks such as Flooding, Forwarding, and Blackhole with up to 99% accuracy. • Can ChatTracer be used in real-time to detect and respond to WSN attacks effectively? Yes — although tested in a controlled environment, ChatTracer’s fast prediction time and lightweight design make it suitable for real-time use. In conclusion, ChatTracer shows that combining large language models (LLMs) with Wireless Sensor Network(WSN) security offers a smart, flexible, and modern solution to handle current and future cyberattacks. References Alotaibi, Elham, Rejwan Bin Sulaiman, and Mohammed Almaiah. ”Assessment of cybersecurity threats and defense mechanisms in wireless sensor networks.” Journal of Cyber Security and Risk Auditing 2025.1 (2025): 47-59. Al Sukkar, Ghadeer, and Saleh Al-Sharaeh. ”Enhancing Security in Wireless Sensor Networks: A Machine Learning-based DoS Attack Detection.” Engineering, Technology & Applied Science Research 15.1 19712-19719. Wang, Qijun, et al. “ChatTracer: Large Language Model Powered Real-time Bluetooth Device Tracking System.” arXiv preprint arXiv:2403.19833 (2024). Huo, Yukang, and Hao Tang. ”When Continue Learning Meets Multimodal Large Language Model: A Survey.” arXiv preprint arXiv:2503.01887 (2025). Karpurasundharapondian, P., and M. Selvi. ”A comprehensive survey on optimization techniques for efficient cluster-based routing in WSN.” Peer-to-Peer Networking and Applications 17.5 (2024): 3080-3093. Cui, Tianyu, et al. ”TrafficLLM: Enhancing Large Language Models for Network Traffic Analysis with Generic Traffic Representation.” arXiv preprint arXiv:2504.04222 (2025). Jia, Runliang, and Haiyu Zhang. ”Wireless sensor network (WSN) model targeting energy efficient wireless sensor networks node coverage.” IEEe Access 12 (2024): 27596-27610. Tawfeek, Medhat A., et al. ”Improving energy efficiency and routing reliability in wireless sensor networks using modified ant colony optimization.” EURASIP Journal on Wireless Communications and Networking 2025.1 (2025): 22. Behiry, Mohamed H., and Mohammed Aly. ”Cyberattack detection in wireless sensor networks using a hybrid feature reduction technique with AI and machine learning methods.” Journal of Big Data 11.1 (2024): Delwar, Tahesin Samira, et al. ”The intersection of machine learning and wireless sensor network security for cyber-attack detection: a detailed analysis.” Sensors 24.19 (2024): 6377. Joo, Soyoung, et al. ”Machine Learning-Based Detection and Selective Mitigation of Denial-of-Service Attacks in Wireless Sensor Networks.” Computers, Materials & Continua 82.2 (2025). Nandhini, S., A. Rajeswari, and N. R. Shanker. ”Cyber attack detection in IOT-WSN devices with threat intelligence using hidden and connected layer-based architectures.” Journal of Cloud Computing 13.1 (2024): 159. Pramanick, Neha, et al. ”Leveraging stacking machine learning models and optimization for improved cyberattack detection.” Scientific Reports 15.1 (2025): 1-23. Qaisar, Muhammad Umar Farooq, et al. ”Integration of SDN and Digital Twin for the Intelligent Detection of DoC Attacks in WRSNs.” arXiv preprint arXiv:2503.06164 (2025). Rahmati, Milad. ”Towards Explainable and Lightweight AI for Real-Time Cyber Threat Hunting in Edge Networks.” arXiv preprint arXiv:2504.16118 (2025). Okur, Celil. WSN-BFSF Dataset. Kaggle, 2023, https://www.kaggle.com/datasets/celilokur/wsnbfsfdataset. Accessed 18 May 2025. Additional Declarations No competing interests reported. Cite Share Download PDF Status: Under Revision Version 1 posted Editorial decision: Revision requested 18 Oct, 2025 Reviews received at journal 17 Oct, 2025 Reviewers agreed at journal 17 Oct, 2025 Reviews received at journal 16 Oct, 2025 Reviewers agreed at journal 09 Oct, 2025 Reviewers invited by journal 09 Oct, 2025 Editor assigned by journal 27 Sep, 2025 Submission checks completed at journal 26 Sep, 2025 First submitted to journal 25 Sep, 2025 You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7712006","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":531612692,"identity":"4d72eea7-4ec6-4428-942a-984a8f953031","order_by":0,"name":"Ayah Khaldi","email":"","orcid":"","institution":"Jordan University of Science and Technology","correspondingAuthor":false,"prefix":"","firstName":"Ayah","middleName":"","lastName":"Khaldi","suffix":""},{"id":531612694,"identity":"bd86312c-a818-4009-94c1-dd50fd4a2b04","order_by":1,"name":"Amani Krieshan","email":"","orcid":"","institution":"Jordan University of Science and Technology","correspondingAuthor":false,"prefix":"","firstName":"Amani","middleName":"","lastName":"Krieshan","suffix":""},{"id":531612696,"identity":"6a95dacb-d6bf-4d54-b0b7-a55776e77361","order_by":2,"name":"Firas Albalas","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA/ElEQVRIiWNgGAWjYBAC9gYGxsMMDBYgVgJE6AADgwE+LTxABUAtEiAWUEsCSVokQMqhWvACHvbDDw4X1EjIy8988Ezy5w8GOb4bCQwFH/Bp4UkzODzjmIThhtsJadI8CQzGkkAthjPwaLFnSDA4zMMmwbhBGqgF6LDEDUAtxjz4bOF//uEwzz8J+/kzD6RJ/khgqCesRSLH4DBvm0Riww2GNAmgwxIMCGt5U3B4Zp9E8oYzCcnWPGkShjPPPGzA6xce/vSNjwu+2djObz+TePOHjY083/HkYwb4QgxZdwIDOIIYGNvwRiUSYD8AYzE/IFLLKBgFo2AUjAwAAPy4TvJoURhTAAAAAElFTkSuQmCC","orcid":"","institution":"Jordan University of Science and