Received 29 May 2023, accepted 3 June 2023, date of publication 9 June 2023, date of current version 16 June 2023.

Digital Object Identifier 10.1109/ACCESS.2023.3284542

IoTTFID: An Incremental IoT Device Identification

Model Based on Traffic Fingerprint
QINXIA HAO AND ZHENG RONG
College of Communication and Information Engineering, Xi’an University of Science and Technology, Xi’an, Shaanxi 710054, China
Corresponding author: Zheng Rong ([email protected])

ABSTRACT Driven by 5G communication technology, IoT devices are widely deployed in various scenarios
to provide automated services. However, a large number of IoT devices cannot install strong encryption
suites and become the preferred target of cyber attackers. Specific vulnerabilities target specific types of IoT
devices. Screening and repairing corresponding vulnerabilities based on device information can improve
device protection capabilities. Traditional device identification models are static and have limitations in
the identification range. The model needs to be trained from scratch to identity new types of devices,
which consumes a lot of computing resources and training time. To overcome these limitations, we propose
IoTTFID, an incremental IoT device identification model based on traffic fingerprint. Extract the traffic
fingerprint of the new device, convert it into an input vector after preprocessing, and input it to the original
model to update some network parameters, so that the model has the ability to identify new devices. The
results of evaluation on two open datasets show that the accuracy of IoTTFID is 98.09% on UNSW dataset
and 98.29% on Yourthings dataset, which outperforms the existing methods. IoTTFID has an accuracy rate of
80.4% after five incremental learning stages, and an F1 of over 96% for encrypted IoT devices. IoTTFID can
dynamically adjust with the actual environment to increase the range of identifiable device types, providing
strong support for the security management of IoT devices.

INDEX TERMS IoT, device identification, IoT security, fingerprinting, deep learning.

I. INTRODUCTION periodically generates a large amount of non-encrypted traffic

The development of hardware devices and communication
technologies has led to the widespread deployment of IoT
devices to collect and transmit data, such as homes, airports,
corporate offices, and military bases [1], [2]. However, the
emerging IoT ecosystem brings new challenges to network
security and network management [3], [4]. Constraints exist
in IoT device resources, and strong cryptographic protocols
and complex authentication mechanisms are not suitable for
IoT devices with limited storage and computing resources.
Many devices connected to the Internet are only configured
with simple security rules, making it easy for intruders to use
existing vulnerabilities to launch various types of malicious
attacks [5], [6]. The IEEE 802.11 standard cannot prevent
traffic eavesdropping [7], [8], and IoT device communication
The associate editor coordinating the review of this manuscript and
approving it for publication was Sangsoon Lim . order of the network.
or traffic with a small payload. Attackers analyze network
traffic to obtain device information, and carry out targeted
attacks on the target network [9]. IoT device management
also has potential threats. Different IoT devices use differ-
ent protocols to communicate with vendor servers, which
increases the difficulty of network management. IoT devices
use default passwords everywhere in the network, and weak
password vulnerabilities have a high ranking in the vulner-
ability list [10]. The new IoT botnet Persirai targets more
than 1000 models of IP cameras, but these vulnerable users
are unaware that their IP cameras are exposed on the Inter-
net [11]. In conclusion, IoT device identification is important
for the device itself and other components in the network.
Knowing the detailed information of the device can check
whether the device has specific vulnerabilities and formulate
corresponding remedial measures to maintain the normal

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License.

