{"paper":{"title":"Unsupervised Baseline Clustering and Incremental Adaptation for IoT Device Traffic Profiling","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"Density-based clustering best matches ground-truth IoT device labels in unsupervised traffic profiling while incremental methods trade purity for adaptability.","cross_cats":["cs.CR","cs.LG"],"primary_cat":"cs.NI","authors_text":"John D. Hastings, Sean M. Alderman","submitted_at":"2026-02-27T14:31:01Z","abstract_excerpt":"The growth and heterogeneity of IoT devices create security challenges where static identification models can degrade as traffic evolves. This paper presents a two-stage, flow-feature-based pipeline for unsupervised IoT device traffic profiling and incremental model updating, evaluated on selected long-duration captures from the Deakin IoT dataset. For baseline profiling, density-based clustering (DBSCAN) isolates a substantial outlier portion of the data and produces the strongest alignment with ground-truth device labels among tested classical methods (NMI 0.78), outperforming centroid-based"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"density-based clustering (DBSCAN) isolates a substantial outlier portion of the data and produces the strongest alignment with ground-truth device labels among tested classical methods (NMI 0.78)","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The selected long-duration captures from the Deakin IoT dataset are representative of real-world evolving IoT traffic and that flow features alone suffice to distinguish device identities across time.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"DBSCAN on flow features reaches NMI 0.78 with ground-truth IoT device labels on Deakin captures, while BIRCH supports 0.13-second incremental updates with 0.87 purity on a novel device.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Density-based clustering best matches ground-truth IoT device labels in unsupervised traffic profiling while incremental methods trade purity for adaptability.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"2967a5ef33cf7388864aca1c216f79ee420bf1b51b8b315db0dfc6709263fed3"},"source":{"id":"2602.24047","kind":"arxiv","version":1},"verdict":{"id":"c789c674-f0c3-4250-8975-f260ce090a3e","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T18:53:22.521466Z","strongest_claim":"density-based clustering (DBSCAN) isolates a substantial outlier portion of the data and produces the strongest alignment with ground-truth device labels among tested classical methods (NMI 0.78)","one_line_summary":"DBSCAN on flow features reaches NMI 0.78 with ground-truth IoT device labels on Deakin captures, while BIRCH supports 0.13-second incremental updates with 0.87 purity on a novel device.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The selected long-duration captures from the Deakin IoT dataset are representative of real-world evolving IoT traffic and that flow features alone suffice to distinguish device identities across time.","pith_extraction_headline":"Density-based clustering best matches ground-truth IoT device labels in unsupervised traffic profiling while incremental methods trade purity for adaptability."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2602.24047/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":19,"sample":[{"doi":"10.1002/ett.3743","year":2022,"title":"A machine learning based framework for IoT device identification and abnormal traffic detection,","work_id":"ecfa7822-33ce-4c4a-8c8e-5163271c089e","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"10.1109/iccws53234.2021.9702983","year":2021,"title":"A Generic Machine Learning Approach for IoT Device Identifica- tion,","work_id":"5a43b879-fa41-4dd2-b8c3-06d619b15dec","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"10.1109/access.2024.3384460","year":2024,"title":"Machine Learning With Computer Networks: Tech- niques, Datasets, and Models,","work_id":"fab96e9e-e619-44f3-95d0-2fee84fb6035","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"10.1109/icnc59896.2024.10556143","year":2024,"title":"In 2024 International Conference on Computing, Networking and Communications (ICNC)","work_id":"3ad9caa8-24fa-49ab-a366-a8339e3e99a9","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"10.1109/access.2023.3284542","year":2023,"title":"IoTTFID: An incremental IoT device iden- tification model based on traffic fingerprint,","work_id":"1838dfd7-7a6c-4383-b36c-bcceef1679ca","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":19,"snapshot_sha256":"61b033a4248ce621379e04a0497f990e677544bc301e69ae60e3b91d978033ea","internal_anchors":0},"formal_canon":{"evidence_count":2,"snapshot_sha256":"fdc4e2aac34e899bd0c06b4226259b8b5aa7a07184ac7193772eb182d78438be"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}