Technology","correspondingAuthor":true,"prefix":"","firstName":"Firas","middleName":"","lastName":"Albalas","suffix":""}],"badges":[],"createdAt":"2025-09-25 10:53:13","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7712006/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7712006/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":94097553,"identity":"7ba5934a-057e-4d84-ba1e-7d3d4b91b9d3","added_by":"auto","created_at":"2025-10-22 10:22:17","extension":"docx","order_by":0,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":444215,"visible":true,"origin":"","legend":"","description":"","filename":"EnhancingCyberSecurityinWirelessSensorNetworksmod.docx","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/df936cbae9cb3efe3d04f00b.docx"},{"id":94097391,"identity":"6221c777-124d-47eb-b067-2a60d34a7ea8","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"json","order_by":1,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":4281,"visible":true,"origin":"","legend":"","description":"","filename":"b4e0af4c2e0942c9a3488438e5952f64.json","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/adfdb1ad8b28cf0a68178271.json"},{"id":94097396,"identity":"43645707-8cb1-47d1-b780-507e6b9a17e9","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"xml","order_by":2,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":46680,"visible":true,"origin":"","legend":"","description":"","filename":"b4e0af4c2e0942c9a3488438e5952f641enriched.xml","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/a3068568058f69e6e04551aa.xml"},{"id":94098161,"identity":"79b6273d-6386-4adc-9ce6-79a1526356f2","added_by":"auto","created_at":"2025-10-22 10:30:17","extension":"jpeg","order_by":3,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":58010,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage1.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/45ed226a9d90696067dcc859.jpeg"},{"id":94097390,"identity":"5d95a832-22c8-4a81-b9eb-d491736706c3","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"jpeg","order_by":4,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":56353,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage2.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/96f0cb8e127f93152dcec18b.jpeg"},{"id":94098163,"identity":"edf9498f-d25a-4443-ba78-66ee7b20b59f","added_by":"auto","created_at":"2025-10-22 10:30:17","extension":"jpeg","order_by":5,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":49038,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage3.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/2a891cbb217f69e009de2a1c.jpeg"},{"id":94097394,"identity":"7039797b-9bdd-4725-9809-1c2d9134d352","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"jpeg","order_by":6,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":178389,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage4.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/4ae1f9eb9990f79931abe225.jpeg"},{"id":94097399,"identity":"eced48ca-ef7f-4c16-bcf5-e1c54cf656bc","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"jpeg","order_by":7,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":35044,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage5.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/fb9fe91b35157c55cfb7b5d5.jpeg"},{"id":94097403,"identity":"93f12f2c-cc00-4c6f-b009-c033372b2a1a","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"jpeg","order_by":8,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":35949,"visible":true,"origin":"","legend":"","description":"","filename":"floatimage6.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/6eb6d058e2b4dd69e3ad2924.jpeg"},{"id":94097557,"identity":"a01ed59e-202e-4752-aee8-068f336d937d","added_by":"auto","created_at":"2025-10-22 10:22:17","extension":"png","order_by":9,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":45055,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage1.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/970eb2ac2de20d0ded0e2b4e.png"},{"id":94098165,"identity":"f2f7d660-acc3-4bdb-9028-01b357f00e01","added_by":"auto","created_at":"2025-10-22 10:30:17","extension":"png","order_by":10,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":15704,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage2.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/dd5c72a0aa2225d87f51f08d.png"},{"id":94098443,"identity":"dd7c4c5a-ecc4-42d7-a830-5da484a80e0e","added_by":"auto","created_at":"2025-10-22 10:38:18","extension":"png","order_by":11,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":14740,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage3.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/6bdc4bfd5b36da623a2211e5.png"},{"id":94097404,"identity":"389162c0-5a02-44d1-ae7c-1ec0af4669e7","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"png","order_by":12,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":49245,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage4.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/ed56ec6f4e1598d5913d7157.png"},{"id":94097555,"identity":"77e99560-d721-434b-bcf6-71b9b02125d3","added_by":"auto","created_at":"2025-10-22 10:22:17","extension":"png","order_by":13,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":11296,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage5.