Identifying IoT Devices Behind a NAT by Using Empirical Data and Learning Methods
Abstract
The explosive growth of the Internet-of-Things (IoT) paradigm has brought a rise in malicious activity targeting the Internet. Indeed, the lack of basic security protocols and measures in IoT devices allows attackers to use exploited Internet-scale IoT devices to organize malicious botnets and cause significant damage to the Internet through Denial of Service (DoS) attacks, illicit scraping, and cryptojacking attacks. Such IoT botnets can be Internet-facing, or can be deployed behind Network Address Translation (NAT) gateways. The growing usage of NAT over the past couple of years has become a double-edged sword. On one hand, it provides an added measure of security for legitimate users. On the other hand, the anonymity provided by NAT can undoubtedly be leveraged by malicious actors to shield the exploited bots. To this end, fingerprinting devices behind a NAT aims at properly comprehending the nature of such devices while aiding proper network and security provisioning and characterization. While the problem scope is certainly not new, it has been evolving quite rapidly given the wide macroscopic and microscopic deployments of IoT devices, and it has recently attracted significant attention from the research community. First, we propose several unsupervised and semi-supervised shallow and deep learning methodologies to classify NATed IoT devices deployed within a microscopic, localized IoT realm. We implement and evaluate an explainable mechanism that provides preliminary insights into this phenomenon. We then propose a methodology to possibly generate malicious activities towards the Internet by leveraging large-scale macroscopic darknet data. We implement and evaluate an attentive, interpretable tabular transformer to detect NATed IoT bots. To the best of our knowledge, we are among the first to capture the nature of such nodes operating on one-way network traffic.