[2602.24047] Unsupervised Baseline Clustering and Incremental Adaptation for IoT Device Traffic Profiling

Computer Science > Networking and Internet Architecture arXiv:2602.24047 (cs) [Submitted on 27 Feb 2026] Title:Unsupervised Baseline Clustering and Incremental Adaptation for IoT Device Traffic Profiling Authors:Sean M. Alderman, John D. Hastings View a PDF of the paper titled Unsupervised Baseline Clustering and Incremental Adaptation for IoT Device Traffic Profiling, by Sean M. Alderman and 1 other authors View PDF HTML (experimental) Abstract:The growth and heterogeneity of IoT devices create security challenges where static identification models can degrade as traffic evolves. This paper presents a two-stage, flow-feature-based pipeline for unsupervised IoT device traffic profiling and incremental model updating, evaluated on selected long-duration captures from the Deakin IoT dataset. For baseline profiling, density-based clustering (DBSCAN) isolates a substantial outlier portion of the data and produces the strongest alignment with ground-truth device labels among tested classical methods (NMI 0.78), outperforming centroid-based clustering on cluster purity. For incremental adaptation, we evaluate stream-oriented clustering approaches and find that BIRCH supports efficient updates (0.13 seconds per update) and forms comparatively coherent clusters for a held-out novel device (purity 0.87), but with limited capture of novel traffic (share 0.72) and a measurable trade-off in known-device accuracy after adaptation (0.71). Overall, the results highlight a practical trade...