Wavelet-Based IoT Device Fingerprinting

Abstract

Accurate fingerprinting of Internet of Things (IoT) devices is essential for network security, management, and anomaly detection. Existing machine-learning-based approaches can be broadly classified into two categories. The first are time-domain-based approaches that infer device identity from aggregated traffic statistics, while effective in dense communication environments, they perform poorly for devices that generate sparse, low-volume, or irregular traffic, which restricts behavioral visibility. The second, radio frequency fingerprinting (RFF), extracts hardware-specific traits from radio frequency signals but is limited in wired or mixed-connectivity IoT networks and lacks behavioral or functional insights. To overcome these limitations, this paper proposes a hybrid fingerprinting framework that integrates network traffic analysis with frequency-domain representations using wavelet transform techniques. This approach captures both temporal and spectral characteristics, combining behavioral and structural perspectives to enable robust and accurate IoT device identification. The proposed system is evaluated on three real-world datasets under multiple experimental scenarios, including (1) device identification, (2) device type classification, (3) scalability with dataset size and complexity, and (4) performance under Distributed Denial-of-Service (DDoS) attack conditions. Experimental results show that wavelet-based features consistently outperform conventional time-domain features across all evaluation metrics, achieving higher accuracy, resilience, and generalization.

1. Introduction

IoT device fingerprinting is the process of identifying and authenticating Internet of Things (IoT) devices by analyzing their unique characteristics—such as radio frequency signal patterns, network traffic behavior, or hardware-specific traits. As IoT deployments expand rapidly across environments like smart homes, healthcare systems, and industrial networks, secure and reliable device identification has become critical. Traditional identifiers like MAC or IP addresses are vulnerable to spoofing and cloning, underscoring the need for more robust, spoof-resistant fingerprinting techniques that leverage hard-to-replicate device-specific features.

Modern approaches employ machine learning, signal processing, and behavioral analysis to streamline device management and enhance security and fingerprinting in increasingly complex and heterogeneous IoT ecosystems. These approaches can generally be classified into two main groups based on the behavior analysis domain.

The first group is the time-domain-based approach, which primarily focuses on analyzing IoT device behavior from the network traffic based on aggregated statistics extracted from dense network traffic. These methods extract features from various levels of network activity, including packet-level, flow-level, and link-layer communication (e.g., Wi-Fi or Ethernet) [1,2]. These approaches have shown promising performance in many scenarios; however, they also face significant limitations. One of the primary challenges is the limited visibility into device behavior, particularly for IoT devices that generate sparse, low-volume, or irregular traffic. Many such devices remain inactive for extended periods and only transmit data during brief, infrequent interactions. In these cases, the time-domain features may appear noisy, inconsistent, or insufficient for constructing accurate and reliable fingerprints.

The second group is frequency-domain-based analysis, which primarily focuses on analyzing IoT device behavior from the radio frequency signals in the frequency domain. Fourier transform or wavelet analysis has primarily been applied to only radio frequency signals [3,4,5], which are emitted by IoT devices at the physical layer during wireless communication. Radio frequency fingerprinting (RFF) identifies devices by analyzing unique physical-layer characteristics of wireless signals, such as amplitude, phase, or modulation imperfections.

RFF is inherently limited in IoT networks with wired or mixed connectivity. Wired devices, such as industrial sensors, medical equipment, or point-of-sale systems connected via Ethernet, transmit data through cables, producing no RF signals for analysis, rendering RFF ineffective in wire-dominant environments like smart factories or medical networks. Moreover, RFF captures only device-specific hardware traits, such as transmitter imperfections, which reflect individual identities but not device function or type. This makes it challenging to identify device types (e.g., distinguishing a smart bulb from a smart thermostat), which is critical for network administrators performing tasks like firmware updates, vulnerability patching, or access control. Moreover, environmental factors like interference or multipath fading can degrade RFF’s effectiveness.

To overcome the limitations of both time-domain and radio frequency-based fingerprinting approaches, we propose a novel solution that leverages the informative richness of network traffic alongside the robustness of frequency-domain representations. Frequency-domain features provide a more stable and discriminative feature space by capturing underlying periodicities, burst patterns, and behavioral rhythms that are often obscured in raw time-series data. Our approach combines the behavioral depth of time-domain analysis with the structural clarity and pattern recognition capabilities of the frequency domain by applying wavelet transform techniques, enabling accurate and resilient IoT device fingerprinting in diverse network environments.

We refer to the proposed solution as Wavelet IoT Device Fingerprint. As illustrated in Figure 1, the system addresses the limitations of radio frequency fingerprinting (RFF) by enabling passive traffic collection from both wired and wireless interfaces at the network gateway level. This approach leverages network traffic characteristics—including flow behavior, packet timing, and communication patterns—that inherently carry device-specific and type-specific signatures. Moreover, wired connections offer more stable and noise-free traffic, improving the reliability of the fingerprinting process. To analyze the network traffic in the frequency domain, the system first converts the network traffic into time-series signals, then applies wavelet transform techniques (such as DWT or WST) to extract multi-resolution patterns across both time and frequency domains. These wavelet coefficients are rich in behavioral information and serve as features for classification. Finally, machine learning models are used to classify devices by their unique identity or device type. By operating in the frequency domain, the Wavelet IoT Device Fingerprint system provides a resilient and comprehensive solution for IoT device identification and classification.

This work is, to the best of our knowledge, the first to apply wavelet-based analysis (DWT and WST) to network-traffic signals specifically for the purpose of IoT device fingerprinting, and the first to conduct a systematic and comparative evaluation of these wavelet techniques across three distinct datasets. While wavelet-based analysis has been used for anomaly detection and intrusion detection [6,7,8,9,10,11], these domains focus on identifying deviations from established norms to detect suspicious or malicious behavior. In contrast, device fingerprinting is a fundamentally different problem: rather than detecting anomalies, it aims to uncover stable and distinctive patterns in device behavior that are consistent over time and unique to each device or device type. This distinction is critical, as techniques effective in anomaly detection do not necessarily translate to robust fingerprinting.

Moreover, prior works in IoT device fingerprinting have largely overlooked two critical evaluation dimensions: the impact of dataset size and complexity on model accuracy [12] and the performance of fingerprinting methods under cyberattacks such as DDoS attacks [12,13]. In this study, we address these gaps by evaluating the proposed wavelet-based fingerprinting approach under both different size, heterogeneous datasets and adversarial conditions. We examine how increasing the number and diversity of IoT devices affects classifier performance and assess the system’s resilience during DDoS attacks. This provides a more realistic measure of the model’s scalability and robustness in complex, real-world IoT environments.

We evaluate the proposed wavelet-based fingerprinting solution on three IoT datasets of varying sizes and complexity: the CIC IoT Dataset 2022 [14], the IoT Device Classification Dataset by Sivanathan et al. [15], and the CIC IoT Dataset 2023 [16]. The results show a clear advantage in accuracy, with the approach effectively identifying both individual devices and device types. It also demonstrates robustness to network heterogeneity and maintains acceptable performance under DDoS attack conditions, making it well-suited for scalable and secure IoT environments.

The rest of this paper is organized as follows: Section 2 reviews the related work. Section 3 introduces the proposed approach. Section 4 presents the experimental setup and the results, followed by a discussion in Section 5. Finally, Section 6 concludes the paper and outlines potential directions for future research.

2. Related Work

In prior work, numerous methods have been proposed to profile IoT devices based on their network behavior. These approaches can generally be categorized into two main groups, depending on the domain of analysis: time-domain-based methods and frequency-domain-based methods.

2.1. Time-Domain-Based Methods

Time-domain-based methods rely on aggregated statistics features extracted from classic network traffic. These features typically include packet-level attributes such as packet size, inter-arrival time, and packet count, along with flow-level metrics like session duration, total byte and packet counts, and protocol types. Additionally, many approaches incorporate statistical descriptors computed over time-based segments or flow aggregates to capture variability and summarize behavioral trends. Common statistical measures include the maximum, minimum, mean, median, and standard deviations. These features are widely adopted due to their accessibility through standard packet capture tools (e.g., Wireshark, tcpdump) and their correlation with device-specific communication patterns. Examples of studies using these features are those by Bruhadeshwar et al. [17], Hamad et al. [18], Fan et al. [19], Meidan et al. [20], Miettinen et al. [21], Sivanathan et al. [15,22], Thangavelu et al. [23], and Xu et al. [24].

In addition to traditional network-layer traffic features, data link layer attributes derived from IEEE 802.11 MAC frames have gained prominence, particularly in wireless IoT environments. These features provide finer-grained insights into transmission behavior and include metrics such as inter-frame arrival intervals, frame size distributions, beacon interval consistency, probe request frequency, and frame retransmission rates. Such characteristics are often unique to specific device types, manufacturers, or operating systems and are not easily spoofed or altered by users. Studies by Alyami et al. [25], Martin et al. [26], Gu et al. [27], and Robyns et al. [28] have illustrated the utility of MAC-layer features for device identification and fingerprinting in Wi-Fi networks. By analyzing low-level behaviors that are inherent to the device’s wireless communication stack, these methods provide valuable complementary data to higher-layer traffic analysis, improving accuracy and resilience against obfuscation techniques.

Time-domain approaches have shown promising performance in many scenarios; however, they also face significant limitations. One of the primary challenges is their limited visibility into device behavior, particularly for IoT devices that generate sparse, low-volume, or irregular traffic. Many such devices remain inactive for extended periods and only transmit data during brief, infrequent interactions. In these cases, the time- domain features may appear noisy, inconsistent, or insufficient for constructing accurate and reliable fingerprints.

2.2. Frequency-Domain Methods

Frequency-domain methods extract discriminative features from radio frequency signals and serve as the foundation for radio frequency fingerprinting (RFF). These methods capitalize on the fact that every wireless device introduces unique, hardware-induced imperfections into its transmitted signals due to variations in manufacturing processes. To capture these characteristics, frequency-domain approaches transform raw time-domain radio frequency signals using signal processing techniques such as the Fast Fourier Transform (FFT) or wavelet decomposition. These transformations reveal the underlying spectral content and energy distribution across frequencies, enabling the extraction of robust features that are often invariant to higher-layer protocol obfuscation or traffic encryption.