VOLUME 11, 2023 For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/ 58679
 Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
According to the special behavior pattern of IoT device
communication, researchers analyze device network com-
munication traffic to identify device information [12], [13],
[14], [15]. Their approaches show excellent accuracy in iden-
tifying a fixed number of IoT devices. However, as new
types of devices continue to be connected to the real network
environment, static supervised models cannot identify device
categories outside the training set [16]. To address this prob-
lem, Bao et al. [17] proposed a hybrid supervised and unsu-
pervised learning method, combining deep neural networks
and unsupervised clustering to achieve visible and invisible
device classification. Capture traffic of devices connected to
the network and extract features to build a binary classifier
for each device in the whitelist. The discriminator judges
whether the feature vector is known or not. The clustering
module clusters agnostic feature vectors. This method can
perform secondary classification on unseen device types, but
building a separate classifier for each device would make the
model too large. More devices in the whitelist occupy more
computing resources. Bremler-Barr et al. [18] proposed three
classifiers to identify IoT devices and non-IoT devices. The
first is a classifier based on traffic characteristics, the second
is a classifier based on DHCP protocol information, and the
third is a unified form of the first two classifiers. A DHCP
protocol packet is generated when the device is connected
to the network or IP is updated. The DHCP protocol is not
available in some network configurations. The model does
not classify new devices in more detail, so the context of use
is limited. The model realizes the identification of devices
in an open environment following two conditions: (1) Less
resource consumption. The equipment identification model
should have the ability to update dynamically. New devices
added to the network are iteratively updated on the basis
of the original model, consuming less computing resources.
As the number of new devices in the network continues to
increase, the device identification model should continuously
increase the number of identifiable device types, while the
model occupies less storage resources. (2) Wider identifica-
tion range. The real network communication environment has
encrypted traffic and non-IoT device traffic, so the model
should have the ability to identify devices using encryption
protocols and non-IoT devices in the network.
In this study we design IoTTFID, an incremental IoT
device identification model based on traffic fingerprint.
IoTTFID uses new device traffic fingerprints to update some
network parameters on the basis of the original model,
so that the model has the ability to identify new devices
without forgetting the previous devices. The model applies
equally to devices using encrypted protocols and non-IoT
devices. As the number of identifiable devices increases,
the model only occupies a fixed size of storage resources
without additional resource consumption. IoTTFID solves
the problem of limited number of identifications by tradi-
tional identification models, realizes continuous and uninter-
rupted identification of new devices in an open environment,
58680
and has high scalability and high practicability. It can improve
the device security management capability in the network
environment.
However, there are three challenges in realizing IoTTFID:
(1) It is difficult to extract common traffic fingerprints of gen-
eral IoT devices and encrypted IoT devices. The traffic finger-
prints are preprocessed to generate feature vectors to train the
identification model, so the quality of the traffic fingerprints
directly affects the device identification performance of the
model. (2) As the model keeps learning new device features,
model performance will degrade because it is difficult to
maintain the memory of old devices. (3) As the scope of
model identification increases, resource consumption will
also continue to increase. Excessive resource consumption
will lead to reduced model utility [19].
In response, IoTTFID proposed the following innovative
designs:
1) Device traffic fingerprint extraction. IoT devices com-
municate using a variety of network protocols, includ-
ing encryption protocols [20]. In order to solve the
problem of device fingerprint extraction of different
protocols, we propose a jump-type device fingerprint
extraction algorithm, which jumps and extracts data
packets of the same protocol in the time dimension and
stitches them into a complete session. Extract the data
link layer, network layer, transport layer header charac-
teristics of each data packet in the session, application
layer message characteristics and session global statis-
tical characteristics to generate device fingerprints for
identifying IoT devices. This algorithm is applicable
to both encrypted devices and non-encrypted devices,
which can effectively distinguish different IoT devices.
2) Model forgetting. With the continuous addition of
new devices, the model will forget the knowledge
of old devices, resulting in a decline in identifica-
tion accuracy. To reduce model forgetting, we propose
a multi-protocol representative population selection
strategy. At the end of each incremental learning phase,
a fixed number of samples is selected to be added
to the representative population, which will be part
of the training set for the next incremental learning
phase, so that the model can refer to the old class
samples when updating parameters. As a model param-
eter update condition, the cross-distillation loss func-
tion increases the memory ability of the model for old
devices.
3) Resource consumption. The resource consumption of
the model will increase with the number of devices.
Excessive resource consumption leads to reduced
model practicality [21]. To address this problem,
we design a device identification model based on
Transformer. On the one hand, Transformer has paral-
lel computing capabilities, which can reduce the con-
sumption of model computing resources. On the other
hand, the size of the representative population is fixed.
VOLUME 11, 2023
Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
An increase in the number of devices does not result
in an increase in the size of the representative popula-
tion, so the storage resources for the model remain the
same.
We evaluate the model on the UNSW dataset and
Yourthings dataset. Experiments show that IoTTFID has an
identification accuracy rate of 98.09% on 20 devices in the
UNSW dataset and 98.29% on 30 devices in the Yourthings
dataset, outperforming other methods. In the incremen-
tal learning test, the identification range of IoTTFID was
expanded to 50 devices after 5 incremental learning stages,
with an accuracy rate of 80.4%. Adding five incremental
learning stages in the learning test, the identification range of
IoTTFID is expanded to 50 devices, and the accuracy rate is
80.4%. The model also performs well on the identification of
non-IoT devices and encrypted devices. IoTTFID effectively
solves the problem of limited identification range, and can
continuously increase the identification range of devices in a
dynamic network environment with high persistence and high
scalability.
The rest of the paper is as follows: Section II introduces
related work. Section III introduces our model. Section IV
analyzes the experimental results. Section V conclusions and
future work.
II. RELATED RESEARCH
A. IoT DEVICE IDENTIFICATION MODEL
According to the different methods of obtaining device fin-
gerprints, the identification models of IoT devices are divided
into active identification models and passive identification
models. The active identification model sends a request to the
target address through the probe, uses the rule to match the
response data of the port, and obtains the corresponding soft-
ware service information and hardware device information.
Active identification has the characteristics of fast scanning
speed and wide identification range. Active identification is
mainly used for public Internet exposed surface asset scan-
ning and network asset management. Sending a large number
of detection packets will increase the network load and be
easily intercepted by the defense system. The passive iden-
tification model identifies the device type by capturing the
communication flow of the device and using traffic character-
istic modeling. Passive identification has the characteristics
of high concealment and simple implementation, and does
not bring additional pressure to the network. It is mainly used
for intrusion detection, access authentication, and malicious
attack identification [22].
The passive identification model includes three parts:
traffic capture, traffic processing, and device identification.
Firstly, the traffic of the IoT device is captured at the gateway,
including the initial configuration of the device, communica-
tion between the device and the service provider, and user
instructions. The captured device raw traffic is saved in the
form of pcap files. Then parse the pcap file, extract the charac-
teristics of the device data link layer, network layer, transport
layer, and application layer to generate traffic fingerprints.
VOLUME 11, 2023
Finally, the processed traffic fingerprint is used as a data set
to construct a device identification model based on machine
learning, which is used to identify the device type, model and
other information of IoT devices.
B. INCREMENTAL LEARNING
Incremental learning aims to allow machines to imitate the
human ability to learn new knowledge. The model learns
new concepts through a small number of cases without
forgetting existing knowledge. ‘‘Catastrophic forgetting’’ is
a challenge in incremental learning tasks, and the classic
solution is to introduce knowledge distillation to transfer
knowledge from old models to new ones. Castro et al. [23]
propose that EEIL combines cross-entropy loss and distilla-
tion loss into cross-distillation loss. The new category cal-
culates cross-entropy loss, and the old category calculates
distillation loss and cross-entropy loss, realizing an end-to-
end incremental learning model. Liu et al. [24] propose a
mnemonic training framework to address the category incre-
ment problem by simultaneously learning a classification
model and mnemonic paradigms to make class boundaries
more distinguishable.
The types of devices connected to the network will change
all the time. Traditional machine learning models are static
and cannot adapt to changing networks. The incremental
IoT device identification model we proposed only needs to
fingerprint the traffic of the new device, adding it to the
existing model and update the parameters to adapt to the
newly connected device. The model maintains old knowledge
through a fixed-size representative sample set, and samples
of each class are used only once without additional memory
consumption. Trusted new devices connect to the network
through rapid update models that dynamically adjust the
identification device types. Prevent malicious devices from
posing as normal identities to access the network and spread
network viruses.
C. EXISTING WORKS
The communication flow of the device reflects the behavior
pattern of the device. Traffic identification technology has
attracted widespread attention of researchers in network secu-
rity and traffic engineering in the early days [25], [26]. Traffic
identification is one of the open issues in network security
research [27]. Researchers analyze the traffic of IoT devices
to understand their behavior and improve the security of IoT
devices. Fan et al. [28] proposed AutIoT, a semi-supervised
learning method that employs neural networks to extract
high-dimensional features from traffic. Multi-task learning
to distinguish IoT devices from non-IoT devices, using KS
test to improve the maximum probability performance of the
new model output to classify new types of devices and known
types of devices. Bao et al. [29] classify unseen devices by
means of blended learning. Combining deep neural network
and unsupervised clustering, using autoencoder technology
to reduce the dimensionality of the data set and balance the
58681
 Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint

overhead of classification accuracy. Kostas et al. [30] pro-

pose IoTDevID to classify device behavior using a single data
packet. Importance voting is used to eliminate unnecessary
features during feature extraction. The genetic algorithm is
used to determine the optimal feature subset to reduce the
complexity of the model. The accuracy rate on the Aalto
dataset is 83.30%, and the accuracy rate on the UNSW
dataset is 94.30%. Pashamokhtari et al. [31] develop a traffic
subset output architecture that uses the confidence output of
a multi-classification model to dynamically select a traffic
subset for each device. Two SYN- and DNS-based packet-
level models and one flow-level model are trained to iden-
tify IoT devices. The overall accuracy of the model replay
to the SDN switching simulator to evaluate performance
reaches 99.4%. Sivanathan et al. [32] propose a multi-stage
IoT device identification framework that exploits the sta-
tistical characteristics of network traffic to build machine
learning models. The accuracy rate of the test on the traffic
data of 28 IoT devices that simulates the intelligent environ-
ment reaches 99%. Salman et al. [33] propose a framework
for traffic anomaly detection to identify different types of
IoT and non-IoT attacks. The framework builds a machine
learning model by extracting 4 features from 16 consecutive
data packets to detect device types, traffic types, and attack
types.

