Jiahan Dong,Tong Jin,Bowen Li,Yinan Zhong,Guangxin Guo,Xiaohu Wang,Yanjiao Chen

DOI: https://doi.org/10.1109/cyberc62439.2024.00016

2024-01-01

Abstract:The Internet of Things (IoT) has significantly expanded the scope of the Internet by enabling seamless communication between devices and the cloud. However, the rapid proliferation of IoT devices has led to a surge in cyber-attacks, such as Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MITM) attacks, and privacy data theft. These threats underscore the urgent need for robust device identification (DI) methods. However, current DI approaches often struggle with issues related to accuracy, generalizability across different network environments, privacy concerns, and real-time performance. To address these issues, we introduce DIFORMER, a novel method that leverages network packet data and advanced deep learning techniques, specifically the attention mechanism and residual networks. DIFORMER outperforms existing methods, even in privacy-limited scenarios, and is more generalizable as it does not strictly rely on features like MAC and IP addresses. Rigorous experiments confirm DIFORMER’s effectiveness and robustness, making it a promising solution for securing IoT environments.

Md Mainuddin,Zhenhai Duan,Yingfei Dong,Shaeke Salman,Tania Taami

DOI: https://doi.org/10.1109/GLOBECOM48099.2022.10001639

2022-12-17

Abstract:IoT device identification plays an important role in monitoring and improving the performance and security of IoT devices. Compared to traditional non-IoT devices, IoT devices provide us with both unique challenges and opportunities in detecting the types of IoT devices. Based on critical insights obtained in our previous work on understanding the network traffic characteristics of IoT devices, in this paper we develop an effective machine-learning based IoT device identification scheme, named iotID. In developing iotID, we extract 70 features of TCP flows from three complementary aspects: remote network servers and port numbers, packet-level traffic characteristics such as packet inter-arrival times, and flow-level traffic characteristics such as flow duration. Different from existing work, we take into account the imbalance nature of network traffic generated by various devices in both the learning and evaluation phases of iotID. Our performance studies based on network traffic collected on a typical smart home environment consisting of both IoT and non-IoT devices show that iotID can achieve a balanced accuracy score of above 99%.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Li, Shuai

DOI: https://doi.org/10.1007/s11276-024-03736-y

IF: 2.701

2024-04-24

Wireless Networks

Abstract:Nowadays, the Internet of Things is booming and more and more IoT devices are connected to the Internet. However, due to design and configuration vulnerabilities, as well as the pursuit of cheap IoT devices, these IoT devices are often vulnerable. Therefore, effective identification of IoT devices is essential to maintain security. In this paper, in order to better classify and accurately identify IoT devices of the same type, a combination of traffic-based and machine-learning methods are used to identify IoT devices and hierarchize the model. In the first layer, the IoT devices are classified according to their types or features. In the second layer, feature extraction is performed based on TCP/UDP flows to perform specific device identification under each type of iot device. The final experimental results show that we reduced the data volume by 35%, compared to the benchmark experiment,and achieved an overall recognition accuracy of 99.9% after classification of iot devices.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jianjin Zhao,Qi Li,Jintao Sun,Mianxiong Dong,Kaoru Ota,Meng Shen

DOI: https://doi.org/10.1109/jiot.2023.3305585

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Due to hardware limitations, Internet of Things (IoT) devices without integrated security become easy targets for network attacks. IoT device identification is significant for network security management. Despite many efforts, previous studies either require excessive features raising concerns about efficiency and privacy, or underutilize the data resources to fulfill the potential of simple features. Moreover, the severe data imbalance problem is unaddressed. In this paper, we present IoTProfile, an efficient IoT device identification framework via time series dictionary. It only considers simple packet-level attributes and maps them into different time windows. On this basis, it further follows a shuffle&split organization scheme to structure the imbalanced data as multi-channel time series. By performing random convolutional kernel transformations in two ways and aggregations, IoTProfile captures discriminative patterns and forms the frequency count of recurring patterns to profile the network behaviors of IoT devices over a period of time. The experimental results show that IoTProfile is superior to the other state-of-the-art methods in terms of both identification effectiveness and time overhead, achieving 99.81% and 97.65% Macro-F1 scores on UNSW and UNB datasets in under four minutes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Rajarshi Roy Chowdhury,Sandhya Aneja,Nagender Aneja,Emeroylariffion Abas

