IoTFinder: Efficient Large-Scale Identification of IoT Devices via Passive DNS Traffic Analysis

Roberto Perdisci

Patty and D.R. Grimes Distinguished Professor in Computer Science

Director, Institute for Cybersecurity and Privacy

School of Computing

University of Georgia

3/10/2023

11am – 12pm CST

WebEx: https://utsa.webex.com/utsa/j.php?MTID=m48256e669a2ad8e4769466e25d886773

Being able to identify and enumerate potentially vulnerable IoT devices across the Internet is important, because it allows for assessing global Internet risks and enables network operators to check the hygiene of their own networks. Towards this goal, in this talk I’ll present IoTFinder, a network-based system for efficient, large-scale passive identification of IoT devices. To develop IoTFinder, we leveraged distributed passive DNS data collection, and developed a machine learning-based system that aims to accurately identify a large variety of IoT devices based solely on their DNS traffic fingerprints. IoTFinder can efficiently detect IoT devices independently of whether they reside behind a NAT or other network middleboxes, or whether they are assigned an IPv4 or IPv6 address. We designed IoTFinder as a multi-label classifier, and evaluated its accuracy in several different settings, including DNS traffic collected at a US-based ISP hosting more than 40 million clients. The experimental results show that our approach allows for accurately and efficiently detecting many diverse IoT devices, even when they are hosted behind a NAT and their traffic is “mixed” with traffic generated by other IoT and non-IoT devices hosted in the same local network.