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/1553df9d5477030e08961e16.png"},{"id":94097398,"identity":"1754e934-0f61-4cbc-a847-0bde9e9ca1a1","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"png","order_by":14,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":11597,"visible":true,"origin":"","legend":"","description":"","filename":"Onlinefloatimage6.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/8a63760472f343cc47b6c466.png"},{"id":94097405,"identity":"6fd4204f-8166-4203-b62f-5baf26169835","added_by":"auto","created_at":"2025-10-22 10:14:18","extension":"xml","order_by":15,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":44479,"visible":true,"origin":"","legend":"","description":"","filename":"b4e0af4c2e0942c9a3488438e5952f641structuring.xml","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/c8112a764c4125bc708a9b9c.xml"},{"id":94097406,"identity":"4896970d-6909-4e8e-b70f-a4c802116273","added_by":"auto","created_at":"2025-10-22 10:14:18","extension":"html","order_by":16,"title":"","display":"","copyAsset":false,"role":"acdc-reference","size":54199,"visible":true,"origin":"","legend":"","description":"","filename":"earlyproof.html","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/496ce9d845b2bd827fa6a896.html"},{"id":94097384,"identity":"d37ab409-17b4-4ea4-b27c-2bad4b208b66","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":52150,"visible":true,"origin":"","legend":"\u003cp\u003eWSN Methodology\u003c/p\u003e","description":"","filename":"1.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/341351f973b4ac0c27664fed.png"},{"id":94097549,"identity":"c742d10c-abea-4e41-a153-256db20195c4","added_by":"auto","created_at":"2025-10-22 10:22:17","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":32770,"visible":true,"origin":"","legend":"\u003cp\u003eChoose the Best Features.\u003c/p\u003e","description":"","filename":"2.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/35da1060dc1c00d60526ee6a.png"},{"id":94097386,"identity":"bf244426-4fae-436d-b16a-4971fa35b8f1","added_by":"auto","created_at":"2025-10-22 10:14:17","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":22556,"visible":true,"origin":"","legend":"\u003cp\u003eFix Class Imbalance before and after balance\u003c/p\u003e","description":"","filename":"3.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/f1409ea177d1a37ea2b19803.png"},{"id":94097550,"identity":"a33c604e-e2da-4dd2-b45d-dc823ae8f8a2","added_by":"auto","created_at":"2025-10-22 10:22:17","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":50806,"visible":true,"origin":"","legend":"\u003cp\u003eChatTracer V1 testing\u003c/p\u003e","description":"","filename":"4.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/746e4ac16a8e1a5022276dac.png"},{"id":94097552,"identity":"e2278654-a5fb-467d-b452-5b6614365738","added_by":"auto","created_at":"2025-10-22 10:22:17","extension":"png","order_by":5,"title":"Figure 5","display":"","copyAsset":false,"role":"figure","size":57378,"visible":true,"origin":"","legend":"\u003cp\u003eThe confusion Matrix for 1e-3 learning rate\u003c/p\u003e","description":"","filename":"5.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/4616b90352a3eb8ecdb1f65d.png"},{"id":94098162,"identity":"836ace9a-6410-417f-9a38-b7a94cede954","added_by":"auto","created_at":"2025-10-22 10:30:17","extension":"png","order_by":6,"title":"Figure 6","display":"","copyAsset":false,"role":"figure","size":56838,"visible":true,"origin":"","legend":"\u003cp\u003eThe confusion Matrix for 3e-5 learning rate\u003c/p\u003e","description":"","filename":"6.png","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/ffb3f243dfaded1cd7480347.png"},{"id":94098638,"identity":"4f49f450-d9f6-4061-91d9-b0c9c0dff690","added_by":"auto","created_at":"2025-10-22 10:38:30","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":605591,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7712006/v1/4eb7ae5c-408e-4592-9dd4-e54432eb58d3.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Enhancing Cyber Security in Wireless Sensor Networks using ChatTracer in Large Language Models (LLMs)","fulltext":[{"header":" INTRODUCTION","content":"\u003cp\u003eWireless Sensor Networks (WSNs) are made up of many small sensor devices that collect and share data. These networks are used in many important areas like healthcare, smart cities, agriculture, and environmental monitoring. However, since they use wireless communication and often run in open or unsafe and risky environments, Wireless Sensor Networks (WSNs) are easy targets for cyberattacks. The vulnerability to high-risk attacks came from the open and unsecured environment of Wireless Sensor Networks (WSNs).\u003c/p\u003e\n\u003cp\u003eAccording to [1], the five most common attacks are: Denial of Service (DoS), the overloading of the network by sending a huge number of messages, which causes the network to stop working and stop serving the clients. Sinkhole Attack, where a compromised node starts to take the role of collecting the data, and instead of forwarding to the appropriate destination, it drops or changes the collected data. Spoofing Attack where the role of the trusted node is stolen by a malicious node, and starts the attacks under the cover of the trusted node. Sybil Attack, where a malicious node takes multiple identities to take over control of the network, system, and platform, which causes a spreading of misinformation, authorizes malicious transactions, and disturbs services; finally, the Torrent Attack which can be considered as a type of DoS attacker, where a malicious node flood a huge number of requests for a server to discard the required work for the server.