Find My IoT Device – An Efficient and Effective Approximate Matching Algorithm to Identify IoT Traffic Flows

Digital Forensics and Cyber Crime (2022)

Abstract
Internet of Things (IoT) devices have become more and more popular as they are limited in terms of resources, designed to serve only one specific purpose, and hence cheap. However, their profitability comes with the difficulty of patching them. Moreover, the IoT topology is often not well documented. Thus, IoT devices form a popular attack vector in networks. Because documentation is so widely missing, vulnerable IoT network components must be quickly identified and located during an incident and a network forensic response. In this paper, we present a novel approach to efficiently and effectively identify a specific IoT device by using approximate matching applied to network traffic captures. Our algorithm is called Cu-IoT and is publicly available. Cu-IoT is superior to previous machine-learning approaches because it does not require feature extraction and a learning phase. Furthermore, in the case of 2 out of 3 datasets, Cu-IoT also outperforms a hash-based competitor. We present an in-depth evaluation of Cu-IoT on different IoT datasets and achieve a classification performance of almost 100% in terms of accuracy, recall, and precision, respectively, for the first dataset (Active Data), almost 99% accuracy and 84% precision and recall, respectively, for the second dataset (Setup Data), and almost 100% accuracy and 90% precision and recall, respectively, for the third dataset (Idle Data).
Keywords
Internet of Things (IoT), IoT device, Device classification, Device identification, Network forensics, Network traffic fingerprinting, Approximate matching, Multi Resolution Hashing (MRSH), Cuckoo filter