Classifying Time-Series of IoT Flow Activity using Deep Learning and Intransitive Features

The continuous rise of traffic encryption in IoT devices has led network operators to revisit the way they gain visibility into the behavior of their network and connected assets. Moreover, flow-level analysis is perceived as a more cost-effective approach in network monitoring, particularly at scale, given the high computing cost of deep packet inspection engines. This paper uses time-series signals captured from the flow activity of IoT devices and classifies network traffic with deep learning-based classifiers based on Neural Networks (NN) and Decision Trees (DT). We analyze the efficiency and efficacy of deep learning models using one-dimensional convolutional neural networks (1D-CNN), Long Short Term Memory (LSTM), and Deep Forest (DF). We train our models on the real network traffic of 10 IoT devices collected from our lab during two months. To the best of our knowledge, this study is the first to investigate the performance of DF classifiers on IoT network traffic data and compare them to deep neural network models. We quantify the performance of our models by varying the window size (one minute to three minutes) in a time-series format. We show that the DF models present similar performance to 1D-CNN and LSTM and outperform the (shallow) Random Forest (RF) model but significantly higher inference time. DFs are attractive models since they have a dynamic architecture adjusted during training. Therefore, there is no need to manually search for the model architecture required for deep neural networks.