\u003c/p\u003e\n\u003cp\u003eRecently, the use of Artificial Intelligence (AI) and Machine Learning (ML) techniques in detecting cyberattacks has been explored. These techniques can be used to detect and recognize attacks with high accuracy in identifying threats within WSNs by applying a training phase that utilizes these ML techniques [2]. \u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/p\u003e\n\u003cp\u003eLarge Language Models (LLMs), as part of an Artificial Intelligence program that is trained on a huge set of data, are used by researchers to improve security. [3] introduced an efficient tool, ChatTracer, that uses the LLMs techniques to monitor and recognize the behavior of nodes in the network [4]. The main role of ChatTracer is to detect unusual activity, which can be considered an attack indication. It tries to trigger changes or suspicious patterns in the information exchange between nodes by using the previous understanding of LLMs about natural languages. This method can help in detecting some cyberattacks like sinkholes, Sybil, and spoofing.\u003c/p\u003e\n\u003cp\u003eUsing recent LLMs models like ChatTracer will make the WSNs environment more secure and dynamically discover and respond to new attacks. \u0026nbsp; \u0026nbsp;\u003c/p\u003e\n\u003cp\u003eUnlike traditional cybersecurity approaches, the proposed approach in this paper gives a flexible and dynamic approach to detect already known attacks and be able to adapt to new attacks by analyzing the information exchange behavior in a real-world environment. \u0026nbsp; The previous achievement is done by exploring how LLMs method, ChatTracer, will help in detecting previous attacks and predict new attacks dynamically.\u003c/p\u003e\n\u003cp\u003eDue to the wide use of WSN in our daily lives, the risk of attacks on this type of network is an ongoing issue that needs to be addressed and mitigated. \u0026nbsp;Our research focuses on bridging the gap between modern approaches in AI and real-world security needs. The approach used in our research is LLMs through the ChatTracer tool to determine the level of accuracy this idea will help in protect and discovering cyberattacks for WSNs. \u0026nbsp;\u003c/p\u003e\n\u003cp\u003eWe focus on answering three simple questions:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003eCan LLMs and ChatTracer help make WSNs more secure?\u003c/li\u003e\n \u003cli\u003eCan ChatTracer detect and tell the difference between different types of attacks?\u003c/li\u003e\n \u003cli\u003eCan ChatTracer work in real time to quickly find and respond to attacks?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eBy answering these questions, we want to show that ChatTracer is a smart and helpful tool for keeping WSNs safe.\u003c/p\u003e"},{"header":"LITERATURE AND RELATED WORKS","content":"\u003cp\u003eMany researchers between 2024 and 2025 have focused on improving the security of Wireless Sensor Networks (WSNs) using machine learning (ML) and deep learning (DL). WSNs are used in areas like smart cities, healthcare, and agriculture, but they are also vulnerable to cyberattacks. Below are some recent studies that help address these issues:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003eBehiry and Aly (2024) [9] used a combination of SVD and PCA to reduce features and improve detection accuracy on NSL-KDD and CICIDS2017 datasets.\u003c/li\u003e\n \u003cli\u003eDelwar et al. (2024) [10] provided a detailed review of Machine learning(ML) methods for detecting abnormal behavior, handling congestion, and saving energy in WSNs.\u003c/li\u003e\n \u003cli\u003eJoo et al. (2025) [11] developed a fast and lightweight system to detect Denial-of-Service (DoS) attacks.\u003c/li\u003e\n \u003cli\u003eNandhini et al. (2024) [12] used threat intelligence data and deep learning models to detect advanced cyberattacks.\u003c/li\u003e\n \u003cli\u003ePramanick et al. (2025) [13] improved detection results on unbalanced datasets by combining multiple models using a building method.\u003c/li\u003e\n \u003cli\u003eQaisar et al. (2025) [14] applied Software Defined Networking (SDN) and Digital Twin technologies to detect battery-draining Depletion of Computation (DoC) attacks in sensor networks.\u003c/li\u003e\n \u003cli\u003eRahmati (2025) [15] focused on making AI models lightweight and explainable so they can run on small, low-power devices.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThese works help build smarter systems that protect Wireless Sensor Networks (WSNs) from cyber threats.\u003c/p\u003e\n\u003cp\u003eSeveral new methods have also been introduced that use Large Language Models (LLMs) for network-related tasks:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003eCui et al. (2025) [6] proposed TrafficLLM, which uses LLMs to analyze network traffic and detect threats.