Köse et al. [29] uses the energy spectrum of transmitter turn-on transients via FFT to fingerprint IEEE 802.11 devices. Taşcıoğlu et al. [30] analyzes how sampling rate affects transient-based fingerprinting of Wi-Fi transmitters using probabilistic neural network classification. Galtier et al. [31] fingerprints devices using Power Spectral Density (PSD) profiles of RF signals, yielding 85% precision/recall. Xie et al. [32] uses Wavelet multi-resolution + coherent integration + G-SVM to identify nRF24 transmitters. Lui et al. [33] proposed a distributed sensor system utilizing incremental learning to enhance radio frequency fingerprint (RFF) identification for wireless device authentication. Zhou et al. [34] propose a radio frequency fingerprint (RFF) verification scheme based on the generative Gaussian probabilistic linear discriminant analysis (GPLDA) model. It decomposes the received feature vector into a device identity vector and a noise vector, both modeled as independent Gaussian distributions. By capturing the generative process of identity vectors, the model can also generalize to identify previously unseen devices. Shi et al. [35] use squared cross power spectral density (SCPSD) features to obtain radio frequency fingerprint (RFF) representations. They theoretically analyze the impact of noise on SCPSD and validate the effectiveness and robustness of the proposed scheme through simulation experiments. The use of wavelet transforms in IoT device fingerprinting is well-supported by the literature by focusing uniquely on radio frequency signal. Mutala et al. [36] use Continuous Wavelet Transform (CWT) + U-Net to extract and denoise frequency–time patterns from Wi-Fi signals. They achieved 95.4% accuracy at 10 dB and 89.5% at 5 dB for identical-model devices.

Radio frequency fingerprinting (RFF) is limited in IoT networks with wired or hybrid connectivity, as it depends on wireless signal imperfections that wired devices do not produce. Devices like industrial sensors or point-of-sale systems connected via Ethernet bypass RF analysis entirely. Moreover, RFF identifies device hardware but not its functional type, making it unsuitable for management tasks like firmware updates or access control. Its performance also degrades under interference and signal distortion. As wired infrastructure becomes more common in critical IoT systems, RFF’s lack of applicability and scalability makes it insufficient for comprehensive device identification. Amamra et al. [37] addressed the limitations of traditional RF fingerprinting (RFF) by analyzing IoT network traffic in the frequency domain using the Fourier Transform. They introduced two novel fingerprint representations: the Spectral-Only Frequency Fingerprint (SFF) and the Spectro-Correlative Frequency Fingerprint (SCFF). These approaches shift the analysis of network behavior from the time domain to the frequency domain, enabling the extraction of richer, more distinctive, and noise-resilient device signatures. From a theoretical perspective, FFT-based methods provide a global frequency representation and implicitly assume stationarity over the analysis window, which limits their ability to capture transient and nonstationary patterns commonly present in IoT network traffic. In contrast, wavelet-based representations (DWT and WST) offer time–frequency localization and multi-resolution analysis, enabling the extraction of device-specific traffic dynamics that evolve over time and are not well captured by global spectral features. To further delineate the innovation boundary, we have expanded the discussion to emphasize that our contribution lies not merely in applying a different transform, but in systematically integrating wavelet-based features with network-traffic-level IoT fingerprinting and evaluating their stability, robustness, and classifier compatibility.

3. The Proposed Solution

The proposed system processes raw network traffic from both wired and wireless IoT devices at the gateway level through a structured multi-stage pipeline, as shown in Figure 2. First, the Traffic-to-Image Encoder converts packet-level data into a 2D time series traffic image that captures temporal and volumetric patterns. Next, the Feature Extraction stage applies wavelet techniques (DWT or WST) to analyze time-series signals and generate multi-scale coefficients that reflect device-specific behaviors. In the Feature Reduction stage, PCA is used to reduce feature dimensionality, enhancing efficiency and classification accuracy by removing redundancy and noise. Finally, the Decision Engine employs machine learning models—including SVM, RF, XGB, and KNN—to classify devices by identity or type, enabling robust and scalable fingerprinting across diverse and heterogeneous IoT networks.

3.1. Traffic-to-Image Encoder

The “Traffic-to-Image” encoder is a core component of the proposed pipeline, responsible for transforming raw network traffic traces into structured time-series representations suitable for multi-resolution wavelet analysis. As illustrated in Figure 3, the encoder operates through four sequential phases: (1) network traffic feature selection, in which relevant traffic-level features are extracted from raw network traffic traces to capture essential temporal and statistical characteristics; (2) time-series signal construction, where the selected features are organized into uniformly sampled temporal sequences at a fixed resolution; (3) signal conditioning, including denoising and normalization to ensure numerical stability and compatibility with wavelet-based transformations; and (4) 2D embedding stack, where the conditioned time-series signals are arranged into structured two-dimensional representations that preserve temporal locality and inter-feature relationships and serve as direct input to the wavelet transform stages.

3.1.1. Feature Selection

Select a set of features from raw network traffic data that are sufficiently distinctive to characterize IoT devices uniquely. These features capture device-specific behaviors, such as packet frequency or data volume, to facilitate accurate fingerprinting. The eight traffic-derived time-series features that have proven useful for fingerprinting IoT devices follow.

• Transmitted Packet Count (Tx Packets), the number of packets sent by an IoT device within a specified time window.
• Received Packet Count (Rx Packets), the number of packets received by an IoT device within a specified time window.
• Tx/Rx Packet Ratio, the ratio of transmitted to received packets within a time window.
• Outbound Payload Size, the total size of data sent by an IoT device within a specified time window.
• Inbound Payload Size, the total size of data received by an IoT device within a specified time window.
• Outbound-to-Inbound Payload Ratio, the ratio of outbound to inbound payload sizes (e.g., total outbound bytes/total inbound bytes) within a time window.
• Mean inter-arrival time (IAT), the average gap between successive packets.
• TCP window size, reflects the device’s memory and processing capacity, offering a hardware-dependent fingerprint, while TCP window size may also be affected by operating system and network stack configurations, its combination with additional transport-layer, physical-layer, and timing-related features provides a more reliable composite fingerprint.

3.1.2. Time-Series Construction

A time series is a sequence of data points gathered at consistent intervals, capturing the temporal evolution of a specific feature. In IoT device fingerprinting, these sequences are derived from network traffic features to reveal device-specific behavioral patterns which differ across device types like smart cameras, thermostats, lights, or sensors. The process starts by segmenting the traffic observation period into fixed-length time windows of duration $\Delta t$ (e.g., 1 s, 1 min, or 1 h), shorter windows (e.g., 1 s) enable detailed, real-time behavior analysis, while longer windows (e.g., 1 min) reduce short-term noise, suiting long-term trend analysis. These windows are indexed as $t_1,t_2,\dots ,t_N$, where each $t_i$ covers the interval $[t_i,t_i+\Delta t)$. Within each window $t_i$, feature extraction computes relevant metrics from observed packets, such as packet count or total bytes transferred. These values are then compiled into a time series for each feature, creating sequences like $\{X\left(t_1\right),X\left(t_2\right),\dots ,X\left(t_N\right)\}$, where X represents the specific feature.

Below, we provide the mathematical formulation for constructing the time series for each of the eight specified features:

• Transmitted Packet Count (Tx Packets): Let $P_{out}\left(t_i\right)=\{p_1,p_2,\dots ,p_{n_i}\}$ be the set of $n_i$ packets sent by the device (source IP matches the device’s IP) in window $t_i$. The transmitted packet count is

  $$C_{out}\left(t_i\right)=n_i$$

  (1)
  If no packets are sent, $C_{out}\left(t_i\right)=0$. Time Series: The sequence $\{C_{out}\left(t_1\right),C_{out}\left(t_2\right),\dots ,$$C_{out}\left(t_N\right)\}$ forms the time series.
• Received Packet Count (Rx Packets): Let $P_{in}\left(t_i\right)=\{p_1,p_2,\dots ,p_{m_i}\}$ be the set of $m_i$ packets received by the device (destination IP matches the device’s IP) in window $t_i$. The received packet count is

  $$C_{in}\left(t_i\right)=m_i$$

  (2)
  If no packets are received, $C_{in}\left(t_i\right)=0$. Time Series: The sequence $\{C_{in}\left(t_1\right),C_{in}\left(t_2\right),\dots ,$$C_{in}\left(t_N\right)\}$ forms the time series.
• Tx-Rx Packet Ratio: Using the packet counts from above:

  $$R_{packets}\left(t_i\right)={\displaystyle \frac{C_{out}\left(t_i\right)}{C_{in}\left(t_i\right)}}\mathrm{if}{C}_{in}\left(t_i\right)>0.$$

  (3)
  Edge Case Handling:

  –

  If $C_{in}\left(t_i\right)=0$, set $R_{packets}\left(t_i\right)=\infty$ or a large constant to indicate purely outbound traffic.

  –

  If $C_{out}\left(t_i\right)=0$ and $C_{in}\left(t_i\right)>0$, set $R_{packets}\left(t_i\right)=0$.

  –

  If both are zero, set $R_{packets}\left(t_i\right)=0$.

• Outbound Payload Size: Let $P_{out}\left(t_i\right)=\{p_1,p_2,\dots ,p_{n_i}\}$ be the set of outgoing packets, with $s_j$ as the payload size of packet $p_j$. Total Outbound Payload Size:

  $$S_{out}\left(t_i\right)=\sum _{j=1}^{n_i}{s}_j$$

  (4)
• Inbound Payload Size: Let $P_{in}\left(t_i\right)=\{p_1,p_2,\dots ,p_{m_i}\}$ be the set of incoming packets, with $s_j$ as the payload size. Total Inbound Payload Size:

  $$S_{in}\left(t_i\right)=\sum _{j=1}^{m_i}{s}_j$$

  (5)
• Outbound-to-Inbound Payload Ratio: Using the payload sizes from above:

  $$R_{payload}\left(t_i\right)={\displaystyle \frac{S_{out}\left(t_i\right)}{S_{in}\left(t_i\right)}}\mathrm{if}{S}_{in}\left(t_i\right)>0$$

  (6)
  Edge Case Handling:

  –

  If $S_{in}\left(t_i\right)=0$, set $R_{payload}\left(t_i\right)=\infty$ or a large constant.

  –

  If $S_{out}\left(t_i\right)=0$, set $R_{payload}\left(t_i\right)=0$.

