Identifying IoT Devices Behind a NAT by Using Empirical Data and Learning Methods




Nader, Christelle

Journal Title

Journal ISSN

Volume Title



The explosive growth of the Internet-of-Things (IoT) paradigm has brought the rise of malicious activity targeting the Internet. Indeed, the lack of basic security protocols and measures in IoT devices is allowing attackers to use exploited Internet-scale IoT devices to organize malicious botnets, and cause significant damage to the Internet through Denial of Service (DoS) attacks, illicit scraping, and cryptojacking attacks. Such IoT botnets can be Internet-facing, or can also be deployed behind Network Address Translation (NAT) gateways. The growing usage of NAT over the past couple of years has become a double-edged sword. On one hand, it provides an added measure of security for legitimate users. On the other hand, the anonymity provided by NAT could undoubtedly be leveraged by malicious actors to provide anonymity to the exploited bots. To this end, the objective of fingerprinting devices behind a NAT aims at properly comprehending the nature of such devices while aiding in proper network and security provisioning and characterization. While the problem scope is certainly not new, it has been evolving quite rapidly given the wide macroscopic and microscopic deployments of IoT devices, and have recently attracted significant attention from the research community. First, we propose several unsupervised and semi-supervised shallow and deep learning methodologies to classify NATed IoT devices deployed within a microscopic, localized IoT realm. We implement and evaluate an explainable mechanism that provides preliminary insights into this phenomena. We then propose a methodology to possibly generate malicious activities towards the Internet by leveraging large-scale macroscopic darknet data. We implement and evaluate an attentive interpretable tabular transformer to detect NATed IoT bots. To the best of our knowledge, we are among the first to capture the nature of such nodes operating on one-way network traffic.


This item is available only to currently enrolled UTSA students, faculty or staff. To download, navigate to Log In in the top right-hand corner of this screen, then select Log in with my UTSA ID.


Internet of Things, IoT fingerprinting, Machine Learning, Network Address Translation, Network Telescope, Network traffic analysis



Information Systems and Cyber Security