Behavioral transparency for Internet-of-Things (IoT) networked assets involves two distinct yet interconnected tasks: (a) characterizing device types by discerning the patterns exhibited in their network traffic, and (b) assessing the vulnerabilities they introduce to the network. While identifying communication protocols, particularly at the application layer, plays a vital role in effective network management, current methods are, at best, ad hoc. Accurate protocol identification and attribute extraction from packet payloads are crucial for distinguishing devices and discovering vulnerabilities. This paper makes three contributions: (1) We process a public dataset to construct specific packet traces pertinent to six standard protocols (TLS, HTTP, DNS, NTP, DHCP, and SSDP) of ten commercial IoT devices. We manually analyze TLS and HTTP flows, highlighting their characteristics, parameters, and adherence to best practices, and we make our data publicly available; (2) We develop a common model to describe protocol signatures that helps with the systematic analysis of protocols even when they are communicated through non-standard port numbers; and (3) We evaluate the efficacy of our data models for the six protocols, which constitute approximately 97% of our dataset. Our data models, except for SSDP in 0.3% of Amazon Echo's flows, produce no false positives for protocol detection. We draw insights into how various IoT devices behave across those protocols by applying these models to our IoT traces.
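As an added illustration of the port-independent identification the abstract describes (this is example code, not the paper's signature model or released data), the following classifies a flow's first payload bytes for the six named protocols using simplified header heuristics. The sample payloads are constructed, and the heuristics are deliberately loose stand-ins for the paper's data models.

```python
import re
import struct

# Constructed sample payloads (first bytes of a flow); they are not taken from the paper's dataset.
SAMPLES = {
    "TLS": b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + bytes(32),  # truncated ClientHello
    "HTTP": b"GET /api/state HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n\r\n",
    "DNS": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01",
    "NTP": b"\x23" + bytes(47),  # first byte: LI=0, VN=4, mode=3 (client); 48 bytes total
    "DHCP": b"\x01\x01\x06\x00\x39\x03\xf3\x26" + bytes(228) + b"\x63\x82\x53\x63\x35\x01\x01\xff",
    "SSDP": b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\nST: ssdp:all\r\n\r\n",
}

def is_tls_client_hello(p):
    # record type 0x16 (handshake), version 3.1..3.3, then handshake type 0x01 (ClientHello)
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 3 and p[2] in (1, 2, 3) and p[5] == 1

def is_http_request(p):
    return re.match(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", p) is not None

def is_dns_query(p):
    # 12-byte header: QR=0 and opcode=0 in the flags word, at least one question, no answers
    if len(p) < 12: return False
    flags, qdcount, ancount = struct.unpack("!HHH", p[2:8])
    return (flags & 0xF800) == 0 and qdcount >= 1 and ancount == 0

def is_ntp(p):
    # fixed 48-byte header; first byte packs LI(2) VN(3) mode(3); mode 3 = client, 4 = server
    return len(p) == 48 and 1 <= ((p[0] >> 3) & 7) <= 4 and (p[0] & 7) in (3, 4)

def is_dhcp(p):
    # BOOTP op 1/2, htype 1 (Ethernet), hlen 6, DHCP magic cookie at offset 236
    return len(p) >= 240 and p[0] in (1, 2) and p[1:3] == b"\x01\x06" and p[236:240] == b"\x63\x82\x53\x63"

def is_ssdp(p):
    first_line = p.split(b"\r\n", 1)[0]
    return (first_line in (b"M-SEARCH * HTTP/1.1", b"NOTIFY * HTTP/1.1")
            and re.search(rb"\r\nHOST:\s*239\.255\.255\.250:1900\r\n", p, re.I) is not None)

# Most specific checks first: a DHCP or NTP packet can also satisfy the loose DNS header test.
DETECTORS = [("SSDP", is_ssdp), ("HTTP", is_http_request), ("TLS", is_tls_client_hello),
             ("DHCP", is_dhcp), ("NTP", is_ntp), ("DNS", is_dns_query)]
WELL_KNOWN_PORTS = {443: "TLS", 80: "HTTP", 53: "DNS", 123: "NTP", 67: "DHCP", 68: "DHCP", 1900: "SSDP"}

def identify(payload):
    # classify by payload signature alone; the transport port is deliberately ignored
    for name, check in DETECTORS:
        if check(payload):
            return name
    return "unknown"

def classify(dst_port, payload):
    # port-based and payload-based verdicts side by side; they diverge on non-standard ports
    return {"by_port": WELL_KNOWN_PORTS.get(dst_port, "unknown"), "by_payload": identify(payload)}
```

Running `classify(8080, SAMPLES["HTTP"])` shows the port table giving up while the payload check still labels the flow as HTTP, which is the situation the abstract's signature model is meant to handle.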