DEFT: A Distributed IoT Fingerprinting Technique

Identifying IoT devices connected to a network has multiple security benefits, such as deployment of behavior-based anomaly detectors, automated vulnerability patching of specific device types, dynamic attack mitigation, etc. In this paper, we look into the problem of IoT device identification at network level, in particular from an ISP's perspective. The simple solution of deploying a supervised machine learning algorithm at a centralized location in the network neither scales well nor can identify new devices. To tackle these challenges, we propose and develop a distributed device fingerprinting technique (DEFT), a distributed fingerprinting solution that addresses and exploits the presence of common devices, including new devices, across smart homes and enterprises in a network. A DEFT controller develops and maintains classifiers for fingerprinting, while gateways located closer to the IoT devices at homes perform device classification. Importantly, the controller and gateways coordinate to identify new devices in the network. DEFT is designed to be scalable and dynamic-it can be deployed, orchestrated, and controlled using software-defined networking and network function virtualization. DEFT is able to identify new device types automatically, while achieving high accuracy and low false positive rate. We demonstrate the effectiveness of DEFT by experimenting on data obtained from real-world IoT devices.