Device Behavior Identification in Encrypted Home Security Camera Traffic

Home security cameras have become one of the most popular IoT devices due to rigid demand and low cost. However, these devices have become a disaster area where security issues such as cyberattacks and privacy breaches often occur. Researchers and intruders often employ traffic behavior analyzing methods to mine vulnerabilities. Nevertheless, the content transmitted by the HSC device contains a lot of dynamic interference video traffic, so it is hard to mine the behavior information of the HSC device from it. In contrast, the HSC device's non-TLS one-way response packets carry more efficient behavior information. Therefore, we propose an approach to identify device behavior based on the features of one-way response packets in non-TLS traffic. Based on the functional characteristics of the HSC device, we have a more fine-grained type division of behaviors, including eight behaviors and five states. In addition, we propose an automatic labeling approach based on countercurrent and operation logs for the problem of tedious and inaccurate manual labeling. Based on the features of three attributes, we compared the recognition effects of nine classifiers on two datasets, the real-world dataset and the IMC 2019 payload public dataset. Finally, the CNN-based classifier can achieve the most desirable identification effect with an accuracy rate of 97.47%, a recall rate of 97.42%, and an F1 score of 97.4%. The results show that the proposed approach can accurately identify the behavior and state of HSC at a fine-grained level. Moreover, this work has a significant reference value for device anomalous behavior detection and threat awareness.