IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO.

8, AUGUST 2019 1745

Classifying IoT Devices in Smart Environments

Using Network Traffic Characteristics
Arunan Sivanathan , Hassan Habibi Gharakheili , Franco Loi, Adam Radford, Chamith Wijenayake ,
Arun Vishwanath , Senior Member, IEEE, and Vijay Sivaraman

Abstract—The Internet of Things (IoT) is being hailed as the next wave revolutionizing our society, and smart homes, enterprises, and
cities are increasingly being equipped with a plethora of IoT devices. Yet, operators of such smart environments may not even be fully
aware of their IoTassets, let alone whether each IoT device is functioning properly safe from cyber-attacks. In this paper, we address this
challenge by developing a robust framework for IoT device classification using traffic characteristics obtained at the network level. Our
contributions are fourfold. First, we instrument a smart environment with 28 different IoT devices spanning cameras, lights, plugs, motion
sensors, appliances, and health-monitors. We collect and synthesize traffic traces from this infrastructure for a period of six months, a
subset of which we release as open data for the community to use. Second, we present insights into the underlying network traffic
characteristics using statistical attributes such as activity cycles, port numbers, signalling patterns, and cipher suites. Third, we develop
a multi-stage machine learning based classification algorithm and demonstrate its ability to identify specific IoT devices with over
99 percent accuracy based on their network activity. Finally, we discuss the trade-offs between cost, speed, and performance involved in
deploying the classification framework in real-time. Our study paves the way for operators of smart environments to monitor their IoT
assets for presence, functionality, and cyber-security without requiring any specialized devices or protocols.

Index Terms—IoT, network characteristics, device visibility, classification, machine learning

Ç
1 INTRODUCTION

T HE number of devices connecting to the Internet is bal-

looning, ushering in the era of the “Internet of Things”
(IoT). IoT refers to the tens of billions of low cost devices that
communicate with each other and with remote servers on the
Internet autonomously. It comprises everyday objects such as
lights, cameras, motion sensors, door locks, thermostats,
power switches and household appliances, with shipments
projected to reach nearly 20 billion by 2020 [1]. Thousands of
IoT devices are expected to find their way in homes, enter-
prises, campuses and cities of the near future, engendering
“smart” environments benefiting our society and our lives.
The proliferation of IoT, however, creates an important
problem. Operators of smart environments can find it diffi-
cult to determine what IoT devices are connected to their
network and further to ascertain whether each device is
functioning normally. This is mainly attributed to the task
of managing assets in an organization, which is typically
distributed across different departments. For example, in a
local council, lighting sensors may be installed by the

A. Sivanathan, H. Habibi Gharakheili, F. Loi, C. Wijenayake, and
V. Sivaraman are with the School of Electrical Engineering and Telecommu-
nications, University of New South Wales, Sydney, NSW 2052, Australia.
E-mail: {asivanathan, h.habibi, c.wijenayake, vijay}@unsw.edu.au, f.loi@
student.unsw.edu.au.

A. Radford is with Cisco Systems, Sydney, NSW 2060, Australia.
E-mail: aradford@ciscocom.

A. Vishwanath is with IBM Research, Southbank, VIC 3006, Australia.
E-mail:
facilities team, sewage and garbage sensors by the sanita-
tion department and surveillance cameras by the local
police division. Coordinating across various departments to
obtain an inventory of IoT assets is time consuming, oner-
ous and error-prone, making it nearly impossible to know
precisely what IoT devices are operating on the network at
any point in time. Obtaining “visibility” into IoT devices in
a timely manner is of paramount importance to the opera-
tor, who is tasked with ensuring that devices are in appro-
priate network security segments, are provisioned for
requisite quality of service, and can be quarantined rapidly
when breached. The importance of visibility is emphasized
in Cisco’s most recent IoT security report [2], and further
highlighted by two recent events: sensors of a fishtank that
compromised a casino in Jul 2017 [3], and attacks on a Uni-
versity campus network from its own vending machines in
Feb 2017 [4]. In both cases, network segmentation could
have potentially prevented the attack and better visibility
would have allowed rapid quarantining to limit the damage
of the cyber-attack on the enterprise network.
One would expect that devices can be identified by their
MAC address and DHCP negotiation. However, this faces
several challenges: (a) IoT device manufacturers typically
use NICs supplied by third-party vendors, and hence the
Organizationally Unique Identifier (OUI) prefix of the MAC
address may not convey any information about the IoT
device; (b) MAC addresses can be spoofed by malicious

[email protected]. devices; (c) many IoT devices do not set the Host Name
Manuscript received 4 Oct. 2017; revised 10 Aug. 2018; accepted 14 Aug. option in their DHCP requests [5]; indeed we found that
2018. Date of publication 20 Aug. 2018; date of current version 28 June 2019. about half the IoT devices we studied do not reveal their
(Corresponding author: Hassan Habibi Gharakheili.) host names, as shown in Table 1; (d) even when the IoT
For information on obtaining reprints of this article, please send e-mail to: device exposes its host name it may not always be meaning-
[email protected], and reference the Digital Object Identifier below.
Digital Object Identifier no. 10.1109/TMC.2018.2866249
ful (e.g., WBP-EE4C for Withings baby monitor in Table 1);

1536-1233 ß 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See ht_tp://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
1746 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO. 8, AUGUST 2019

TABLE 1
MAC Address and DHCP Host Name of IoT Devices Used in Our Testbed

IoT device MAC address OUI DHCP host name

Amazon Echo 44:65:0d:56:cc:d3 Amazon Technologies Inc.
August Doorbell Cam e0:76:d0:3f:00:ae AMPAK Technology, Inc.
Awair air quality monitor 70:88:6b:10:0f:c6 Awair-4594
Belkin Camera b4:75:0e:ec:e5:a9 Belkin International Inc. NetCamHD
Belkin Motion Sensor ec:1a:59:83:28:11 Belkin International Inc.
Belkin Switch ec:1a:59:79:f4:89 Belkin International Inc.
Blipcare BP Meter 74:6a:89:00:2e:25 Rezolt Corporation
Canary Camera 7c:70:bc:5d:5e:dc IEEE Registration Authority Ambarella/C100F1615229
Dropcam 30:8c:fb:2f:e4:b2 Dropcam
Google Chromecast 6c:ad:f8:5e:e4:61 AzureWave Technology Inc. Chromecast
Hello Barbie 28:c2:dd:ff:a5:2d AzureWave Technology Inc. Barbie-A52D
HP Printer 70:5a:0f:e4:9b:c0 Hewlett Packard HPE49BC0
iHome PowerPlug 74:c6:3b:29:d7:1d AzureWave Technology Inc. hap-29D71D
LiFX Bulb d0:73:d5:01:83:08 LIFI LABS MANAGEMENT PTY LTD LIFX Bulb
NEST Smoke Sensor 18:b4:30:25:be:e4 Nest Labs Inc.
Netatmo Camera 70:ee:50:18:34:43 Netatmo netatmo-welcome-183443
Netatmo Weather station 70:ee:50:03:b8:ac Netatmo
Phillip Hue Lightbulb 00:17:88:2b:9a:25 Philips Lighting BV Philips-hue
Pixstart photo frame e0:76:d0:33:bb:85 AMPAK Technology, Inc.
Ring Door Bell 88:4a:ea:31:66:9d Texas Instruments
Samsung Smart Cam 00:16:6c:ab:6b:88 Samsung Electronics Co.,Ltd
Smart Things d0:52:a8:00:67:5e Physical Graph Corporation SmartThings
TP-Link Camera f4:f2:6d:93:51:f1 TP-LINK TECHNOLOGIES CO.,LTD. Little Cam
TP-Link Plug 50:c7:bf:00:56:39 TP-LINK TECHNOLOGIES CO.,LTD. HS110(US)
Triby Speaker 18:b7:9e:02:20:44 Invoxia
Withings Baby Monitor 00:24:e4:10:ee:4c Withings WBP-EE4C
Withings Scale 00:24:e4:1b:6f:96 Withings
Withings sleep sensor 00:24:e4:20:28:c6 Withings WSD-28C6