\u003c/li\u003e\n \u003cli\u003eHuo and Tang (2025) [4], and Farrukh et al. (2024) [2] studied how Large Language Models (LLMs) and multimodal can support continuous learning and intrusion detection.\u003c/li\u003e\n \u003cli\u003eWang et al. (2024) [3] introduced ChatTracer, a system that combines Large Language Models(LLMs) and Bluetooth Low Energy (BLE) packet data to track nearby devices in real time.\u003c/li\u003e\n \u003cli\u003eTo train and test such systems, researchers often use the WSN-BFSF dataset by Okur (2023) [16], which includes normal, flooding, blackhole, and selective forwarding attacks.\u003c/li\u003e\n\u003c/ul\u003e"},{"header":"METHODOLOGY","content":"\u003cp\u003eOur methodology starts with the preprocessing of the latest Wireless Sensor Network dataset (WSN) WSNBFSF [16]. We conducted an attribute selection process to identify.\u003c/p\u003e\n\u003cp\u003erely only the most important features relevant to the network traffic analysis. And we transformed the numeric attributes into a single prompt to reflect network traffic behaviors to be compatible with large language models (LLMs).\u003c/p\u003e\n\u003cp\u003eWe split the final processed dataset into three subsets: training, validation, and testing in a 7:1:2 ratio, respectively, to ensure a balanced and effective evaluation.\u003c/p\u003e\n\u003cp\u003eThen we started the DeepSeek model development process with a training process that aimed to enable the model to learn the traffic patterns and detect anomalies.\u003c/p\u003e\n\u003cp\u003eFinally, we selected the trained DeepSeek model after the evaluation process and utilized it to implement ChatTracer as shown in Figure 1.\u003c/p\u003e\n\u003ch2\u003eA. Dataset\u003c/h2\u003e\n\u003cp\u003eThe WSNBFSF dataset was created to study security threats in Wireless Sensor Networks (WSNs) [16]. It includes data collected from a simulated WSN environment, where three types of cyberattacks were tested: Blackhole, Flooding, and Selective Forwarding. These are common types of DDoS (Distributed Denial of Service) attacks. The dataset also contains normal network traffic, which makes it useful for comparing normal and malicious behavior.\u003c/p\u003e\n\u003cp\u003eAfter processing the raw data, the final dataset includes 312,106 rows and 16 features (columns). Each row represents a record of network activity, and each feature gives specific information about the network\u0026rsquo;s status during that time.\u003c/p\u003e\n\u003cp\u003eHere are some of the important features in the dataset:\u003c/p\u003e\n\u003cp\u003e1)\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u0026nbsp;Id: A unique number for each record.\u003c/p\u003e\n\u003cp\u003e2)\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u0026nbsp;Time: The time the data was collected. 3) Is an attack: Shows if the traffic is normal (0) or an attack\u003c/p\u003e\n\u003cp\u003e(1).\u003c/p\u003e\n\u003cp\u003e4)\u0026nbsp; \u0026nbsp;Attack type: The type of attack (Blackhole, Flooding, or Selective Forwarding).\u003c/p\u003e\n\u003cp\u003e5)\u0026nbsp; \u0026nbsp;Packet loss: The number of data packets that were lost.\u003c/p\u003e\n\u003cp\u003e6)\u0026nbsp; \u0026nbsp;Delay: The time it took for the data to travel through the network.\u003c/p\u003e\n\u003cp\u003e7)\u0026nbsp; \u0026nbsp;Energy consumption: The amount of energy used by network nodes.\u003c/p\u003e\n\u003cp\u003e8)\u0026nbsp; \u0026nbsp;Packet delivery ratio: The percentage of packets that reached their destination.\u003c/p\u003e\n\u003cp\u003eThe data set is saved in CSV format, which makes it easy to load and use in machine learning projects. It is especially helpful for training models to detect and classify cyberattacks in WSNs, and it can support researchers in building more secure and reliable wireless networks.\u003c/p\u003e\n\u003ch2\u003eB. Dataset Preprocessing\u003c/h2\u003e\n\u003cp\u003eBefore using the WSN-BFSF dataset for training a model, we cleaned and prepared the data using these steps:\u003c/p\u003e\n\u003cp\u003ePrepare data\u003c/p\u003e\n\u003cp\u003e1)\u0026nbsp; \u0026nbsp;Load the Data: We started by loading the CSV file, which contains over 312,000 records.\u003c/p\u003e\n\u003cp\u003e2) \u0026nbsp; Choose the Best Features: Some columns were not useful, so we kept only the important ones that help detect attacks better.\u003c/p\u003e\n\u003cp\u003e3) \u0026nbsp; Fix Class Imbalance: There were more records for normal traffic than for attacks, so we balanced the data to make sure all types are treated fairly.\u003c/p\u003e\n\u003cp\u003e4)\u0026nbsp; \u0026nbsp;Normalize the Values: We scaled numbers like energy and packet size so they are all in a similar range, which helps the model learn better.\u003c/p\u003e\n\u003cp\u003e5)\u0026nbsp; \u0026nbsp;Convert Text to Numbers: Attack types (like \u0026rdquo;Flooding\u0026rdquo; or \u0026rdquo;Blackhole\u0026rdquo;) were changed into numbers so the model can understand them.\u003c/p\u003e\n\u003cp\u003e6)\u0026nbsp; \u0026nbsp;Save the Clean Data: Finally, we saved the new version of the dataset so it can be used for training and testing.