The rapid proliferation of Internet of Things (IoT) devices introduces significant security challenges due to limited visibility and weak device-level guarantees. Accurate and timely identification of devices is essential for enforcing network policies and detecting unauthorised hardware, yet existing approaches often rely on long-term traffic observation, payload inspection, or infrastructure-dependent features. In this paper, we investigate whether IoT devices can be reliably identified during the early stages of network attachment using only passive traffic analysis. We propose a lightweight approach based on flow-level features extracted from metadata, avoiding payload inspection and active probing. Through systematic evaluation across multiple observation windows, we show that device-specific signatures emerge within the first few seconds of communication, enabling high-accuracy identification (up to 99%) across 37 IoT devices. Notably, extending the observation window does not consistently improve performance and may slightly degrade accuracy, indicating that the most discriminative behaviour occurs during initial device startup. These findings demonstrate the feasibility of fast, privacy-preserving IoT device identification at the network edge, supporting real-time enforcement, device inventory, and anomaly detection in practical deployments.
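As an added illustration (not code from the paper), the following Python extracts flow-level features from packet metadata restricted to a short observation window after a device's first packet, which is the kind of passive, payload-free signal the abstract describes. The startup trace, the MAC address and the particular feature set are constructed assumptions, not the paper's dataset or feature definitions.

```python
"""Windowed flow-level feature extraction from packet metadata (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float    # seconds, absolute capture time
    src: str     # source MAC
    dst: str     # destination (MAC or a label for a remote host)
    proto: str   # "UDP" or "TCP"
    dport: int   # destination port
    size: int    # bytes on the wire; no payload is ever read


# Constructed startup trace for one hypothetical device (assumption, not real data).
DEVICE_MAC = "aa:bb:cc:00:00:01"
TRACE = [
    Pkt(100.0, DEVICE_MAC, "ff:ff:ff:ff:ff:ff", "UDP", 67, 342),  # DHCP discover
    Pkt(100.4, DEVICE_MAC, "gw", "UDP", 53, 74),                  # DNS query
    Pkt(100.6, DEVICE_MAC, "cloud", "TCP", 443, 60),              # TLS SYN
    Pkt(100.9, DEVICE_MAC, "cloud", "TCP", 443, 583),
    Pkt(101.5, DEVICE_MAC, "ntp", "UDP", 123, 90),                # NTP request
    Pkt(103.2, DEVICE_MAC, "cloud", "TCP", 8883, 60),             # MQTT/TLS SYN
    Pkt(107.0, DEVICE_MAC, "cloud", "TCP", 8883, 120),
    Pkt(112.0, DEVICE_MAC, "cloud", "TCP", 443, 1200),
]


def window_features(trace, window_s):
    """Flow-level features using only packets within `window_s` seconds of
    the device's first observed packet (its network-attachment moment)."""
    if not trace:
        return {}
    t0 = trace[0].ts
    pkts = [p for p in trace if p.ts - t0 < window_s]
    flows = defaultdict(list)  # 4-tuple (src, dst, proto, dport) -> packets
    for p in pkts:
        flows[(p.src, p.dst, p.proto, p.dport)].append(p)
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]  # inter-arrival times
    return {
        "n_pkts": len(pkts),
        "n_flows": len(flows),
        "udp_ratio": sum(p.proto == "UDP" for p in pkts) / len(pkts),
        "mean_size": sum(p.size for p in pkts) / len(pkts),
        "mean_iat": sum(gaps) / len(gaps) if gaps else 0.0,
        "dports": tuple(sorted({p.dport for p in pkts})),
    }


if __name__ == "__main__":
    for w in (2.0, 5.0, 15.0):  # compare observation windows, as in the evaluation
        print(w, window_features(TRACE, w))
```

Running the block prints one feature dictionary per observation window, so the reader can see how much of the startup signature is already present after two seconds versus fifteen.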