III. METHODOLOGY
A. IoTTFID OVERVIEW
The framework of IoTTFID can be seen in Fig. 1. It mainly
consists of four modules: Session Stitching, Traffic Finger-
print Extraction, Device Identification and Device Represen-
tative Population Update.

1) SESSION STITCHING
In network communication, affected by the transmission path,
the sending order of data packets at the sending end is not
necessarily the same as the receiving order of data packets
at the receiving end. The data packets sent by the sender
are transmitted to the receiver along different paths. The
receiving end usually needs to check the seq number and
ack number in the TCP header to confirm the order of the
packets. The out-of-sequence data in different data packets
is reassembled in the correct order to obtain the original
data. After the data is received, the receiving end sends a
confirmation message to the sending end to ensure that all
packet data has been received correctly. This module cap-
tures traffic at the wireless access node and stores it as a
PCAP file. Parses the PCAP file, extracts the same pro-
tocol data packets and stitches them into a complete ses-
sion. Prepare for the next stage of extracting session global
features.
2) TRAFFIC FINGERPRINT EXTRACTION
This module uses the jump-type device fingerprint extraction
algorithm to extract the packet data link layer, network layer,
FIGURE 1. The framework of IoTTFID.
transport layer header field features, application layer mes-
sage features and session global features in the session to gen-
erate device traffic fingerprints. The device traffic fingerprint
is preprocessed and transformed into the input paradigm of
the neural network.
3) DEVICE IDENTIFICATION
The module uses the Transformer framework to build a device
identification model. The timestamp of the data packet is
monotonically increasing, and the application layer message
is of text type, so the data packet sample can be regarded as a
time sequence. Transformer has parallel computing capabil-
ities, which can improve data processing speed and respond
quickly when faced with massive traffic data. Self-attention
mechanism can extract higher-dimensional time-domain fea-
tures of data packet samples to correctly identify relevant
information of devices.

58682 VOLUME 11, 2023

Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint

4) DEVICE REPRESENTATIVE POPULATION UPDATE

The module first uses herding selection [37] to calculate the
distance from the sample point to the average sample in the
sample set. Then the multi-protocol representative population
selection strategy selects the most representative individuals
in the sample set to join the representative population. The
representative population is used as part of the model training
set for the next incremental learning phase. The model is able
to continuously learn new devices while not forgetting knowl-
edge of old devices. The model can be quickly iteratively
updated to achieve the purpose of identifying new devices in
the network environment.

FIGURE 2. A record of packet transmissions by an IoT device over a

B. JUMP-TYPE DEVICE FINGERPRINT EXTRACTION
The device fingerprint is the unique identification of the
device, which exists in the packet header and message of each
layer of the OSI model [34]. Device fingerprints of differ-
ent manufacturers and models are quite different. Extracting
device fingerprints is mainly divided into three parts:
1) PACKET HEADER CHARACTERISTIC
The header contains the header information at the beginning
of the data packet, which is extensible and used to store
special flags associated with the protocol. For example, the
IP header includes IP version number, header length, off-
set, IP checksum, source address, and destination address.
the TCP header includes source port, destination port, TCP
checksum, window size, RST, SYN, FIN, etc.
certain period of time.
the same protocol data packets. A complete session better
reflects the unique communication behavior of a device.
To address this problem, we propose a jump-type device
fingerprint extraction algorithm, as shown in Fig. 3. The
algorithm refers to the protocol used by the highest layer in
the data packet, and splices the same protocol data packets to
generate a complete session. Extract session-level features to
generate device fingerprints.

2) PACKET MESSAGE CHARACTERISTIC

The message refers to the application layer payload, which
is the actual data transmitted by the data packet. Packet fea-
tures mainly include message length, message content, and
information entropy of the message.

3) PACKET STATISTICAL CHARACTERISTIC FIGURE 3. Session-level traffic packet splicing.

Features mainly includes the average length of the data

packet, the maximum and minimum values of the data packet,
and the information entropy of the payload.
Researchers have found that IoT devices often use multi-
ple network protocols to communicate. The entire stream is
divided into several packets to improve communication per-
formance and transmission reliability. Packets travel through
one or more networks along different paths and are eventually
reassembled at their destination. Data packets of different
protocols are transmitted interleavedly. Affected by network
delay, the same protocol data packets are not continuous in
the time dimension. The IoT data packet transmission record
of the device within a certain period of time is shown in Fig. 2.
In the figure, the data packets of protocols such as UDP, TCP,
and TLS are discontinuous in the time dimension.
Previous work to extract device fingerprints only selects
the first few packets or a single packet in the pcap file [12],
[28], [30]. The data packets are discrete, so the method can
only extract local features, ignoring the correlation between
Use the Scapy library to divide the IoT device traffic record
pcap file into data packets P1, P2, P3, . . . , Pn, where n is
the total number of data packets in the pcap file. Analyze
the top layer protocol of the data packet, when the top layer
is the network layer, obtain the network layer protocol, such
as IPv4, IPv6, ICMP protocol; when the uppermost layer is
the transport layer, obtain the transport layer protocol, such
as TCP and UDP protocols; when the uppermost layer is
the application layer, obtain the application layer protocol,
such as HTTP, SSDP, and DNS protocols. The data packets
of the same protocol are spliced together in the order of
increasing timestamp to obtain a complete session of the
protocol. Analyze the header features of the data link layer,
network layer, and transport layer of each data packet in
the session, the message characteristics of the application
layer and the session-level statistical characteristics to gen-
erate device fingerprints as packet_features. The features are
shown in Table 1.