  –

  If both are zero, set $R_{payload}\left(t_i\right)=0$.

• Mean Inter-Arrival Time (IAT): Let $P_{out}\left(t_i\right)=\{p_1,p_2,\dots ,p_{n_i}\}$ be the set of outgoing packets in window $t_i$, with timestamps ${\tau }_j$. Compute inter-arrival times: $\Delta {\tau }_j={\tau }_{j+1}-{\tau }_j$ for $j=1,2,\dots ,n_i-1$. The mean IAT is

  $$\begin{array}{c}\hfill IAT\left(t_i\right)={\displaystyle \frac{1}{n_i-1}}\sum _{j=1}^{n_i-1}({\tau }_{j+1}-{\tau }_j)\mathrm{if}{n}_i>1,\\ \hfill \mathrm{else}IAT\left(t_i\right)=0\end{array}$$

  (7)
• TCP Window Size: Let $P_{TCP}\left(t_i\right)=\{p_1,p_2,\dots ,p_{l_i}\}$ be the set of $l_i$ TCP packets (sent or received) in window $t_i$, with TCP window size $w_j$ for packet $p_j$. The average TCP window size is

  $$W\left(t_i\right)={\displaystyle \frac{1}{l_i}}\sum _{j=1}^{l_i}{w}_j\mathrm{if}{l}_i>0,\mathrm{else}W\left(t_i\right)=0$$

  (8)

3.1.3. Signal Conditioning

Signal conditioning is a critical preprocessing phase in constructing time series for IoT device fingerprinting, ensuring that network traffic data is clean, consistent, and suitable for subsequent analysis, such as wavelet transforms. This process involves several key steps to address noise, scale differences, and incomplete data, which can otherwise obscure device-specific patterns. The primary steps include:

• Denoising: This step is designed to enhance the clarity and reliability of the time-series data before further analysis. This step involves outlier removal, which targets extreme values caused by network anomalies—such as sudden spikes from retransmissions, scanning activity, or misconfigured devices. We use interquartile range (IQR) filtering [38], where values falling outside a defined range are considered outliers and replaced with the boundary values. The IQR multiplier is used to identify outliers by defining thresholds based on the interquartile range (IQR). Specifically, data points are flagged as outliers if they fall below the lower bound $Q1-1.5\times IQR$ or above the upper bound $Q3+1.5\times IQR$. To apply this method, we first compute $Q1$, $Q3$, and the $IQR$ using only the training set, then derive the lower and upper bounds from the selected multiplier. These bounds are subsequently applied to the training data to remove outliers and consistently used on the validation, test, and unseen data to filter or flag anomalous instances. When $IQR=Q3-Q1=0$, we use a stabilized denominator:

  $$IQ{R}_{safe}=max(IQR,ϵ)$$

  (9)

  where $ϵ={10}^{-6}$ (a fixed constant). This removes the ambiguity of ∞ or a large constant, and ensures deterministic behavior. We explicitly confirm that all preprocessing parameters are fitted on the training set only—including Q1, Q3, the IQR-based bounds, and the scaling transformation—and the resulting parameters are applied unchanged to validation and test sets to prevent leakage. Finally, we include a minimal sensitivity analysis by varying $ϵ$ over several orders of magnitude (${10}^{-3}$, ${10}^{-6}$, ${10}^{-9}$). The results show negligible variation across this range, indicating that the reported outcomes are not sensitive to the specific stabilization constant while ensuring numerical stability in zero-IQR cases.
• Normalization: Normalization maps each time series to a comparable range to ensure that amplitude differences do not dominate subsequent analysis, particularly when features like packet counts and payload sizes have vastly different scales. We use min–max normalization, which scales the series to a fixed range (e.g., [0, 1]) using the formula

  $$x^{\prime }={\displaystyle \frac{x-min\left(x\right)}{max\left(x\right)-min\left(x\right)}}$$

  (10)
  For IoT fingerprinting, normalizing packet counts (e.g., tens to hundreds) and payload sizes (e.g., bytes to kilobytes) ensures that no single feature overshadows others in models like wavelet analysis or machine learning classifiers.

3.1.4. 2D Embedding Stack

The 2D Embedding Stack step combines multiple preprocessed time-series signals, each representing a selected network traffic feature, into a unified 2D matrix or “traffic image.” In this matrix, rows correspond to fixed-length time windows (e.g., 300 s), and columns represent individual features, forming a structure suitable for wavelet transform (WT) analysis. This representation enables WT to capture both temporal correlations (across rows) and feature interactions (across columns). To formalize this process, assume we have F preprocessed time-series signals (one per feature), each defined over T time windows of equal duration. Let the f-th feature’s time-series be represented as a vector:

$${\mathbf{s}}_f={[s_f\left(1\right),\dots ,s_f\left(T\right)]}^T\in {\mathbb{R}}^T,f=1,2,\dots ,F$$

(11)

where $s_f\left(t\right)$ is the value of feature f at time window t, and T is the number of time windows.

The 2D Embedding Stack combines the K time-series into a 2D matrix $\mathbf{M}$ by stacking them column-wise:

$$\mathbf{M}=[{\mathbf{s}}_1,{\mathbf{s}}_2,\dots ,{\mathbf{s}}_F]\in {\mathbb{R}}^{T\times F}$$

(12)

• Rows (T): Number of time windows (temporal dimension).
• Columns (F): Number of features (feature dimension).
• Element-wise:

  $$\mathbf{M}(t,f)=s_f\left(t\right),t=1,2,\dots ,T,f=1,2,\dots ,F$$

  where $\mathbf{M}(t,f)$ is the value of feature f at time window t.

Algorithm 1 shows the 2D Embedding Stack steps.

Algorithm 1: 2D Embedding Stack

1: Input: Set of preprocessed time-series features $\{{\mathbf{s}}_1,{\mathbf{s}}_2,\dots ,{\mathbf{s}}_F\}$, each of length T 2: Initialize an empty matrix $\mathbf{M}$ with dimensions T rows × F columns 3: for each feature index $f=1$ to F do 4:     for each time window index $t=1$ to T do 5:         $\mathbf{M}[t,f]\leftarrow s_f\left(t\right)$ 6:     end for 7: end for 8: return $\mathbf{M}$

3.2. Wavelet Transform

Wavelet transform [39,40,41,42] is a versatile signal processing technique widely used in fields such as signal processing, biomedical analysis, telecommunications, and anomaly detection due to its ability to analyze signals in both the time and frequency domains. It excels at capturing transient features, localized patterns, and multi-scale structures. Common variants include Continuous Wavelet Transform (CWT), Discrete Wavelet Transform (DWT), Packet Wavelet Transform (PWT), and Wavelet Scattering Transform (WST), each differing in resolution, redundancy, computational cost, and application suitability.

This work focuses on DWT and WST. DWT effectively captures low-frequency, steady-state patterns in IoT traffic, useful for identifying baseline device behaviors, while WST offers a deeper, hierarchical representation—producing stable, translation-invariant features across multiple layers. Further details on DWT and WST, and their roles in our system, are provided in the following sections.

3.2.1. Discrete Wavelet Transform (DWT)

DWT decomposes a signal into a set of wavelet coefficients using a series of low-pass and high-pass filters, followed by down sampling. These coefficients represent the signal at different scales (frequencies) and time shifts. DWT helps capture unique patterns in network traffic time series signals [43,44].

DWT represents a signal $x\left(t\right)$ as a sum of scaled and shifted versions of a mother wavelet $\psi \left(t\right)$ and a scaling function $\varphi \left(t\right)$. The signal is decomposed into:

• Approximation coefficients: Representing low-frequency (smooth) components.
• Detail coefficients: Representing high-frequency (rapidly changing) components.

The decomposition is performed iteratively, producing a multi-resolution analysis of the signal. For a discrete signal $x\left[n\right]$, the wavelet and scaling functions are defined at scale j and position k:

$$\begin{array}{cc}\hfill {\psi }_{j,k}\left(n\right)& =2^{-j/2}\psi (2^{-j}n-k),\hfill \\ \hfill {\varphi }_{j,k}\left(n\right)& =2^{-j/2}\varphi (2^{-j}n-k)\hfill \end{array}$$

(13)

where j is the scale index and k is the time shift.

DWT uses a filter bank approach to decompose the signal:

• Low-pass filter $h\left[n\right]$: Corresponds to the scaling function, producing approximation coefficients.
• High-pass filter $g\left[n\right]$: Corresponds to the wavelet function, producing detail coefficients.

At each level j, the signal is convolved with these filters and downsampled by 2 (decimation):

$$\begin{array}{c}\hfill c{A}_j\left[k\right]=\sum _{n}x\left[n\right]h[2k-n],\\ \hfill c{D}_j\left[k\right]=\sum _{n}x\left[n\right]g[2k-n]\end{array}$$

(14)

where $c{A}_j$ are approximation coefficients and $c{D}_j$ are detail coefficients at level j.

The process is applied recursively to the approximation coefficients $c{A}_j$ to obtain the next level’s coefficients:

$$\begin{array}{c}\hfill c{A}_{j+1}\left[k\right]=\sum _{n}c{A}_j\left[n\right]h[2k-n],\\ \hfill c{D}_{j+1}\left[k\right]=\sum _{n}c{A}_j\left[n\right]g[2k-n]\end{array}$$

(15)

For a signal of length N, the decomposition typically continues for $J=\lfloor {log}_{2}N\rfloor$ levels or fewer, depending on the desired resolution.

The output of DWT is a set of coefficients: $\{c{A}_J,c{D}_J,c{D}_{J-1},\dots ,c{D}_1\}$, where $c{A}_J$ captures the coarsest (low-frequency) components and $c{D}_j$ captures finer (high-frequency) details at each level j.

3.2.2. Wavelet Scattering Transform (WST)

WST is a multi-layer signal-processing pipeline that applies a bank of wavelet filters at many scales, takes the modulus of the resulting coefficients to discard fragile phase information, and then performs a local average that builds translation invariance [45,46]. Cascading this trio of operations two or three times yields a hierarchical set of coefficients—called scattering coefficients—with three crucial properties:

• Translation invariance: Because coefficients are locally averaged, a traffic burst that slides forward or backward in time produces nearly the same representation. This matters when packet captures start at arbitrary instants.
• Stability to small deformations: Minor changes in packet timings or sizes perturb the coefficients only slightly, so day-to-day device noise does not break the fingerprint.
• Rich multi-scale detail: Each stage captures longer-range interactions between frequency bands, allowing the fingerprint to reflect both coarse trends (e.g., periodic telemetry beacons) and fine-grained quirks (e.g., millisecond-level jitter).

