Fine-grain Identification For Large-scale Internet-connected IoT Devices

With the development of LoRa,NB-IoT and 5G technologies,the number of Internet of Things(IoT)devices will grow rapidly and IoT security is also increasing.IoT device identification is a prerequisite for security assessment,protection and upgrade of IoT devices.Device identification is to determine the type,brand,model and firmware version of the device,especially the fine-grained device model and firmware version,which are directly related to device vulnerabilities,and reflect the security status of devices more accurately.However,for a large number of IoT devices,various brand types and mixed service protocols,IoT devices identification will face many challenges in terms of identification accuracy,identification granularity,feature space and time efficiency.In this thesis,proactive device identification is adopted.Based on banners,protocol fields and web management pages,various technologies and strategies,such as multi-protocol fusion,retransmission mechanism,cross-layer protocol and weak password are utilized to realize fine-grained identification of device model and firmware version.The main contributions and innovatin of this paper are as follows:(1)For balancing the time cost and accuracy of the multi-protocol bannerbased method,a multi-protocol detection optimization scheduling mechanism is proposed to realize device identification.Based on reinforcement learning,the scheduling problem of multi-protocol probes is modeled as Markov decision process.By counting the probability of device attribute information contained in each protocol banner,the Markov state transition matrix of banner-based device identification process is constructed,and the existing value iteration algorithm is improved to generate the optimal protocol probe sequence.The experimental results show that the proposed algorithm is more accurate and time-efficiency,and has better scalability on routers and printers.(2)For improving the devices diversity of TCP protocol field feature,an IoT device identification method based on retransmission TCP message fields is designed.By improving the TCP three-time handshake mechanism,a connectionless retransmission TCP packet detection rule is proposed.The header field is efficiently obtained to increase the fingerprint granularity of device identification.Then different feature field groups are selected by quantifying the consistency and diversity of numerous field features,and the bagging integrated classifier is adopted to realize the dynamic IoT device identification.The experimental results indicate the efficiency and accuracy of the method.(3)For improving the devices diversity of single protocol field features,a large-scale fine-grained device identification method based on cross-layer protocol field features by taking advantage of the universality of HTTP and TCP protocols in the IoT scenario is proposed.A cross-layer protocol probe strategies based on the TCP three-way handshake process,and five kinds of cross-layer response messages are designed and obtained.Then the cross-layer protocol fields of HTTP and TCP are selected by designing the consistency and diversity evaluation metric of field features,and the prototype system of cross-layer device identification is implemented by using CNN+LSTM+softmax neural network model.The experiments verify the effectiveness of the proposed cross-layer protocol method on the identification accuracy and recall of devices model.(4)For the challenge of firmware source code analysis,a new method to identify large-scale fine-grained device firmware based on weak password by analyzing the content of IoT device web management page is proposed.The weak password vulnerability on IoT devices is used to obtain the content of web management page.Through the design of automatic login page feature clustering method and web content partition analysis algorithm,the firmware version page is obtained,and a regular expression method is used to realize the firmware version identification.The experimental results demonstrate the effectiveness of the proposed method in device firmware identification.