DOI: https://doi.org/10.48550/arXiv.2009.04682

2020-09-10

Cryptography and Security

Abstract:Device identification is the process of identifying a device on Internet without using its assigned network or other credentials. The sharp rise of usage in Internet of Things (IoT) devices has imposed new challenges in device identification due to a wide variety of devices, protocols and control interfaces. In a network, conventional IoT devices identify each other by utilizing IP or MAC addresses, which are prone to spoofing. Moreover, IoT devices are low power devices with minimal embedded security solution. To mitigate the issue in IoT devices, fingerprint (DFP) for device identification can be used. DFP identifies a device by using implicit identifiers, such as network traffic (or packets), radio signal, which a device used for its communication over the network. These identifiers are closely related to the device hardware and software features. In this paper, we exploit TCP/IP packet header features to create a device fingerprint utilizing device originated network packets. We present a set of three metrics which separate some features from a packet which contribute actively for device identification. To evaluate our approach, we used publicly accessible two datasets. We observed the accuracy of device genre classification 99.37% and 83.35% of accuracy in the identification of an individual device from IoT Sentinel dataset. However, using UNSW dataset device type identification accuracy reached up to 97.78%.

Yi Chen,Junxu Lai,Zhu Lin,Meijing Zhang,Wenxi Liu

DOI: https://doi.org/10.7717/peerj-cs.2363

2024-01-01

PeerJ Computer Science

Abstract:In recent years, notable advancements have been achieved in the realm of identifying IP-based Internet of Things (IoT) devices and events. Nevertheless, the majority of methods rely on extracting fingerprints or features from plain text IP-based packets, which limits their ability to accommodate heterogeneous IoT devices such as ZigBee and Z-Wave, and fails to address the challenge of limited traffic samples. To tackle these issues, we propose a novel approach based on IoT communication characteristics and featuring module extensibility. This method is presented to effectively identify IoT devices and events from non-IP heterogeneous IoT network traffic. To shield the differences caused by the heterogeneous IoT protocol, a heterogeneous sample extraction platform with an extensible structure is created to extract raw sequence samples from ZigBee and Z-Wave traffic, with potential for expansion to other protocols. To address the challenges arising from the scarcity of samples, a sample identification framework based on IoT communication characteristics is devised to create synthetic samples from the raw sequence samples, enabling concurrent processing of the raw and synthetic samples using an identification model featuring two separate sequence networks. Comparative assessments of our method against baseline sequence models and the latest techniques demonstrate the advantages of our approach in identifying non-IP heterogeneous IoT traffic. The experimental results indicate that our method achieves an average accuracy improvement of 29.7% compared to baseline models using only raw samples. Furthermore, our method shows improvements of 22.1%, 21.5%, and 21.8% in macro precision, macro recall, and macro F1-score, respectively, over the latest method.

