Toward IoT device fingerprinting from proprietary protocol traffic via key-blocks aware approach

Abstract

IoT Device fingerprinting of network traffic is valuable for many management and security solutions as it provides insights into the devices active on a network. Unfortunately, existing techniques focus on the public (de facto) standard protocol and suffer from low efficiency and high data packet dependence at flow-level granularity. Hence, accurately identifying the types of proprietary-protocol-oriented IoT devices is still a challenge that cannot be ignored. As a solution, we propose DeepFinger, a full-automated, byte-level payload fingerprint generation approach to fill this gap. DeepFinger aims to eliminate the manual intervention required to extract available payload-driven fingerprints, in the absence of priori protocol specification information. The key sight of DeepFinger is that it utilizes deep clustering to automatically cluster similar payloads and infer key-blocks as fingerprints. Through extensive evaluation, we demonstrate that DeepFinger achieves the average TPR with 98.81%, the average FTF with 98.74%, and the average FPR with 0.07% on the dataset containing multiple proprietary protocols. In addition, on three datasets containing public protocols such as MQTT, Modbus, HTTP, and XMPP, DeepFinger also achieved excellent performance by virtue of its extensibility. These results suggest that DeepFinger can be a promising tool for automatizing the payload fingerprint extraction process, based on proprietary protocol assumption.