VOLUME 11, 2023 58683

 Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint

TABLE 1. Feature location and feature name. Algorithm 1 Jump-Type Device Fingerprint Extraction
Algorithm
Input: device raw network traffic pcap file
Output: session level dataset session_datasets
Use the Scapy library function to split the pcap file into individual packets
P1, P2, . . . , Pn, where n is the total number of packets in the pcap file.
session_features ← ∅;
session_datasets ← ∅;
for each Pi do
packet_protocol ← Extract the top level protocol in Pi;
packet_length ← Len(Pi);
if P haslayer(IP) then
IP_header_features ← Extract network layer features in
IP headers;
else if P haslayer(TCP) then
TCP_header_features ← Extract transport layer features in TCP
header;
else if P haslayer(UDP) then
UDP_header_features ← Extract transport layer features
in DUP header;
else if P has(Raw_data) then
message_features ← Extract message in application layer
and convert hexadecimal to decimal;
else
ether_features ← Extract data link layer features in Ether frame;
end
packet_features ← IP_header_features ∪ TCP_header_features ∪
UDP_header_features ∪ message_features ∪ ether_features;
The data link layer, network layer, transport layer and if Len(packet_features) ≤ max_len then
application layer features in Table 1 are all special fields packet_features ∪ (‘‘0’’ ∗ (max_len Len(packet_features)));
else
and payloads in the header. In session-level statistical fea- packet_features ← Get the frist max_len beytes in packet_features;
tures, PCK_size indicates the packet length, Payload_bytes end
indicates the packet length, Payload_entropy indicates the end
for each packet_features do
packet entropy value, Session_Protocol indicates the pro- if packet_protocol is same then
tocol used by the session, Padding_size indicates the session_features ← Select the same protocol packets in
padding length, Session_max indicates the maximum packet chronological order and extract session-level statistical features;
session_datasets ∪ session_features;
length in the session, Session_min indicates the minimum end
length of data packets in a session, Session_avg indi- end
cates the average length of session data packets, and Ses- return session_datasets;
sion_median indicates the median length of session data
packets. Algorithm 1 sets the maximum byte length threshold
of packet_features to max_len, fill with 0 when the length
is less than max_len, and intercept to the max_len position
when the length exceeds max_len. Divide the session into
several samples in chronological order, each sample con-
tains N packet_features, and discard the last sample when
the number of packet_features is less than N . The com-
plete algorithm for extracting device fingerprints is shown
in Algorithm 1.
In order to determine the value of max_len, we count the
packet length in the UNSW dataset and Yourthings dataset,
including the minimum packet length, maximum packet
length, average packet length, and median packet length.
The results are shown in Fig. 4. Due to the different lengths
of data packet headers and payloads of different protocols, FIGURE 4. Statistical characteristics of packets in UNSW dataset and
Yourthings dataset.
the length of the data packet is not fixed during transmis-
sion, and the length of the data packet varies greatly. Both
the UNSW dataset and Yourthings dataset have a minimum
packet length of 45 bytes, and the longest packet length the Yourthings dataset is 553, and the median packet length
in both datasets exceeds 2000 bytes. The average length is 366 bytes. Considering comprehensively, the threshold
of packets in the UNSW dataset is 572, and the median value max_len is selected as 500 as the packet segmentation
packet length is 334 bytes. The average packet length in length.

58684 VOLUME 11, 2023

Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
C. MULTIPLE PROTOCOLS REPRESENT POPULATION
SELECTION STRATEGIES
‘‘Catastrophic forgetting’’ is an important problem in incre-
mental learning tasks. One solution is to select several sam-
ples at the end of the incremental task in the current stage
and add them to the training set in the next stage to main-
tain the knowledge previously learned by the model. Current
work [24], [35], [36] reduces the forgetting of the model by
optimizing the population selection strategy. IoT devices use
a variety of protocols for data transmission. Data packets of
different protocols contain different layers of the OSI model
and different message lengths. For example, ICMP exists in
the network layer and has no application layer messages;
DHCP and DNS protocols exist in Application layer, which
can extract the characteristics of application layer packets.
If the individual with the best performance in the sample set
is selected as the representative population, it is easy to ignore
the diversity of the protocol, which will weaken the identifi-
cation effect of the protocol samples in the non-representative
population in the incremental learning task of the next
stage. For example, in the selected representative population,
there are only For DHCP and DNS protocol individuals,
so misjudgment will occur when identifying ICMP protocol
samples.
Aiming at the IoT device identification scenario, we pro-
posed a multi-protocol representative population selection
strategy, and the optimal individuals of different protocols
are selected to join the representative population. Assuming
that the new class sample set of the m-th stage incremen-
tal learning task is Dm = {(xi , yi , pi ) , i ∈ [1, M ] , yi ∈
[n + 1, . . . , n + m], Where x ∈ Rl×d is the input of the
model, l represents the number of data packets in a single
sample, d represents the dimension of the data packet, M
represents the total number of new class samples, m rep-
resents the number of classes, yi and pi respectively indi-
cates the label and protocol type of the i-th sample, and
Nm represents that the total number of individuals in the
population. Extract the protocol type in the sample set Dm Y =y
with the same label y, and calculate the distance FYm=y,P=p (x)
between the individual in the sample set Dm Y =y,P=p of the
protocol p and the average sample of the set based on herding
selection [37]. Sort Dm m
Y =y,P=p according to FY =y,P=p (x) from
Nm
large to small, select the first m×Np samples to join the
representative population, the number of samples selected for
each label y is Nmm , and the number of samples of a certain pro-
tocol p may be insufficient, now Dm m
Y =y is sorted by FY =y (x)
And select several samples to add to the representative
population.
As the number of added categories increases, the
value of Nmm decreases, by deleting the smallest sam-
ples of FYm=y (x) in the sample set Dm Y =y of each label
y to keep the total number of representative popula-
tions constant. The complete algorithm of multi-protocol
representative population selection strategy is shown in
Algorithm 2.
VOLUME 11, 2023
Algorithm 2 Multi-Protocol Representative Population
Selection Strategy
Input: new class samples set Dm , represents the total number of individuals
in the population Nm
Output: representative population memory_samples
Split Dm into d1, d2, . . . , dn, where n ∈ [1, M ], M represents the total
number of sample sets.
memory_samples ← ∅;
labels ← Get all label values in the Dm and duplication;
Nl ← Nm /Len(labels);
for each L in labels do
label_set ← ∅;
L_samples ← Get the sample with label L in the Dm ;
protocols ← Get all protocol values in the L_samples and duplication;
Np ← Nl /Len(protocols);
for each P in protocols do
p_samples ← Get the sample with protocol P in the L_samples;
for each di in p_samples do
fitness_value ← Calculate the fitness value of sample di;
end
p_samples ← Sort the p_samples by fitness_value;
if Len(p_samples) ≥ Np then
p_samples ← Get the frist Np samples;
label_set ∪ p_samples;
else
label_set ∪ p_samples;
end
end
if Len(label_set) ≤ Nl then
label_set ← Select the remaining samples by the fitness value
and make the number up to Nl ;
memory_samples ∪ label_set;
else
memory_samples ∪ label_set;
end
end
return memory_samples;
D. INCREMENTAL IoT DEVICE IDENTIFICATION MODEL
The number of devices connected to a LAN changes from
moment to moment. The addition of new devices is often
accompanied by new threats. How to quickly update existing
models to adapt to identification new devices is an urgent
problem to be solved. Existing machine learning models
trained using device traffic characteristics are static. The
model output categories are limited and cannot predict cat-
egories that are not in the training set. For the addition of new
categories, it is necessary to integrate all the samples of the
old and new categories to retrain the model, and the resource
overhead is huge, which cannot be applied to the actual
network. We design an incremental IoT device identification
model, as shown in Fig. 5. This model combines incremental
learning technology with IoT device identification. When
new device is connected to the network, the traffic of the new
device is captured and processed by Algorithm 1 to obtain a
new class training set. The model only needs to be iteratively
updated on the original basis. Continuously learn new data to
handle new tasks while retaining knowledge from previous
tasks. The fast update speed of the model avoids the trouble
of retraining the model, and solves the problem of device
identification newly added to the network.
58685
 Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint

loss [39] that retains the knowledge of the old class and the
cross-entropy loss that learns the knowledge of the new class
as the cross-distillation loss, the function formula is shown in
Eq. (6)
XF
L (x) = 1 − λ LC (x) + λ LDf (x)