Xiaoyan Hu,Yuxin Shi,Guang Cheng,Ruidong Li,Hua Wu,Gang Wang

DOI: https://doi.org/10.1109/globecom54140.2023.10437132

2023-01-01

Abstract:With the rapid development of Internet of Things (IoT) technology, there is explosive growth in the number of IoT devices. Meanwhile, the low security and network heterogeneity of IoT networks have brought new challenges to implementing network management and security strategies in smart homes and small offices. Early and accurate IoT device-type identification is the first step towards the security management of IoT networks. The existing machine learning-based and deep learning-based models for IoT traffic classification have achieved decent results. However, most of these methods rely on a long-term window to collect IoT device traffic for identification, resulting in limited real-time performance. This work proposes IoT-GFCN, an early and accurate IoT device-type identification model with global attention mechanism. IoT-GFCN first constructs a multi-feature sequence for each device from a small packet window. Then IoT-GFCN resorts to the global attention mechanism to efficiently mine temporal information and feature relationships and obtain an updated embedding of each multi-feature sequence. Finally, a fully convolutional neural network is trained based on the updated embeddings of traffic features to identify IoT device types. Our experimental study suggests that IoT-GFCN can efficiently capture distinguishable representations for packet-level features of IoT traffic and outperforms state-of-the-art IoT identification methods. It achieves an average accuracy of 98.88% with a window size of 75 packets (the traffic of about three minutes) on the UNSW dataset.

Chenxin Duan,Hao Gao,Guanglei Song,Jiahai Yang,Zhiliang Wang

DOI: https://doi.org/10.1109/tnsm.2021.3130312

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:A tremendous amount of Internet-of-Things (IoT) devices have been deployed in recent years, bringing new challenges for network management and cyber security. It is important for network managers to know what types of IoT devices are connecting to the network. Despite much research efforts, previous works place more emphasis on accuracy but ignore some other performance indicators also in high demand, like efficiency, robustness, adaptability to special scenarios and extensibility for new devices. In this paper, we propose a practical IoT device identification system, namely ByteIoT, based on a simple but well-organized traffic feature, i.e., the frequency distribution of bidirectional packet lengths. ByteIoT applies k-nearest neighbors algorithm as the classifier to gain extensibility and adaptability. We evaluate ByteIoT on several datasets and the results show that ByteIoT can outperform other state-of-the-art methods in the aspects of accuracy, efficiency, extensibility and adaptability.

Qinxia Hao,Zheng Rong

DOI: https://doi.org/10.1109/access.2023.3284542

IF: 3.9

2023-06-20

IEEE Access

Abstract:Driven by 5G communication technology, IoT devices are widely deployed in various scenarios to provide automated services. However, a large number of IoT devices cannot install strong encryption suites and become the preferred target of cyber attackers. Specific vulnerabilities target specific types of IoT devices. Screening and repairing corresponding vulnerabilities based on device information can improve device protection capabilities. Traditional device identification models are static and have limitations in the identification range. The model needs to be trained from scratch to identity new types of devices, which consumes a lot of computing resources and training time. To overcome these limitations, we propose IoTTFID, an incremental IoT device identification model based on traffic fingerprint. Extract the traffic fingerprint of the new device, convert it into an input vector after preprocessing, and input it to the original model to update some network parameters, so that the model has the ability to identify new devices. The results of evaluation on two open datasets show that the accuracy of IoTTFID is 98.09% on UNSW dataset and 98.29% on Yourthings dataset, which outperforms the existing methods. IoTTFID has an accuracy rate of 80.4% after five incremental learning stages, and an F1 of over 96% for encrypted IoT devices. IoTTFID can dynamically adjust with the actual environment to increase the range of identifiable device types, providing strong support for the security management of IoT devices.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yu Jiang,Yufei Dou,Aiqun Hu

DOI: https://doi.org/10.3390/sym16070846

2024-01-01

Abstract:Unauthenticated device access to a network presents substantial security risks. To address the challenges of access and identification for a vast number of devices with diverse functions in the era of the Internet of things (IoT), we propose an IoT device identification method based on hardware and software fingerprint features. This approach aims to achieve comprehensive “hardware–software–user” authentication. First, by extracting multimodal hardware fingerprint elements, we achieve identity authentication at the device hardware level. The time-domain and frequency-domain features of the device’s transient signals are extracted and further learned by a feature learning network to generate device-related time-domain and frequency-domain feature representations. These feature representations are fused using a splicing operation, and the fused features are input into the classifier to identify the device’s hardware attribute information. Next, based on the interaction traffic, behavioral information modeling and sequence information modeling are performed to extract the behavioral fingerprint elements of the device, achieving authentication at the software level. Experimental results demonstrate that the method proposed in this paper exhibits a high detection efficacy, achieving 99% accuracy in both software and hardware level identification.