and lastly (e) these host names can be changed by the user
(e.g., the HP printer can be given an arbitrary host name).
For these reasons, relying on DHCP infrastructure is not a
viable solution to correctly identify devices at scale.
In this paper, we address the above problem by develop-
ing a robust framework that classifies each IoT device sepa-
rately in addition to one class of non-IoT devices with high
accuracy using statistical attributes derived from network
traffic characteristics. Qualitatively, most IoT devices are
expected to send short bursts of data sporadically. Quantita-
tively, our preliminary work in [6] was one of the first
attempts to study how much traffic IoT devices send in a
burst and how long they idle between activities. We also
evaluated how much signaling they perform (e.g., domain
lookups using DNS or time synchronization using NTP) in
comparison to the data traffic they generate. This paper sig-
nificantly expands on our prior work by employing a more
comprehensive set of attributes on trace data captured over
a much longer duration (of 6 months) from a test-bed com-
prising 28 different IoT devices.
There is no doubt that it is becoming increasingly
important to understand the nature of IoT traffic. Doing so
helps contain unnecessary multicast/broadcast traffic,
reducing the impact they have on other applications. It
also enables operators of smart cities and enterprises to
dimension their networks for appropriate performance
levels in terms of reliability, loss, and latency needed by
environmental, health, or safety applications. However,
the most compelling reason for characterizing IoT traffic is
to detect and mitigate cyber-security attacks. It is widely
known that IoT devices are by their nature and design
easy to infiltrate [7], [8], [9], [10], [11], [12]. New stories are
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
emerging of how IoT devices have been compromised
and used to launch large-scale attacks [13]. The large het-
erogeneity in IoT devices has led researchers to propose
network-level security mechanisms that analyze traffic
patterns to identify attacks (see [14] and our recent work
[15]); success of these approaches relies on a good under-
standing of what “normal” IoT traffic profile looks like.
Our primary focus in this work is to establish a machine
learning framework based on various network traffic char-
acteristics to identify and classify the default (i.e., baseline)
behavior of IoT devices on a network. Such a framework
can potentially be used in the future to detect anomalous
behavior of IoT devices (potentially due to cyber-attacks),
and such anomaly detection schemes are beyond the scope
of this paper. This paper fills an important gap in the litera-
ture relating to classification of IoT devices based on their
network traffic characteristics. Our contributions are:
1) We instrument a living lab with 28 IoT devices emu-
lating a smart environment. The devices include
cameras, lights, plugs, motion sensors, appliances
and health-monitors. We collect and synthesize data
from this environment for a period of 6 months. A
subset of our data is made available for the research
community to use.
2) We identify key statistical attributes such as activity
cycles, port numbers, signaling patterns and cipher
suites, and use them to give insights into the under-
lying network traffic characteristics.
3) We develop a multi-stage machine learning based
classification algorithm and demonstrate its ability
to identify specific IoT devices with over 99 percent
accuracy based on their network behavior.
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS
4) We evaluate the deployment of the classification
framework in real-time, by examining the trade-offs
between costs, speed, and accuracy of the classifier.
The rest of this paper is organized as follows: Section 2
describes relevant prior work. We present our IoT setup
and data traces in Section 3, and in Section 4 characterize
traffic attributes of the various IoT devices. In Section 5 we
propose a machine learning based multi-stage device classi-
fication method and evaluate its performance, followed by
a discussion on the real-time operation of the proposed sys-
tem in Section 6. The paper is concluded in Section 7.
2 RELATED WORK
There is a large body of work characterizing general Internet
traffic [16], [17], [18], [19]. These prior works largely focus on
application detection (e.g., Web browsing, Gaming, Mail,
Skype VoIP, Peer-to-Peer, etc.). However, studies focusing
on characterizing IoT traffic (also referred to as machine-to-
machine or M2M traffic) are still in their infancy.
Analysis of Empirical Traces. The work in [20] is one of the
first large-scale studies to delve into the nature of M2M traf-
fic. It is motivated by the need to understand whether M2M
traffic imposes new challenges for the design and manage-
ment of cellular networks. The work uses a traffic trace
spanning one week from a tier-1 cellular network operator
and compares M2M traffic with traditional smart-phone
traffic from a number of different perspectives—temporal
variations, mobility, network performance, and so on. The
study informs network operators to be cognizant of these
factors when managing their networks.
In [21], the authors note that the amount of traffic gener-
ated by a single M2M device is likely to be small, but the
total traffic generated by hundreds or thousands of M2M
devices would be substantial. These observations are to
some extent corroborated by [22], [23], which note that a
remote patient monitoring application is expected to gener-
ate about 0.35 MB per day and smart meters roughly
0.07 MB per day.
Aggregated Traffic Model. A Coupled Markov Modulated
Poisson Processes framework to capture the behavior of a
single machine-type communication as well as the collective
behavior of tens of thousands of M2M devices is proposed
in [24]. The complexity of the CMMPP framework is shown
to grow linearly with the number of M2M devices, render-
ing it effective for large-scale synthesis of M2M traffic.
In [25], the authors show that it is possible to split the
(traffic) state of an M2M device into three generic categories,
namely periodic update, event driven, and payload excha-
nge, and a number of modelling strategies that use these
states are developed. An illustration of model fitting is
shown via a use-case in fleet management comprising 1000
trucks run by a transportation company. The fitting is based
on measured M2M traffic from a 2G/3G network. A simple
model to estimate the volume of M2M traffic generated in a
wireless sensor network enabled connected home is con-
structed in [26]. Since behavior of sensors is very application
specific, the work identifies certain common communication
patterns that can be attributed to any sensor device. Using
these attributes, four generalized equations are proposed to
estimate the volume of traffic generated by a sensor network
enabled connected apartment/home.
Use of Machine Learning. Various machine-learning-based
analytical methods have been proposed in the literature to
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
1747
classify traffic application or identify malwares/botnets for
typical computer networks. The work in [27] uses deep learn-
ing to classify flow types such as HTTP, SMTP, Telnet, QUIC,
Office365, and YouTube by considering six features namely
source/destination port number, payload volume, TCP win-
dow size, inter-arrival time and direction of traffic that are
extracted from the first 20 packets of a flow. The work carried
out in [28] suggests that botnets exhibit identifiable traffic
patterns that can be classified by considering features such
as average time between successive flows, flow duration,
inbound/outbound traffic volume, and Fourier transforma-
tion over the flow start times. Detection of malicious activity
on the network was enhanced in [29] and [30] by combining
these flow-level features with packet-level attributes includ-
ing packet size, byte distribution of payload, inter arrival
times of packets and TLS handshake metadata (i.e., cipher
suite codes). Further, authors have released an open source
libpcap-based tool called Joy [31] to extract these features
from the passive capture of network traffic.
In the context of IoT, [32] uses machine learning to clas-
sify a single TCP flow from authorized devices on the net-
work. It employs over 300 attributes (packet-level and flow-
level), though the most influential ones are minimum,
median and average of packets Time-To-Live (TTL), the
ratio of total bytes transmitted and received, total number
packets with reset (RST) flag, and the Alexa rank of server.
While all the above works make important contributions,
they do not undertake fine-grained characterization and
classification of IoT devices in a smart environment such as
a home, city, campus or enterprise. Furthermore, statistical
models are not developed that enable IoT device classifica-
tion based on their network traffic characteristics. Most
importantly, prior works do not make any data set publicly
available for the research community to use and build
upon. Our work overcomes these shortcomings.
3 IOT TRAFFIC COLLECTION AND SYNTHESIS
In this section, we describe our smart environment infra-
structure for collecting and synthesizing traffic from various
IoT devices.
3.1 Experimental Test-Bed
A real-life architecture of a “smart environment” is depicted
in Fig. 1 that serves a wide range of IoT and non-IoT devices
over its (wired/wireless) network infrastructure and allows
them to communicate with the Internet servers via a gate-
way. Our lab setup is a specialized implementation of this
architecture, housed at our campus facility, comprises one
node of TP-Link Archer C7 v2 WiFi access point (represent-
ing internal switch) collocated with the Internet gateway.
The TP-Link access point, flashed with the OpenWrt firm-
ware release Chaos Calmer (15.05.1, r48532), serves as the
gateway to the public Internet. We also installed additional
OpenWrt packages on the gateway, namely tcpdump
(4.5.1-4) for capturing traffic, bash (4.3.39-1) for
scripting, block-mount package for mounting external
USB storage on the gateway, kmod-usb-core and kmod-
usb-storage (3.18.23-1) for storing the traffic trace
data on the USB storage.
In our lab setup, the WAN interface of the TP-Link access
point is connected to the public Internet via the university
network, while the IoT devices are connected to the LAN
and WLAN interfaces respectively. Our smart environment
1748
Fig. 1. Testbed architecture showing connected 28 different IoT devices
along with several non-IoT devices, and telemetry collected across the
infrastructure is fed to our classification models.
has a total of 28 unique IoT devices representing different
categories along with several non-IoT devices. Here, IoT
refers to specific-purpose Internet connected devices (e.g.,
cameras and smoke sensors), while general-purpose devices
(e.g., phones and laptops) fall into the non-IoT category.
The IoT devices include cameras (Nest Dropcam, Sam-
sung SmartCam, Netatmo Welcome, Belkin camera, TP-Link
Day Night Cloud camera, Withings Smart Baby Monitor,
Canary camera, August door bell, Ring door bell), switches
and triggers (iHome, TP-Link Smart Plug, Belkin Wemo
Motion Sensor, Belkin Wemo Switch), hubs (Smart Things,
Amazon Echo), air quality sensors (NEST Protect smoke
alarm, Netatmo Weather station, Awair air quality monitor),
electronics (Triby speaker, PIXSTAR Photoframe, HP Printer,
Hello barbie, Google Chromecast), healthcare devices (With-
ings Smart scale, Withings Aura smart sleep sensor, Blipcare
blood pressure meter) and light bulbs (Phips Hue and LiFX
Smart Bulb). Several non-IoT devices were also connected to
the testbed, such as laptops, mobile phones and an Android
tablet. The tablet was used to configure the IoT devices as rec-
ommended by the respective device manufacturers.
3.2 Trace Data
All the traffic on the LAN side was collected using the
tcpdump tool running on OpenWrt [33]. It is important to
have a one-to-one mapping between a physical device and
a known MAC address (by virtue of being in the same
LAN) or IP address (i.e., without NAT) in the traffic trace.
Capturing traffic on the LAN allowed us to use MAC
address as the identifier for a device to isolate its traffic
from the traffic mix comprising many other devices in the
network. We developed a script to automate the process of
data collection and storage. The resulting traces were stored
as pcap files on an external USB hard drive of 1 TB storage
attached to the gateway. This setup permitted continuous
logging of the traffic across several months.
We started logging the network traffic in our smart envi-
ronment from 1-Oct-2016 to 13-Apr-2017, i.e., over a period
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO. 8, AUGUST 2019
of 26 weeks. The raw trace data contains packet headers and
payload information. The process of data collection and stor-
age begins at midnight local time each day using the Cron job
on OpenWrt. We wrote a monitoring script on the OpenWrt
to ensure that data collection/storage was proceeding
smoothly. The script checks the processes running on the
gateway at 5 second intervals. If the logging process is not
running, then the script immediately restarts it, thereby limit-
ing any data loss event to only 5 seconds. To make the trace
data publicly available, we set up an Apache server on a vir-
tual machine (VM) in our university data center and wrote a
script to periodically transfer the trace data from the previous
day, stored on the hard drive, onto the VM. The trace data
from two weeks is openly available for download at: http://
iotanalytics.unsw.edu.au/. The size of the daily logs varies
between 61 MB and 2 GB, with an average of 365 MB.
4 IOT TRAFFIC CHARACTERIZATION
We now present our observations using passive packet-
level analysis of traffic from 28 IoT devices over the course
of 26 weeks. We study a broad range of IoT traffic character-
istics including activity patterns (e.g., distribution of vol-
ume/times during active/sleep periods), and signalling
(e.g., domain names requested, server-side port numbers
used and TLS handshake exchanges).
IoT traffic constitutes (i) traffic generated by the devices
autonomously—e.g., DNS, NTP, etc. that are unaffected by
human interaction, as well as (ii) traffic generated due to
users interacting with the devices—e.g., Belkin Wemo
sensor responding to detection of movement, Amazon Echo
responding to voice commands issued by a user, LiFX
lightbulb changing colour and intensity upon user request,
Netatmo Welcome camera detecting an occupant and ins-
tructing the LiFX light bulb to turn on with a specific colour,
and so on. Our dataset well captures these two types of IoT
traffic from a lab that represents a living smart environment
(i.e., covering periods over which humans are present or
absent in the environment).
To provide insights into the IoT traffic characteristics, we
show in Fig. 2a Sankey plot of network traffic seen over a
24 hour period for Amazon Echo and LiFX lightbulb. These
devices are chosen just for illustrative purposes. Each plot
depicts the flow-level information generated by the respec-
tive device. Flows are: (a) either unicast or multicast/broad-
cast, (b) destined to either local hosts (LAN) or Internet
servers (WAN), and (c) tied to protocols (TCP, UDP, ICMP
or IGMP) and port numbers.
Fig. 2 provides a visual aid depicting the underlying traf-
fic signature exhibited by the two devices. For example, DNS
(port number 53) and NTP (port number 123) are used by
both Amazon Echo and LiFX lightbulb. While Amazon Echo
uses HTTP (port number 80), HTTPS (port number 443) and
ICMP (port number 0), LiFX lightbulb does not use any of
these applications. Further, each device seems to communi-
cate to a unique port number on a WAN server; TCP 33434
for Amazon Echo and UDP 56700 for LiFX lightbulb, as
shown by the top flow in Figs. 2a and 2b. Finally, we observe
that Amazon Echo accesses a number of domain names
including softwareupdates.amazon.com, device-
metrics-su.amazon.com, example.org, pindorama.
amazon.com and pool.ntp.org. However, LiFX light-
bulb communicates with only two domains, i.e., v2.bro-
ker.lifx.co and pool.ntp.org.
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS 1749