(6)
f =1

where LC (x) is the cross-entropy loss function for com-

FIGURE 5. Incremental IoT device identification model.
puting new and old classes, LDf (x) is the distillation loss
for old classes f , and F is the total number of old classes.
λ ϵ[0, 1) is used to balance LC and LD . The larger the λ , the
Transformer is a model proposed in the field of NLP [38].
stronger the model’s memory of the old class knowledge, and
With the core advantages of parallel training and multi-head
the smaller the λ , the stronger the knowledge ability of the
self-attention mechanism, it is widely used to process tem-
model to learn new tasks. Since there is no old class in the
poral sequences. The Transformer model is divided into two
incremental learning task in the first stage, the value of λ is
parts: Encoder and Decoder. Encoder is a feature extractor,
0 at this time, and the value of λ increases with the increase
and the self-attention mechanism can extract the association
of learning tasks.
information between the current element and all other ele-
The cross-entropy loss function LC (ω) is shown in Eq. (7)
ments. The formula of the multi-head self-attention unit is
shown in Eq. (1)-(2) 1 XN XC
LC (x) = − yi,j log pi,j (x)
 
(7)
N i=1 j=1
MultiHead (Q, K , V ) = Concat (h1 , h2 , . . . , hn ) W O (1)

Q
 where pi,j is the probability of the neural network outputting
hi = Attention QWi , KWiK , VWiV classes j for sample i, yi is the true value of sample i, N is the
(2) total number of samples and C is the number of classes.
The distillation loss function LD (ω) is shown in
Q
where Wi ∈ Rdmodel ×dk , WiK ∈ Rdmodel ×dk , WiV ∈ Eq. (8)-(10)
R model v , W ∈ Rdmodel ×hd v , dmodel represents the dimen-
d ×d O
1 XN XF t−1
LD (x) = − ŷ (x) log pt (x)
 
sions of all hidden layers in the model, dk represents the (8)
N i=1 j=1
dimension of the key vector, dv represents the dimension of
ep̂k (x)/T
the value vector, h represents the number of attention heads, ŷ (x) = PF (9)
p̂j (x)/T
and the self-attention function formula is shown in Eq. (3) j=1 e

QK T
 epk (x)/T
Attention (Q, k, V ) = softmax √ V (3) p (x) = PF (10)
pj (x)/T
dk j=1 e

where Q, K, and V are√ matrices converted from input vectors,
and the function of d k is to prevent the gradient from
disappearing due to too large a dot product. Adding position
coding to the input vector strengthens the input order of the
time series sequence, and the formula of position coding is
shown in Eq. (4)-(5)

pos
 The UNSW dataset [32] records the network communication
PE(pos,2i) = sin 2i/dmodel
(4)
1000  mission uses a variety of protocols, such as DNS, UDP, TCP,
pos
PE(pos,2i+1) = cos (5)
10002i/dmodel
where pos is the position of the current element, i represents
the dimension of the element.
Network traffic packet timestamps are monotonically
increasing. The elements at the current moment are related
to the elements at the previous and subsequent moments.
The content of the application layer message is a time series
sequence of this text type. Therefore we use the Transformer
Encoder layer as the base model for incremental learning.
When the model performs incremental learning tasks,
a distillation loss function is introduced to prevent the model
from ‘‘catastrophic forgetting.’’ Combining the distillation
where p̂k (x) represents the predicted values of the incremental
learning stage t − 1, pk (x) represents stage t models for the
k-th class.
IV. PERFORMANCE ANALYSIS
A. EVALUATION DATASET
traffic of 28 IoT devices within 26 weeks. The data trans-
HTTP, ICMP, etc. Some of these devices have less traffic data,
such as BlipcareBloodPressureMeter, NESTSmokeAlarm,
etc. Finally, we selected 20 devices in the dataset as our
experimental dataset.
The Yourthings dataset [40] contains the traffic generated
by 45 smart home devices in 10 days, among which Amazon
EchoGen1, NestCamera, Withings Home and other devices
use encryption protocols, and we selected 30 of them as the
experimental dataset.
B. TRAFFIC FINGERPRINT MODEL EVALUATION
First, we test the performance of the model after applying
Algorithm 1 on the dataset, where the setting is due to the