Jaidip Kotak,Yuval Elovici

DOI: https://doi.org/10.1007/978-3-030-57805-3_8

2020-02-25

Abstract:The growing use of IoT devices in organizations has increased the number of attack vectors available to attackers due to the less secure nature of the devices. The widely adopted bring your own device (BYOD) policy which allows an employee to bring any IoT device into the workplace and attach it to an organization's network also increases the risk of attacks. In order to address this threat, organizations often implement security policies in which only the connection of white-listed IoT devices is permitted. To monitor adherence to such policies and protect their networks, organizations must be able to identify the IoT devices connected to their networks and, more specifically, to identify connected IoT devices that are not on the white-list (unknown devices). In this study, we applied deep learning on network traffic to automatically identify IoT devices connected to the network. In contrast to previous work, our approach does not require that complex feature engineering be applied on the network traffic, since we represent the communication behavior of IoT devices using small images built from the IoT devices network traffic payloads. In our experiments, we trained a multiclass classifier on a publicly available dataset, successfully identifying 10 different IoT devices and the traffic of smartphones and computers, with over 99% accuracy. We also trained multiclass classifiers to detect unauthorized IoT devices connected to the network, achieving over 99% overall average detection accuracy.

Cryptography and Security,Machine Learning,Networking and Internet Architecture,Signal Processing

DOI: https://doi.org/10.1007/s11235-023-01009-1

2023-04-27

Telecommunication Systems

Abstract:IoT device identification is an effective security measure to track different devices, helping analyze and defend against potential vulnerabilities of various IoT devices. However, existing IoT device identification works mainly use hand-designed features generated from relevant prior knowledge in the field, resulting in additional labor costs, low efficiency, and loss of some potential features. In addition, most of these works only identify known devices in the training set, without considering unknown devices. In this paper, we propose a quick and efficient IoT device identification method. Our method employs the convolutional neural network and converts raw network traffic into images as the model input, automatically extracting features from images instead of manually extracting features. Our method can identifies device types including unknown device types, and detects abnormal traffic of devices. We achieve over 98% accuracy on public datasets with few time consume, demonstrating the accuracy and practicality of our method.

telecommunications

Jingrun Ma,Yafei Sang,Yongzheng Zhang,Xiaolin Xu,Beibei Feng,Yuwei Zeng

DOI: https://doi.org/10.1007/978-3-031-24386-8_12

2022-01-01

Abstract:The Internet of Things (IoT) has developed rapidly in recent years and has been widely used in our daily life. An online report claimed that the connected IoT devices will reach the scale of 14.4 billion globally at the end of 2022. With the rapid and large-scale deployment of such devices, however, some severe security problems and challenges arised as well, especially in the field of IoT device management. Device identification is a prerequisite procedure to mitigate the above issues. Therefore, accurately identifying the deployed IoT devices plays a vital role in network management and cyber security. In this work, we come up with a spatio-temporal-based method that characterizes IoT device behaviors by leveraging the packet sequence features of IoT traffic, which is able to automatically extract the high-level features from raw IoT traffic. The further evaluation indicates that our method is capable of identifying diverse IoT devices with satisfactory accuracy.

Yubo Song,Qiang Huang,Junjie Yang,Ming Fan,Aiqun Hu,Yu Jiang

DOI: https://doi.org/10.1145/3321408.3326671

2019-01-01

Abstract:As mass devices access to network in the era of the Internet of Things (IoT), the network access control becomes more important. Traditional authentication mechanisms are no longer suitable for IoT devices with limited physical and computational resources because of their complexity. This problem can be solved by the device fingerprinting, which can identify devices only by their traffic characteristics. However, existing device fingerprinting technologies cannot accurately identify devices' type from the same manufacturer which equips these devices with similar hardwares and softwares. Therefore, we proposed the TSMC-SVM algorithm which introduced the cosine similarity into the SVM for improving the identification accuracy of these similar devices described above. Experiments illustrate that the average identification accuracy of the TSMC-SVM reaches 93.2%.

