From Flows to Functions: Macroscopic Behavioral Fingerprinting of IoT Devices via Network Services

TL;DR

This paper introduces a lightweight, explainable method for identifying IoT devices by analyzing their long-term network service usage patterns, offering a practical alternative to complex ML-based traffic analysis.

Contribution

It proposes a novel service-level fingerprinting approach, formalizes its methodology, and validates its effectiveness on a large, real-world IoT dataset for device identification.

Findings

IoT devices show stable, distinguishable service usage patterns

Service-level fingerprints effectively identify devices in various scenarios

The approach is computationally efficient and robust over time

Abstract

Identifying devices such as cameras, printers, voice assistants, or health monitoring sensors, collectively known as the Internet of Things (IoT), within a network is a critical operational task, particularly to manage the cyber risks they introduce. While behavioral fingerprinting based on network traffic analysis has shown promise, most existing approaches rely on machine learning (ML) techniques applied to fine-grained features of short-lived traffic units (packets and/or flows). These methods tend to be computationally expensive, sensitive to traffic measurement errors, and often produce opaque inferences. In this paper, we propose a macroscopic, lightweight, and explainable alternative to behavioral fingerprinting focusing on the network services (e.g., TCP/80, UDP/53) that IoT devices use to perform their intended functions over extended periods. Our contributions are threefold. (1) We demonstrate that IoT devices exhibit stable and distinguishable patterns in their use of network services over a period of time. We formalize the notion of service-level fingerprints and derive a generalized method to represent network behaviors using a configurable granularity parameter. (2) We develop a procedure to extract service-level fingerprints, apply it to traffic from 13 consumer IoT device types in a lab testbed, and evaluate the resulting representations in terms of their convergence and recurrence properties. (3) We validate the efficacy of service-level fingerprints for device identification in closed-set and open-set scenarios. Our findings are based on a large dataset comprising about 10 million IPFIX flow records collected over a 1.5-year period.