Network Traffic Fingerprinting for IIoT Device Identification: A Survey

Abstract

As the Industrial Internet of Things (IIoT) continues to expand, the need for effective device identification becomes critical for securing industrial environments. Network traffic fingerprinting has emerged as an important technique for IIoT device identification, leveraging the unique communication patterns embedded in network traffic. Despite significant efforts in this area, a comprehensive overview of the relevant research is still missing. To address the lack of comprehensive research, this paper, for the first time, identifies critical knowledge gaps constraining IIoT device identification through network traffic analysis: obscure fingerprint feature space, limited generalizability to unknowns, and scarce data sources. Focusing on these gaps, existing methods are analyzed and summarized in detail across network traffic fingerprinting, IIoT device identification, and public IIoT datasets. Specifically, network traffic fingerprinting methods are categorized into three levels: Packet-level, flow-level, and business-level, and relevant methods are examined in terms of data formats, segmentation units, and extraction or generation techniques. In the context of IIoT device identification, tasks such as device type, model, and instance recognition, as well as abnormal device detection, are extensively investigated using rule-based, traditional machine learning- based, and deep learning-based approaches, with a focus on device fingerprints and application scenarios. Furthermore, main public datasets from the IoT, ICS, and IIoT scenarios are highlighted to support the development of fingerprinting and identification methods. Finally, several future research directions are proposed to guide new advancements in this area.