Shuodi Hui,Huandong Wang,Dianlei Xu,Jing Wu,Yong Li,Depeng Jin

DOI: https://doi.org/10.1109/jiot.2021.3078879

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are increasingly growing in mobile networks with the ubiquity of various IoT services. They share the same infrastructure with smartphones while having different requirements for communication resources and security defense mechanisms. Distinguishing IoT devices from smartphones has far-reaching implications on effective network design, resource allocation scheme, pricing scheme, etc. In this article, we distinguish between 12 107 IoT devices and 12 693 smartphones in the real world via characterizing their network traffic. The IoT devices fall into five categories, namely, locating, monitoring, portable, point of sale (POS), and vehicle. We analyze the device behaviors from the network domain, physical domain, and time domain, make comparisons between each kind of IoT devices and smartphones, and design effective features based on the distinguishable network behavior characteristics at packet level, traffic level, and mobility level. Then, we train several classifiers based on our feature set to identify different kinds of mobile devices. Specifically, the accuracy of identifying IoT devices from smartphones achieves 95.86%, and the accuracies of distinguishing IoT devices in each category from smartphones are all over 95%. In the trained classifiers, feature importance verifies the discriminability of different network traffic characteristics observed in our multidomain measurement. Our study reveals the network traffic behavior characteristics for IoT devices, and successfully distinguishes them from smartphones, which paves the way for better network design, resource allocation, pricing scheme, and security defense mechanisms.

Oliver Thompson,Anna Maria Mandalari,Hamed Haddadi

DOI: https://doi.org/10.1145/3488659.3493777

2021-12-07

Abstract:Consumer Internet of Things (IoT) devices are increasingly common in everyday homes, from smart speakers to security cameras. Along with their benefits come potential privacy and security threats. To limit these threats we must implement solutions to filter IoT traffic at the edge. To this end the identification of the IoT device is the first natural step. In this paper we demonstrate a novel method of rapid IoT device identification that uses neural networks trained on device DNS traffic that can be captured from a DNS server on the local network. The method identifies devices by fitting a model to the first seconds of DNS second-level-domain traffic following their first connection. Since security and privacy threat detection often operate at a device specific level, rapid identification allows these strategies to be implemented immediately. Through a total of 51,000 rigorous automated experiments, we classify 30 consumer IoT devices from 27 different manufacturers with 82% and 93% accuracy for product type and device manufacturers respectively.

Yantian Luo,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.1109/jiot.2022.3221967

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Due to the heterogeneity of Internet of Things (IoT) devices and the diversity of IoT communication protocols, it is challenging to model the communication behaviors of IoT devices to facilitate attack defense. Considering the complex correlation between the IoT device types and the patterns of their communication behaviors, one possible solution is to cluster IoT devices into different types based on the characteristics of their communication behaviors and deal with each type, respectively. However, IoT traffic includes a significant proportion of abnormal traffic, such as attack traffic sourcing from compromised devices, which cannot reflect the behavioral characteristics of the source device. In this article, we propose a Transformer-based IoT device-type identification method to address the above challenges. Specifically, our approach consists of three main components. First, we classify the traffic data from IoT devices into normal and abnormal types by a Transformer-based traffic diagnosis model. Next, another Transformer-based model is adopted on the normal traffic to identify the IoT device type. Finally, considering the immutability of IoT device types, a results-ensemble algorithm is designed to improve the accuracy of IoT device-type identification. Experimental results verify the effectiveness of our method, which brings a noticeable improvement in terms of both accuracy and macro $F1$ -score compared to other methods. Moreover, by applying the results-ensemble algorithm in the test phase, we can achieve 100% accuracy under certain conditions.

