Smart Surveillance: Identifying IoT Device Behaviours using ML-Powered Traffic Analysis

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv paper.

The proliferation of Internet of Things (IoT) devices has grown exponentially in recent years, introducing significant security challenges. Accurate identification of the types of IoT devices and their associated actions through network traffic analysis is essential to mitigate potential threats. By monitoring and analysing packet flows between IoT devices and connected networks, anomalous or malicious behaviours can be detected. Existing research focuses primarily on device identification within local networks using methods such as protocol fingerprinting and wireless frequency scanning. However, these approaches are limited in their ability to monitor or classify IoT devices externally. To address this gap, we investigate the use of machine learning (ML) techniques, specifically Random Forest (RF), Multilayer Perceptron (MLP), and K-Nearest Neighbours (KNN), in conjunction with targeted network traffic monitoring to classify IoT device types and their actions. We constructed a testbed comprising an NPAT-enabled router and a diverse set of IoT devices, including smart cameras, controller hubs, home appliances, power controllers, and streaming devices. Experimental results demonstrate that IoT device and action recognition is feasible using our proposed ML-driven approach, with the RF classifier achieving the highest accuracy of 91%, while the MLP recorded the lowest accuracy at 56%. Notably, all device categories were successfully classified except for certain actions associated with security cameras, underscoring both the potential and the limitations of the proposed method.


💡 Research Summary

The paper “Smart Surveillance: Identifying IoT Device Behaviours using ML-Powered Traffic Analysis” addresses the growing security concerns in IoT ecosystems by proposing a novel framework for identifying IoT device types and their real-time actions solely through external network traffic analysis. The core motivation stems from the limitation of existing research, which primarily relies on internal network access (e.g., protocol fingerprinting within a LAN), making it ineffective for external monitoring or attacker-perspective reconnaissance.

To bridge this gap, the authors designed a controlled testbed network featuring an NPAT-enabled router and a diverse array of consumer IoT devices, including smart security cameras, controller hubs (e.g., Amazon Echo), home appliances, smart plugs, and streaming devices. The key methodological innovation involves capturing network traffic passively from the WAN side of the router, simulating an external observer or attacker without privileged access to the internal network. Traffic was collected in both idle (passive) and active-use states for each device.

The raw packet capture (PCAP) data was processed into communication flows, from which 63 comprehensive flow-based features were extracted using tools like CICFlowMeter. These features encompassed timing statistics, packet size variations, TCP flag counts, and window characteristics. Instead of labeling data by specific device models—which could lead to overfitting—the authors grouped devices into broader functional categories: Surveillance, Hub, Energy Management, Appliance, Streaming Devices, and Non-IoT Devices. This approach aimed to improve model generalizability.

The study evaluated and compared three supervised machine learning algorithms for the classification task: Random Forest (RF), Multilayer Perceptron (MLP), and K-Nearest Neighbours (KNN). The choice of these models, particularly favoring ensemble methods like RF over deep learning, was informed by the moderate size of the custom-generated dataset. Additionally, the paper explored the supplementary use of SNORT IDS rules for signature-based detection of specific device actions.

The experimental results demonstrated the feasibility of the proposed approach. The Random Forest classifier achieved the highest overall accuracy of 91% in classifying device types, followed by KNN at 85%, and MLP at 56%. All major device categories were successfully distinguished. However, the research also identified a significant limitation: the accuracy of recognizing specific actions for certain devices, particularly security cameras, was lower. The authors attribute this challenge to the difficulty of extracting discriminative features from encrypted media streaming traffic, which often exhibits less variability in packet size and timing patterns.
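As an added example (not the paper's code or dataset), the pipeline the summary describes carried through end to end on constructed packet records: a per-flow feature extractor covering a handful of the CICFlowMeter-style features named above (timing statistics, packet-size statistics, TCP flag counts), z-score scaling, and a k-Nearest Neighbours classifier over the paper's functional categories. The traffic profiles, the feature subset, the `(timestamp, length, flags)` packet tuples and every function name are assumptions made for this demo, not measured device data. The Surveillance and Streaming profiles are deliberately near-identical so the example also reproduces the kind of confusion the paper reports for encrypted media traffic, while the sparse, small-packet Energy Management flows and the mid-rate Hub flows stay separable.

```python
"""Flow-based IoT traffic classification with k-NN (added example, not the paper's code).
Pipeline: packets -> per-flow feature vector -> z-score -> k-NN. All traffic is CONSTRUCTED."""
import math
import random
from collections import Counter
from statistics import mean, pstdev

# Small subset of CICFlowMeter-style flow features, in fixed vector order (assumption).
FEATURE_NAMES = [
    "duration", "pkt_count", "total_bytes", "pkt_len_mean", "pkt_len_std",
    "iat_mean", "iat_std", "syn_count", "psh_count", "fin_count", "bytes_per_s",
]

# Hypothetical traffic profiles (constructed, not measured). Surveillance and Streaming are
# made near-identical on purpose: encrypted media flows expose little size/timing variability.
PROFILES = {
    "Surveillance":      {"pkts": (200, 400), "iat": (0.01, 0.03), "len": (1300, 80), "psh": 0.9},
    "Streaming":         {"pkts": (200, 400), "iat": (0.01, 0.03), "len": (1350, 70), "psh": 0.9},
    "Hub":               {"pkts": (30, 80),   "iat": (0.2, 2.0),   "len": (400, 250), "psh": 0.6},
    "Energy Management": {"pkts": (4, 10),    "iat": (20.0, 60.0), "len": (120, 30),  "psh": 0.5},
}


def extract_features(packets):
    """packets: time-ordered list of (timestamp_s, length_bytes, tcp_flags) for ONE flow."""
    if not packets:
        raise ValueError("flow has no packets")
    times = [p[0] for p in packets]
    lens = [p[1] for p in packets]
    flags = [p[2] for p in packets]
    iats = [b - a for a, b in zip(times, times[1:])]   # inter-arrival times
    duration = times[-1] - times[0]
    total = sum(lens)
    return {
        "duration": duration,
        "pkt_count": len(packets),
        "total_bytes": total,
        "pkt_len_mean": mean(lens),
        "pkt_len_std": pstdev(lens),
        "iat_mean": mean(iats) if iats else 0.0,
        "iat_std": pstdev(iats) if iats else 0.0,
        "syn_count": sum("S" in f for f in flags),
        "psh_count": sum("P" in f for f in flags),
        "fin_count": sum("F" in f for f in flags),
        "bytes_per_s": total / duration if duration > 0 else float(total),
    }


def synth_flow(rng, profile):
    """One constructed flow: SYN on the first packet, FIN on the last, PSH at the profile rate."""
    n = rng.randint(*profile["pkts"])
    t, pkts = 0.0, []
    for i in range(n):
        t += rng.uniform(*profile["iat"])
        length = max(40, min(1500, int(rng.gauss(*profile["len"]))))
        if i == 0:
            fl = "S"
        elif i == n - 1:
            fl = "FA"
        else:
            fl = "PA" if rng.random() < profile["psh"] else "A"
        pkts.append((t, length, fl))
    return pkts


def zscore_fit(vectors):
    """Per-feature mean/std; a constant feature (e.g. syn_count) gets std 1 to avoid divide-by-zero."""
    cols = list(zip(*vectors))
    return [mean(c) for c in cols], [pstdev(c) or 1.0 for c in cols]


def zscore_apply(vec, means, stds):
    return [(v - m) / s for v, m, s in zip(vec, means, stds)]


def knn_predict(train_vecs, train_labels, query_vec, k=3):
    """Majority vote among the k nearest training flows (Euclidean distance in z-scored space)."""
    means, stds = zscore_fit(train_vecs)
    scaled = [zscore_apply(v, means, stds) for v in train_vecs]
    q = zscore_apply(query_vec, means, stds)
    nearest = sorted(zip((math.dist(q, s) for s in scaled), train_labels))[:k]
    return Counter(lab for _, lab in nearest).most_common(1)[0][0]


def build_dataset(seed=7, per_class=12):
    """Labelled training set: per_class constructed flows for each category."""
    rng = random.Random(seed)
    vecs, labels = [], []
    for label, prof in PROFILES.items():
        for _ in range(per_class):
            feats = extract_features(synth_flow(rng, prof))
            vecs.append([feats[n] for n in FEATURE_NAMES])
            labels.append(label)
    return vecs, labels


def classify_flow(packets, seed=7):
    vecs, labels = build_dataset(seed)
    feats = extract_features(packets)
    return knn_predict(vecs, labels, [feats[n] for n in FEATURE_NAMES])


def demo(seed=99):
    """Classify one fresh constructed flow per category; returns {true_label: predicted_label}."""
    rng = random.Random(seed)
    return {label: classify_flow(synth_flow(rng, prof)) for label, prof in PROFILES.items()}


if __name__ == "__main__":
    for true_label, pred in demo().items():
        print(f"{true_label:18s} -> {pred}")
```

Running the block prints one line per category. Hub and Energy Management come back correctly because their packet counts, sizes and inter-arrival gaps differ by orders of magnitude; the two media categories land on either Surveillance or Streaming depending on the draw, which is the behaviour the paper attributes to encrypted media streams. Real deployments would replace `synth_flow` with flows reassembled from a WAN-side PCAP and would use the full feature set rather than this eleven-feature subset.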

In conclusion, the paper presents a valid proof-of-concept for external, ML-powered IoT device and behavior identification, highlighting its potential for threat detection without internal network intrusion. The main contributions include the external monitoring framework, a comparative analysis of ML models on traffic flow features, and a realistic IoT testbed for validation. For future work, the authors suggest expanding the dataset scale and diversity, investigating deep learning models with larger data, and integrating encrypted traffic analysis techniques to overcome the identified limitations with devices like cameras.