58686 VOLUME 11, 2023

Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
imbalance in the number of samples in the dataset, and we
use F1 to evaluate the performance of the model.
TABLE 2. Performance of three methods on UNSW dataset.
Table 2 shows the experimental results of the three methods
on the UNSW dataset. Overall, IoTTFID processed by Algo-
rithm 1 performs best, and its F1 is higher than IoTTFID-base
without Algorithm 1 processing and IoTDevID. Compared
with the other two methods, IoTTFID achieves the highest F1
in 17 out of 20 devices, among which F1 on InsteonCamera
reaches 1, which is higher than IoTDevID at 0.953. The F1 of
IoTTFID on AmazonEcho, Dropcam, NetatmoWeatherSta-
tion, SamsungSmartCam and TP-LinkRouter are all higher
than 99%. Among the three methods for identifying Belk-
inWemoSwitch, the best F1 of IoTTFID-base is 0.969. This
is because BelkinWemoSwitch uses fewer types of proto-
cols during traffic transmission, resulting in more continuous
time stamps for the same protocol data packets. The features
extracted by IoTTFID-base are similar to the session-level
features of IoTTFID, so the performance of IoTTFID-base
is similar to that of IoTTFID, but higher than that of IoT-
DevID. The F1 of IoTTFID on HPPrinter is 0.965, and the
F1 on WithingsAuraSleepSensor is 0.951, which is much
higher than that of IoTDevID. IoTDevID performs better
on Dropcam and SmartThings, where the F1 of Dropcam is
0.998 and the F1 of SmartThings is 0.995. The F1 of IoTTFID
on these two devices is similar to that of IoTDevID, with only
a difference of 0.001 and 0.013.
VOLUME 11, 2023
TABLE 3. IoTTFID performance on Yourthings dataset.
The experimental results of IoTTFID in Yourthings dataset
are shown in Table 3. As the number of experimental
datasets increases, the performance of IoTTFID becomes
more prominent. 10 of the 30 devices have a identifica-
tion accuracy rate of over 99%, namely BelkinNetcam,
D-LinkDCS5009Lcamera, LogitechLogiCircle, NestCam-
era, NestCamIQ, NestGuard, nVidiaShield, SamsungThing-
sHub, Sonos and Wink2Hub. The recall of 28 devices is
higher than 95%, including 3 devices with 100% recall. The
F1 of all devices is above 95%. IoTTFID has achieved a high
F1 on Amazon EchoGen1, NestCamera, Withings Home and
other devices that use encryption protocols. The identifica-
tion precision rate, recall rate and F1 on D-LinkDCS-5009L
camera are all 100%. In summary, IoTTFID can effectively
identify different types of IoT devices, and has high perfor-
mance on different data sets. Performance does not degrade
as the number of devices increases. The model is practical
and extensible.
In order to observe the more detailed identification results
of the model on the device, the confusion matrix of the
two data sets is shown in Fig. 6. Fig. 6(a) is the confu-
sion matrix of the UNSW dataset. We observe that most
of the device samples are correctly identified, and only a
small number of samples are misidentified. Amazon Echo has
6185 samples correctly identified and only 60 samples are
misidentified as other devices. Dropcam has 10000 samples
58687
 Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
FIGURE 6. The confusion matrix of the model on the two datasets. (a) The
confusion matrix of the UNSW dataset. (b) The confusion matrix of the
Yourthings dataset.
correctly identified. Only 50 samples are misidentified as
WithingsAuraSleepSensor. LightBulbsLiFXSmartBulb has a
total of 1010 samples, 990 of which are correctly identi-
fied, 15 samples are misidentified as Laptop, and 5 sam-
ples are misidentified as SamsungSmartCam. 575 samples
of TP-LinkDayNight CloudCamera are correctly identified,
only 5 samples are incorrectly identified as Laptop, and
5 samples are incorrectly identified as SamsungGalaxyTab.
WithingsSmartBabyMonitor has a total of 2590 samples,
of which 2550 samples are correctly identified, and only
40 samples are misjudged. Overall, IoTTFID has a high
identification accuracy rate on 20 devices. IoTTFID can
accurately identify different types of devices. Fig. 5(b) is
the confusion matrix of Yourthings dataset. We observe that
IoTTFID performance is more prominent as the number
of devices increases. Among the Android Tablet samples,
45 samples are misidentified as AppleTV, 50 samples are
misidentified as Gateway, 75 samples are misidentified as
58688
PhilipsHUE Hub, 65 samples are misidentified as Sam-
sungSThings Hub, but 9870 samples are still correctly identi-
fied. LIFXVirtualBulb has a total of 765 samples, all of which
are correctly identified without misjudgment. 55 out of 10050
NestCamIQ samples are misidentified as AppleTV (4thGen),
5 samples are misidentified as AndroidTablet, 5 samples are
misidentified as GoogleOnHub, but 9985 samples are cor-
rectly identified. This is because some devices have similar
functions or header field configurations when communicat-
ing. Among the 2530 samples of WithingsHome, 2435 sam-
ples are correctly identified, 95 samples are misidentified,
5 samples are misidentified as BoseSoundTouch10, 5 sam-
ples are misidentified as Canary, 35 samples are misidentified
as GoogleOnHub, 5 samples are misidentified as Logitech-
LogiCircle, 5 samples are misidentified as SamsungSThing-
sHub, and 35 samples are misidentified as SamsungSmartTV.
Overall, the accuracy of model identification is high, and it
can accurately identify devices from different manufacturers
and devices of different models from the same manufacturer.
Identifying encrypted devices also has a better performance,
demonstrating that our method can ignore encrypted content
using session-level features.
TABLE 4. Comparison with previous works.
We compare with previous work in terms of accuracy,
training time and data level. The experimental results are
shown in Table 4. The data levels of IoTDevID, paper [32]
and DeviceMien are data packets, and the three methods iden-
tify devices by extracting the internal features of data packets.
The test results on the UNSW dataset show that IoTDevID
achieved an accuracy rate of 94.30%, paper [32] achieved
an accuracy rate of 86.28%, and DeviceMien achieved an
accuracy rate of 97.47%. The data level of paper [42] is the
protocol, and the device identification method is constructed
by using the characteristics of the application layer protocol.
The accuracy rate on the UNSW dataset is 97.51%. Our
method data level is session, by extracting session internal
features and global feature identification device, the accu-
racy rate is the highest among the five methods, method
achieved an accuracy rate of 98.09% on the UNSW dataset
and 98.29% on the Yourthings dataset. In terms of train-
ing time, our method uses the Transformer neural network,
and its parallel computing capability saves a lot of train-
ing time. The training time on the two data sets is much
shorter than other methods. The training time is 538 seconds
on the UNSW dataset and 546 seconds on the Yourthings
dataset.
VOLUME 11, 2023
Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
FIGURE 7. Evaluation of the proposed incremental identification model.
(a) 5 classes. (b) 10 classes. (c) 25 classes.
C. INCREMENTAL MODEL EVALUATION
In this section, we merge UNSW dataset and Yourthings
dataset. There are 50 IoT devices in the complete dataset.
We split the 50 classes into 5, 10, 25 classes in random order,
resulting in 10, 5, 2 incremental stages. In each incremental
stage, we use the test set corresponding to all classes in the
current training set to evaluate the model, and the experimen-
tal results use different random classification sequences to
test ten times and take the average value. We use standard
gradient descent to train the network. The learning rate is set
to 0.01, the momentum is set to 0.9, the weight decay is set to
0.0001, each incremental stage is trained for 40 epochs, and
the batch size is set to 512. The ratio of training set to test set
is 4:1 for each class.
VOLUME 11, 2023
TABLE 5. The performance of the model when the incremental class is 10.
We set up three methods and tested them on the dataset.
EEIL-RANDOM and EEIL-FIXED use two classic sample
selection strategies in the article [33], which is a widely used
method in the field of incremental learning. Among them,
EEIL-RANDOM uses a random selection sample strategy,
and EEIL-FIXED uses a fixed selection sample strategy,
IoTTFID uses the sample selection strategy of Algorithm 2.
The experimental results are shown in the Fig. 6.
Fig. 7 shows IoTTFID has achieved better results, and the
red dashed line represents the effect when incremental learn-
ing is not used. The problem of ‘‘catastrophic forgetting’’
is inevitable. With the continuous addition of new classes,
the data imbalance between old and new classes increases,
and the performance of all methods gradually decreases with
the increase of incremental steps. Fig. 7(a) introduce the
incremental stage is 10, the first 5 stages of EEIL-RANDOM
are close to IoTTFID. The performance loss of IoTTFID in
the last five stages is less, and it has widened the gap with
the other two methods. This is because the use of Algo-
rithm 2 represents a richer population diversity and is more
robust in resisting model forgetting. Due to the fixed quantity
selected each time, the EEIL-FIXED performs poorly when
there are many incremental stages. At the end of the final
10-increment stage, IoTTFID achieves an accuracy of 78.3%,
outperforming the EEIL-RANDOM and EEIL-FIXED strat-
egy by 10% and 18.1%, respectively. In Fig. 7(b) introduce
