Unsupervised Baseline Clustering and Incremental Adaptation for IoT Device Traffic Profiling

TL;DR

This paper introduces an unsupervised, flow-feature-based pipeline for IoT device traffic profiling that combines density-based clustering with incremental model updates, addressing security challenges in evolving IoT environments.

Contribution

It presents a novel two-stage approach using density-based clustering and stream-oriented incremental adaptation for IoT traffic profiling, outperforming classical methods in certain metrics.

Findings

DBSCAN achieves high alignment with ground-truth labels (NMI 0.78).

BIRCH supports efficient incremental updates with good cluster coherence.

Trade-offs exist between static profiling purity and incremental adaptation flexibility.

Abstract

The growth and heterogeneity of IoT devices create security challenges where static identification models can degrade as traffic evolves. This paper presents a two-stage, flow-feature-based pipeline for unsupervised IoT device traffic profiling and incremental model updating, evaluated on selected long-duration captures from the Deakin IoT dataset. For baseline profiling, density-based clustering (DBSCAN) isolates a substantial outlier portion of the data and produces the strongest alignment with ground-truth device labels among tested classical methods (NMI 0.78), outperforming centroid-based clustering on cluster purity. For incremental adaptation, we evaluate stream-oriented clustering approaches and find that BIRCH supports efficient updates (0.13 seconds per update) and forms comparatively coherent clusters for a held-out novel device (purity 0.87), but with limited capture of novel traffic (share 0.72) and a measurable trade-off in known-device accuracy after adaptation (0.71). Overall, the results highlight a practical trade-off between high-purity static profiling and the flexibility of incremental clustering for evolving IoT environments.