From Flows to Functions: Macroscopic Behavioral Fingerprinting of IoT Devices via Network Services
- URL: http://arxiv.org/abs/2512.16348v1
- Date: Thu, 18 Dec 2025 09:37:50 GMT
- Title: From Flows to Functions: Macroscopic Behavioral Fingerprinting of IoT Devices via Network Services
- Authors: Shayan Azizi, Norihiro Okui, Masataka Nakahara, Ayumu Kubota, Hassan Habibi Gharakheili
- Abstract summary: Identifying devices such as cameras, printers, voice assistants, or health monitoring sensors, collectively known as the Internet of Things (IoT), within a network is a critical operational task. Most existing approaches rely on machine learning (ML) techniques applied to fine-grained features of short-lived traffic units (packets and/or flows). We propose a macroscopic, lightweight, and explainable alternative to behavioral fingerprinting focusing on the network services that IoT devices use to perform their intended functions.
- Score: 2.3037558470292185
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Identifying devices such as cameras, printers, voice assistants, or health monitoring sensors, collectively known as the Internet of Things (IoT), within a network is a critical operational task, particularly to manage the cyber risks they introduce. While behavioral fingerprinting based on network traffic analysis has shown promise, most existing approaches rely on machine learning (ML) techniques applied to fine-grained features of short-lived traffic units (packets and/or flows). These methods tend to be computationally expensive, sensitive to traffic measurement errors, and often produce opaque inferences. In this paper, we propose a macroscopic, lightweight, and explainable alternative to behavioral fingerprinting focusing on the network services (e.g., TCP/80, UDP/53) that IoT devices use to perform their intended functions over extended periods. Our contributions are threefold. (1) We demonstrate that IoT devices exhibit stable and distinguishable patterns in their use of network services over a period of time. We formalize the notion of service-level fingerprints and derive a generalized method to represent network behaviors using a configurable granularity parameter. (2) We develop a procedure to extract service-level fingerprints, apply it to traffic from 13 consumer IoT device types in a lab testbed, and evaluate the resulting representations in terms of their convergence and recurrence properties. (3) We validate the efficacy of service-level fingerprints for device identification in closed-set and open-set scenarios. Our findings are based on a large dataset comprising about 10 million IPFIX flow records collected over a 1.5-year period.
Related papers
- Generalizable IoT Traffic Representations for Cross-Network Device Identification [15.867734233278568]
We study the problem of learning generalizable traffic representations for IoT device identification. We design compact encoder architectures that learn per-flow embeddings from unlabeled IoT traffic. We show that these learned representations can be used effectively for IoT device-type classification.
arXiv Detail & Related papers (2026-01-27T07:56:31Z)
- Smart Surveillance: Identifying IoT Device Behaviours using ML-Powered Traffic Analysis [3.6442413702696506]
This study investigates the use of machine learning (ML) techniques to classify IoT device types and their actions. We constructed a testbed comprising an NPAT-enabled router and a diverse set of IoT devices, including smart cameras, controller hubs, home appliances, power controllers, and streaming devices.
arXiv Detail & Related papers (2025-12-06T14:01:56Z)
- Magnifier: Detecting Network Access via Lightweight Traffic-based Fingerprints [22.86294408673709]
We propose Magnifier for mobile device network access detection. Magnifier passively infers access patterns from backbone traffic at the gateway level. We have made both the Magnifier prototype and the NetCess2023 dataset publicly available.
arXiv Detail & Related papers (2024-12-18T01:45:07Z)
- DeviceRadar: Online IoT Device Fingerprinting in ISPs using Programmable Switches [37.41464693677561]
Device fingerprinting can be used by Internet Service Providers (ISPs) to identify vulnerable IoT devices for early prevention of threats.
This paper proposes DeviceRadar, an online IoT device fingerprinting framework that achieves accurate, real-time processing in ISPs using programmable switches.
arXiv Detail & Related papers (2024-04-19T09:31:11Z)
- Locality Sensitive Hashing for Network Traffic Fingerprinting [5.062312533373298]
We use locality-sensitive hashing (LSH) for network traffic fingerprinting.
Our method increases the accuracy of the state of the art by 12%, achieving around 94% accuracy in identifying devices in a network.
arXiv Detail & Related papers (2024-02-12T21:14:37Z)
- Effective Intrusion Detection in Heterogeneous Internet-of-Things Networks via Ensemble Knowledge Distillation-based Federated Learning [52.6706505729803]
We introduce Federated Learning (FL) to collaboratively train a decentralized shared model of Intrusion Detection Systems (IDS).