Fig. 2. Sankey diagram of daily network activity for two representative IoT devices, Amazon Echo, and LiFX lightbulb. A clear distinction is observed
in terms of their communication patterns, i.e., the servers they talk to, and the port numbers and protocols used for data exchange.

Fig. 3. Distribution of IoT activity pattern: (a) Flow volume, (b) flow duration, (c) average flow rate, and (d) device sleep time.

4.1 IoT Activity and Volume Pattern
We start with the activity pattern of IoT devices that is
defined by the properties of their traffic flows. We define
four key attributes at a per-flow level to characterize IoT
devices based on their network activity: flow volume (i.e.,
sum total of download and upload bytes), flow duration (i.e.,
time between the first and the last packet in a flow), average
flow rate (i.e., flow volume divided by the flow duration),
and device sleep time (i.e., time interval over which the IoT
device has no active flow).
We plot in Fig. 3 the probability distribution of the above
four attributes for a chosen set of IoT devices using the trace
data collected over 26 weeks. It can be observed from
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
Fig. 3a that each IoT device tends to exchange a small
amount of data per flow. For the case of the LiFX lightbulb
(depicted by red bars), 26 percent of flows transfer between
[130, 140] bytes and 20 percent between [120, 130] bytes.
The flow volume for the Belkin motion sensor (depicted by
green bars) is slightly higher; over 35 percent of flows trans-
fer between [2800, 3800] bytes. For the Amazon Echo
(depicted by blue bars), over 95 percent of flows transfer
less than 1000 bytes. Though we present the flow volume
histogram for only a few devices, most of our IoT devices
exhibit a similar predictable pattern.
A similar pattern emerges for the flow duration as
well. Referring to Fig. 3b, we note that the flow duration of
1750 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO. 8, AUGUST 2019

Fig. 4. Word-cloud of server ports (total count of unique ports is shown in {sub-captions} next to the device name).

