Ray Valdez, Hani Jamjoom and Dimitrios Pendarakis
IEEE International Congress on Internet of Things (IEEE ICIOT)
Milan, Italy, July 2019
Abstract. Managing Internet of Things (IoT) devices should be easy. Yet, the
increasing use of encrypted network traffic in IoT devices is
complicating their management, for example during device audits
or security scans. While desirable from a network security point of view, the use of
encrypted traffic gives IT environments that manage IoT devices less visibility
into those devices. In this paper, we focus on the
problem of identifying IoT device types by analyzing their encrypted
traffic. We examine the TLS traffic of IoT
devices and derive fingerprints from their session initialization
message exchanges (i.e., ClientHello and ServerHello messages).
We identify key features of the TLS handshake protocol that can serve
as strong indicators for identifying IoT devices. We then
build term frequency-inverse document frequency
(TF-IDF) based models for identifying IoT devices based on their TLS
fingerprints. In our experimental setup, we train on 71 IoT devices
in 15 distinct categories over a period of three months; we derive
TF-IDF classifiers for testing using two different feature sets. One
feature set representing a greedy strategy contains ten prominent
features extracted from the TLS handshake protocol. The other feature
set contains the four features representing the most unique values in the
training dataset. Experimental results show that the 4-feature set
classifiers have classification performance similar to the 10-feature
set, achieving accuracy, precision and F1-score above 90%.
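As an added illustration of the approach the abstract describes (this is not the authors' code): each TLS handshake is turned into a bag of terms built from its ClientHello fields, a TF-IDF vector is computed per handshake, and an unknown device is assigned to the device type whose training centroid is closest by cosine similarity. The four-field feature set (version, cipher suites, extensions, supported groups), the term encoding and the handshake captures below are assumptions and constructed samples, not the paper's feature set or data.

```python
import math
from collections import Counter, defaultdict

# Assumed feature set (the paper does not list its ten features here): each
# handshake field value becomes one term, so a handshake is a bag of terms.
def handshake_terms(hs):
    terms = [f"ver:{hs['version']:04x}"]
    terms += [f"cs:{c:04x}" for c in hs["cipher_suites"]]
    terms += [f"ext:{e}" for e in hs["extensions"]]
    terms += [f"grp:{g}" for g in hs["groups"]]
    return terms

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = lambda v: math.sqrt(sum(w * w for w in v.values()))
    return dot / n if (n := norm(a) * norm(b)) else 0.0

class TfidfDeviceClassifier:
    def __init__(self):
        self.idf, self.centroids = {}, {}   # term -> idf, device type -> vector

    def _vector(self, terms):
        # terms never seen in training get idf 0 and therefore no influence
        return {t: (c / len(terms)) * self.idf.get(t, 0.0) for t, c in Counter(terms).items()}

    def fit(self, labelled):   # labelled: list of (device_type, handshake dict)
        docs = [(label, handshake_terms(hs)) for label, hs in labelled]
        df = Counter(t for _, terms in docs for t in set(terms))
        self.idf = {t: math.log(len(docs) / d) for t, d in df.items()}
        sums = defaultdict(lambda: defaultdict(float))
        for label, terms in docs:
            for t, w in self._vector(terms).items():
                sums[label][t] += w
        self.centroids = {label: dict(v) for label, v in sums.items()}

    def classify(self, hs):
        v = self._vector(handshake_terms(hs))
        scored = {label: cosine(v, c) for label, c in self.centroids.items()}
        best = max(scored, key=scored.get)
        return best, scored[best]

# Constructed training captures (not real device data): two handshakes per type.
TRAIN = [
    ("camera", dict(version=0x0303, cipher_suites=[0xc02f, 0xc030, 0x009c], extensions=[0, 10, 11, 13], groups=[23, 24])),
    ("camera", dict(version=0x0303, cipher_suites=[0xc02f, 0xc030, 0x009c], extensions=[0, 10, 11, 13, 16], groups=[23, 24])),
    ("bulb", dict(version=0x0303, cipher_suites=[0xc02b, 0xc02c], extensions=[0, 10, 13], groups=[29, 23])),
    ("bulb", dict(version=0x0303, cipher_suites=[0xc02b, 0xc02c, 0xc02f], extensions=[0, 10, 13], groups=[29, 23])),
    ("thermostat", dict(version=0x0302, cipher_suites=[0x002f, 0x0035], extensions=[0, 11], groups=[])),
    ("thermostat", dict(version=0x0302, cipher_suites=[0x002f, 0x0035, 0x000a], extensions=[0, 11], groups=[])),
]
```

Because cipher-suite order and extension order are flattened into a bag of terms, a capture that reorders those lists (or adds an extension never seen in training) still lands on the same device type; a real deployment would also need ServerHello terms and a rejection threshold on the score for unknown devices.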
BibTeX:
@inproceedings{jamjoom-iot-iciot-2019,
author = {Ray Valdez and Hani Jamjoom and Dimitrios Pendarakis},
title = {{How to Discover IoT Devices When Network Traffic is Encrypted}},
booktitle = {IEEE International Congress on Internet of Things (IEEE ICIOT)},
address = {Milan, Italy},
month = {July},
year = {2019}
}