How the Wavelet Scattering Transform Works

• Input: 2D matrix $X(t,f)$, where t is time windows, f is F network traffic features.
• First Layer:

  –

  Wavelet Convolution: Convolve each $X(:,f)$ with wavelets ${\psi }_j\left(t\right)$ (scales $j=1,\dots ,J$): $W_{j}X(t,f)=X(:,f)\ast {\psi }_j\left(t\right)$.

  –

  Nonlinear Modulus: Compute $S_1[j,t,f]=\left|W_{j}X(t,f)\right|$, forming a 3D array.

  –

  Low-Pass Filter: Apply $\varphi \left(t\right)$ to get zeroth-order coefficients: $S_0[t,f]=X(:,f)\ast \varphi \left(t\right)$.

• Second Layer:

  –

  Wavelet Convolution: Convolve $|W_{j}X(t,f)|$ with wavelets ${\psi }_k\left(t\right)$: $W_k\left|W_{j}X(t,f)\right|$.

  –

  Nonlinear Modulus: Compute $S_2[j,k,t,f]=\left|\right|W_{j}X(t,f)|\ast {\psi }_k\left(t\right)|$.

  –

  Low-Pass Filter: Apply $\varphi \left(t\right)$: $S_2[j,k,f]=S_2[j,k,t,f]\ast \varphi \left(t\right)$.

• Output: Concatenate coefficients:

  –

  Zeroth Order: $S_0\left[f\right]=X(:,f)\ast \varphi \left(t\right)$ (1D vector).

  –

  First Order: $S_1[j,f]=|X(:,f)\ast {\psi }_j\left(t\right)|\ast \varphi \left(t\right)$ (2D matrix).

  –

  Second Order: $S_2[j,k,f]=\left|\right|X(:,f)\ast {\psi }_j\left(t\right)|\ast {\psi }_k\left(t\right)|\ast \varphi \left(t\right)$ (3D array).

  –

  Form translation-invariant feature vector for IoT device fingerprinting.

3.2.3. Time Complexity Analysis of DWT and WST

The time complexity analysis of the DWT and WST is crucial for understanding their applicability in real-world IoT environments. The DWT has a linear time complexity of $O\left(N\right)$ where N is the length of the input signal [39,47]. In contrast, the WST is more computationally intensive, with a complexity of approximately $JQNlogN$, where J is the number of scattering scales, Q is the number of wavelet filters per scale, and N is the signal length. This increased cost stems from its use of multiple layers of convolution, modulus operations, and averaging filters [48,49].

In practice, the choice between DWT and WST depends on the trade-off between computational efficiency and feature robustness. For real-time IoT fingerprinting on edge devices, DWT’s lower complexity is advantageous. For cloud-based analytics requiring high accuracy, WST’s enhanced feature extraction justifies its increased computational demand.

3.3. Feature Reduction

Principal Component Analysis (PCA) is an effective dimensionality reduction technique used in our approach to simplify the high-dimensional feature space generated by DWT or WST, while preserving key signal characteristics for IoT device fingerprinting. Wavelet coefficients capture rich, multi-scale patterns in traffic data such as packet counts or volume trends, but often include redundancy and noise. PCA addresses this by projecting the data onto a lower-dimensional subspace defined by the principal components—directions that retain the most variance—thus reducing complexity and enhancing feature quality. This improves the efficiency and accuracy of machine learning models, lowers computational cost, and reduces overfitting, making it ideal for large-scale or resource-constrained IoT environments.

3.4. Decision Engine

Decision Engine is responsible for the final classification of IoT devices. This module leverages a set of different machine learning classifiers to predict either the individual identity or the device type based on the transformed wavelet-derived features. The classifiers used in this work include:

• Support Vector Machine (SVM): SVM constructs an optimal hyperplane that maximizes the margin between classes in the reduced feature space.
• Random Forest (RF): RF is an ensemble learning method that builds multiple decision trees during training and aggregates their outputs for classification.
• XGBoost (XGB): XGBoost is a high-performance, gradient-boosting framework that constructs additive decision trees in a sequential manner to minimize classifi- cation errors.
• K-Nearest Neighbors (KNN): KNN is a non-parametric algorithm that classifies a new instance based on the majority label of its closest neighbors in the feature space.

4. Experiments and Results

In this section, we present the datasets, the evaluation scenarios, and the experimental results used to assess the effectiveness of the proposed wavelet-based IoT device fingerprinting solution.

To evaluate the system’s performance, we compare the proposed approach against baseline models that utilize traditional time-domain features that aggregate statistics extracted from network traffic. The baseline models are designed to ensure a fair and controlled comparison by using the same machine learning classifiers and being trained on the same datasets as the proposed method. The only variation between the baseline and the proposed system lies in the feature representation: the baseline models rely on a set of eight time-domain features, which also serve as the input for the proposed method and generate the wavelet-based features used in our approach.

To provide a comprehensive and quantitative assessment, we employ standard performance metrics commonly used in machine learning and classification tasks, including:

• Accuracy: Measures overall correctness of classification.
• Precision: Assesses how many of the identified devices were correctly classified.
• Recall: Measures the model’s ability to correctly identify all relevant devices.
• F1-Score: Provides a balance between precision and recall.

Macro-averaged precision, recall, and F1-score are used as the primary evaluation metrics in this work to provide a fair and robust assessment of IoT device fingerprinting performance under class imbalance. These metrics are computed by evaluating precision, recall, and F1-score independently for each device class and then taking their unweighted average, thereby ensuring that all devices contribute equally to the final evaluation regardless of traffic volume or class frequency.

The evaluation of the proposed wavelet-based IoT fingerprinting solution is conducted across different distinct experimental scenarios, each designed to assess a specific dimension of the system’s performance, scalability, and robustness:

• Scenario 1: Sampling Rate Sensitivity Analysis.
• Scenario 2: Feature Reduction Analysis.
• Scenario 3: Individual Device Identification Under Normal Conditions.
• Scenario 4: Device Type Identification Under Normal Conditions.
• Scenario 5: Performance Under Adversarial Conditions.

Each scenario targets a unique evaluation objective—ranging from fine-grained device recognition to generalized type classification, and resilience against malicious or abnormal traffic. Together, these scenarios provide a comprehensive framework for validating the effectiveness of the proposed solution under realistic and security-relevant conditions. Detailed descriptions of these scenarios are provided in the corresponding section.

Our learning instances are traffic windows of 300 s extracted with no overlap. To prevent temporal and near-duplicate leakage between partitions, we define sessions as time-block sessions: for each device, the traffic timeline is partitioned into contiguous non-overlapping time blocks of 15–30 min (block length), and all windows whose timestamps fall within the same time block are assigned the same $sessio{n}_{i}d$. We then construct a grouping key $grou{p}_{i}d=(devic{e}_{i}d,sessio{n}_{i}d)$ and perform the 70–15–15% train–validation–test split using GroupShuffleSplit, ensuring that all windows from the same device and time block remain entirely within a single partition. The fixed seed (seed = 42) is retained to make this grouping-based split reproducible. To quantify the stability and reliability of the reported performance, we evaluate all models using repeated fully grouped 5-fold cross-validation, where grouping is enforced at the session (time-block) level to prevent temporal and near-duplicate leakage between folds.

For each metric, performance is first computed independently on each fold and then aggregated. In addition to reporting mean ± standard deviation, we explicitly quantify uncertainty by computing 95% confidence intervals (CIs) across folds using the standard normal approximation. Specifically, given the fold-level standard deviation and the number of folds $n=5$, the 95% CI is computed as $\mu =\pm 1.96\times \sigma /\sqrt{(}n)$. For clarity and transparency, the reported standard deviations are consistent with—and derived from—these confidence intervals, ensuring that variability and uncertainty are directly interpretable and reproducible. This dual reporting of mean ± standard deviation and explicit confidence intervals provides a rigorous assessment of result stability, particularly important given the near-perfect performance observed in several configurations.

In cases where the denominator (e.g., payload size) is zero for packet/payload ratios, we replace the undefined value with a large constant (specifically, ${10}^6$ in our implementation, chosen to exceed typical ratio scales in the dataset by several orders of magnitude). This avoids direct representation of infinity, which can introduce numerical instability in floating-point operations. However, we recognize that such substitutions can indeed act as an uncontrolled parameter if not addressed further. To mitigate this, in the implementation, prior to normalization and extraction of downstream wavelet features, we explicitly identify these large constants as outliers and eliminate the affected samples or features from the dataset. This is done via a simple threshold-based filter (values $>{10}^6$ are flagged and removed), ensuring they do not propagate into the normalization process or influence wavelet decomposition. In our experiments, this filtering impacted less than 0.5% of the data points, and sensitivity analyses (re-running models with varied constants ${10}^3$, ${10}^6$, ${10}^9$) showed negligible changes in overall accuracy (<0.1% variance in F1 scores), supporting that our near-perfect results are robust and not materially dependent on this parameter.

4.1. Machine Learning Algorithms

Four distinct machine learning algorithms—K-Nearest Neighbors (KNN), Support Vector Machine (SVM), Random Forest (RF), and XGBoost (XGB)—were employed to represent four different families of machine learning techniques. These algorithms were selected because they have been widely adopted in prior research and allow the diverse properties of the extracted wavelet features to be systematically examined. The KNN classifier was applied as an instance-based learning method, in which each sample was classified by computing its distance to the k nearest training instances in the feature space. Through this mechanism, local geometric patterns within the feature vectors were effectively captured. The SVM classifier was used as a kernel-based discriminative model. In this approach, class boundaries were determined by identifying an optimal separating hyperplane that maximizes the margin between classes in a suitably transformed feature space, allowing complex and nonlinear separations to be modeled. The RF algorithm was incorporated as an ensemble technique drawn from the decision tree family. Multiple decision trees were constructed through randomized feature selection and bootstrapped sampling, and their outputs were aggregated to produce final predictions. This ensemble formulation was shown to enhance robustness against overfitting while capturing hierarchical and nonlinear relationships within frequency- and wavelet-domain representations. The XGB classifier was employed as a gradient-boosting-based ensemble method, in which trees were sequentially constructed to correct the residual errors of prior trees. Through its use of second-order gradient information, regularization, and optimized tree growth, XGB was able to model subtle boundary structures and complex interactions in the wavelet feature space with high predictive stability. Collectively, these algorithms—differing in their underlying assumptions, decision boundaries, and learning biases—enabled a comprehensive examination of the geometric, hierarchical, and discriminative characteristics encoded within the extracted wavelet features.

