A system and method for autonomously fingerprinting and enumerating Internet of Things (IoT) devices based on NAT-ed IPFIX and DNS traffic


Detailed description

Bibliographic details
Main authors: Koh Ting Yew, Lee Joon Sern, Divakar Sivashankar
Format: Patent
Language: eng
Description
Abstract: Fingerprinting and enumerating Internet-of-Things (IoT) devices based on Network Address Translated (NAT-ed) traffic. The system comprises a grouping module (GM) 110, a Term Frequency-Inverse Document Frequency (TF-IDF) vectorizer 112 and an IoT detector and enumerator (IDE) 114. The GM retrieves Domain Name System (DNS) records from the NAT-ed traffic, groups the records by time period and source internet-protocol (IP) address, and retrieves the domains associated with the records. Domains not found in a database generated from the records of known IoT devices are removed. The TF-IDF vectorizer generates IoT DNS signatures from the DNS records of known IoT devices. The signatures comprise a list of TF-IDF vectors and a list of normalized TF-IDF (N-TF-IDF) vectors; the distance between any two TF-IDF vectors in the first list exceeds a first similarity threshold, and the distance between any two N-TF-IDF vectors in the second list exceeds a second threshold. TF-IDF vectors are then computed for the group of domains obtained from the GM. The IDE module computes the constituents of these TF-IDF vectors from the vectors themselves and a Moore-Penrose pseudo-inverse matrix of the IoT DNS signatures. The constituents represent the identities of the IoT devices and the counts of the IoT devices that generated the NAT-ed traffic.
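The pipeline the abstract describes, as an added illustration that is not the patent's own code: DNS records are grouped by time window and source IP, domains outside a known-IoT database are dropped, a TF-IDF vector is built over the surviving domains, and per-device counts are recovered by multiplying that vector with the Moore-Penrose pseudo-inverse of the signature matrix. The signature corpus, the `.example` domains, the sample records and the raw-count term frequency (which makes a mixed group's vector the count-weighted sum of the device signatures) are all constructed assumptions.

```python
# Added illustration (not the patent's code): recover per-device counts from a
# NAT-ed group's DNS domains via a Moore-Penrose pseudo-inverse of signatures.
from collections import Counter, defaultdict
import math
import numpy as np

# Constructed known-IoT DNS corpus: the domains each device type resolves
# (hypothetical vendor domains, not real device signatures).
KNOWN_IOT = {
    "cam":  ["cam-cloud.example", "ntp.example", "fw-cam.example"],
    "bulb": ["bulb-hub.example", "ntp.example"],
    "plug": ["plug-api.example", "fw-plug.example", "ntp.example"],
}
IOT_DOMAINS = sorted({d for ds in KNOWN_IOT.values() for d in ds})

# Constructed sample of (timestamp, src_ip, queried_domain) from NAT-ed traffic;
# "news.example" is non-IoT noise that the GM filter must drop.
SAMPLE_RECORDS = [
    (10, "10.0.0.5", "cam-cloud.example"), (11, "10.0.0.5", "ntp.example"),
    (12, "10.0.0.5", "fw-cam.example"),   (20, "10.0.0.5", "cam-cloud.example"),
    (21, "10.0.0.5", "ntp.example"),      (22, "10.0.0.5", "fw-cam.example"),
    (30, "10.0.0.5", "bulb-hub.example"), (31, "10.0.0.5", "ntp.example"),
    (40, "10.0.0.5", "news.example"),     (400, "10.0.0.9", "plug-api.example"),
    (401, "10.0.0.9", "fw-plug.example"), (402, "10.0.0.9", "ntp.example"),
]

def idf(domain):
    # Smoothed inverse document frequency over the known-device corpus.
    n_docs = len(KNOWN_IOT)
    df = sum(domain in ds for ds in KNOWN_IOT.values())
    return math.log((1 + n_docs) / (1 + df)) + 1

def tfidf(domains):
    # Raw-count TF times IDF over the IoT vocabulary; unknown domains are
    # removed first, as the grouping module does against its database.
    tf = Counter(d for d in domains if d in IOT_DOMAINS)
    return np.array([tf[d] * idf(d) for d in IOT_DOMAINS], dtype=float)

def group_records(records, window_s=300):
    # GM step: bucket records by time window and source IP address.
    groups = defaultdict(list)
    for ts, src, dom in records:
        groups[(ts // window_s, src)].append(dom)
    return groups

def signatures():
    # One TF-IDF row per known device type: the IoT DNS signature matrix S.
    return np.array([tfidf(ds) for ds in KNOWN_IOT.values()])

def enumerate_group(domains):
    # IDE step: the group vector v satisfies v = c @ S, so c = v @ pinv(S);
    # rounding c yields the count of each device type behind the NAT.
    c = tfidf(domains) @ np.linalg.pinv(signatures())
    return {dev: int(round(float(x))) for dev, x in zip(KNOWN_IOT, c)
            if round(float(x)) > 0}

def demo():
    # Run GM grouping, then enumeration per (window, src_ip) group.
    return {key: enumerate_group(doms)
            for key, doms in group_records(SAMPLE_RECORDS).items()}
```

Because the count recovery relies on the signature rows being linearly independent, a new device whose domain set is a pure subset of another's must be given a distinguishing domain (or the similarity thresholds in the abstract must reject it) before it is added to the signature matrix.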