Behavioral Fingerprinting of IoT Devices for Forensic Identification Post-Attack

Laveeza Tahir; Isha Bukhari; Kashif Munir; Hasan J. Alyamani; Amine Bermak; Atiq Ur Rehman

doi:10.1109/ACCESS.2026.3651297

Behavioral Fingerprinting of IoT Devices for Forensic Identification Post-Attack

Laveeza Tahir
, Isha Bukhari
, Kashif Munir^*
, Hasan J. Alyamani
, Amine Bermak
, Atiq Ur Rehman^*

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

The rapid adoption of Internet of Things (IoT) devices has amplified security risks, particularly in post-incident scenarios where accurate device attribution and evidence reconstruction are required. Existing intrusion detection solutions mainly focus on real-time detection and provide limited forensic support after an attack. This paper proposes a phase-aware behavioral fingerprinting framework for post-attack forensic analysis of IoT devices. The approach models normal device behavior and compares it with post-incident activity to identify persistent behavioral deviations caused by compromise. A layered learning strategy is employed, combining supervised detection and attribution with unsupervised anomaly identification to capture residual and previously unseen behaviors. Temporal segmentation into pre-attack, attack, and post-attack phases enables reliable forensic timeline reconstruction and realistic evaluation. Experiments on a real-world IoT traffic dataset demonstrate high detection accuracy, strong generalization to unseen devices, and effective identification of post-attack residual behavior. The framework produces time-aligned forensic evidence that enables reconstruction of attack progression and post-attack behavior.

Original language	English
Pages (from-to)	5541-5552
Number of pages	12
Journal	IEEE Access
Volume	14
DOIs	https://doi.org/10.1109/ACCESS.2026.3651297
Publication status	Published - 2026

Keywords

Accuracy
Authentication
Behavioral fingerprinting
Device compromise
Edge computing
Fingerprint recognition
Forensics
Internet of Things
Internet of Things (IoT)
Intrusion detection
Object recognition
Real-time systems
Security
Surveys

Access to Document

10.1109/ACCESS.2026.3651297

Cite this

@article{bdf2e8c672164d5eaec2303dd4f2663d,

title = "Behavioral Fingerprinting of IoT Devices for Forensic Identification Post-Attack",

abstract = "The rapid adoption of Internet of Things (IoT) devices has amplified security risks, particularly in post-incident scenarios where accurate device attribution and evidence reconstruction are required. Existing intrusion detection solutions mainly focus on real-time detection and provide limited forensic support after an attack. This paper proposes a phase-aware behavioral fingerprinting framework for post-attack forensic analysis of IoT devices. The approach models normal device behavior and compares it with post-incident activity to identify persistent behavioral deviations caused by compromise. A layered learning strategy is employed, combining supervised detection and attribution with unsupervised anomaly identification to capture residual and previously unseen behaviors. Temporal segmentation into pre-attack, attack, and post-attack phases enables reliable forensic timeline reconstruction and realistic evaluation. Experiments on a real-world IoT traffic dataset demonstrate high detection accuracy, strong generalization to unseen devices, and effective identification of post-attack residual behavior. The framework produces time-aligned forensic evidence that enables reconstruction of attack progression and post-attack behavior.",

keywords = "Accuracy, Authentication, Behavioral fingerprinting, Device compromise, Edge computing, Fingerprint recognition, Forensics, Internet of Things, Internet of Things (IoT), Intrusion detection, Object recognition, Real-time systems, Security, Surveys",

author = "Laveeza Tahir and Isha Bukhari and Kashif Munir and Alyamani, \{Hasan J.\} and Amine Bermak and Rehman, \{Atiq Ur\}",

note = "Publisher Copyright: {\textcopyright} 2013 IEEE.",

year = "2026",

doi = "10.1109/ACCESS.2026.3651297",

language = "English",

volume = "14",

pages = "5541--5552",

journal = "IEEE Access",

issn = "2169-3536",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - Behavioral Fingerprinting of IoT Devices for Forensic Identification Post-Attack

AU - Tahir, Laveeza

AU - Bukhari, Isha

AU - Munir, Kashif

AU - Alyamani, Hasan J.

AU - Bermak, Amine

AU - Rehman, Atiq Ur

PY - 2026

Y1 - 2026

N2 - The rapid adoption of Internet of Things (IoT) devices has amplified security risks, particularly in post-incident scenarios where accurate device attribution and evidence reconstruction are required. Existing intrusion detection solutions mainly focus on real-time detection and provide limited forensic support after an attack. This paper proposes a phase-aware behavioral fingerprinting framework for post-attack forensic analysis of IoT devices. The approach models normal device behavior and compares it with post-incident activity to identify persistent behavioral deviations caused by compromise. A layered learning strategy is employed, combining supervised detection and attribution with unsupervised anomaly identification to capture residual and previously unseen behaviors. Temporal segmentation into pre-attack, attack, and post-attack phases enables reliable forensic timeline reconstruction and realistic evaluation. Experiments on a real-world IoT traffic dataset demonstrate high detection accuracy, strong generalization to unseen devices, and effective identification of post-attack residual behavior. The framework produces time-aligned forensic evidence that enables reconstruction of attack progression and post-attack behavior.

AB - The rapid adoption of Internet of Things (IoT) devices has amplified security risks, particularly in post-incident scenarios where accurate device attribution and evidence reconstruction are required. Existing intrusion detection solutions mainly focus on real-time detection and provide limited forensic support after an attack. This paper proposes a phase-aware behavioral fingerprinting framework for post-attack forensic analysis of IoT devices. The approach models normal device behavior and compares it with post-incident activity to identify persistent behavioral deviations caused by compromise. A layered learning strategy is employed, combining supervised detection and attribution with unsupervised anomaly identification to capture residual and previously unseen behaviors. Temporal segmentation into pre-attack, attack, and post-attack phases enables reliable forensic timeline reconstruction and realistic evaluation. Experiments on a real-world IoT traffic dataset demonstrate high detection accuracy, strong generalization to unseen devices, and effective identification of post-attack residual behavior. The framework produces time-aligned forensic evidence that enables reconstruction of attack progression and post-attack behavior.

KW - Accuracy

KW - Authentication

KW - Behavioral fingerprinting

KW - Device compromise

KW - Edge computing

KW - Fingerprint recognition

KW - Forensics

KW - Internet of Things

KW - Internet of Things (IoT)

KW - Intrusion detection

KW - Object recognition

KW - Real-time systems

KW - Security

KW - Surveys

UR - https://www.scopus.com/pages/publications/105026991029

U2 - 10.1109/ACCESS.2026.3651297

DO - 10.1109/ACCESS.2026.3651297

M3 - Article

AN - SCOPUS:105026991029

SN - 2169-3536

VL - 14

SP - 5541

EP - 5552

JO - IEEE Access

JF - IEEE Access

ER -

Behavioral Fingerprinting of IoT Devices for Forensic Identification Post-Attack

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this