53 seconds is seen in more than 40 percent of flows for
Amazon Echo, while a duration of 60 seconds is seen for the
LiFX lightbulb and Belkin motion sensor with a probability
of 50 and 21 percent respectively.
For the average flow rate attribute, Fig. 3c shows that the
mean rate is rather small, in the bits-per-second range as
one would qualitatively expect. Quantitatively, the figure
shows that the LiFX lightbulb has an average flow rate of
18 bits-per-second nearly 60 percent of the time. Nearly
30 percent of Belkin flows have a bit rate in the range 59 to
60 bits-per-second while nearly 40 percent Amazon Echo
flows have a bit range in the range 70 to 71 bits-per-second.
Lastly, in terms of the sleep time for the devices Fig. 3d
shows that the Belkin motion sensor and the LiFX lightbulb
exhibit a distinct sleep pattern. The duration is 1 second and
60 seconds with probability 73 and 48 percent respectively.
However, multiple sleep times with small probabilities are
observed for the Amazon Echo. This is because Amazon
Echo keeps its TCP connections alive and goes to sleep only
when it disconnects from the Internet. Other devices in our
test-bed also perform like the Echo and do not seem to have
a dominant sleep pattern.
4.2 IoT Signaling Pattern
We now focus on the application layer protocols, inferred
using the port numbers, that IoT devices mostly use to com-
municate locally in the LAN and/or externally with servers
on the public Internet.
4.2.1 Server Port Numbers
Fig. 4 shows the word cloud of server-side port numbers of
all flows initiated from a variety of IoT devices. For each
device, if a port is used more frequently then it is shown by a
larger font-size in the respective word cloud. Sub-captions
(i.e., numbers within {}) report the number of unique server
ports for each device. It can be seen that IoT devices each
uniquely communicate with a handful of server ports
whereas non-IoT devices use a much wider range of services
(i.e., 2382 unique ports are shown in Fig. 4h and many of
them are very infrequent). We observe that non-standard
ports 33434, 56700, 8883, and 25050 are prominently seen in
traffic originating from Amazon Echo, LiFX lightbulb, Awair
air quality monitor, and Netatmo weather station respec-
tively, as shown in the top row of Fig. 4. Further, we note
devices from the same manufacturer share certain ports. For
example, port numbers 8443 and 3478 are common between
Belkin’s motion sensor, power switch, and camera, as shown
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
in Figs. 4e, 4f, and 4g. We also note that well-known standard
port numbers such as 53 (DNS), 123 (NTP), 0 (ICMP) and
1900 (SSDP) are used by many of the IoT devices as well as
the non-IoTs with various frequencies, as shown in Fig. 4.
Moreover, the server-side port number of 443 (TLS/SSL) is
also used by many of the IoT devices.
4.2.2 DNS Queries
DNS is a common application used by almost all networked
devices. Since IoT devices are custom-designed for specific
purposes, they access a limited number of domains corre-
sponding to their vendor-specific end-point servers. We
plot in Fig. 5 the word cloud of domain names accessed by
several IoT devices as well as non-IoTs. It is seen that IoT
devices are fairly distinguishable by the domain names they
communicate with. For example, as depicted in Figs. 5a, 5b,
and 5c, domains such as example.com, example.net,
and example.org are frequently requested by Amazon
Echo; sub-domains of hp.com and hpeprint.com are
seen in DNS queries from the HP printer. However, we also
see that some prominent domain names are shared between
the different devices. For example, belkin.com and
d3gjecg2uu2faq.cloudfront.net are commonly used
by Belkin devices (i.e., camera, motion sensor and power
switch) as shown in Figs. 5d, 5e, and 5f; or pool.ntp.org
is prominent in traffic flows generated from Google Drop-
cam, Awair air quality monitor and LiFX lightbulb, as
shown in Figs. 5b, 5c, 5d, 5e, 5f, 5g, and 5h. Again consider-
ing non-IoTs in Fig. 5i, we see about 12000 unique domains
visited which is far diverse compared to IoT devices with
only a handful of domains accessed repeatedly.
We also found that IoT devices differ from one other in
how often the DNS protocol is used. We have observed
from our traffic traces that IoT devices generate DNS
queries during different stages of its operation; for example
only during the boot-up phase (e.g., Google Dropcamp) or
when interacting with a user (e.g., Hello Barbie) or periodi-
cally (e.g., Amazon Echo). As shown in Fig. 6, certain IoT
devices exhibit a characteristic signature in the frequency of
their DNS queries. The LiFX lightbulb and Amazon Echo
send DNS queries very frequently (i.e., every 5 minutes) but
a device like the Belkin motion sensor requests domain
names only once every 30 minutes.
4.2.3 NTP Queries
As mentioned earlier, NTP is another popular protocol
used by IoT devices because precise and verifiable timing
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS 1751

Fig. 5. Word-cloud of domain names (total count of unique domains is shown in {sub-captions} next to the device name).

is crucial for IoT operations [34]. Many IoT devices tend to
use NTP protocol (UDP port 123) in a periodic manner in
order to synchronize their time with publicly available
NTP servers. For example, Awair air quality monitor, LiFX
lightbulb and Google Dropcam obtain the IP address of
time servers from pool.ntp.org. We also find that time
synchronization occurs repeatedly in our test-bed and
many IoT devices exhibit a recognizable pattern in the use
of NTP. For example, the Belkin power switch, LiFX light-
bulb and SmartThings hub send NTP requests every 60,
300 and 600 seconds respectively, as shown in histogram
plot of Fig. 7.
4.2.4 Cipher Suite
A number of IoT devices use TLS/SSL protocol (port num-
ber 443) to communicate with their respective servers on
the Internet [30]. In order to initiate the TLS connection and
negotiate the security algorithms with servers, devices start
handshaking by sending a “Client Hello” packet with a list
of “cipher suites” that they can support, in the order of their
preference. For example, Figs. 8a and 8b depict cipher suites
that Amazon Echo offers to two different Amazon servers.
Each cipher suite (i.e., 4-digit code) can take one of 380 pos-
sible values and represents algorithms for key exchange,
bulk encryption and message authentication code (MAC).
For example, the cipher 002f negotiated by an Amazon
server uses RSA, AES_128_CBC, and SHA protocols for key
exchange, bulk encryption and message authentication,
respectively.
We find that 17 out of the 28 IoT devices in our setup,
inclu ding the Amazon Echo, August Doorbell Cam, Awair
air quality monitor, Belkin Camera, Canary Camera, Drop-
cam, Google Chromecast, Hello Barbie, HP ENVY Printer,
iHome, Netatmo Welcome camera, Philips Hue lightbulb,

Fig. 6. Histogram of DNS interval. Fig. 7. Histogram of NTP interval.

Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
1752
Fig. 8. Signature of cipher suite.
Pixtar photoframe, Ring Door Bell, Triby, Withings Aura
smart sleep sensor and Withings Scale, use TLS/SSL for
communication. We find that Amazon Echo uses total of
five different cipher suite strings when communicating SSL
to different servers, Triby speaker uses two strings, while
the Pixtar photoframe uses only one string for all of its SSL
communications. We plot unique cipher suite strings from
these three devices in Fig. 9 as discrete signals: x-axis is the
order of 4-digit cipher codes that appear in the offered suite,
and y-axis is the index of the individual cipher codes (i.e., a
value from {1, 2, ..., 380}). It is seen that the collection of
cipher suite signals enunciates a unique signature for each
IoT device. Exceptionally, we found that Pixtar photoframe
shares its single cipher suite with one of 18 suites that are
used by August door-bell—we will see in Section 5.2 that
relying only on cipher suite attribute would not be effective
in classifying Pixtar photo-frame traffic.
There are however many devices that rarely exchange
cipher suites but instead prefer to keep their TLS connec-
tions alive for a long period. For example, Google Dropcam
establishes a TLS connection to its own server whenever it
boots up and maintains this connection as long as it has
network connectivity, while Amazon Echo and Pixstar pho-
toframe initiate on average 1 and 2 TLS connections respec-
tively every hour.
Summary. In this section, we have identified 8 key attrib-
utes based on the underlying network traffic characteristics
of IoT devices. They are flow volume, flow duration, aver-
age flow rate, device sleep time, server port numbers, DNS
queries, NTP queries and cipher suites. Although, some
devices (e.g., Amazon Echo, or LiFX lightbulb) can be
uniquely identified by considering just one or two traffic attrib-
utes such as the list of domain-names, port-numbers, or cipher
suites, these come with challenges. For example, a strong attri-
bute like the list of cipher-suites is observed very infrequently
in the traffic (e.g., only once a day). As another example,
Fig. 9. Signature of cipher suite.
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO. 8, AUGUST 2019
different types of devices from the same vendor visit similar
domains and use the same port numbers to access cloud serv-
ers. Capturing aspects such as the number of occurrences for
these attributes (e.g., number of times a domain is accessed or
number of streams that use the port), in combination with
other attributes, vastly improves the prediction capability to
distinguish between devices from the same manufacturer. In
the next section, we develop a multi-stage machine learning
based algorithm using combinations of these attributes to help
classify IoT devices with high accuracy.
5 MACHINE LEARNING BASED CLASSIFICATION
In order to synthesize the attributes from our trace data, we
first convert the raw pcap files into flows on an hourly basis
using the Joy tool [31]. Then, for a given IoT device, we com-
pute the traffic activity and signalling attributes defined in
the previous section over the hourly instances. The number
of instances for each device obtained from the trace span-
ning 26 weeks varies depending on factors such as the dura-
tion for which a device is online, or how a device generates
traffic (autonomously or interactively). For example, there
were only 13 hourly instances for the Blipcare BP monitor
since it generates traffic only when the device is used by a
user. On the other hand, we collected 4177 instances for
Google Dropcam.
5.1 Multi-Stage Device Classification Architecture
We note that three of our attributes namely “set of domain
names”, “set of remote port numbers” and “set of cipher
suites” are nominal (i.e., are not treated as numeric values)
and multi-valued (for example, {”53”:3, ”123”:1, ”443”:2}
represents a set of remote port numbers with three occur-
rences of port number 53, two occurrences of port 123, and
one occurrence of port number 443). Our remaining attrib-
utes including flow volume/duration, flow rate, sleep time,
and DNS/NTP intervals contain single quantitative and
continuous values. We therefore employ a two-stage hierar-
chical architecture for our IoT classifier as shown in Fig. 10.
Inthisarchitecture,wefirstfeedeachmulti-valuedattribute
to its corresponding stage-0 classifier in the form of a “bag of
words”. A bag of words is a matrix whose rows represent
labeled instances, and columns represent unique words. This
matrix has M rows (i.e., total number of instances) and N
columns (i.e., number of unique words). We observed 356,
421 and 54 unique words for domain-names, remote port
numbers and cipher suite strings, as shown in Fig. 10. In addi-
tion to these unique words, we aggregated all corresponding
words for non-IoT devices as “others” - a column called
“others” in each Stage-0 matrix represents words not seen
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS
Fig. 10. System architecture of the multi-stage classifier.
in IoT traffic. Each cell of this matrix is the number of occur-
rencesof suchuniquewordsinagiveninstance.
As shown in Fig. 10, each classifier of Stage-0 generates
two outputs, namely a tentative class and a confidence level,
which together with other single-valued quantitative attrib-
utes (i.e., flow volume, duration, rate, sleep time, DNS, NTP
intervals) are fed into a Stage-1 classifier that produces the
final output (i.e., the device identification with a confidence
level).
5.1.1 Stage-0: Bag-of-Words Classifiers
We employ a Naive Bayes Multinomial classifier to analyze
each bag of words in the stage-0 of our machine. It has been
shown [35] that this classifier performs well in text classifica-
tion when dealing with a large number of unique words.
During the training phase, the classifier takes the distribution
of words, e.g., individual unique domain names, and com-
putes the probability of each word given a class using:
P ber of instances (e.g., 13 for Blipcare BP monitor, 21 for Goo-
1þ D l¼1 nl;ci ;wj
train
Prðwtrain
j jci Þ ¼ PN PD ; (1)
N þ k¼1 l¼1 nl;ci ;wk train
where wj is a unique word in the training dataset (e.g., port
number 56700); ci is a class label (e.g., LiFX lightbulb); D is
the total number of instances; nl;ci ;wj train is the number of wj
occurrences in each of instances with class label of ci ; N is
the total number of unique words (e.g., we have N ¼ 421
unique port numbers in our dataset).
During the testing phase, the classifier needs to compute
the following probability for all possible classes:
Y
N
ntest
Prðci jW test Þ ¼ Prðctrain
i Þ Pr ðwj train jci Þj ; (2)
j¼1
where W test is a set represented by fw1 : ntest test
1 ; w2 : n2 ; . . . ;
wN : ntest
N g; ntest
j is the occurrence number of individual
unique words wj in a given test instance; Prðctrain i Þ is the
presence probability of a class ci in the whole training data-
set (i.e., number of ci training instances divided by total
number of all training instances). The classifier finally choo-
ses the class that gives the maximum probability in (2) for a
given set of words along with their occurrences. Note that a
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
1753
Naive Bayes Multinomial classifier performs well if training
instances are fairly distributed among various classes [35].
5.1.2 Stage-1 Classifier
We have a stage-1 classifier that takes all quantitative attrib-
utes along with the pair of outputs from each stage-0 classi-
fier. Since the stage-1 attributes are not linearly separable
and the outputs of stage-0 classifiers are nominal values, we
use a Random Forest based stage-1 classifier. Another rea-
son for selecting the Random Forest is its high tolerance to
over-fitting compared to other decision tree classifiers.
5.2 Performance Evaluation
We use the Weka [36] tool for our IoT device classification.
We have collected a total of 50,378 labeled instances from
our traffic traces. As mentioned earlier, we have a number
of instances from different devices—those that generate
traffic when triggered by user interaction have small num-
gle Chromecast) and those that autonomously generate
traffic have a fairly large number of instances (e.g., 2,868 for
Samsung Smart Things or 2,247 for Amazon Echo). We have
randomly split instances into two groups, one containing
70 percent of the instances for “training” and another con-
taining 30 percent of the instances for “testing”.
Table 2 shows the performance of our classifier under
various scenarios, each captured by a pair of columns.
For a given scenario, we measure the true positive rate
(i.e., fraction of test instances that are correctly classified)
and false positive rate (i.e., fraction of test instances that
are incorrectly classified) for every device corresponding
to the rows in Table 2. We also obtain the average confi-
dence level (i.e., a number between 0 and 1 depicted
within square brackets in each cell) of our classifier for
correctly classified and incorrectly classified instances. In
addition, we aggregate the performance of individual
classes and compute the overall accuracy (i.e., total true
positive rate) along with the overall root relative squared
error (RRSE) as measures of performance for our classi-
fier. These measures are reported in the top row of each
scenario in Table 2. Note that our objective is to achieve a
high accuracy (close to 100 percent) with a fairly low
error (close to zero).
1754
TABLE 2
Performance of the Proposed IoT Device Classifier under Different Sets of Attributes
5.2.1 Performance of Stage-0: Port Numbers Attribute
The first three columns correspond to those cases in which
we consider only nominal attributes of stage-0 (i.e., bag of
words corresponding to port numbers, domain names and
cipher suites). The first column shows that when we only
use a list of server-side port numbers for device classifica-
tion, a reasonable accuracy of 92.13 percent is achieved, but
RRSE is poor (at 39.93 percent). Inspecting the individual
classes, we observe that certain classes highlighted by yel-
low or light-green (e.g., Ring door bell, Blipcare BP monitor,
Hello Barbie, and Google chromecast) are poorly classified.
We explain the reason behind this misclassification next.
Ring Door Bell. Out of 486 instances, 465 contain a single
occurrence of the DNS query (i.e., remote port number 53).
We see that 95.8 percent of test instances are incorrectly clas-
sified as Netatmo weather station. This is because of two
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO. 8, AUGUST 2019
reasons: (i) there are 2451 training instances of Netatmo
compared to 323 of Ring door bell, which makes Prðctrain i Þ of
Netatmo larger than that of Ring door bell, and (ii) many
Netatmo instances contain several (on average 4 times)
occurrences of port 53 as opposed to only one for Ring Door
bell, which also contributes to Prðwj jci Þ of Netatmo being
greater than that for Ring door bell in (1). Thus, Ring door
bell instances get classified as Netatmo weather station,
warranting a second stage of classification with additional
attributes for improved accuracy.
Blipcare BP Monitor. It uses only two remote port numbers,
namely 8777 and 53, in a total of 13 instances - the port num-
bers appear only once or twice in each instance. Surprisingly,
we see that 80 percent of Blipcare test instances are incorrectly
