
Unveiling Behavioral Transparency of Protocols Communicated by IoT Networked Assets (Full Version)

Savindu Wannigama, Arunan Sivanathan, Ayyoob Hamza, Hassan Habibi Gharakheili

TL;DR

The paper tackles the lack of systematic visibility into IoT communication protocols by constructing protocol-specific fingerprints and a machine-processable data model. Through manual analysis of TLS and HTTP flows from ten commercial IoT devices and a public dataset, it demonstrates that protocol signatures—especially TLS ciphersuites and HTTP attributes—enable near-deterministic device identification and reveal security vulnerabilities. The authors formalize a three-section protocol data model (Info, Metadata, Contents) and apply six protocol models (TLS, HTTP, DNS, NTP, DHCP, SSDP), discovering non-standard-port traffic and various adherence gaps to best practices. This work enhances scalable protocol detection, vulnerability assessment, and potential enforcement within MUD-enabled networks, and it provides open data and models to the community for broader adoption and validation.

Abstract

Behavioral transparency for Internet-of-Things (IoT) networked assets involves two distinct yet interconnected tasks: (a) characterizing device types by discerning the patterns exhibited in their network traffic, and (b) assessing vulnerabilities they introduce to the network. While identifying communication protocols, particularly at the application layer, plays a vital role in effective network management, current methods are, at best, ad hoc. Accurate protocol identification and attribute extraction from packet payloads are crucial for distinguishing devices and discovering vulnerabilities. This paper makes three contributions: (1) We process a public dataset to construct specific packet traces pertinent to six standard protocols (TLS, HTTP, DNS, NTP, DHCP, and SSDP) of ten commercial IoT devices. We manually analyze TLS and HTTP flows, highlighting their characteristics, parameters, and adherence to best practices, and we make our data publicly available; (2) We develop a common model to describe protocol signatures that helps with the systematic analysis of protocols even when they are communicated through non-standard port numbers; and (3) We evaluate the efficacy of our data models for the six protocols, which constitute approximately 97% of our dataset. Our data models, except for SSDP in 0.3% of Amazon Echo's flows, produce no false positives for protocol detection. We draw insights into how various IoT devices behave across those protocols by applying these models to our IoT traces.
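As an added illustration (not code from the paper or its authors), the following Python recognises a TLS ClientHello by its payload signature rather than by the TCP port it arrives on, extracts the offered ciphersuite list and SNI, and derives an order-preserving ciphersuite fingerprint of the kind the paper uses to distinguish devices. The ClientHello bytes, hostnames and port numbers are constructed here for the example.

```python
import hashlib, struct

def parse_client_hello(payload: bytes):
    """Extract version, ciphersuites and SNI from a TLS ClientHello record, or None if the
    bytes are not a well-formed ClientHello. The port is never consulted (non-standard ports)."""
    if len(payload) < 47 or payload[0] != 0x16 or payload[5] != 0x01:
        return None                              # not a Handshake record carrying ClientHello
    try:
        version = struct.unpack('!H', payload[9:11])[0]
        p = 11 + 32                              # skip the 32-byte client random
        p += 1 + payload[p]                      # session_id (length-prefixed)
        cs_len = struct.unpack('!H', payload[p:p+2])[0]; p += 2
        suites = [struct.unpack('!H', payload[i:i+2])[0] for i in range(p, p + cs_len, 2)]
        p += cs_len
        p += 1 + payload[p]                      # compression methods (length-prefixed)
        sni = None
        if p + 2 <= len(payload):                # extensions block is optional
            end = p + 2 + struct.unpack('!H', payload[p:p+2])[0]; p += 2
            while p + 4 <= end:
                etype, elen = struct.unpack('!HH', payload[p:p+4]); p += 4
                if etype == 0:                   # server_name: list_len(2) type(1) name_len(2) name
                    n = struct.unpack('!H', payload[p+3:p+5])[0]
                    sni = payload[p+5:p+5+n].decode('ascii', 'replace')
                p += elen
    except (struct.error, IndexError):           # truncated or malformed record
        return None
    return {'version': version, 'ciphersuites': suites, 'sni': sni}

def ciphersuite_fingerprint(suites):
    """Order-preserving hash of the offered suite list (first 16 hex chars of SHA-256)."""
    return hashlib.sha256(','.join(f'{s:04x}' for s in suites).encode()).hexdigest()[:16]

def build_client_hello(suites, host):
    """Construct a minimal TLS 1.2 ClientHello as sample input (constructed, not real device traffic)."""
    h = host.encode()
    sni = struct.pack('!HHHBH', 0, len(h) + 5, len(h) + 3, 0, len(h)) + h   # server_name extension
    body = (b'\x03\x03' + bytes(32) + b'\x00' + struct.pack('!H', 2 * len(suites))
            + b''.join(struct.pack('!H', s) for s in suites) + b'\x01\x00'
            + struct.pack('!H', len(sni)) + sni)
    hs = b'\x01' + len(body).to_bytes(3, 'big') + body                      # handshake header
    return b'\x16\x03\x01' + struct.pack('!H', len(hs)) + hs                # record header

def classify_flows(flows):
    """Label each (dst_port, first payload) flow by its payload signature, never by its port."""
    result = {}
    for port, payload in flows:
        ch = parse_client_hello(payload)
        result[port] = (ciphersuite_fingerprint(ch['ciphersuites']), ch['sni']) if ch else None
    return result
```

Two devices offering the same suites in a different order yield different fingerprints, and a ClientHello on port 8883 is still recognised as TLS while an HTTP request on port 443 is not.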

Paper Structure (10 sections, 3 figures, 2 tables)

This paper contains 10 sections, 3 figures, 2 tables.

Figures (3)

  • Figure 1: Ciphersuite fingerprint of: (a) Ring doorbell and Awair air quality, and (b) Amazon Echo.
  • Figure 2: Visual representation of our protocol data schema.
  • Figure 3: The Contents section of our protocol data model: (a) HTTP and (b) TLS.