IoTFinder: Efficient Large-Scale Identification of IoT Devices via Passive DNS Traffic Analysis
Roberto Perdisci, Thomas Papastergiou, Omar Alrawi, Manos Antonakakis
IEEE European Symposium on Security and Privacy, 2020
Being able to enumerate potentially vulnerable IoT devices across the Internet is important, because it allows for assessing global Internet risks and enables network operators to check the hygiene of their own networks. To this end, in this paper we propose IoTFinder, a system for efficient, large-scale passive identification of IoT devices. Specifically, we leverage distributed passive DNS data collection, and develop a machine learning-based system that aims to accurately identify a large variety of IoT devices based solely on their DNS fingerprints . Our system is independent of whether the devices reside behind a NAT or other middleboxes, or whether they are assigned an IPv4 or IPv6 address. We design IoTFinder as a multi-label classifier, and evaluate its accuracy in several different settings, including computing detection results over a third-party IoT traffic dataset and DNS traffic collected at a US-based ISP hosting more than 40 million clients. The experimental results show that our approach allows for accurately detecting many diverse IoT devices, even when they are hosted behind a NAT and their traffic is “mixed” with traffic generated by other IoT and non-IoT devices hosted in the same local network.