Aniello, Leonardo; Sassone, Vladimiro; Alyahya, Tadani Nasser
2025-02-18
2024
https://hdl.handle.net/20.500.14154/74893

Recognising IoT devices through network fingerprinting contributes to enhancing the security of IoT networks and supporting forensic activities. Network fingerprinting for IoT devices involves analysing the traffic from these devices to accurately identify them without relying on explicit identifiers within the transmitted packets, which can be spoofed. Machine learning techniques have been extensively utilised in the literature to optimise IoT fingerprinting accuracy. Given the rapid proliferation of new IoT devices, a current challenge in this field is how to make IoT fingerprinting scalable, which involves efficiently updating the machine learning model in use to enable the recognition of new IoT devices. Some approaches have been proposed to achieve scalability, but they all suffer from limitations such as large memory requirements to store training data and decreased accuracy for older devices. In this research, we propose a novel, scalable network fingerprinting method for IoT devices that leverages online stream learning and fixed-size session payloads. This approach enables the model to be updated periodically without needing to retain data, ensuring scalability and maintaining high recognition accuracy. Moreover, our method includes a mechanism for detecting unknown IoT devices. Our contributions are multifaceted, beginning with a comprehensive survey of passive IoT device fingerprinting that leverages machine learning and network characteristics, systematically reviewing the literature and detailing the network traffic features used for device identification. We identify key open research problems and future directions in this domain, highlighting significant challenges and gaps.
A notable advancement is the introduction of ScaNeF-IoT, a scalable IoT fingerprinting approach utilising online stream learning and fixed-size traffic payload sessions, demonstrating high accuracy and adaptability. The scalability of the approach lies in its ability to continuously update the machine learning model with minimal resource overhead, allowing for the seamless recognition of new IoT devices without retraining from scratch. We further investigate the feature extraction method, which indicates the instances of interest from network traffic (such as packets, flows, or sessions) for further analysis and feature extraction, and find that fixed-size payload sessions outperform the others, with an accuracy of over 99.5% and an average false positive rate of 2.25%. Additionally, our scalable system is able to detect unknown IoT devices using online stream learning and z-score analysis, showcasing efficiency and adaptability. Our scalable IoT device fingerprinting approach achieves 100% accuracy in detecting unknown devices and 94% average accuracy in identifying known devices in streaming data.

158
en
Internet of Things (IoT); IoT device fingerprinting; device identification; passive scanning; scalability
Scalable Network Fingerprinting for IoT Devices
Thesis