Model hyperparameters were selected manually rather than through automated search methods such as GridSearchCV or Bayesian optimization. This manual approach was chosen based on prior empirical experience with similar datasets and to maintain computational efficiency during experimentation.

Table 1. Hyperparameters of machine learning algorithms.

Model	Tested Hyperparameters	Selected Hyperparameters
SVM	kernel = {rbf, linear}, C = {0.1, 1.0, 10}, gamma = {0.01, 0.1, 1.0}	kernel = rbf, C = 1.0, gamma = 0.1
KNN	k = {3, 5, 7, 9}, metric = {euclidean, manhattan}, weights = {uniform, distance}	k = 5, metric = euclidean, weights = distance
Random Forest	n_estimators = {50, 100, 200}, max_depth = {10, 20, 30}	n_estimators = 100, max_depth = 20
XGBoost	n_estimators = {50, 100, 200}, max_depth = {4, 6, 8}, learning_rate = {0.05, 0.1, 0.2}	n_estimators = 100, max_depth = 6, learning_rate = 0.1

summarizes the algorithms hyperparameters that have been used.

4.2. Datasets

To evaluate the effectiveness and generalizability of the proposed wavelet-based IoT device fingerprinting approach, we utilize three publicly available datasets: the CIC IoT Dataset 2022 [14], the UNSW IoT Device Classification Dataset by Sivanathan et al. [15], and the CIC IoT Dataset 2023 [16]. These datasets collectively provide a rich and diverse foundation for experimentation and validation.

We selected these datasets based on their varying sizes, levels of complexity, and degrees of heterogeneity, to thoroughly evaluate the scalability and robustness of our proposed fingerprinting approach. The CIC IoT Dataset 2023 is the largest and most comprehensive, featuring 105 IoT devices deployed in a complex network topology with support for multiple communication protocols, including Wi-Fi, Zigbee, and Z-Wave. This dataset reflects a highly realistic and challenging environment, including both benign and malicious traffic. The CIC IoT Dataset 2022 is moderate in scale, containing 60 devices and offering acceptable heterogeneity with multi-protocol support, though it operates within a simpler network structure. In contrast, the UNSW IoT dataset is the smallest, with only 28 devices, and features low complexity, as it contains benign traffic only and lacks the variability found in larger datasets.

Table 2. Summary of IoT datasets.

Dataset	Devices	Protocols	Traffic
UNSW IoT [15]	28	WiFi, MQTT, CoAP, Ethernet	Benign
CIC IoT 2022 [14]	60	WiFi, Zigbee, Z-Wave, Ethernet	Benign, Attack
CIC IoT 2023 [16]	105	WiFi, Zigbee, Z-Wave, MQTT, Ethernet	Benign, Attack

summarizes the key characteristics of each dataset, including the number of devices, types of traffic, and protocols.

4.3. Wavelet-Based Feature Construction Parameters

During model development, we systematically evaluated a range of parameters and configurations in order to identify settings that provide the best trade-off between classification accuracy and computational resource usage. This evaluation was guided by both empirical performance and practical deployment considerations.

For DWT-based feature extraction, we selected the Daubechies-4 (db4) mother wavelet with two decomposition levels. We evaluated both shallower and deeper decompositions; however, two levels were sufficient to capture the dominant multi-resolution structure present within the 300 s windows, while deeper decompositions led to coefficient dilution and marginal performance gains. The db4 wavelet was chosen due to its compact support and favorable time–frequency localization properties, which are well suited for modeling bursty and nonstationary IoT traffic patterns.

For WST-based features, we used a configuration with J = 2 scales, L = 4 angular filters, and maximum scattering order = 2, implemented using the Kymatio framework. Increasing the number of scales beyond J = 2 resulted in a substantial increase in computational cost without corresponding improvements in classification performance. Retaining second-order scattering coefficients proved beneficial, as they effectively capture higher-order interactions and modulation-style variability in traffic dynamics that are characteristic of device-specific behavior.

4.4. Sampling Rate Sensitivity Analysis

The sampling rate plays a critical role in transforming raw network packet data into meaningful time-series signals for IoT device fingerprinting. An appropriate sampling rate determines the granularity and resolution of the captured traffic behavior, directly influencing the quality of extracted features and, consequently, the performance of the classification models. Therefore, investigating the optimal sampling rate is an essential step in designing an effective fingerprinting system. If the sampling rate is too low, important behavioral patterns may be missed; if too high, it may introduce noise or unnecessary computational overhead.

In this experiment, we evaluate the impact of different sampling rates on classification performance. Specifically, we generate time-series signals using multiple sampling intervals (1 s to 60 s) and measure the accuracy of various machine learning models at each setting. This analysis helps identify the sampling rate that provides the best balance between signal fidelity, model accuracy, and processing efficiency.

Figure 4 presents the accuracy of various machine learning models using DWT and WST coefficients for both individual IoT device identification. Figure 4a shows the accuracy of individual IoT device identification across different sampling rates using DWT features. Figure 4b shows the accuracy of device type classification across different sampling rates using DWT features. Similarly, Figure 4c,d illustrate the models’ accuracy for both individual IoT device identification and IoT device type classification using WST features. The four figures show the highest classification accuracy across all models is achieved at a 1 s sampling rate. As the sampling interval increases—in increments of 10 s up to 60 s—the accuracy consistently declines. At the 60 s sampling rate, all models demonstrate their lowest performance, indicating that coarse temporal granularity leads to a loss of critical behavioral patterns necessary for effective classification. Based on these results, a 1 s sampling rate is selected for the remaining experiments, as it provides the best trade-off between signal resolution and model accuracy for both device-level and type-level identification tasks.

4.5. Feature Reduction Analysis

Wavelet transform coefficients—whether derived from DWT or WST—capture signal behavior across multiple time-frequency scales, making them highly effective for characterizing IoT device communication patterns. However, this richness in representation often results in a high-dimensional feature space, which may include redundant or noisy features. Such redundancy can increase computational complexity and risk overfitting without significantly improving classification performance.

To address this, PCA is applied primarily as an exploratory feature-reduction step to assess whether the high-dimensional DWT and WST feature sets contain redundant or non-discriminative components, rather than as a mandatory preprocessing stage. To guide component selection, we adopt a model-driven performance criterion: instead of selecting the number of principal components solely based on retained variance ratios, we systematically evaluate classifier accuracy across a range of PCA dimensions and select the configuration that yields the best validation performance. This approach is particularly appropriate in the context of IoT device fingerprinting, where not all variance captured by PCA is relevant to device identity, and some components may predominantly reflect noise or channel effects.

Importantly, to prevent information leakage, PCA is fitted exclusively on the training data in each iteration, and the learned transformation is then applied to the corresponding validation and test sets. This procedure ensures a fair evaluation and preserves the integrity of the experimental protocol.

Figure 5a illustrates the accuracy of machine learning models using varying numbers of features extracted from DWT coefficients. The results show that accuracy improves steadily up to 30 features, after which further increases yield minimal or no significant improvement. Beyond this point, the marginal gain does not justify the additional computational overhead. Similarly, Figure 5b presents the results for WST-based features. The trend mirrors that of the DWT experiment: model accuracy increases up to approximately 30 features, after which it plateaus, indicating that the most informative components are concentrated in the first few dimensions.

These findings highlight the importance of feature reduction in optimizing the trade-off between model performance and efficiency, and justify the use of 30 features for subsequent experiments involving both DWT and WST-based fingerprinting.

4.6. Individual Device Identification Under Normal Conditions

In this experiment, we train and test supervised machine learning algorithms using benign network traffic, representing the normal operating conditions of IoT devices. The objective is to evaluate the system’s ability to accurately perform fine-grained device identification, distinguishing between individual IoT devices—even those from the same manufacturer or with similar functionality.

The experiment reflects use cases where precise identification is critical, such as tracking specific devices within a network, auditing device presence, or detecting unauthorized replicas that may appear visually or functionally identical but differ in origin or intent. The evaluation is conducted in three phases: (1) testing baseline models using time-domain features, (2) evaluating the proposed solution with DWT features, and (3) assessing performance using WST features.

4.6.1. Baseline Models’ Performance

Table 3. Accuracy, precision, recall, and F1-score of baseline models for IoT device identification.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.54 ± 0.02	0.55 ± 0.01	0.55 ± 0.01	0.55 ± 0.01
	SVM	0.64 ± 0.01	0.65 ± 0.01	0.64 ± 0.01	0.64 ± 0.01
	RF	0.69 ± 0.02	0.68 ± 0.02	0.69 ± 0.02	0.69 ± 0.02
	XGB	0.72 ± 0.01	0.73 ± 0.01	0.73 ± 0.01	0.73 ± 0.01
CIC2023	KNN	0.43 ± 0.03	0.45 ± 0.02	0.44 ± 0.02	0.44 ± 0.02
	SVM	0.41 ± 0.02	0.41 ± 0.02	0.40 ± 0.02	0.40 ± 0.02
	RF	0.64 ± 0.02	0.64 ± 0.01	0.64 ± 0.01	0.64 ± 0.01
	XGB	0.68 ± 0.01	0.67 ± 0.01	0.68 ± 0.01	0.67 ± 0.01
UNSW	KNN	0.61 ± 0.01	0.62 ± 0.01	0.62 ± 0.01	0.62 ± 0.01
	SVM	0.61 ± 0.02	0.62 ± 0.02	0.61 ± 0.02	0.61 ± 0.02
	RF	0.68 ± 0.02	0.70 ± 0.01	0.69 ± 0.01	0.69 ± 0.01
	XGB	0.77 ± 0.01	0.76 ± 0.01	0.77 ± 0.01	0.76 ± 0.01

presents the performance of baseline machine learning models—KNN, SVM, Random Forest (RF), and XGBoost (XGB)—on three datasets (CIC2022, CIC2023, and UNSW) using time-domain features for individual IoT device identification. The results indicate moderate to low accuracy, highlighting the limitations of time-domain features in achieving reliable classification.

