DI4IoT: A comprehensive framework for IoT device-type identification through network flow analysis

Abstract

The rapid growth of the Internet of Things (IoT) necessitates an effective Device-Type Identification System to monitor resource-constrained devices and mitigate potential security risks. Most Machine Learning (ML) based approaches for IoT Device-Type Identification utilize behavior-based, packet-based, flow-based characteristics, or a combination of these. Packet and behavior-based characteristics require analysis of individual packets. Furthermore, behavior-based characteristics need the analysis of application layer data (payloads), which may not be practical in case of encrypted traffic. Moreover, the existing approaches do not handle the mixed traffic (IoT and non-IoT) in an appropriate manner, suffer from frequent misclassification of closely related devices, and do not maintain performance when tested in different network environments. In contrast, flow-based characteristics neither require per-packet analysis nor the inspection of payloads. However, the existing flow-based approaches underperform as they consider a limited set of appropriate characteristics. To address these challenges, we propose DI4IoT, a two-stage flow-based Device-Type Identification framework using ML. The first stage categorizes the traffic into IoT and non-IoT, and the second stage identifies the device type from the categorized traffic. We create labeled flow-based characteristics and provide a methodology to select a minimal set of appropriate flow characteristics. We evaluate different ML algorithms to identify the suitable model for our proposed framework. The results demonstrate that our framework outperforms the state-of-the-art flow-based methods by over 10%. Furthermore, we evaluate and validate the performance gains in terms of Generalizability with complex network traffic compared to not only flow-based but also combined feature-type approaches.