\u003c/p\u003e\n\u003cp\u003eSplit data. After pre-processing, the data set was divided into three parts to train, validate, and test the model:\u003c/p\u003e\n\u003cp\u003e1)\u0026nbsp; \u0026nbsp;Training Set (70%) \u0026ndash; This is the biggest part. It is used to teach the model. m \u0026rarr; 21,406 records\u003c/p\u003e\n\u003cp\u003e2)\u0026nbsp; \u0026nbsp;Validation Set (10%) \u0026ndash; This part helps us check how well the model is learning during training. \u0026rarr; 3,058 records\u003c/p\u003e\n\u003cp\u003e3)\u0026nbsp; \u0026nbsp;Test Set (20%) \u0026ndash; This part is used at the end to test how good the model is on new, unseen data. \u0026rarr; 6,116\u003c/p\u003e\n\u003cp\u003erecords\u003c/p\u003e\n\u003cp\u003eThe ratio used was 70:10:20 for train: validation: test. Training Data he training dataset contains 21,406 rows and 2 columns:\u003c/p\u003e\n\u003cp\u003e1)\u0026nbsp; \u0026nbsp;full text: This column contains a short instruction like \u0026ldquo;Analyze the following network data and identify the type of traffic...\u0026rdquo; It gives context or a prompt to the model.\u003c/p\u003e\n\u003cp\u003e2)\u0026nbsp; \u0026nbsp;response: This is the label or correct answer. It shows the traffic type:\u003c/p\u003e\n\u003cp\u003eNormal \u0026rarr; Normal behavior in the network\u003c/p\u003e\n\u003cp\u003eForwarding \u0026rarr; Selective forwarding attack\u003c/p\u003e\n\u003cp\u003eBlackhole \u0026rarr; Blackhole attack\u003c/p\u003e\n\u003cp\u003e(and possibly others like Flooding if included in the full dataset)\u003c/p\u003e\n\u003ch2\u003eC. Hyperparameter Tuning Process\u003c/h2\u003e\n\u003cp\u003eAs part of fine tuning process we selected the deepseekai/DeepSeek-R1-Distill-Qwen-1.5B model since we are limited with hardware resources, we selected the most light DeepSeek-R1 with only 1.5B parameter version to allow us to perform effective performance.\u003c/p\u003e\n\u003cp\u003eWe selected these hyperparameters to train the model on with an evaluation epoch strategy: Number of epochs \u0026rarr; 9\u003c/p\u003e\n\u003cp\u003eBatch size per device \u0026rarr; 16\u003c/p\u003e\n\u003cp\u003eLearning rate \u0026rarr; 3e-5, 1e-3\u003c/p\u003e\n\u003cp\u003eTo further enhance training performance and reduce the memory requirements with our limited resources, we applied the Low-Rank Adaptation (LoRA) technique, which enables efficient fine-tuning of large models by updating a smaller number of trainable parameters. We also optimized the data loading using dataloader num workers for faster data retrieval during training. And we used gradient accumulation steps, which simulated larger batches by accumulating gradients before updating the model weights.\u003c/p\u003e\n\u003ch2\u003eD. ChatTracer\u003c/h2\u003e\n\u003cp\u003eThe ChatTracer provides an interaction method to detect the normal WSN traffic in real time. We introduced ChatTracer V1, an interactive chatbot that Utilize the capabilities of our traiend deepseek-ai/DeepSeek-R1-Distill-Qwen-\u003c/p\u003e\n\u003cp\u003e1.5B model to analyze and detect the Wireless Sensor Network\u003c/p\u003e\n\u003ch3\u003eFig. 4. ChatTracer V1 testing\u003c/h3\u003e\n\u003cp\u003e(WSN) traffic type through client natural language conversion generation inputs around 250 tokens with a small history. But the small 1.5 model\u0026rsquo;s parameter limitations caused some unexpected generation tokens that need more weights to generate more accurate context as outputs.\u003c/p\u003e\n\u003ch2\u003eE. Evaluation Metrics\u003c/h2\u003e\n\u003cp\u003eThe evaluation process involved generating a maximum of 5 tokens to assess the performance of our trained model on test input samples. From the generated model outputs, we extracted the first predicted token as the model\u0026rsquo;s test predictions. Then we compared them to the ground truth labels and calculated the standard confusion matrix and the following key metrics:\u003c/p\u003e\n\u003cp\u003e\u003cem\u003e1)\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/em\u003e\u003cem\u003ePrecision:\u0026nbsp;\u003c/em\u003eThe proportion of correctly predicted positive observations to the total predicted positives.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003e2)\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/em\u003e\u003cem\u003eRecall:\u0026nbsp;\u003c/em\u003eThe proportion of correctly predicted positive observations to all actual positives.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003e3)\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/em\u003e\u003cem\u003eF1-Score:\u0026nbsp;\u003c/em\u003eThe harmonic mean of precision and recall, providing a balanced measure of model performance.\u003c/p\u003e\n\u003cp\u003e\u003cem\u003e4)\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;\u0026nbsp;\u003c/em\u003e\u003cem\u003eAccuracy\u003c/em\u003e: The overall percentage of correct predictions.\u003c/p\u003e\n\u003cp\u003eAs for the ChatTracer evaluation, it is under end-user testing, and since the resource constraints and the use of the smaller 1.5B DeepSeek model, evaluation of ChatTracer is currently limited to informal testing with only user inputs.\u003c/p\u003e"},{"header":"RESULT AND DISCUSSION","content":"\u003cp\u003eWhile we are using two learning rates with the same 9 epochs and 16 batch size, we got huge difference results between 3e-5, and 1e-3 learning rates.