Among all configurations, the best performance was achieved by XGBoost on the UNSW dataset, with an accuracy of 77%, followed closely by its performance on CIC2022 (72%) and CIC2023 (68%). Random Forest also performed consistently across all datasets, with accuracies ranging from 64% to 69%. In contrast, SVM and KNN showed lower effectiveness, particularly on the CIC2023 dataset, where SVM recorded the lowest accuracy of 41%, and KNN followed closely at 43%. These results highlight the challenges of using limited conventional time-domain features alone for effective device fingerprinting—particularly in more complex or noisy datasets.

4.6.2. Discrete Wavelet Transform (DWT) Performance

Table 4. Performance metrics of DWT-based models for individual IoT device identification.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.90 ± 0.02	0.90 ± 0.02	0.90 ± 0.02	0.90 ± 0.02
	SVM	0.81 ± 0.03	0.83 ± 0.02	0.83 ± 0.02	0.83 ± 0.02
	RF	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
CIC2023	KNN	0.83 ± 0.02	0.83 ± 0.01	0.84 ± 0.01	0.84 ± 0.01
	SVM	0.74 ± 0.01	0.75 ± 0.01	0.74 ± 0.01	0.74 ± 0.01
	RF	0.97 ± 0.02	0.97 ± 0.02	0.97 ± 0.02	0.97 ± 0.02
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
UNSW	KNN	0.94 ± 0.01	0.93 ± 0.01	0.94 ± 0.01	0.94 ± 0.01
	SVM	0.95 ± 0.01	0.95 ± 0.01	0.96 ± 0.01	0.96 ± 0.01
	RF	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01

presents the performance of various machine learning models—KNN, SVM, Random Forest (RF), and XGBoost (XGB)—using Discrete Wavelet Transform (DWT) features for individual IoT device identification across three datasets: CIC2022, CIC2023, and UNSW.

The results presented in Table 4 demonstrate a significant performance improvement over baseline time-domain models. Across all datasets, XGBoost and Random Forest consistently deliver the highest performance, achieving near-perfect scores. Specifically, both models reach 99% accuracy, precision, recall, and F1-score on CIC2022 and UNSW, indicating outstanding ability to distinguish between individual devices. On the CIC2023 dataset, XGBoost maintains a high accuracy of 99%, while Random Forest scores 97%, reflecting strong generalizability. In contrast, SVM and KNN show relatively lower but still solid performance. For instance, on CIC2023, SVM achieves 74% accuracy, while KNN reaches 83%. On CIC2022 and UNSW, both models perform better, with accuracies ranging from 81% to 95%.

4.6.3. Wavelet Scattering Transform (WST) Performance

The results presented in

Table 5. Performance metrics of WST-based models for individual IoT device identification.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.92 ± 0.02	0.92 ± 0.01	0.92 ± 0.01	0.92 ± 0.01
	SVM	0.90 ± 0.02	0.89 ± 0.02	0.89 ± 0.02	0.89 ± 0.02
	RF	0.91 ± 0.01	0.93 ± 0.01	0.93 ± 0.01	0.91 ± 0.01
	XGB	0.98 ± 0.01	0.98 ± 0.01	0.98 ± 0.01	0.98 ± 0.01
CIC2023	KNN	0.86 ± 0.03	0.86 ± 0.02	0.86 ± 0.02	0.86 ± 0.02
	SVM	0.86 ± 0.02	0.75 ± 0.02	0.74 ± 0.02	0.75 ± 0.02
	RF	0.90 ± 0.02	0.88 ± 0.01	0.87 ± 0.01	0.90 ± 0.01
	XGB	0.96 ± 0.01	0.96 ± 0.01	0.96 ± 0.01	0.96 ± 0.01
UNSW	KNN	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	SVM	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	RF	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01

demonstrate that WST-based features substantially enhance the performance of traditionally weaker models, particularly KNN and SVM. On the CIC2022 dataset, KNN achieves 92% accuracy and SVM reaches 90%, both showing notable improvements over their performance using time-domain features and even Discrete Wavelet Transform (DWT) features. These models also maintain balanced precision and recall, resulting in strong F1-scores of 0.92 and 0.90, respectively.

Similarly, on the more challenging CIC2023 dataset, both KNN and SVM achieve 86% accuracy, with KNN demonstrating better overall balance (precision and recall = 0.86) compared to SVM (precision = 0.75, recall = 0.74). On the UNSW dataset, both KNN and SVM achieve near-perfect accuracy of 99%, equaling the performance of more advanced ensemble models such as Random Forest and XGBoost. This result is particularly significant, as it shows that simpler models can match the effectiveness of complex classifiers when powered by rich, hierarchical WST features. While XGBoost continues to deliver the highest overall performance, with accuracy ranging from 98% to 100% across all datasets, and Random Forest closely follows with 90% to 99% accuracy, the key insight is clear: WST dramatically improves the predictive power of non-ensemble models like KNN and SVM, effectively narrowing the performance gap between them and their more computationally intensive counterparts.

4.7. IoT Device Type Identification Under Normal Conditions

In this experiment, we again use benign traffic, but shift the focus from individual identification to device type identification. Here, the goal is to group devices into broader functional categories—such as smart plugs, IP cameras, thermostats, or sensors—based on their communication behavior.

This setting evaluates the model’s ability to capture shared behavioral patterns among different devices of the same type, regardless of manufacturer or deployment environment. It simulates practical scenarios where network administrators need to manage devices at a group level, for example, to roll out firmware updates, apply security patches, or enforce type-based access policies efficiently. The evaluation is conducted in three phases: (1) testing baseline models using time-domain features, (2) evaluating the proposed solution with DWT features, and (3) assessing performance using WST features.

4.7.1. Baseline Models’ Performance

The results presented in

Table 6. Accuracy, precision, recall, and F1-score of baseline models for IoT Device type identification.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.69 ± 0.03	0.66 ± 0.02	0.65 ± 0.02	0.66 ± 0.02
	SVM	0.74 ± 0.02	0.72 ± 0.02	0.72 ± 0.02	0.72 ± 0.02
	RF	0.78 ± 0.02	0.79 ± 0.02	0.78 ± 0.02	0.79 ± 0.02
	XGB	0.80 ± 0.02	0.82 ± 0.02	0.81 ± 0.02	0.82 ± 0.02
CIC2023	KNN	0.55 ± 0.03	0.57 ± 0.01	0.56 ± 0.01	0.56 ± 0.01
	SVM	0.57 ± 0.02	0.55 ± 0.01	0.56 ± 0.01	0.56 ± 0.01
	RF	0.76 ± 0.01	0.74 ± 0.01	0.74 ± 0.01	0.74 ± 0.01
	XGB	0.82 ± 0.01	0.79 ± 0.01	0.80 ± 0.01	0.79 ± 0.01
UNSW	KNN	0.72 ± 0.01	0.73 ± 0.01	0.73 ± 0.01	0.73 ± 0.01
	SVM	0.71 ± 0.01	0.72 ± 0.01	0.71 ± 0.01	0.71 ± 0.01
	RF	0.80 ± 0.01	0.79 ± 0.01	0.79 ± 0.01	0.79 ± 0.01
	XGB	0.87 ± 0.01	0.86 ± 0.01	0.87 ± 0.01	0.86 ± 0.01

indicate moderate performance, with clear limitations in using the limited eight time-domain features for generalized type-level classification. On the CIC2022 dataset, XGBoost achieves the highest performance with 80% accuracy and an F1-score of 0.82, followed by Random Forest at 78% accuracy. KNN, by contrast, shows the weakest performance, with only 69% accuracy and an F1-score of 0.66. On the more challenging CIC2023 dataset, the overall accuracy of all models drops noticeably except XGBoost leads with 82% accuracy, while KNN and SVM drop to 55% and 57% accuracy, respectively. This suggests that time-domain features struggle to capture consistent patterns across varied device types in noisy or diverse environments. On the UNSW dataset, the trend remains consistent: XGBoost performs best with 87% accuracy, followed by Random Forest at 80%. KNN and SVM achieve 72% and 71% accuracy respectively, showing limited discriminative power for device type classification.

4.7.2. Discrete Wavelet Transform (DWT) Performance

The results presented in

Table 7. Performance metrics of DWT-based models for IoT device type identification.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.93 ± 0.01	0.93 ± 0.01	0.93 ± 0.01	0.93 ± 0.01
	SVM	0.85 ± 0.01	0.92 ± 0.01	0.92 ± 0.01	0.89 ± 0.01
	RF	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
CIC2023	KNN	0.84 ± 0.01	0.86 ± 0.01	0.85 ± 0.01	0.85 ± 0.01
	SVM	0.75 ± 0.01	0.78 ± 0.01	0.77 ± 0.01	0.76 ± 0.01
	RF	0.98 ± 0.01	0.98 ± 0.01	0.98 ± 0.01	0.98 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
UNSW	KNN	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	SVM	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	RF	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01

clearly demonstrate that DWT-based feature representations yield high classification performance across all datasets, significantly outperforming the baseline models built on time-domain features. On the CIC2022 dataset, all models perform well, with XGBoost achieving perfect accuracy (100%), and Random Forest following closely with 99% accuracy. Simpler models like KNN also show strong results with 93% accuracy, while SVM achieves 85%, both maintaining respectable F1-scores of 0.93 and 0.89, respectively. On the more challenging CIC2023 dataset, which includes higher variability and noise, XGBoost once again performs robustly with 99% accuracy, and Random Forest achieves 98%, confirming their effectiveness even in complex environments. KNN maintains a solid performance with 84% accuracy, while SVM sees a drop to 75% accuracy and an F1-score of 0.76, indicating a greater sensitivity to overlapping device behaviors and traffic inconsistencies. Finally, on the UNSW dataset, all models exhibit exceptional performance: KNN, SVM, and Random Forest each achieve 99% accuracy, while XGBoost delivers perfect classification results with 100% accuracy, precision, recall, and F1-score.