Yongxin Liu,Jian Wang,Jianqiang Li,Houbing Song,Thomas Yang,Shuteng Niu,Zhong Ming

DOI: https://doi.org/10.1109/JIOT.2020.3018677

2020-08-28

Abstract:The Internet of Things (IoT) provides applications and services that would otherwise not be possible. However, the open nature of IoT make it vulnerable to cybersecurity threats. Especially, identity spoofing attacks, where an adversary passively listens to existing radio communications and then mimic the identity of legitimate devices to conduct malicious activities. Existing solutions employ cryptographic signatures to verify the trustworthiness of received information. In prevalent IoT, secret keys for cryptography can potentially be disclosed and disable the verification mechanism. Non-cryptographic device verification is needed to ensure trustworthy IoT. In this paper, we propose an enhanced deep learning framework for IoT device identification using physical layer signals. Specifically, we enable our framework to report unseen IoT devices and introduce the zero-bias layer to deep neural networks to increase robustness and interpretability. We have evaluated the effectiveness of the proposed framework using real data from ADS-B (Automatic Dependent Surveillance-Broadcast), an application of IoT in aviation. The proposed framework has the potential to be applied to accurate identification of IoT devices in a variety of IoT applications and services. Codes and data are available in IEEE Dataport.

Machine Learning,Signal Processing

Jaidip Kotak,Yuval Elovici

DOI: https://doi.org/10.1007/s12652-022-04415-6

2023-03-02

Abstract:Attack vectors for adversaries have increased in organizations because of the growing use of less secure IoT devices. The risk of attacks on an organization's network has also increased due to the bring your own device (BYOD) policy which permits employees to bring IoT devices onto the premises and attach them to the organization's network. To tackle this threat and protect their networks, organizations generally implement security policies in which only white listed IoT devices are allowed on the organization's network. To monitor compliance with such policies, it has become essential to distinguish IoT devices permitted within an organization's network from non white listed (unknown) IoT devices. In this research, deep learning is applied to network communication for the automated identification of IoT devices permitted on the network. In contrast to existing methods, the proposed approach does not require complex feature engineering of the network communication, because the 'communication behavior' of IoT devices is represented as small images which are generated from the device's network communication payload. The proposed approach is applicable for any IoT device, regardless of the protocol used for communication. As our approach relies on the network communication payload, it is also applicable for the IoT devices behind a network address translation (NAT) enabled router. In this study, we trained various classifiers on a publicly accessible dataset to identify IoT devices in different scenarios, including the identification of known and unknown IoT devices, achieving over 99% overall average detection accuracy.

Networking and Internet Architecture,Artificial Intelligence,Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Huifen Wang,Dong Guo,Jinrui Wei,Jinze Li

DOI: https://doi.org/10.1016/j.jisa.2024.103751

IF: 4.96

2024-03-27

Journal of Information Security and Applications

Abstract:The emergence of IoT has introduced new security concerns, particularly the detection of large-scale network attacks initiated by compromised IoT devices. The diverse nature of IoT devices adds complexity to attack detection, necessitating the classification of devices based on their unique characteristics and behavior patterns. This paper presents a novel device classification method grounded in traffic differentials before and after IoT devices succumb to compromise. The study defines the concept of attack sensitivity and designs a method for calculating the value. The K-means algorithm is used to classify devices into predefined categories based on their attack sensitivity values. The effectiveness of this method is demonstrated through experiments on a public dataset. Additionally, a multi-class classification model is developed to identify newly added devices to the IoT environment, with good results in accuracy, precision, recall, F1 score, and FPR (0.999, 0.997–1,0.997–1,0.998–1,0–0.001). Overall, The device classification method proposed in this paper, based on attack sensitivity, not only enables a rational definition of device categories but also ensures precise classification for devices newly integrated into the IoT environment. This lays the foundation for achieving more precise attack detection and protection, advancing the field towards enhanced cybersecurity measures.

computer science, information systems