Unveiling Behavioral Transparency of Protocols Communicated by IoT Networked Assets (Full Version)

TL;DR

This paper analyzes IoT network traffic to characterize device behaviors and identify protocols, developing models that improve detection accuracy and provide insights into device-specific communication patterns.

Contribution

It introduces a systematic protocol signature model, analyzes traffic from six protocols across ten IoT devices, and publicly shares the dataset and findings.

Findings

High accuracy in protocol detection with minimal false positives.

Distinct behavioral patterns observed across different IoT devices.

Models effectively describe protocol signatures even on non-standard ports.

Abstract

Behavioral transparency for Internet-of-Things (IoT) networked assets involves two distinct yet interconnected tasks: (a) characterizing device types by discerning the patterns exhibited in their network traffic, and (b) assessing vulnerabilities they introduce to the network. While identifying communication protocols, particularly at the application layer, plays a vital role in effective network management, current methods are, at best, ad-hoc. Accurate protocol identification and attribute extraction from packet payloads are crucial for distinguishing devices and discovering vulnerabilities. This paper makes three contributions: (1) We process a public dataset to construct specific packet traces pertinent to six standard protocols (TLS, HTTP, DNS, NTP, DHCP, and SSDP) of ten commercial IoT devices. We manually analyze TLS and HTTP flows, highlighting their characteristics, parameters, and adherence to best practices-we make our data publicly available; (2) We develop a common model to describe protocol signatures that help with the systematic analysis of protocols even when communicated through non-standard port numbers; and, (3) We evaluate the efficacy of our data models for the six protocols, which constitute approximately 97% of our dataset. Our data models, except for SSDP in 0.3% of Amazon Echo's flows, produce no false positives for protocol detection. We draw insights into how various IoT devices behave across those protocols by applying these models to our IoT traces.