4.7.3. Wavelet Scattering Transform (WST) Performance

The results presented in

Table 8. Performance metrics of WST-based models for IoT device type identification.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.94 ± 0.01	0.94 ± 0.01	0.94 ± 0.01	0.94 ± 0.01
	SVM	0.94 ± 0.01	0.93 ± 0.01	0.93 ± 0.01	0.94 ± 0.01
	RF	0.97 ± 0.01	0.97 ± 0.01	0.97 ± 0.01	0.97 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
CIC2023	KNN	0.87 ± 0.01	0.88 ± 0.01	0.87 ± 0.01	0.87 ± 0.01
	SVM	0.88 ± 0.01	0.78 ± 0.01	0.76 ± 0.01	0.78 ± 0.01
	RF	0.93 ± 0.01	0.90 ± 0.01	0.88 ± 0.01	0.90 ± 0.01
	XGB	0.96 ± 0.01	0.97 ± 0.01	0.97 ± 0.01	0.96 ± 0.01
UNSW	KNN	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	SVM	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	RF	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01
	XGB	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01	0.99 ± 0.01

demonstrate that WST-based features enable high-performance IoT device type identification across all evaluated datasets and models. On the CIC2022 dataset, all models perform strongly. XGBoost achieves the highest performance with 99% accuracy across all metrics, followed closely by Random Forest at 97%, while both KNN and SVM reach 94% accuracy and F1-score. These results indicate that WST features enable effective type classification even among similar device categories. For the more complex CIC2023 dataset, there is a slight drop in performance due to increased device diversity and traffic complexity. XGBoost still leads with 96% accuracy, followed by Random Forest (93%), SVM (88%), and KNN (87%). On the UNSW dataset, all models achieve near-perfect results, with XGBoost reaching 100% across all metrics and the remaining models (KNN, SVM, RF) each scoring 99%. This reflects the dataset’s lower complexity and well-separated device types, where WST-based models perform exceptionally well.

4.8. Performance Under Adversarial Conditions

In this experiment, we assess the robustness of the trained models from Scenario 3 and Scenario 4 by introducing network traffic generated under DDOS attack conditions that alter normal communication patterns.

The objective is to evaluate how well the proposed wavelet-based fingerprints maintain their identification performance in the presence of attack or environmental disruptions. This scenario is critical for understanding the real-world reliability of the system in secure IoT deployments, where the network may be partially compromised or operating under threat. In this experiment, we use only CICIoT2022 and CICIoT2023 datasets because the UNSW dataset provides only benign traffic. The evaluation is conducted in three phases: (1) testing baseline models using time-domain features, (2) evaluating the proposed solution with DWT features, and (3) assessing performance using WST features. The training data consist exclusively of benign traffic, while the test data include both benign traffic and DDoS attack traffic.

4.8.1. Baseline Models’ Performance

The results in

Table 9. Accuracy, precision, recall, and F1-score of baseline models for individual IoT device identification under DDOS attack.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.14 ± 0.03	0.13 ± 0.03	0.12 ± 0.03	0.13 ± 0.03
	SVM	0.11 ± 0.02	0.10 ± 0.02	0.10 ± 0.02	0.10 ± 0.02
	RF	0.19 ± 0.02	0.20 ± 0.02	0.19 ± 0.02	0.19 ± 0.02
	XGB	0.22 ± 0.02	0.23 ± 0.02	0.23 ± 0.02	0.23 ± 0.02
CIC2023	KNN	0.09 ± 0.03	0.07 ± 0.03	0.07 ± 0.03	0.07 ± 0.03
	SVM	0.10 ± 0.03	0.11 ± 0.03	0.11 ± 0.03	0.10 ± 0.03
	RF	0.14 ± 0.02	0.16 ± 0.02	0.14 ± 0.02	0.14 ± 0.02
	XGB	0.18 ± 0.01	0.17 ± 0.01	0.18 ± 0.01	0.17 ± 0.01

reveal a significant performance degradation across all models and metrics in the presence of DDoS attacks. For the CIC2022 dataset, even the best-performing model, XGBoost, achieves only 22% accuracy with an F1-score of 0.23, while Random Forest follows with 19% accuracy. KNN and SVM models perform worse, with accuracies of 14% and 11%, respectively, and correspondingly low F1-scores (0.13 and 0.11). On the CIC2023 dataset, the degradation is even more pronounced. XGBoost remains the top-performing model but only achieves 18% accuracy, while Random Forest reaches 14%. KNN and SVM perform the poorest under attack conditions, with accuracy as low as 9% and 10%, and F1-scores of 0.08 and 0.10, respectively.

Table 10. Accuracy, precision, recall, and F1-score of baseline models for IoT device type identification under DDOS attack.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.24 ± 0.02	0.22 ± 0.02	0.22 ± 0.02	0.22 ± 0.02
	SVM	0.18 ± 0.02	0.17 ± 0.02	0.17 ± 0.02	0.17 ± 0.02
	RF	0.29 ± 0.02	0.27 ± 0.02	0.28 ± 0.02	0.27 ± 0.02
	XGB	0.33 ± 0.02	0.33 ± 0.02	0.33 ± 0.02	0.33 ± 0.02
CIC2023	KNN	0.15 ± 0.03	0.14 ± 0.02	0.15 ± 0.02	0.15 ± 0.02
	SVM	0.12 ± 0.03	0.11 ± 0.03	0.11 ± 0.03	0.11 ± 0.03
	RF	0.24 ± 0.02	0.26 ± 0.02	0.24 ± 0.02	0.24 ± 0.02
	XGB	0.29 ± 0.02	0.27 ± 0.02	0.27 ± 0.02	0.27 ± 0.02

presents the performance metrics of baseline machine learning models for IoT device type identification under DDoS attack conditions, using time-domain features. On CIC2022 dataset, model performance is generally poor due to the disruptive nature of DDoS traffic. XGBoost achieves the highest accuracy at 33%, followed by Random Forest (29%), KNN (24%), and SVM (18%). Precision, recall, and F1-scores follow similar trends, all remaining below 0.35. These results indicate that traditional time-domain features are highly sensitive to attack-induced noise and fail to preserve distinctive patterns needed for reliable classification. On the more complex CIC2023 dataset, performance further degrades. XGBoost remains the top performer but only reaches 29% accuracy, with an F1-score of 0.27. Random Forest trails slightly at 24% accuracy, while KNN and SVM drop to 15% and 12% accuracy, respectively. This sharp decline highlights the increased difficulty of identifying device types under adversarial conditions in more heterogeneous environments.

4.8.2. Discrete Wavelet Transform (DWT) Performance

Table 11. Accuracy, precision, recall, and F1-score of DWT models for individual IoT device identification under DDOS attack.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.43 ± 0.02	0.43 ± 0.02	0.42 ± 0.02	0.43 ± 0.02
	SVM	0.41 ± 0.02	0.40 ± 0.02	0.40 ± 0.02	0.40 ± 0.02
	RF	0.59 ± 0.01	0.58 ± 0.01	0.59 ± 0.01	0.59 ± 0.01
	XGB	0.62 ± 0.01	0.63 ± 0.01	0.63 ± 0.01	0.63 ± 0.01
CIC2023	KNN	0.29 ± 0.02	0.28 ± 0.02	0.28 ± 0.02	0.28 ± 0.02
	SVM	0.20 ± 0.02	0.21 ± 0.02	0.21 ± 0.02	0.21 ± 0.02
	RF	0.53 ± 0.01	0.53 ± 0.01	0.54 ± 0.01	0.54 ± 0.01
	XGB	0.58 ± 0.01	0.57 ± 0.01	0.57 ± 0.01	0.57 ± 0.01

presents the performance metrics of various machine learning models for individual IoT device identification under DDoS attack conditions using Discrete Wavelet Transform (DWT) features. Compared to the time-domain baselines reported in Table 9, the results demonstrate a significant improvement in model robustness when utilizing DWT-based feature representations. On the CIC2022 dataset, XGBoost achieves the highest accuracy at 62%, followed by Random Forest at 59%, marking a substantial improvement over their baseline accuracies of 22% and 19%, respectively. Similarly, KNN and SVM also see meaningful gains, reaching 43% and 41% accuracy, with corresponding F1-scores of 0.43 and 0.40, compared to their baseline values of just 14% and 11%. On the more challenging CIC2023 dataset, while all models experience an expected performance drop due to increased traffic complexity and attack intensity, DWT-based features still offer considerable resilience. XGBoost and Random Forest maintain relatively high accuracies of 58% and 53%, significantly outperforming their baseline figures of 18% and 14%. KNN and SVM models although achieving lower accuracies of 29% and 20%, respectively, still show noticeable improvement over their time-domain counterparts (9% and 10%).

Table 12. Accuracy, precision, recall, and F1-score of DWT models for IoT device type identification under DDOS attack.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.53 ± 0.02	0.52 ± 0.02	0.52 ± 0.02	0.52 ± 0.02
	SVM	0.50 ± 0.02	0.50 ± 0.02	0.50 ± 0.02	0.50 ± 0.02
	RF	0.63 ± 0.02	0.62 ± 0.01	0.62 ± 0.01	0.62 ± 0.01
	XGB	0.68 ± 0.02	0.67 ± 0.01	0.67 ± 0.01	0.67 ± 0.01
CIC2023	KNN	0.44 ± 0.03	0.44 ± 0.03	0.44 ± 0.03	0.44 ± 0.03
	SVM	0.38 ± 0.02	0.37 ± 0.02	0.37 ± 0.02	0.37 ± 0.02
	RF	0.60 ± 0.02	0.60 ± 0.01	0.60 ± 0.01	0.60 ± 0.01
	XGB	0.66 ± 0.01	0.66 ± 0.01	0.66 ± 0.01	0.66 ± 0.01

presents the performance metrics of DWT-based models for IoT device type identification under DDoS attack. On the CIC2022 dataset, all models show improved performance compared to time-domain baselines (as seen in Table 10). XGBoost achieves the highest accuracy at 68%, followed by Random Forest at 63%, both maintaining consistent precision, recall, and F1-scores. KNN and SVM also show moderate performance with accuracy and F1-scores of 53% and 50%, respectively. These results demonstrate that DWT features enhance resilience to DDoS traffic for moderate datasets. For the more complex CIC2023 dataset, all models experience a drop in performance, yet DWT still enables relatively strong classification. XGBoost again leads with 66% accuracy, followed by Random Forest (60%), while KNN (44%) and SVM (38%) perform less effectively. Nevertheless, all DWT-based models outperform their time-domain counterparts, showing that DWT provides a robust feature space for device type classification under adversarial conditions.