the incremental stage is 5, the EEIL-FIXED is higher than the
other two methods in the first stage, and then the performance
decreases. EEIL-RANDOM is similar to IoTTFID in the
second stage, and the performance in the third stage is only
reduced by 1.6%, then it drops faster. IoTTFID performed
better at 20, 30, 40, and 50 classes, as detailed records are
shown in the Table 5, and finally still had an accuracy rate of
80.4%, which was higher than the other two methods. When
there are only two incremental stages in Fig. 7(c), there is little
difference between the three methods, and IoTTFID performs
slightly better.
V. CONCLUSION AND FUTURE WORK
In this study we propose IoTTFID, an incremental IoT device
identification model based on traffic fingerprints. IoTTFID
extracts new device traffic fingerprints to generate feature
vectors, and updates some network parameters on the basis of
the original model to have the ability to identify new devices,
effectively solving the problem of limited identification range
of device identification models. The IoTTFID is evaluated on
the UNSW dataset and Yourthings dataset. The experimental
results show that the accuracy rate of IoTTFID on the UNSW
dataset is 98.09%, and the accuracy rate on the Yourthings
58689
 Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint
dataset is 98.29%. After five incremental learning stages,
it still achieves 80.4% accuracy on 50 devices, outperform-
ing existing models. The F1 of IoTTFID on encrypted IoT
devices can reach more than 96%. In addition, the experi-
mental results prove that our model can increase the range
of device identification without retraining, and overcome the
problems of resource consumption and model forgetting. The
model has high performance and high scalability.
In future work, we will collect more protocols of IoT device
communication traffic for experiments, including IoT devices
using TCP/IP protocol communication, smart terminals using
ZigBee, Bluetooth and other protocols. We can further extend
to unsupervised models for identifying unknown devices. The
model will be deployed to various network environments
for training, increasing the learning ability of the model and
making it adapt to more complex open network environments.
DATA AVAILABILITY
The data used to support the fndings of this study are available
from the corresponding author upon request.
CONFLICTS OF INTEREST
The authors declare that they have no conficts of interest.
ACKNOWLEDGMENT
The authors would like to thank their supervisor, Qinxia Hao,
for her guidance through each stage of the process.
REFERENCES
[1] N. Mishra and S. Pandya, ‘‘Internet of Things applications, security
challenges, attacks, intrusion detection, and future visions: A systematic
review,’’ IEEE Access, vol. 9, pp. 59353–59377, 2021.
[2] I. H. Sarker, A. I. Khan, Y. B. Abushark, and F. Alsolami, ‘‘Internet of
Things (IoT) security intelligence: A comprehensive overview, machine
learning solutions and research directions,’’ Mobile Netw. Appl., pp. 1–17,
Mar. 2022, doi: 10.1007/s11036-022-01937-3.
[3] J. Telo, ‘‘Smart city security threats and countermeasures in the context
of emerging technologies,’’ Int. J. Intell. Automat. Comput., vol. 6, no. 1,
pp. 31–45, 2023.
[4] I. Butun, P. Österberg, and H. Song, ‘‘Security of the Internet of Things:
Vulnerabilities, attacks, and countermeasures,’’ IEEE Commun. Surveys
Tuts., vol. 22, no. 1, pp. 616–644, 1st Quart., 2020.
[5] L. Zhang, L. Gong, and H. Qian, ‘‘An effiective IoT device identification
using machine learning algorithm,’’ in Proc. IEEE 6th Int. Conf. Comput.
Commun. (ICCC), Chengdu, China, Dec. 2020, pp. 874–877.
[6] F. John Dian, R. Vahidnia, and A. Rahmati, ‘‘Wearables and the Internet of
Things (IoT), applications, opportunities, and challenges: A survey,’’ IEEE
Access, vol. 8, pp. 69200–69211, 2020.
[7] B. Bellalta, L. Bononi, R. Bruno, and A. Kassler, ‘‘Next generation IEEE
802.11 wireless local area networks: Current status, future directions and
open challenges,’’ Comput. Commun., vol. 75, pp. 1–25, Feb. 2016.
[8] R. Nazir, A. A. Laghari, K. Kumar, K. Kumar, S. David, and M. Ali,
‘‘Survey on wireless network security,’’ Arch. Comput. Methods Eng.,
vol. 29, pp. 1591–1610, Jul. 2021.
[9] I. Hafeez, M. Antikainen, A. Y. Ding, and S. Tarkoma, ‘‘IoT-KEEPER:
Detecting malicious IoT network activity using online traffic analysis at
the edge,’’ IEEE Trans. Netw. Service Manage., vol. 17, no. 1, pp. 45–59,
Mar. 2020.
[10] J. Kotak and Y. Elovici, ‘‘IoT device identification using deep learning,’’
in Proc. 13th Int. Conf. Comput. Intell. Secur. Inf. Syst., Burgos, Spain,
Sep. 2021, pp. 76–86.
[11] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, ‘‘DDoS in the IoT:
Mirai and other botnets,’’ Computer, vol. 50, no. 7, pp. 80–84, 2017.
58690
[12] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A. Sadeghi, and
S. Tarkoma, ‘‘IoT SENTINEL: Automated device-type identification for
security enforcement in IoT,’’ in Proc. IEEE 37th Int. Conf. Distrib. Com-
put. Syst. (ICDCS), Atlanta, GA, USA, Jun. 2017, pp. 2177–2184.
[13] L. Bai, L. Yao, S. S. Kanhere, X. Wang, and Z. Yang, ‘‘Automatic device
classification from network traffic streams of Internet of Things,’’ in
Proc. IEEE 43rd Conf. Local Comput. Netw. (LCN), Chicago, IL, USA,
Oct. 2018, pp. 1–9.
[14] S. Marchal, M. Miettinen, T. D. Nguyen, A. Sadeghi, and N. Asokan,
‘‘AuDI: Toward autonomous IoT device-type identification using peri-
odic communication,’’ IEEE J. Sel. Areas Commun., vol. 37, no. 6,
pp. 1402–1412, Jun. 2019.
[15] A. Aksoy and M. H. Gunes, ‘‘Automated IoT device identification using
network traffic,’’ in Proc. IEEE Int. Conf. Commun. (ICC), Shanghai,
China, May 2019, pp. 1–7.
[16] Y. Liu, J. Wang, J. Li, S. Niu, and H. Song, ‘‘Machine learning for the
detection and identification of Internet of Things devices: A survey,’’ IEEE
Internet Things J., vol. 9, no. 1, pp. 298–320, Jan. 2022.
[17] J. Bao, B. Hamdaoui, and W. Wong, ‘‘IoT device type identification
using hybrid deep learning approach for increased IoT security,’’ in Proc.
Int. Wireless Commun. Mobile Comput. (IWCMC), Limassol, Cyprus,
Jun. 2020, pp. 565–570.
[18] A. Bremler-Barr, H. Levy, and Z. Yakhini, ‘‘IoT or NoT: Identifying IoT
devices in a short time scale,’’ in Proc. IEEE/IFIP Netw. Oper. Manage.
Symp. (NOMS), Budapest, Hungary, Apr. 2020, pp. 1–9.
[19] F. Yin, L. Yang, J. Ma, Y. Zhou, Y. Wang, and J. Dai, ‘‘Identifying IoT
devices based on spatial and temporal features from network traffic,’’
Secur. Commun. Netw., vol. 2021, pp. 1–16, Nov. 2021.
[20] N. Ammar, L. Noirie, and S. Tixeuil, ‘‘Network-protocol-based IoT device
identification,’’ in Proc. 4th Int. Conf. Fog Mobile Edge Comput. (FMEC),
Shanghai, China, May 2019, pp. 204–209.
[21] L. Fan, L. He, Y. Wu, S. Zhang, Z. W. Wang, J. Li, J. Yang, C. Xiang, and
X. Ma, ‘‘AutoIoT: Automatically updated IoT device identification with
semi-supervised learning,’’ IEEE Trans. Mobile Comput., early access,
Jun. 14, 2022, doi: 10.1109/TMC.2022.3183118.
[22] H. Tahaei, F. Afifi, A. Asemi, F. Zaki, and N. B. Anuar, ‘‘The rise of traffic
classification in IoT networks: A survey,’’ J. Netw. Comput. Appl., vol. 154,
Mar. 2020, Art. no. 102538.
[23] F. M. Castro, M. J. Marín-Jiménez, N. Guil, C. Schmid, and K. Alahari,
‘‘End-to-end incremental learning,’’ in Proc. Eur. Conf. Comput. Vis.
(ECCV), Munich, Germany, 2018, pp. 233–248.
[24] Y. Liu, Y. Su, A. Liu, B. Schiele, and Q. Sun, ‘‘Mnemonics training: Multi-
class incremental learning without forgetting,’’ in Proc. IEEE/CVF Conf.
Comput. Vis. Pattern Recognit. (CVPR), New York, NY, USA, Jun. 2020,
pp. 12242–12251.
[25] L. Bernaille, R. Teixeira, I. Akodkenou, A. Soule, and K. Salamatian,
‘‘Traffic classification on the fly,’’ ACM SIGCOMM Comput. Commun.
Rev., vol. 36, no. 2, pp. 23–26, Apr. 2006.
[26] A. Dainotti, A. Pescape, and K. C. Claffy, ‘‘Issues and future directions in
traffic classification,’’ IEEE Netw., vol. 26, no. 1, pp. 35–40, Jan. 2012.
[27] J. Zhang, X. Chen, Y. Xiang, W. Zhou, and J. Wu, ‘‘Robust network traffic
classification,’’ IEEE/ACM Trans. Netw., vol. 23, no. 4, pp. 1257–1270,
Aug. 2015.
[28] L. Fan, L. He, Y. Wu, S. Zhang, Z. W. Wang, J. Li, J. Yang, C. Xiang, and
X. Ma, ‘‘AutoIoT: Automatically updated IoT device identification with
semi-supervised learning,’’ IEEE Trans. Mobile Comput., early access,
Jun. 14, 2022, doi: 10.1109/TMC.2022.3183118.
[29] J. Bao, B. Hamdaoui, and W. Wong, ‘‘IoT device type identification using
hybrid deep learning approach for increased IoT security,’’ in Proc. Int.
Wireless Commun. Mobile Comput. (IWCMC), Xi’an, China, Jun. 2020,
pp. 565–570.
[30] K. Kostas, M. Just, and M. A. Lones, ‘‘IoTDevID: A behavior-based device
identification method for the IoT,’’ IEEE Internet Things J., vol. 9, no. 23,
pp. 23741–23749, Dec. 2022.
[31] A. Pashamokhtari, H. H. Gharakheili, and V. Sivaraman, ‘‘Progressive
monitoring of IoT networks using SDN and cost-effective traffic signa-
tures,’’ in Proc. Workshop Emerg. Technol. Secur. IoT (ETSecIoT), Sydney,
NSW, Australia, Apr. 2020, pp. 1–6.
[32] A. Sivanathan, H. H. Gharakheili, F. Loi, A. Radford, C. Wijenayake,
A. Vishwanath, and V. Sivaraman, ‘‘Classifying IoT devices in smart
environments using network traffic characteristics,’’ IEEE Trans. Mobile
Comput., vol. 18, no. 8, pp. 1745–1759, Aug. 2019.
VOLUME 11, 2023
Q. Hao, Z. Rong: IoTTFID: An Incremental IoT Device Identification Model Based on Traffic Fingerprint