classified as Ring Door Bell though the remote port number of
8777 is unique to the Blipcare BP monitor. This is because
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS
there are only a very small number of Blipcare instances in
our dataset, which results in a fairly small value of
Prð00 5300 jBlipcareÞ ¼ 0:0203 and Prð00 877700 j BlipcareÞ ¼
0:0294 in (1), and a negligible value of Pr ðBlipcaretrain Þ ¼
0:0003 in (2). On the other hand, Prð00 877700 jRingÞ becomes
very small as the remote port number 8777 is never used by
the Ring Door Bell in our dataset. However, the probability of
Prð00 877700 jRingÞ ¼ 0:0011 in (1) is sufficient enough to maxi-
mize the classifier probability PrðRingjf00 5300 : 1;00 877700 : 1gÞ
in (2), given PrðRingtrain Þ ¼ 0:0097.
Other Devices. Server-side port numbers are empty in
72 percent of instances for Hello Barbie, since it communi-
cates with local devices instead of Internet-based end-points.
Similarly for HP printer (38 percent) and iHome power plug
(10 percent). The lack of server-side port number information
explains why these devices are classified as Dropcam, which
has the highest value of PrðDropcamtrain Þ ¼ 0:0828 in (2). We
note that the confidence level of our stage-0 classifier is fairly
low (i.e., less than 0.4) in these cases, suggesting that the clas-
sifier chooses the most probable class given empty attribute
(i.e., all ntest
j are zero).
5.2.2 Performance of Stage-0: Domain
Names Attribute
We now focus on the stage-0 machine that uses only a bag of
domain-names, which yields an accuracy of 79.48 percent
with a fairly high RRSE value of 57.56 percent, as shown in the
second column in Table 2. In this scenario, more classes suffer
from misclassification (i.e., those with yellow coloured cells)
compared to the previous scenario where only remote port
numbers were considered. The reasons behind the misclassifi-
cation are threefold: (i) since devices from the same manufac-
turer share a collection of domain names, as discussed in
Section 4.2.2, 59.8 percent of Belkin camera test instances are
misclassified as Belkin Motion sensor and 100 percent Belkin
Motion sensor instances are misclassified as Belkin switch.
Similarly, 56.8 percent of Withings scale instances are incor-
rectly classified as Withings sleep sensor, and 12 percent of
Samsung smart cam are misclassified as Samsung Smart-
things. (ii) a significant number of instances from select devi-
ces contain no DNS query entries (e.g., 96.2 percent of HP
printer, 73.4 percent of Samsung Smart Cam, 71.4 percent of
Hello Barbie, 12.5 percent of iHome power plug, 11 percent of
Hue bulb) and are thus incorrectly classified as a Dropcam,
which also rarely generates DNS packets. (iii) the low number
of training instances with domain names leads to poor perfor-
mance (e.g., Blipcare BP meter and Hello Barbie).
5.2.3 Performance of Stage-0: Cipher Suite Attribute
Considering only the cipher suite attribute, this stage-0 clas-
sifier results in a fairly low accuracy of 36.15 percent with a
high RRSE of 86.73 percent, as shown in the third column in
Table 2. Again, the main reason for such poor performance
is the scarcity of cipher suite attribute in the training instan-
ces, though this attribute carries a very strong signature to
uniquely identify an IoT device. Note that many of the IoT
devices do not use secure communication at all and are thus
devoid of this attribute (i.e., have an empty field for it).
Unsurprisingly, instances of devices that exchange cipher
suite fairly frequently including Amazon Echo, Awiar air
quality monitor, Canary camera, Google Chromecast and
Netatmo camera are correctly classified, as shown by the
dark-green color cells in the corresponding column in
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
1755
Table 2. In addition, we find that August doorbell cam is
sharing one of its cipher suite strings (out of total 18) with
Pixstar photoframe, which has a single cipher suite string.
Thus, 21.2 percent of August door bell instances are misclas-
sified as Pixstar photoframe and almost all instances of Pix-
star photoframe are classified as August doorbell.
5.2.4 Performance of Stage-0: Combination
of Attributes
We expect the combination of the three bags of words (port
numbers, domain names, and cipher suites) to significantly
enhances the accuracy of our classifier, as indeed shown by
the fourth column titled “Combined stage-0” in Table 2. The
overall accuracy reaches to 97.39 percent with RRSE of
18.24 percent. It can be seen that the majority of test instances
are correctly classified, except for Hello Barbie. This is because
most of the Hello Barbie attributes are empty in stage-0 and
thus it is classified as Dropcam, as mentioned earlier.
Interestingly, we see that all test instances of Blipcare BP
monitor are classified correctly though the accuracy of indi-
vidual stage-0 was fairly poor. This is because our decision-
tree-based classifier in stage-1 sees a strong correlation
between the outputs of stage-0 classifiers and the actual
class of training instance, even though those outputs (tenta-
tive class) are incorrect—e.g., having the tentative output
from remote port number classifier as Ring door bell, hav-
ing the tentative output from cipher suite classifier as Drop-
cam, and having the confidence level from domain name
classifier less than 0.66 collectively is a strong indication of
Blipcare instance.
5.2.5 Overall Performance
As the last step, we incorporate the outputs from the stage-0
classifiers into stage-1 (without the latter having any notion
of the quantitative attributes from the former), and addi-
tionally include quantitative attributes (flow volume, dura-
tion, rate, sleep time, DNS and NTP intervals). The last
column of Table 2 shows the overall performance of the
classification framework. In this case, the accuracy reaches a
remarkably high value of 99.88 percent, with almost all clas-
ses labeled correctly with a very small value of RRSE at
5.06 percent. Fig. 11 shows the full confusion matrix of our
classification when all the attributes are used in conjunction,
and corroborates that the diagonal entries (corresponding to
correct classification) are all at or very close to 100 percent,
with just two exceptions—the Google Chromecast and the
Hello Barbie. As explained earlier, the Chromecast gets clas-
sified as the Dropcam in some instances, while the Hello
Barbie gets classified as a Hue bulb.
6 REAL-TIME OPERATION IN A NETWORK
Thus far, we have examined the performance of our multi-
stage classifier using off-line analysis on captured traffic
traces (i.e., pcap files). In this section, we discuss how one
can realize a real-time implementation of our system taking
into account the various stages involved in the analysis,
namely attribute collection, machine training, and interpret-
ing the classifier’s output.
6.1 Computing Attributes
Extracting the attributes on-the-fly requires infrastructure
that has sufficient visibility into the traffic flowing on the
1756
Fig. 11. Confusion matrix of our IoT device classification using all attributes (accuracy: 99.88 percent, RRSE: 5.06 percent).
network. Flow related attributes such as flow volume, flow
duration and flow rate can be extracted relatively easily
using network switches that are instrumented with special
hardware-accelerated flow-level analyzers, e.g., NetFlow
capable devices [37]. We therefore deem the extraction cost
of flow related attributes to be fairly low, and show them
via blue color bars in Fig. 12c that depicts the relative costs
and merits of the various attributes.
Attributes including bag of port numbers, sleep-time,
and frequency of DNS/NTP requests can be extracted using
flow-aware network switches with extra computation and
state management. For example, remote port numbers of all
flows associated with a given IoT device need to be
recorded for the bag of port numbers. However, this specific
state is not captured by default in commodity switches. Sim-
ilarly, time intervals between successive UDP packets of
NTP/DNS should be recorded, which requires additional
computation. We therefore associate these attributes with
medium cost, and shown as yellow color bars in Fig. 12c.
Lastly, two of our attributes, namely bag of domain
names and bag of cipher suite strings, can only be extracted
by looking inside the payload of the appropriate packets,
which imposes considerable cost on processing. Thus, we
associate these attributes with high collection cost, and
shown them via red color bars in Fig. 12c.
Having understood the extraction cost of various attrib-
utes, let us now examine the relative importance of the
attributes in classifying the IoT devices. We quantify the
importance of each attribute by employing the select
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 18, NO. 8, AUGUST 2019
attributes tool in Weka with InfoGain attribute evaluator and
Ranker search method. Fig. 12c shows the attributes in
decreasing order of merit score. A high merit score trans-
lates to superior strength in identifying the class of an
instance. We can see that the “flow-volume” is the most
important attribute, followed by “bag of remote port
numbers”, “bag of domain names” and “flow duration”
respectively. The sleep-time and NTP interval are the attrib-
utes with the lowest merit.
Knowing the relative cost and merit of each attribute
allows us to evaluate the performance of our classifier
using: (a) only low cost attributes, (b) combination of low
and medium cost attributes, and (c) all attributes. The
classifier accuracy and RRSE are shown in Table 3. It is
seen that using only low-cost attributes results in 97.85
percent accuracy with an RRSE value of 18.63 percent; the
additional use of medium-cost attributes increases accu-
racy to 99.68 percent and significantly reduces the RRSE
error to 7.7 percent; while including all attributes yields
an overall accuracy of 99.88 percent and RRSE of 5.06 per-
cent. The method can therefore be tuned to achieve
appropriate balance between attribute collection cost and
accuracy/error of classification.
6.2 Training the Machine
The duration of the training data set is another source of
cost incurred by our classification. In Fig. 12a, we plot the
accuracy of the classifier on the left y-axis and the RRSE on
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS
Fig. 12. Operational insights for real-time implementation of our device classifier: (a) Impact of training, (b) confidence-level for correct/incorrect clas-
sification, and (c) importance of attributes.
the right y-axis as a function of the number of days involved
in collecting the training data set. Note that the x-axis is in
log-scale and each day represents 24 instances.
It can be seen that the classifier achieves an overall accu-
racy is 99.28 percent with only one day of training and satu-
rates at 99.76 percent when trained over 16 days. On the
other hand, RRSE drops from 14.43 to 7.5 percent when the
training duration is increased from 1 day to 16 days. It fur-
ther falls to 5.82 percent when we train using 70 percent of
all instances from 128 days. As mentioned in Section 5, the
RRSE value is sensitive to the accuracy of individual classes.
We therefore believe that if there is a balanced number of
instances from various classes, our classifier would perform
better in terms of RRSE.
6.3 Interpreting the Output of Classifier
As discussed in Section 5.1, our classifier generates a confi-