4.8.3. Wavelet Scattering Transform (WST) Performance

The results in

Table 13. Accuracy, precision, recall, and F1-score of WST models for IoT device identification under DDOS attack.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.56 ± 0.02	0.54 ± 0.01	0.54 ± 0.01	0.54 ± 0.01
	SVM	0.57 ± 0.01	0.56 ± 0.01	0.56 ± 0.01	0.56 ± 0.01
	RF	0.68 ± 0.01	0.68 ± 0.01	0.68 ± 0.01	0.68 ± 0.01
	XGB	0.71 ± 0.01	0.70 ± 0.01	0.70 ± 0.01	0.70 ± 0.01
CIC2023	KNN	0.47 ± 0.03	0.47 ± 0.03	0.47 ± 0.03	0.47 ± 0.03
	SVM	0.42 ± 0.03	0.41 ± 0.03	0.41 ± 0.03	0.41 ± 0.03
	RF	0.62 ± 0.02	0.62 ± 0.02	0.63 ± 0.02	0.63 ± 0.02
	XGB	0.69 ± 0.02	0.68 ± 0.02	0.68 ± 0.02	0.68 ± 0.02

show that WST-based models deliver the best overall robustness under attack when compared to both time-domain and DWT-based counterparts (Table 9 and Table 11). On the CIC2022 dataset, XGBoost achieves the highest accuracy of 71%, with precision, recall, and F1-score all matching at 0.70. Random Forest follows with a strong 68% accuracy, while KNN and SVM both perform reasonably better, achieving 56–57% accuracy, with balanced F1-scores (0.55–0.56). These results reflect an improvement over baseline and DWT models. On the more challenging CIC2023 dataset, model performance understandably declines but remains superior to previous approaches. XGBoost still leads with 69% accuracy, and Random Forest closely follows at 62%, both maintaining F1-scores above 0.63. KNN and SVM experience moderate drops to 47% and 42% accuracy, respectively, but still outperform their time-domain versions, which fell below 10%.

The performance metrics of WST-based models for IoT device type identification under DDoS attack conditions is presented in

Table 14. Accuracy, precision, recall, and F1-score of WST models for IoT device type identification under DDOS attack.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
CIC2022	KNN	0.61 ± 0.02	0.61 ± 0.02	0.61 ± 0.02	0.61 ± 0.02
	SVM	0.57 ± 0.02	0.56 ± 0.01	0.56 ± 0.01	0.56 ± 0.01
	RF	0.69 ± 0.01	0.68 ± 0.01	0.69 ± 0.01	0.69 ± 0.01
	XGB	0.73 ± 0.01	0.73 ± 0.01	0.73 ± 0.01	0.73 ± 0.01
CIC2023	KNN	0.47 ± 0.01	0.47 ± 0.01	0.47 ± 0.01	0.47 ± 0.01
	SVM	0.42 ± 0.01	0.41 ± 0.01	0.41 ± 0.01	0.41 ± 0.01
	RF	0.61 ± 0.01	0.61 ± 0.01	0.61 ± 0.01	0.61 ± 0.01
	XGB	0.70 ± 0.01	0.67 ± 0.01	0.67 ± 0.01	0.67 ± 0.01

. On the CIC2022 dataset, all models exhibit resilience under DDoS attacks. XGBoost achieves the best overall performance with 73% accuracy, precision, recall, and F1-score—indicating robustness and stability. Random Forest follows closely with 69% accuracy, while KNN and SVM reach 61% and 57% accuracy, respectively. These results show that WST features enhance model performance under adversarial conditions compared to time-domain and even DWT-based approaches.

5. Discussion

The evaluation across all tables reveals consistent and insightful trends regarding the impact of feature type, dataset complexity, and machine learning classifier choice on the performance of IoT device fingerprinting models. These trends are observed across both individual device identification and device type classification, under both benign and adversarial conditions.

5.1. Impact of Feature Type

The used feature representation significantly affects model performance. Time-domain features perform the weakest overall—particularly on complex datasets like CIC2023—with accuracy dropping as low as 41–43%. These results highlight the limited ability of shallow time-domain statistics to capture the nuanced communication behaviors of IoT devices, especially in heterogeneous and large-scale deployments. Their susceptibility to noise and inability to generalize across varying traffic patterns make them unsuitable for reliable fingerprinting in complex environments.

In contrast, Discrete Wavelet Transform (DWT) captures low-frequency behavioral patterns that reflect stable, device-specific characteristics. This allows for more robust classification across datasets. However, DWT still struggles to capture high-frequency signal components and bursty or irregular behaviors, which are common in real-world IoT communications.

Wavelet Scattering Transform (WST) outperforms both time-domain and DWT features, offering a more powerful and resilient feature representation. WST improves the performance of models like KNN and SVM, making them viable alternatives for simple algorithms in resource-constrained environments where deep models or ensembles may not be practical. Its advantage lies in its multi-layered, translation-invariant, and energy-preserving structure, which mimics the expressive power of deep neural networks while remaining computationally efficient and interpretable. WST effectively captures both fine-grained transient behaviors and long-term communication patterns, making it adaptable to diverse network conditions.

Under DDoS attack scenarios, while all models experience degradation, WST demonstrates better resilience compared to time-domain and DWT features. Its ability to learn deep structural patterns enables it to maintain reasonable performance even when traffic is saturated with attack flows.

5.2. Impact of Machine Learning Classifiers

The four classifiers evaluated—KNN, SVM, Random Forest (RF), and XGBoost (XGB)—show distinct performance characteristics. XGB and RF, both ensemble-based learning algorithms, consistently outperform KNN and SVM across all feature types and datasets. These ensemble models aggregate the predictions of multiple base learners to reduce variance and improve generalization, making them especially well-suited for complex, high-dimensional feature spaces such as those derived from DWT and WST.

On the other hand, KNN, while simpler and less computationally intensive, benefits greatly from richer feature representations. In particular, WST features significantly boost its accuracy, allowing this model to compete with more advanced classifiers in less complex datasets or constrained deployment scenarios.

5.3. Effect of Dataset Complexity

We evaluated our approach using three datasets that differ substantially in terms of the number of devices, class imbalance, and traffic heterogeneity. Among them, the CIC2023 dataset is the largest and most diverse, containing traffic from over 100 IoT devices, which introduces significantly higher variability, noise, and class imbalance. In contrast, the UNSW dataset, which includes 28 IoT devices, exhibits comparatively lower variability and noise, more balanced class distributions, and more homogeneous traffic patterns. Consistent with these differences, we observe that all evaluated models—including the weaker baseline classifiers—achieve higher accuracy on the UNSW dataset than on CIC2023.

These observations highlight the strong influence of dataset complexity on IoT device fingerprinting performance and motivate an important research question regarding how network scale, traffic heterogeneity, and class imbalance jointly affect the effectiveness and robustness of machine-learning-based fingerprinting solutions. Addressing this question rigorously would require a controlled scaling study on a large dataset, in which the number of devices, per-device sample counts, and traffic diversity are systematically varied under both controlled and unconstrained conditions. Such an analysis would enable a more precise quantification of how individual complexity factors impact fingerprint stability and classification performance and represents a valuable direction for future work beyond the scope of the present study.

5.4. Performance Under Anomalous Conditions

While the inclusion of DDoS traffic provides useful insight into model behavior under anomalous conditions, we emphasize that the presented experiments do not constitute a comprehensive robustness evaluation against adversarial attacks. Within the evaluated settings, wavelet-based features (DWT and WST) consistently exhibit better performance under anomaly-induced traffic conditions compared to baseline feature representations, indicating a degree of resilience to traffic disruption. However, we avoid overclaiming robustness, as the experiments do not explicitly separate multiple training and testing regimes nor do they systematically assess generalization across varying attack intensities with quantified uncertainty. Accordingly, we interpret the DDoS-related results as partial performance evaluations under anomalous conditions rather than definitive robustness guarantees. A rigorous robustness analysis—incorporating controlled adversarial scenarios, performance degradation metrics, and uncertainty estimates across multiple tasks and classifiers—remains an important direction for future work.

5.5. Comparison with State-of-the-Art Methods

It is important to note that direct numerical comparisons with prior work are often infeasible due to several well-recognized limitations in this research domain. First, many published studies do not release source code or sufficiently detailed implementation descriptions, which significantly hinders reproducibility. Second, reported results are highly dataset-dependent: some authors rely on publicly available datasets, whereas others evaluate exclusively on proprietary or laboratory-collected data, making cross-study comparisons inherently inconsistent. Third, performance outcomes are further affected by differences in preprocessing pipelines, feature-engineering choices, and hyperparameter configurations—details that are frequently omitted or only partially described in the literature. Despite these constraints, prior work generally reports classification accuracies of 90% or higher, and our results are consistent with—and in several cases exceed—this performance range.

In terms of approach and methodology, our novel solution is based on wavelet analysis, leveraging both the rich information content of raw network traffic and the robustness of frequency-domain analysis. This represents a largely unexplored direction in the current literature. We rigorously evaluated the proposed wavelet-based fingerprinting approach across three different public datasets, testing it under novel conditions not previously explored in the state-of-the-art methods, including the impact of dataset size and heterogeneity, and IoT device fingerprinting accuracy under adversarial conditions such as DDoS attacks.

6. Conclusions

This work introduces the Wavelet IoT Device Fingerprint approach, a robust and scalable framework for identifying and classifying IoT devices through wavelet-based network traffic analysis, overcoming key limitations of traditional time-domain and radio frequency-based methods. By analyzing passively collected traffic at the network layer, the system supports both wired and wireless devices in heterogeneous IoT environments. Leveraging wavelet transforms (DWT and WST), it captures multi-scale behavioral patterns, which, when combined with PCA and machine learning models (SVM, KNN, RF, XGBoost), enable accurate device identification and type classification. Evaluations on three real-world datasets (CICIoT2022, CICIoT2023, and UNSW) under various scenarios show that wavelet-based features consistently outperform time-domain baselines. Ensemble models, particularly XGBoost, deliver the highest performance, and their integration with WST features shows strong potential for federated learning, supporting privacy-preserving, distributed fingerprinting. Overall, the results validate the framework’s effectiveness for secure, scalable, and deployment-ready IoT environments, with future work focusing on real-time applications, federated architectures, and advanced learning models.