Characterizing New Devices on a Network with Zero-Shot Learning

Watch the video

Military / Coalition Issue

Operating a Coalition network effectively and securely requires the ability to detect and characterize previously unseen devices on the network by analysing network traffic data. A traditional Deep Learning (DL) model which is trained to recognize a set of known devices cannot recognize nor characterize a new device connecting to the network as traffic data associate with such device cannot have been included in the data used to train the DL model.

Core idea and key achievements

Our approach trains a DL model to recognize a set of key device traffic attributes which are shared across multiple devices, thus it can recognize a new device and characterise it.

image info

Initial experiments on two datasets comprising of 21 known and 27 unknown devices, respectively, show the capability of our approach to recognize unknown devices (f1 score 0.58, as opposed to 0 for traditional fully supervised DL models) at the cost of a moderate decrease in performance for known devices recognition (f1 score from 0.77 to 0.65).

Implications for Defence

This approach allows an agent to identify or characterise a new device on a monitored network, even though it has never been seen before. This has obvious applications to network management and security.

Readiness & alternative Defence uses

The technology has been tested with promising results as a demo on two datasets of network traffic data from IoT devices [3]. More experiments are underway involving multiple datasets. The component needs a network traffic data sniffer and feature extractor to provide network traffic data in proper input format. It relies on modern opensource deep learning libraries [4] for the DL model definition and training. This work is also connected to Project 10 (for example 10.2 neuro-symbolic), since the attribute information can be seen as additional input to a neural network.

Resources and references

Organisations

IBM US