FLEKD enables a more flexible aggregation method than conventional model fusion techniques.
Experiment results show that the proposed approach outperforms local training and traditional FL in terms of both speed and performance.
arXiv Detail & Related papers (2024-01-22T14:16:37Z)
- IoTScent: Enhancing Forensic Capabilities in Internet of Things Gateways [45.44831696628473]
This paper presents IoTScent, an open-source forensic tool that enables IoT gateways and Home Automation platforms to perform IoT traffic capture and analysis.
IoTScent is specifically designed to operate over IEEE 802.15.4-based traffic, which is the basis for many IoT-specific protocols such as Zigbee, 6LoWPAN and Thread.
This work provides a comprehensive description of the IoTScent tool, including a practical use case that demonstrates the use of the tool to perform device identification from Zigbee traffic.
arXiv Detail & Related papers (2023-10-05T09:10:05Z)
- Agile gesture recognition for capacitive sensing devices: adapting on-the-job [55.40855017016652]
We demonstrate a hand gesture recognition system that uses signals from capacitive sensors embedded into the etee hand controller.
The controller generates real-time signals from each of the wearer's five fingers.
We use a machine learning technique to analyse the time series signals and identify three features that can represent 5 fingers within 500 ms.
arXiv Detail & Related papers (2023-05-12T17:24:02Z)
- Detecting Anomalous Microflows in IoT Volumetric Attacks via Dynamic Monitoring of MUD Activity [1.294952045574009]
Anomaly-based detection methods are promising in finding new attacks.
There are certain practical challenges, such as false-positive alarms, inferences that are hard to explain, and difficulty scaling cost-effectively.
In this paper, we use SDN to enforce and monitor the expected behaviors of each IoT device.
arXiv Detail & Related papers (2023-04-11T05:17:51Z)
- Machine Learning for QoS Prediction in Vehicular Communication: Challenges and Solution Approaches [46.52224306624461]
We consider maximum throughput prediction enhancing, for example, streaming or high-definition mapping applications.
We highlight how confidence can be built on machine learning technologies by better understanding the underlying characteristics of the collected data.
We use explainable AI to show that machine learning can learn underlying principles of wireless networks without being explicitly programmed.
arXiv Detail & Related papers (2023-02-23T12:29:20Z)
- Task-Oriented Communications for NextG: End-to-End Deep Learning and AI Security Aspects [78.84264189471936]
NextG communication systems are beginning to explore shifting this design paradigm to reliably executing a given task such as in task-oriented communications.
Wireless signal classification is considered as the task for the NextG Radio Access Network (RAN), where edge devices collect wireless signals for spectrum awareness and communicate with the NextG base station (gNodeB) that needs to identify the signal label.
Task-oriented communications is considered by jointly training the transmitter, receiver and classifier functionalities as an encoder-decoder pair for the edge device and the gNodeB.
arXiv Detail & Related papers (2022-12-19T17:54:36Z)
- AFR-Net: Attention-Driven Fingerprint Recognition Network [47.87570819350573]
We improve initial studies on the use of vision transformers (ViT) for biometric recognition, including fingerprint recognition.
We propose a realignment strategy using local embeddings extracted from intermediate feature maps within the networks to refine the global embeddings in low certainty situations.
This strategy can be applied as a wrapper to any existing deep learning network (including attention-based, CNN-based, or both) to boost its performance.
arXiv Detail & Related papers (2022-11-25T05:10:39Z)
- Multi-Exit Semantic Segmentation Networks [78.44441236864057]
We propose a framework for converting state-of-the-art segmentation models to MESS networks: specially trained CNNs that employ parametrised early exits along their depth to save computation during inference on easier samples.
We co-optimise the number, placement and architecture of the attached segmentation heads, along with the exit policy, to adapt to the device capabilities and application-specific requirements.
arXiv Detail & Related papers (2021-06-07T11:37:03Z)
- Towards AIOps in Edge Computing Environments [60.27785717687999]
This paper describes the system design of an AIOps platform which is applicable in heterogeneous, distributed environments.
It is feasible to collect metrics with a high frequency and simultaneously run specific anomaly detection algorithms directly on edge devices.
arXiv Detail & Related papers (2021-02-12T09:33:00Z)
- IoT Behavioral Monitoring via Network Traffic Analysis [0.45687771576879593]
This thesis is the culmination of our efforts to develop techniques to profile the network behavioral pattern of IoTs.
We develop a robust machine learning-based inference engine trained with attributes from traffic patterns.
We demonstrate real-time classification of 28 IoT devices with over 99% accuracy.
arXiv Detail & Related papers (2020-01-28T23:13:12Z)