Detecting Behavioral Change of IoT Devices Using Clustering-Based Network Traffic Modeling

The Internet of Things (IoT) is increasingly becoming a major challenge for network administrators to manage connected devices and sensors ranging from smart lights to smoke alarms and security cameras, at scale. IoT devices use an extensive variety of firmware and provide little (or no) access for the management of their operating systems and configurations. Operators of the IoT infrastructure, therefore, need to employ traffic classification models (trained by historical data) to automatically detect their assets on the network and ensure the health of devices against cyber attacks by monitoring their network behavior. On the other hand, IoT manufacturers often automatically perform firmware upgrades from cloud servers to devices that are operational in the field. This can potentially lead to a change of device behavior which makes it difficult for network operators to maintain classification models (incorporating changes without retraining the entire model). In this article, we develop a modular device classification architecture that allows operators to automatically detect IoT devices by their network activity and dynamically accommodate legitimate changes in assets (either addition of new device profile or upgrade of existing profiles). Our contributions are threefold: 1) we identify key traffic attributes that can be obtained from flow-level network telemetry to characterize the behavior of various IoT device types. We develop an unsupervised one-class clustering method for each device to detect their normal network behavior; 2) we tune device-specific clustering models and use them to classify IoT devices from their network traffic in real time. We enhance our classification by developing methods for automatic conflict resolution and noise filtering; and 3) we evaluate the efficacy of our scheme by applying it to traffic traces (benign and attack) from ten real IoT devices and demonstrate its ability to detect behavioral changes with an overall accuracy of more than 94 %.