
Policy-Based Identification of IoT Devices’ Vendor and Type by DNS Traffic Analysis

Chapter in: Policy-Based Autonomic Data Governance

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11550)

Abstract

The explosive growth of IoT devices, and the weak security protection of some of them, makes them an attractive target for attackers: an IoT device can become the weak link through which a secure IT infrastructure is penetrated. The risk is exacerbated by the Bring-Your-Own-Device trend, which lets employees connect their personal devices to an enterprise network. Network administrators currently lack adequate tools to discover and manage the IoT devices in their environments. A good tool for this requirement can be built by adapting natural language interpretation algorithms to network traffic. In this paper, we show that applying algorithms such as Term Frequency - Inverse Document Frequency (TF-IDF) to the domain name resolution process, a first step in nearly every Internet-based communication, is highly effective at identifying IoT devices, their manufacturers and their type. We treat each resolved domain name as a word and the set of domain names queried by a device as a document; comparing such synthetic documents built from a reference data set with those observed in real traffic yields a very effective approach to IoT discovery. Evaluated on a traffic data set, the approach identifies 84% of the instances with an accuracy of 91% for the IoT devices’ vendor, and 100% of the instances with an accuracy of 94% for the IoT devices’ type. We believe that this is the first attempt to apply natural language processing algorithms to traffic analysis, and the promising results could open new avenues for securing and understanding computer networks through such algorithms. These and other techniques require policies that determine how the large volume of data is handled efficiently. By assisting in the detection of potentially malicious devices, this paper contributes to the topic of safe autonomy.


Notes

  1. While IoT-VEN takes as input the set of DNS names queried by an IoT device, IoT-TYP takes the list of DNS names, in which a name may appear multiple times. The difference comes from the fact that IoT-TYP is based on TF/TF-IDF: the term frequency of each DNS name can reflect how important that domain is to the device type.

  2. Similar to the preprocessing in IoT-VEN, we discard *.local domains and queries to common services (e.g., *.ntp.org, *.arpa).
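The following Python is an added worked example written for this page; it is not the authors’ IoT-VEN/IoT-TYP implementation, whose exact scoring rules the page does not publish. It builds the “documents” the abstract describes (each queried name a word, each device’s queries a document), applies the preprocessing of note 2, keeps query repetitions for the TF-IDF type view as note 1 requires, and uses a plain set comparison for the vendor view. The device labels, domain names, the smoothed IDF variant and the Jaccard rule for the set-based vendor view are assumptions made here; the query lists are constructed, so it runs offline with the standard library only.

```python
"""TF-IDF over queried DNS names, illustrating the chapter's IoT-TYP / IoT-VEN idea.

Added example, not the authors' code. Device labels, domain names, the
smoothed IDF formula and the Jaccard rule used for the set-based vendor view
are assumptions made here; the page does not publish the chapter's scoring.
"""
import math
import re
from collections import Counter

# Chapter note 2: discard *.local and common-service names (*.ntp.org, *.arpa).
NOISE = re.compile(r"(^|\.)(local|ntp\.org|arpa)$")

def preprocess(names):
    """Normalise and filter one device's queried names.

    Duplicates are kept on purpose: IoT-TYP scores the *list* (note 1), so the
    term frequency of a name is information. The IoT-VEN view is set(...) of it.
    """
    cleaned = []
    for name in names:
        name = name.strip().lower().rstrip(".")
        if name and not NOISE.search(name):
            cleaned.append(name)
    return cleaned

def term_freq(doc):
    counts = Counter(doc)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()}

def inverse_doc_freq(docs):
    """Smoothed IDF, log((1+N)/(1+df)) + 1, so a name seen in every reference
    document keeps a small positive weight instead of vanishing."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))
    return {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}

def tfidf(doc, idf):
    # A name never seen in the reference set gets weight 0 and cannot vote.
    return {t: w * idf.get(t, 0.0) for t, w in term_freq(doc).items()}

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

# Constructed reference data set (vendor, type, queried names as a resolver log
# would record them). Domain names are invented. The two Bolt devices run the
# same vendor agent and query the same *set* of names; only the frequencies
# differ, which is the situation note 1 describes.
REFERENCE = {
    "acme-cam-1": ("Acme", "camera", ["api.acme-cloud.example"] * 3
                   + ["stream.acme-cloud.example"] * 2
                   + ["fw.acme-cloud.example", "pool.ntp.org", "router.local"]),
    "acme-cam-2": ("Acme", "camera", ["api.acme-cloud.example"]
                   + ["stream.acme-cloud.example"] * 3
                   + ["fw.acme-cloud.example", "time.acme-cloud.example",
                      "1.0.168.192.in-addr.arpa"]),
    "bolt-cam-1": ("Bolt", "camera", ["hub.bolt-iot.example"]
                   + ["video.bolt-iot.example"] * 5
                   + ["update.bolt-iot.example", "energy.bolt-iot.example"]),
    "bolt-plug-1": ("Bolt", "smart-plug", ["hub.bolt-iot.example"] * 4
                    + ["video.bolt-iot.example", "update.bolt-iot.example"]
                    + ["energy.bolt-iot.example"] * 3),
}

class DnsProfileClassifier:
    def __init__(self, reference):
        self.docs = {dev: preprocess(q) for dev, (_, _, q) in reference.items()}
        self.types = {dev: t for dev, (_, t, _) in reference.items()}
        self.idf = inverse_doc_freq(list(self.docs.values()))
        self.vectors = {dev: tfidf(d, self.idf) for dev, d in self.docs.items()}
        # IoT-VEN view: one set of names per vendor, the union over its devices.
        self.vendor_sets = {}
        for dev, (vendor, _, _) in reference.items():
            self.vendor_sets.setdefault(vendor, set()).update(self.docs[dev])

    def classify_vendor(self, queries, threshold=0.5):
        """Set-based vendor view; Jaccard is this example's assumed scoring rule."""
        names = set(preprocess(queries))
        scores = {v: jaccard(names, s) for v, s in self.vendor_sets.items()}
        best = max(scores, key=scores.get, default=None)
        return best if best is not None and scores[best] >= threshold else None

    def classify_type(self, queries, threshold=0.5):
        """IoT-TYP view: nearest reference document by TF-IDF cosine."""
        vec = tfidf(preprocess(queries), self.idf)
        scores = {dev: cosine(vec, ref) for dev, ref in self.vectors.items()}
        best = max(scores, key=scores.get, default=None)
        return self.types[best] if best is not None and scores[best] >= threshold else None

CLASSIFIER = DnsProfileClassifier(REFERENCE)

# Constructed traffic from devices that are not in the reference set.
OBSERVED = {
    "unknown-1": ["hub.bolt-iot.example"] + ["video.bolt-iot.example"] * 4
                 + ["update.bolt-iot.example", "energy.bolt-iot.example",
                    "pool.ntp.org", "laptop.local"],
    "unknown-2": ["api.acme-cloud.example"] * 2
                 + ["stream.acme-cloud.example", "time.acme-cloud.example",
                    "pool.ntp.org"],
    "unknown-3": ["printer.local", "pool.ntp.org", "1.0.168.192.in-addr.arpa"],
}

def identify(queries, classifier=CLASSIFIER):
    """Return (vendor, type); None where no reference profile is close enough."""
    return classifier.classify_vendor(queries), classifier.classify_type(queries)
```

In practice the input is a resolver or passive-DNS query log grouped by client address, with the list of queried names per client passed to identify(). The two Bolt reference devices share one set of names, so a set comparison alone cannot separate camera from plug, whereas the TF-IDF cosine does, which is the point of note 1. The threshold keeps a device with no close profile from being forced onto the nearest one, and a client whose queries are entirely noise (unknown-3) gets no label rather than a wrong one.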


Author information

Corresponding author: Franck Le


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this chapter

Le, F., Ortiz, J., Verma, D., Kandlur, D. (2019). Policy-Based Identification of IoT Devices’ Vendor and Type by DNS Traffic Analysis. In: Calo, S., Bertino, E., Verma, D. (eds) Policy-Based Autonomic Data Governance. Lecture Notes in Computer Science, vol 11550. Springer, Cham. https://doi.org/10.1007/978-3-030-17277-0_10


  • DOI: https://doi.org/10.1007/978-3-030-17277-0_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17276-3

  • Online ISBN: 978-3-030-17277-0

  • eBook Packages: Computer Science (R0)