[33] O. Salman, I. H. Elhajj, A. Chehab, and A. Kayssi, ‘‘A machine learn- [42] R. Kumar, M. Swarnkar, G. Singal, and N. Kumar, ‘‘IoT network traffic
ing based framework for IoT device identification and abnormal traffic classification using machine learning algorithms: An experimental analy-
detection,’’ Trans. Emerg. Telecommun. Technol., vol. 33, no. 3, p. e3743, sis,’’ IEEE Internet Things J., vol. 9, no. 2, pp. 989–1008, Jan. 2022.
Mar. 2022.
[34] S. Kumar, S. Dalal, and V. Dixit, ‘‘The OSI model: Overview on the seven
layers of computer networks,’’ Int. J. Comput. Sci. Inf. Technol. Res., vol. 2,
no. 3, pp. 461–466, 2014.
[35] J. Bang, H. Kim, Y. Yoo, J. Ha, and J. Choi, ‘‘Rainbow memory: Continual QINXIA HAO received the Ph.D. degree, in 2022.
learning with a memory of diverse samples,’’ in Proc. IEEE/CVF Conf. She is currently a Master Tutor with the College
Comput. Vis. Pattern Recognit. (CVPR), New York, NY, USA, Jun. 2021, of Communication and Information Engineering,
pp. 8214–8223. Xi’an University of Science and Technology. Her
[36] C. Zhang, N. Song, G. Lin, Y. Zheng, P. Pan, and Y. Xu, ‘‘Few-shot incre- research interests include the IoT applications and
mental learning with continually evolved classifiers,’’ in Proc. IEEE/CVF data security decisions.
Conf. Comput. Vis. Pattern Recognit. (CVPR), New York, NY, USA,
Jun. 2021, pp. 12450–12459.
[37] M. Welling, ‘‘Herding dynamical weights to learn,’’ in Proc. 26th Annu.
Int. Conf. Mach. Learn., New York, NY, USA, Jun. 2009, pp. 1121–1128.
[38] A. Vaswani, N. Shazeer, N. Parmar, J. Uszkoreit, L. Jones, A. N. Gomez,
Ł. Kaiser, and I. Polosukhin, ‘‘Attention is all you need,’’ in Proc. Adv.
Neural Inf. Process. Syst., 2017, pp. 5998–6008.
[39] G. Hinton, O. Vinyals, and J. Dean, ‘‘Distilling the knowledge in a neural ZHENG RONG was born in Henan, China,
network,’’ Comput. Sci., vol. 14, no. 7, pp. 38–39, 2015. in 1998. He is currently pursuing the mas-
[40] O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose, ‘‘SoK: Secu- ter’s degree with the College of Communication
rity evaluation of home-based IoT deployments,’’ in Proc. IEEE and Information Engineering, Xi’an University of
Symp. Secur. Privacy (SP), San Francisco, CA, USA, May 2019, Science and Technology. His research interests
pp. 1362–1380. include cyber security and cyberspace exploration.
[41] J. Ortiz, C. Crawford, and F. Le, ‘‘DeviceMien: Network device behav-
ior modeling for identifying unknown IoT devices,’’ in Proc. Int. Conf.
Internet Things Design Implement., New York, NY, USA, Apr. 2019,
pp. 106–117.

VOLUME 11, 2023 58691