Abstract
The explosive growth of IoT devices, together with the weak security protection of some types of devices, makes them an attractive target for attackers: an IoT device can become the weak link through which an otherwise secure IT infrastructure is penetrated. The risk is exacerbated by the Bring-Your-Own-Device trend, which lets employees connect their personal devices to an enterprise network. Network administrators currently lack adequate tools to discover and manage the IoT devices in their environments. Such a tool can be built by adapting natural language interpretation algorithms to network traffic. In this paper, we show that applying algorithms such as Term Frequency - Inverse Document Frequency (TF-IDF) to the domain name resolution process, a first step in almost every Internet-based communication, can be highly effective at identifying IoT devices, their manufacturers and their type. We treat each domain name being resolved as a word and the set of domain names queried by a device as a document; comparing the synthetic documents built from a reference data set against those built from real traffic yields a very effective approach to IoT discovery. Evaluation on a traffic data set shows that the approach identifies 84% of the instances with an accuracy of 91% for the IoT devices' vendor, and 100% of the instances with an accuracy of 94% for the IoT devices' type. We believe this is the first attempt to apply natural language processing algorithms to traffic analysis, and the promising results could open new avenues for securing and understanding computer networks through such algorithms. These and other techniques require policies that determine how the large volume of data is handled efficiently. By assisting in the detection of potentially malicious devices, this paper contributes to the topic of safe autonomy.
Notes
- 1.
While IoT-VEN takes as input the set of DNS names queried by an IoT device, IoT-TYP takes the list of queried names, in which a DNS name may appear multiple times. The difference arises because IoT-TYP is based on TF/TF-IDF: the term frequency of each DNS name reflects how important that domain is to the device type.
- 2.
Similar to the preprocessing in IoT-VEN, we discard *.local domains, and queries to common services (e.g., *.ntp.org, *.arpa).
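As an added example that is not code from the paper, the following Python sketch implements the workflow the abstract and the two notes above describe: each queried domain name is a word, a device's queries form a document, reference documents are weighted with TF-IDF, and an unknown device is assigned the label of the closest reference document. The vendor classifier uses the set of names (every term weighted once) and the type classifier uses the list (repeated queries raise a term's frequency), and *.local, *.ntp.org and *.arpa names are discarded first. Everything else is an assumption made here rather than a detail the page states: the vendor and domain names (reserved .example names), the query logs, the smoothed IDF formula, the merging of all reference devices with the same label into one document, cosine similarity as the comparison, and the similarity threshold below which a device is reported as unknown.

```python
import math
from collections import Counter, defaultdict

# Suffixes dropped before building a device's document (note 2 above lists these
# as examples; the exact list a deployment uses is an assumption).
IGNORED_SUFFIXES = (".local", ".ntp.org", ".arpa")

# Constructed reference data: hypothetical vendors, reserved .example names,
# not the paper's data set. Tuples are (vendor, device type, queried names in order).
REFERENCE_DEVICES = [
    ("Acme", "camera", ["api.acme.example", "fw.acme.example", "stream.cdn.example",
                        "stream.cdn.example", "stream.cdn.example", "time.cloud.example",
                        "0.pool.ntp.org", "gateway.local"]),
    ("Acme", "smart-plug", ["api.acme.example", "fw.acme.example", "relay.plugs.example",
                            "relay.plugs.example", "time.cloud.example", "1.pool.ntp.org"]),
    ("Zeta", "camera", ["cloud.zeta.example", "stream.cdn.example", "stream.cdn.example",
                        "stream.cdn.example", "stream.cdn.example", "time.cloud.example",
                        "1.0.168.192.in-addr.arpa"]),
    ("Zeta", "smart-plug", ["cloud.zeta.example", "relay.plugs.example", "relay.plugs.example",
                            "relay.plugs.example", "time.cloud.example"]),
]

# Constructed queries from a device not in the reference set.
UNKNOWN_DEVICE = ["api.acme.example", "stream.cdn.example", "stream.cdn.example",
                  "stream.cdn.example", "stream.cdn.example", "stream.cdn.example",
                  "time.cloud.example", "2.pool.ntp.org", "printer.local"]


def keep_domain(name):
    """True if a queried name should contribute to the device's document."""
    return not name.lower().rstrip(".").endswith(IGNORED_SUFFIXES)


def to_document(queries, use_counts):
    """Bag of words for one device. use_counts=False keeps only the set of names
    (IoT-VEN); use_counts=True keeps term frequencies (IoT-TYP), per note 1."""
    names = [q.lower().rstrip(".") for q in queries if keep_domain(q)]
    return Counter(names) if use_counts else Counter(set(names))


class TfIdfClassifier:
    def __init__(self, labelled_queries, use_counts):
        self.use_counts = use_counts
        merged = defaultdict(list)          # one document per label (assumption)
        for label, queries in labelled_queries:
            merged[label].extend(queries)
        self.docs = {lbl: to_document(q, use_counts) for lbl, q in merged.items()}
        n = len(self.docs)
        df = Counter(term for doc in self.docs.values() for term in doc)
        # Smoothed IDF: a name seen in every reference document still keeps a small weight.
        self.idf = {t: math.log((1 + n) / (1 + d)) + 1 for t, d in df.items()}
        self.vectors = {lbl: self._vector(doc) for lbl, doc in self.docs.items()}

    def _vector(self, doc):
        total = sum(doc.values()) or 1
        # Names never seen in the reference set have no IDF and carry no signal.
        return {t: (c / total) * self.idf[t] for t, c in doc.items() if t in self.idf}

    @staticmethod
    def _cosine(a, b):
        dot = sum(w * b.get(t, 0.0) for t, w in a.items())
        na = math.sqrt(sum(w * w for w in a.values()))
        nb = math.sqrt(sum(w * w for w in b.values()))
        return dot / (na * nb) if na and nb else 0.0

    def classify(self, queries, min_similarity=0.0):
        """(label, similarity) of the closest reference document; (None, best)
        when nothing reaches the threshold, so the device is reported as unknown."""
        vec = self._vector(to_document(queries, self.use_counts))
        best_label, best = None, 0.0
        for label, ref in self.vectors.items():
            score = self._cosine(vec, ref)
            if score > best:
                best_label, best = label, score
        return (best_label, best) if best >= min_similarity and best_label else (None, best)


def build_classifiers(reference=REFERENCE_DEVICES):
    vendor_clf = TfIdfClassifier([(v, q) for v, _, q in reference], use_counts=False)
    type_clf = TfIdfClassifier([(t, q) for _, t, q in reference], use_counts=True)
    return vendor_clf, type_clf


def identify(queries, min_similarity=0.3):
    vendor_clf, type_clf = build_classifiers()
    vendor, vs = vendor_clf.classify(queries, min_similarity)
    dtype, ts = type_clf.classify(queries, min_similarity)
    return {"vendor": vendor, "vendor_score": round(vs, 3),
            "type": dtype, "type_score": round(ts, 3)}


if __name__ == "__main__":
    print(identify(UNKNOWN_DEVICE))
    print(identify(["3.pool.ntp.org", "nas.local"]))  # nothing left after filtering
```

In this constructed data both vendors' cameras share a streaming CDN name and both vendors sell plugs, so the set of names (vendor classifier) separates Acme from Zeta, while the frequency of the shared streaming name (type classifier) separates cameras from plugs; a device whose queries are all filtered out, or that overlaps no reference document, comes back as unknown rather than being forced onto the nearest label. In practice the reference documents would be built from captured traffic of devices whose vendor and type are already known.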
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Le, F., Ortiz, J., Verma, D., Kandlur, D. (2019). Policy-Based Identification of IoT Devices' Vendor and Type by DNS Traffic Analysis. In: Calo, S., Bertino, E., Verma, D. (eds) Policy-Based Autonomic Data Governance. Lecture Notes in Computer Science, vol 11550. Springer, Cham. https://doi.org/10.1007/978-3-030-17277-0_10
DOI: https://doi.org/10.1007/978-3-030-17277-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17276-3
Online ISBN: 978-3-030-17277-0