A complete technical guide to passive 802.11 monitoring, TinyML device classification, security threat detection, and AI-assisted network analysis on Nordic Semiconductor hardware.

Here we have few more blogs related to this topic: https://www.aerlync.com/Blogs/edgeai https://www.aerlync.com/Blogs/edgeai-iotsecurity do check it out for more insights on Edge AI and IoT Security.

Section 01

Hardware Architecture — nRF7002-DK

The Nordic Semiconductor nRF7002-DK is a dual-chip development kit that pairs the nRF5340 application processor with the nRF7002 companion Wi-Fi IC. What makes it exceptional for security research is raw frame-level access to the 802.11 physical medium — bypassing the typical socket abstraction that hides per-frame metadata from application software.

Section 02

Passive 802.11 Monitor Mode

In monitor mode, the nRF7002's radio receives every 802.11 frame on the current channel — beacons, probe requests, data frames, management frames — without associating to any network. The nRF5340's network core formats each captured frame into a compact ASCII record and streams it to the host over USB-CDC:

RSSI Signal Scale

RSSI values are negative dBm. Closer to 0 = stronger signal: −30 to −50 dBm is excellent; −50 to −60 dBm is good; −60 to −70 dBm is fair; −70 to −80 dBm is weak; below −80 dBm is unusable. The more-negative-is-weaker direction is a frequent source of errors in analysis code.

Section 03

RF Fingerprinting & Feature Extraction

RF fingerprinting identifies and classifies wireless devices based solely on observable characteristics of their transmitted frames — no authentication, no association required. The 802.11 management frame subtype is the primary classification signal, with each subtype revealing the device's current behavioral state.

Beyond frame type counts, the temporal pattern of transmission is highly distinctive. A normal AP has regular beacon intervals (CV ≈ 0.05–0.15). Attack tools show either perfectly regular floods (CV ≈ 0.02) or chaotic bursts (CV > 0.5). This regularity measure — the coefficient of variation of PPS — is a core TinyML input feature.

Section 04

TinyML Device Classifier

The device classifier is a TinyML model — a machine learning model small enough to run inference directly on microcontroller hardware. On the nRF7002-DK, the nRF5340's Cortex-M33 Application Core (128 MHz, 512 KB RAM) runs a quantized neural network using TensorFlow Lite for Microcontrollers (TFLite Micro), classifying each observed MAC address into a threat category based on its behavioral feature vector.

TFLite Micro on the nRF5340

TFLite Micro is a stripped-down version of TensorFlow Lite designed to run on bare-metal or RTOS-based microcontrollers without an OS, file system, or dynamic memory allocator. The complete inference runtime fits in under 20 KB of flash. On Zephyr RTOS, it integrates as a kernel module alongside the Wi-Fi stack.

Inputs, Model Architecture & Outputs

The classifier operates on a per-MAC feature window: a 10-second sliding window of observed frames is aggregated into a fixed-length feature vector. This vector is normalized and fed to a small fully-connected neural network that outputs a probability distribution over device threat classes.

Training Pipeline

The model is trained offline using labeled PCAP captures. The training pipeline uses scikit-learn and Keras to produce a float32 model, which is then quantized to INT8 using TFLite's post-training quantization. The quantized .tflite file is embedded into the Zephyr firmware image as a flat binary array — no filesystem required.

Why TFLite Micro over scikit-learn on host?

Running inference on the nRF5340 rather than the host means classification happens at the hardware edge — results are available within 0.3 ms of the observation window closing, before the frame data even crosses the USB link. This enables future firmware implementations to trigger active responses (channel switching, alert LED) without any host involvement. The host-side scikit-learn model is a fallback used for PCAP uploads where latency is irrelevant.

Section 05

End-to-End Processing Flow

The following diagram traces a single incoming 802.11 packet through the complete pipeline — from RF capture on the nRF7002 to final Device Report and Security Report presented in the browser UI.

Section 06

Security Threat Engine

The host-side security engine maintains a 10-second sliding window per MAC address and runs a rule-based scorer every 2 seconds. Each device receives a composite threat score in [0, 1.0]. The ML classifier output and the rule score are merged by taking the maximum — so either signal can independently trigger a high severity level.

Key Attack Signatures

Composite Score → Severity Mapping

Section 07

Bridge Architecture & AI Analyst

The rf_bridge.py is a single-process Python server combining serial ingestion, security scoring, SSE broadcast, REST API, and LLM inference — all threaded within one process with per-component locks.

Context Engineering for the AI Analyst

Qwen2.5-3B receives a pre-computed context snapshot rather than raw device rows. The key principle: Python does the reasoning, the LLM does the retrieval. Pre-sorted LOW_RSSI_DEVICES, INSECURE_NETWORKS, MOST_CONGESTED_CHANNEL, and BAND_SUMMARY lines let the model answer questions like 'which devices have the weakest signal?' by reading a single line — not sorting 56 records.

Section 08

Deployment & Use Cases

The platform is designed to be self-contained: plug in the nRF7002-DK, start the bridge, and open a browser. No cloud services, no API keys, no internet connection required.

Legal Notice

Passive Wi-Fi monitoring captures frames from all devices in range, including third-party devices. Deployment must comply with applicable local laws (CFAA in the US, Computer Misuse Act in the UK, IT Act in India). Always obtain written authorization before deploying on premises you do not own.

Section 09

Conclusion

The nRF7002-DK project demonstrates that a single sub-$50 microcontroller development kit — when paired with the right software layers — can deliver enterprise-grade Wi-Fi intelligence that would otherwise require dedicated hardware appliances or cloud-connected sensors.

The key architectural insight is the layered intelligence model: raw 802.11 physics at the nRF7002, behavioral feature extraction and TinyML inference on the nRF5340 App Core, rule-based threat scoring on the host bridge, and natural language reasoning via a 3B parameter LLM. Each layer operates at its appropriate level of abstraction, and together they produce outputs — device reports, security reports, AI analyst answers — that are actionable without requiring deep networking expertise from the operator.

The TinyML + Edge AI Opportunity

What makes this platform a meaningful proof of concept for the embedded systems community is not any single capability — it's the demonstration that the gap between raw sensor hardware and actionable intelligence can be closed at the edge, without cloud dependency.

The nRF5340's Cortex-M33 Application Core with 512 KB RAM is representative of a whole class of modern MCUs (STM32H7, ESP32-S3, RP2350) that are now capable of running quantized neural networks alongside their primary firmware tasks. TFLite Micro provides a vendor-neutral runtime that works across all of them. The workflow demonstrated here — capture → feature extraction → INT8 inference → rule fusion → NL reporting — is a template applicable to any domain where an MCU sits adjacent to a sensor stream: industrial vibration monitoring, acoustic anomaly detection, PPG-based health monitoring, or radar-based presence sensing.

The addition of a 3B parameter LLM on the host bridge completes the intelligence stack: the MCU handles latency-sensitive, always-on inference; the LLM handles open-ended reasoning over aggregated data. Neither layer could do the other's job effectively. Together, they turn a $50 development kit into a network security appliance that can answer natural language questions about a live Wi-Fi environment — in real time, entirely offline.

Future Directions

Immediate next steps for this platform include: channel hopping for full-spectrum passive scanning (currently single-channel), on-device KARMA detection before USB transmission, federated anomaly model updates without raw frame sharing, and PCAP export with automatic threat annotation for incident documentation.