Smart Surveillance: Identifying IoT Device Behaviours using ML-Powered Traffic Analysis

TL;DR

This paper explores using machine learning algorithms to analyze network traffic for identifying IoT device types and actions, enhancing security by detecting malicious behaviors externally.

Contribution

It introduces a novel ML-based traffic analysis approach for external IoT device classification, achieving up to 91% accuracy across diverse device categories.

Findings

RF classifier achieved 91% accuracy

MLP classifier achieved 56% accuracy

Most device categories were successfully classified

Abstract

The proliferation of Internet of Things (IoT) devices has grown exponentially in recent years, introducing significant security challenges. Accurate identification of the types of IoT devices and their associated actions through network traffic analysis is essential to mitigate potential threats. By monitoring and analysing packet flows between IoT devices and connected networks, anomalous or malicious behaviours can be detected. Existing research focuses primarily on device identification within local networks using methods such as protocol fingerprinting and wireless frequency scanning. However, these approaches are limited in their ability to monitor or classify IoT devices externally. To address this gap, we investigate the use of machine learning (ML) techniques, specifically Random Forest (RF), Multilayer Perceptron (MLP), and K-Nearest Neighbours (KNN), in conjunction with targeted network traffic monitoring to classify IoT device types and their actions. We constructed a testbed comprising an NPAT-enabled router and a diverse set of IoT devices, including smart cameras, controller hubs, home appliances, power controllers, and streaming devices. Experimental results demonstrate that IoT device and action recognition is feasible using our proposed ML-driven approach, with the RF classifier achieving the highest accuracy of 91%, while the MLP recorded the lowest accuracy at 56%. Notably, all device categories were successfully classified except for certain actions associated with security cameras, underscoring both the potential and the limitations of the proposed method.