\u003c/p\u003e\n\u003cp\u003eWith the 1e-3 learning rate, the model achieved a perfect classification performance. All class labels, Blackhole, Flooding, Forwarding, and normal, achieved precision, recall, and F1-scores of 1.00, with 99% accuracy, showing the model successfully captured the distinguishing features of each class as shown in the confusion Matrix.\u003c/p\u003e\n\u003cp\u003eHowever, small samples have gotten unexpected tokens as predictions, such as Forwarding, Forwarding, and Forwardingackets. Although the model maintained an overall accuracy of 99%, the presence of these spurious classes significantly reduced the macro-averaged metrics, with macro precision, recall, and F1-score dropping to around 0.18.\u003c/p\u003e\n\u003cp\u003eThe small learning rate 3e-5 is never achieved the same as 1e-3, it produces more strange tokens for testing samples with an accuracy of 0.43% with an unclear confusion Matrix, and also it never detected Blackhole network attack.\u003c/p\u003e"},{"header":"FUTURE WORKS","content":"\u003cp\u003eAs Future work we aim to enhance ChatTracer output performance and implement an interactive user interface with Reinforcement Learning integration for the ability to enhance the ChatTracer output and network detection. Furthermore, we open the ability to use a variety of network attack types and train a variety of LLM models with large parameters.\u003c/p\u003e"},{"header":"CONCLUSION","content":"\u003cp\u003eIn this study, we proposed a new method to improve the security of Wireless Sensor Networks (WSNs) using ChatTracer, a system based on Large Language Models (LLMs). By training and fine-tuning a lightweight DeepSeek model on the WSN-BFSF dataset, we demonstrated that LLMs can successfully detect different types of attacks, such as Blackhole, Flooding, and Selective Forwarding. The model achieved high accuracy even with limited computational resources. This shows that ChatTracer can serve as an effective and intelligent security tool for real-world WSN environments.\u003c/p\u003e\n\u003cp\u003eThis research aimed to answer the following questions:\u003c/p\u003e\n\u003cp\u003e•\u0026nbsp; \u0026nbsp; \u0026nbsp;Do LLMs and ChatTracer provide secure solutions for WSNs?\u003c/p\u003e\n\u003cp\u003eYes — our results show that LLMs can effectively analyze WSN traffic, and ChatTracer can offer an intelligent layer of security.\u003c/p\u003e\n\u003cp\u003e•\u0026nbsp; \u0026nbsp; \u0026nbsp;Can ChatTracer identify and classify different types of WSN attacks?\u003c/p\u003e\n\u003cp\u003eYes — the trained model was able to classify common WSN attacks such as Flooding, Forwarding, and Blackhole with up to 99% accuracy.\u003c/p\u003e\n\u003cp\u003e•\u0026nbsp; \u0026nbsp; \u0026nbsp;Can ChatTracer be used in real-time to detect and respond to WSN attacks effectively? Yes — although tested in a controlled environment, ChatTracer’s fast prediction time and lightweight design make it suitable for real-time use.\u003c/p\u003e\n\u003cp\u003eIn conclusion, ChatTracer shows that combining large language models (LLMs) with Wireless Sensor Network(WSN) security offers a smart, flexible, and modern solution to handle current and future cyberattacks.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\n \u003cli\u003eAlotaibi, Elham, Rejwan Bin Sulaiman, and Mohammed Almaiah. \u0026rdquo;Assessment of cybersecurity threats and defense mechanisms in wireless sensor networks.\u0026rdquo; Journal of Cyber Security and Risk Auditing 2025.1 (2025): 47-59.\u003c/li\u003e\n \u003cli\u003eAl Sukkar, Ghadeer, and Saleh Al-Sharaeh. \u0026rdquo;Enhancing Security in Wireless Sensor Networks: A Machine Learning-based DoS Attack Detection.\u0026rdquo; Engineering, Technology \u0026amp; Applied Science Research 15.1 19712-19719.\u003c/li\u003e\n \u003cli\u003eWang, Qijun, et al. \u0026ldquo;ChatTracer: Large Language Model Powered Real-time Bluetooth Device Tracking System.\u0026rdquo; arXiv preprint arXiv:2403.19833 (2024).\u003c/li\u003e\n \u003cli\u003eHuo, Yukang, and Hao Tang. \u0026rdquo;When Continue Learning Meets Multimodal Large Language Model: A Survey.\u0026rdquo; arXiv preprint arXiv:2503.01887 (2025).\u003c/li\u003e\n \u003cli\u003eKarpurasundharapondian, P., and M. Selvi. \u0026rdquo;A comprehensive survey on optimization techniques for efficient cluster-based routing in WSN.\u0026rdquo; Peer-to-Peer Networking and Applications 17.5 (2024): 3080-3093.\u003c/li\u003e\n \u003cli\u003eCui, Tianyu, et al. \u0026rdquo;TrafficLLM: Enhancing Large Language Models for Network Traffic Analysis with Generic Traffic Representation.\u0026rdquo; arXiv preprint arXiv:2504.04222 (2025).\u003c/li\u003e\n \u003cli\u003eJia, Runliang, and Haiyu Zhang. \u0026rdquo;Wireless sensor network (WSN) model targeting energy efficient wireless sensor networks node coverage.\u0026rdquo; IEEe Access 12 (2024): 27596-27610.\u003c/li\u003e\n \u003cli\u003eTawfeek, Medhat A., et al. \u0026rdquo;Improving energy efficiency and routing reliability in wireless sensor networks using modified ant colony optimization.\u0026rdquo; EURASIP Journal on Wireless Communications and Networking 2025.1 (2025): 22.