dence level during the testing phase. This can be used as a
measure of reliability for our classifier. If adequate information
is not provided by a test instance then the classifier will choose
a random class (as discussed in Section 5.2.1) with a low confi-
dence level—this can be interpreted as an “unknown” class.
For example, given instances with an empty value for the
cipher suite attribute, the corresponding stage-0 classifier will
output Dropcam class with a confidence value of less than
10 percent - even for Dropcam instances that are classified cor-
rectly the confidence level is low within the same range.
We plot the CCDF of confidence level of our stage-1 clas-
sifier in Fig. 12b for instances classified as correct and incor-
rect. It is clearly seen that the confidence level is always
below 80 percent when an instance is incorrectly classified,
as shown by the red dotted line - the average confidence
level for incorrectly classified instances is 54.22 percent. On
the other hand, our classifier has an average 99.74 percent
confidence level for instances that are correctly classified.
We note that for only a negligible fraction of correctly classi-
fied instances (i.e., 0.37 percent) the confidence level is less
than 80 percent as shown by the blue dashed line. This sug-
gests that we can comfortably rely on our classifier’s output
for a device if it results in a confidence level of greater than
TABLE 3
Impact of Attributes Combination on Performance of Classifier
Accuracy
all attributes 99.88%
low- and medium-cost attributes 99.68%
only low-cost attributes 97.85%
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
1757
80 percent, otherwise we need to collect more traffic (and
richer instances) from that device in order to increase the
confidence level.
To demonstrate the ability of our classifier in detecting
changes of normal behavior, we have launched UDP reflec-
tion and TCP SYN attacks of varying rates on the Samsung
camera. When our classifier is fed these attributes during the
attack, it incorrectly identifies the device, but its confidence-
level drops to less than 50 percent. We note that the confi-
dence level is 100 percent for normal traffic from Samsung
camera, as shown in the last column of Table 2. This is taken
as a sign of anomalous behavior that warrants further inves-
tigation by the network operator.
7 CONCLUSION
Despite the proliferation of IoT devices in smart homes,
enterprises, campuses, and cities around the world, opera-
tors of such environments lack visibility into what IoT devi-
ces are connected to their networks, what their traffic
characteristics are, and whether the devices are functioning
appropriately free from security compromises. This work is
the first to systematically characterize and classify IoT devi-
ces at run-time. We instrumented a smart environment with
28 unique IoT devices and collected traffic traces continu-
ously over 26 weeks. We then statistically characterized the
traffic in terms of activity cycles, signalling patterns, commu-
nication protocols and cipher suites. We developed a multi-
stage machine learning based classification framework that
uniquely identifies IoT devices with over 99 percent accu-
racy. Finally, we evaluated the real-time operational cost,
speed, and accuracy trade-offs of our classification method.
This paper shows that IoT devices can be identified with
high accuracy based on their network behavior, and sets the
stage for future work in detecting misbehaviors resulting
from security breaches in teh smart environment.
ACKNOWLEDGMENTS
Funding for this project was provided by the Australian
Research Council (ARC) Linkage Grant LP150100666.
REFERENCES
RRSE [1] I. Spectrum, Popular Internet of Things forecast of 50 billion devi-
ces by 2020 Is outdated. 2016. [Online]. Available: https://goo.gl/
5.06% 6wSUkk
7.70% [2] Cisco, “Cisco 2017 Midyear Cybersecurity Report,” 2017, https://
18.63% www.cisco.com/c/dam/global/es_mx/solutions/security/pdf/
cisco-2017-midyear-cybersecurity-report.pdf
1758 IEEE TRANSACTIONS ON MOBILE COMPUTING,
[3] A. Schiffer, How a fish tank helped hack a casino, 2017. [Online].
Available: https://goo.gl/SAHxCX
[4] Ms. Smith, University attacked by its own vending machines,
smart light bulbs & 5,000 IoT devices, 2017. [Online]. Available:
https://goo.gl/cdNJnE
[5] S. Alexander and R. Droms, “DHCP Options and BOOTP vendor
extensions,” Internet Requests for Comments, RFC Editor, RFC
2132, Mar. 1997. [Online]. Available: https://tools.ietf.org/rfc/
rfc2132.txt
[6] A. Sivanathan, et al., “Characterizing and classifying IoT traffic in
smart cities and campuses,” in Proc. IEEE Infocom Workshop Smart
Cities Urban Comput., May 2017, pp. 559–564.
[7] S. Notra, et al., “An experimental study of security and privacy
risks with emerging household appliances,” in Proc. M2MSec,
Oct. 2014, pp. 79–84.
[8] F. Loi, et al., “Systematically evaluating security and privacy for
consumer IoT devices,” in Proc. ACM CCS Workshop IoT Security
Privacy, Nov. 2017, pp. 1–6.
[9] I. Andrea, et al., “Internet of Things: Security vulnerabilities and
challenges,” in Proc. IEEE Symp. Comput. Commun., Jul. 2015,
pp. 180–187.
[10] K. Moskvitch, “Securing IoT: In your smart home and your con-
nected enterprise,” Eng. Technol., vol. 12, no. 3, pp. 40–42,
Apr. 2017.
[11] N. Dhanjani, Abusing the Internet of Things: Blackouts, Freakouts, and
Stakeouts. Sebastopol, CA, USA: O’Reilly Media, 2015.
[12] E. Fernandes, et al., “Security analysis of emerging smart home
applications,” in Proc. IEEE Symp. Security Privacy, May 2016,
pp. 636–654.
[13] T. guardian, Why the internet of things is the new magic ingredi-
ent for cyber criminals. 2016. [Online]. Available: https://goo.gl/
MuH8XS
[14] T. Yu, et al., “Handling a trillion (Unfixable) flaws on a Billion devi-
ces: Rethinking network security for the internet-of-things,” in Proc.
Proc. 14th ACM Workshop Hot Topics Netw., Nov. 2015, Art. no. 5.
[15] A. Sivanathan, et al., “Low-cost flow-based security solutions for
smart-home IoT devices,” in Proc. IEEE Int. Conf. Advanced Netw.
Telecommun. Syst., Nov. 2016, pp. 1–6.
[16] A. Moore and D. Zuev, “Internet traffic classification using bayes-
ian analysis techniques,” SIGMETRICS Perform. Eval. Rev., vol. 33,
no. 1, pp. 50–60, Jun. 2005.
[17] M. Iliofotou, et al., “Exploiting dynamicity in graph-based traffic
analysis: Techniques and applications,” in Proc. 5th Int. Conf.
Emerging Netw. Experiments Technol., Dec. 2009, pp. 241–252.
[18] D. Bonfiglio, et al.,“Revealing skype traffic: When randomness
plays with you,” SIGCOMM Comput. Commun. Rev., vol. 37, no. 4,
pp. 37–48, Aug. 2007.
[19] R. Ferdous, et al., “On the use of SVMs to detect anomalies in a
stream of SIP messages,” in Proc. 11th Int. Conf. Mach. Learn. Appl.,
Dec. 2012, pp. 592–597.
[20] M. Z. Shafiq, et al., “A first look at cellular machine-to-machine
traffic: Large scale measurement and characterization,” in Proc.
ACM 12th ACM SIGMETRICS/PERFORMANCE Joint Int. Conf.
Meas. Modeling Comput. Syst., Jun. 2012, pp. 65–76.
[21] N. Nikaein, et al., “Simple traffic modeling framework for
machine type communication,” in Proc. 10th Int. Symp. Wireless
Commun. Syst., Aug. 2013, pp. 1–5.
[22] M. Jadoul, The IoT: The network can make it or break it. 2016.
[Online]. Available: https://insight.nokia.com/iot-network-can-
make-it-or-break-it
[23] M. Simon and Alcatel-Lucent. Architecting Networks: Supporting
IoT, 2014, https://www.slideshare.net/usmanusb/mimos-iot-twg-
day1-session-ii-2nd-speaker-mathew-al
[24] M. Laner, et al., “Traffic models for machine type commu-
nications,” in Proc. 10th Int. Symp. Wireless Commun. Syst.,
Aug. 2013, pp. 1–5.
[25] L. Markus, N. Nikaein, P. Svoboda, M. Popovic, D. Drajic, and
S. Krco, “8 - Traffic models for machine-to-machine (M2M) com-
munications: types and applications,” Machine-to-machine (M2M)
Communications, Woodhead Publishing, pp. 133–154, 2015.
[26] A. Orrevad, “M2M Traffic Characteristics: When Machines Partic-
ipate in Communication,” Inf. Commun. Technol., Stockholm,
Sweden, 2009.
[27] M. Lopez-Martin, et al., “Network traffic classifier with convolu-
tional and recurrent neural networks for internet of things,” IEEE
Access, vol. 5, pp. 18042–18050, 2017.
Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.
VOL. 18, NO. 8, AUGUST 2019
[28] D. Tegeler, et al., “BotFinder: Finding bots in network traffic with-
out deep packet inspection,” in Proc. 8th Int. Conf. Emerging Netw.
Experiments Technol., Dec. 2012, pp. 349–360.
[29] D. McGrew and B. Anderson, “Enhanced telemetry for encrypted
threat analytics,” in Proc. IEEE 24th Int. Conf. Netw. Protocols,
Nov. 2016, pp. 1–6.
[30] B. Anderson and D. McGrew, “Identifying encrypted malware
traffic with contextual flow data,” in Proc. ACM Workshop Artif.
Intell. Security, Oct. 2016, pp. 35–46.
[31] Cisco, 2017. [Online]. Available: https://github.com/cisco/joy
[32] Y. Meidan, et al., “Detection of unauthorized IoT devices using
machine learning techniques,” arXiv, 2017. [Online]. Available:
http://arxiv.org/abs/1709.04647
[33] OpenWrt. 2016. [Online]. Available: https://openwrt.org/
[34] M. Weiss, et al., Time-aware applications, computers, and com-
munication systems. 2015. [Online]. Available: http://dx.doi.org/
10.6028/NIST.TN.1867
[35] A. McCallum and K. Nigam, “A comparison of event models for
naive bayes text classification,” in Proc. Workshop Learn. Text Cate-
gorization, 1998, pp. 41–48.
[36] E. Frank, et al., The WEKA Workbench. Online Appendix for ”Data
Mining: Practical Machine Learning Tools and Techniques”, 4th ed.
San Mateo, CA, USA: Morgan Kaufmann, 2016.
[37] E. Vyncke and C. Paggen, LAN Switch Security: What Hackers Know
About Your Switches. Indianapolis, IN, USA: Cisco Press, 2008.
Arunan Sivanathan received the bachelor’s
degree from the University of Peradeniya, Sri
Lanka, in 2012. He is currently working toward the
PhD degree in the School of Electrical and Tele-
communication Engineering, University of New
South Wales (UNSW Sydney). He later joined the
University of Jaffna, Sri Lanka, as a lecturer from
2013 to 2016. His primary research interests
include security of Internet of Things and data
analytics on machine-to-machine communication.
Hassan Habibi Gharakheili received the BSc
and MSc degrees in electrical engineering from
the Sharif University of Technology in Tehran,
Iran, in 2001 and 2004, respectively, and the PhD
degree in electrical engineering and telecommu-
nications from UNSW in Sydney, Australia, in
2015. He is currently a postdoctoral researcher
with UNSW Sydney. His research interests inclu-
de network architectures, software-defined net-
working, and Internet of Things.
Franco Loi is currently working toward the bach-
elor’s degree in electrical engineering and com-
puter science at the University of New South
Wales in Sydney. His research interest includes
the network security of IoT.
Adam Radford received a first class honors
degree in science, majoring in computer science
from UNSW. He is a distinguished systems engi-
neer at Cisco Systems in Sydney, Australia. His
background is software and automation, having
spent 10 years building and automating campus
networks. He then joined Cisco and has focused
on a variety of technologies including voice, wire-
less, and data center. In recent times, his focus
has been enterprise networks, specifically auto-
mation and programmability.
SIVANATHAN ET AL.: CLASSIFYING IOT DEVICES IN SMART ENVIRONMENTS USING NETWORK TRAFFIC CHARACTERISTICS 1759