\u003c/li\u003e\n \u003cli\u003eBehiry, Mohamed H., and Mohammed Aly. \u0026rdquo;Cyberattack detection in wireless sensor networks using a hybrid feature reduction technique with AI and machine learning methods.\u0026rdquo; Journal of Big Data 11.1 (2024):\u003c/li\u003e\n \u003cli\u003eDelwar, Tahesin Samira, et al. \u0026rdquo;The intersection of machine learning and wireless sensor network security for cyber-attack detection: a detailed analysis.\u0026rdquo; Sensors 24.19 (2024): 6377.\u003c/li\u003e\n \u003cli\u003eJoo, Soyoung, et al. \u0026rdquo;Machine Learning-Based Detection and Selective Mitigation of Denial-of-Service Attacks in Wireless Sensor Networks.\u0026rdquo; Computers, Materials \u0026amp; Continua 82.2 (2025).\u003c/li\u003e\n \u003cli\u003eNandhini, S., A. Rajeswari, and N. R. Shanker. \u0026rdquo;Cyber attack detection in IOT-WSN devices with threat intelligence using hidden and connected layer-based architectures.\u0026rdquo; Journal of Cloud Computing 13.1 (2024): 159.\u003c/li\u003e\n \u003cli\u003ePramanick, Neha, et al. \u0026rdquo;Leveraging stacking machine learning models and optimization for improved cyberattack detection.\u0026rdquo; Scientific Reports 15.1 (2025): 1-23.\u003c/li\u003e\n \u003cli\u003eQaisar, Muhammad Umar Farooq, et al. \u0026rdquo;Integration of SDN and Digital Twin for the Intelligent Detection of DoC Attacks in WRSNs.\u0026rdquo; arXiv preprint arXiv:2503.06164 (2025).\u003c/li\u003e\n \u003cli\u003eRahmati, Milad. \u0026rdquo;Towards Explainable and Lightweight AI for Real-Time Cyber Threat Hunting in Edge Networks.\u0026rdquo; arXiv preprint arXiv:2504.16118 (2025).\u003c/li\u003e\n \u003cli\u003eOkur, Celil. WSN-BFSF Dataset. Kaggle, 2023, https://www.kaggle.com/datasets/celilokur/wsnbfsfdataset. Accessed 18 May 2025.\u003c/li\u003e\n\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"cluster-computing","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"","sideBox":"Learn more about [Cluster Computing](https://www.springer.com/journal/10586)","snPcode":"10586","submissionUrl":"https://submission.nature.com/new-submission/10586/3","title":"Cluster Computing","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"","lastPublishedDoi":"10.21203/rs.3.rs-7712006/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7712006/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eWireless Sensor Networks (WSNs) are crucial to applications in smart cities, agriculture, and healthcare; however, their open architecture makes them highly vulnerable to cyberattacks. To address this vulnerability, we introduce ChatTracer, a novel security framework leveraging a lightweight Large Language Model (LLM). Fine-tuned on the WSN-BFSF dataset using Low-Rank Adaptation (LoRA), our efficient DeepSeek model analyzes network communication patterns through natural language processing. ChatTracer achieves up to 99% accuracy in real-time detection of major threats like Blackhole, Flooding, and Selective Forwarding, providing a powerful and scalable defense for resource-constrained WSNs.\u003c/p\u003e","manuscriptTitle":"Enhancing Cyber Security in Wireless Sensor Networks using ChatTracer in Large Language Models (LLMs)","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-10-22 10:14:12","doi":"10.21203/rs.3.rs-7712006/v1","editorialEvents":[{"type":"communityComments","content":0},{"type":"decision","content":"Revision requested","date":"2025-10-18T12:25:11+00:00","index":"","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-10-17T14:22:14+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"97960166751492463668919096530724063658","date":"2025-10-17T06:26:55+00:00","index":"hide","fulltext":""},{"type":"editorInvitedReview","content":"","date":"2025-10-17T01:08:19+00:00","index":"hide","fulltext":""},{"type":"reviewerAgreed","content":"247258885188798472297453834785227344958","date":"2025-10-09T14:12:01+00:00","index":"hide","fulltext":""},{"type":"reviewersInvited","content":"","date":"2025-10-09T05:12:25+00:00","index":"","fulltext":""},{"type":"editorAssigned","content":"","date":"2025-09-27T13:36:52+00:00","index":"","fulltext":""},{"type":"checksComplete","content":"","date":"2025-09-27T01:24:59+00:00","index":"","fulltext":""},{"type":"submitted","content":"Cluster Computing","date":"2025-09-25T10:38:08+00:00","index":"","fulltext":""}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"cluster-computing","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"","sideBox":"Learn more about [Cluster Computing](https://www.springer.com/journal/10586)","snPcode":"10586","submissionUrl":"https://submission.nature.com/new-submission/10586/3","title":"Cluster Computing","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"stoa","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false}}],"origin":"","ownerIdentity":"2a6e59d5-0f07-4c45-b3b6-1c33c94377b0","owner":[],"postedDate":"October 22nd, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"in-revision","subjectAreas":[],"tags":[],"updatedAt":"2026-04-04T14:10:19+00:00","versionOfRecord":[],"versionCreatedAt":"2025-10-22 10:14:12","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-7712006","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7712006","identity":"rs-7712006","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.