Chamith Wijenayake received the BSc degree in
electronic and telecom engineering from the Uni-
versity of Moratuwa, Sri Lanka, in 2007, and the
PhD degree in electrical engineering from the Uni-
versity of Akron, Ohio, in 2014. He is currently a
lecturer with the School of Electrical Engineering
and Telecommunications at UNSW. His research
interests include multidimensional space-time sig-
nal processing for electronically scanned smart
antenna arrays, light field signal processing, local
signal approximations, and FPGA based system
design for DSP applications.
Vijay Sivaraman received the BTech degree from
the Indian Institute of Technology in Delhi, India, in
1994, the MS degree from North Carolina State
University, in 1996, and the PhD degree from the
University of California at Los Angeles, in 2000.
He has worked at Bell-Labs as a student fellow, in
a Silicon Valley start-up manufacturing optical
switch-routers, and as a senior research engineer
at CSIRO in Australia. He is now a professor with
the University of New South Wales in Sydney, Aus-
tralia. His research interests include software
defined networking, network architectures, and
cyber-security particularly for IoT networks.

Arun Vishwanath (SM’15-M’11) received the " For more information on this or any other computing topic,
PhD degree in electrical engineering from the Uni- please visit our Digital Library at www.computer.org/publications/dlib.
versity of New South Wales, Sydney, Australia, in
2011. He is a lead research scientist with IBM
Research in Melbourne, Australia, working in the
area of IoT for energy optimization in smart build-
ings and IoT security. He was a visiting PhD
scholar in the Department of Computer Science,
North Carolina State University, in 2008. His
research interests include areas of IoT applica-
tions, cybersecurity and software defined net-
working. He has received several awards from IBM for outstanding
technical accomplishments. He is the recipient of the Best Paper Award
at the ACM e-Energy 2018 conference, an appointed a Distinguished
Speaker of the ACM, and a senior member of the IEEE.

Authorized licensed use limited to: Birla Institute of Technology and Science. Downloaded on October 05,2024 at 14:43:49 UTC from IEEE Xplore. Restrictions apply.