December 12, 2024 6m read

Leveraging MAC Address Logic for IoT Classification 

Adam Fershtman

When an enterprise looks for a network security provider, whether implementing a SASE solution or [against their better judgement] not, one of its pillar requirements is complete visibility of the assets it holds, which is what makes those devices manageable. Identifying devices in a network, commonly known as device fingerprinting, gives an enterprise control over its inventory, which can be a challenging task for companies spread across multiple sites, countries, continents and hybrid data centers. More importantly, each identified device can have its risk assessed and be assigned to the appropriate security policy in the network.

Each fingerprinted device can be examined for known weaknesses and CVEs, or analyzed for anomalous behavior. Since a network is only as secure as its most vulnerable device, it is crucial to extend this protection to all devices, especially riskier ones such as IoT devices that cannot run an endpoint client. Device fingerprinting is therefore a cornerstone of network security.

Traditional device fingerprinting observes network traffic and applies deep packet inspection (DPI) to fingerprint the device. The same technique is used to identify the device operating system (OS), as described in a previous blog post. These rule-based identifications supply the labeled data on which the MAC-address-based fingerprinting explained below is built.

Device identification based on MAC address lookup: 

A MAC address is a unique identifier assigned to a device's network interface card (NIC). Manufacturers obtain contiguous blocks of MAC addresses from the IEEE Registration Authority (the Institute of Electrical and Electronics Engineers). Each block is identified by its assigned prefix, the Organizationally Unique Identifier (OUI), and the IEEE publishes the list of OUI assignments, so the prefix of an address can be resolved to the organization that registered it.

A MAC address is a sequence of 12 hexadecimal digits (two digits per byte, six bytes in all), where each digit is one of 16 characters: 0-9 or A-F. The first 3 bytes are the OUI and identify the manufacturer (this holds for the common 24-bit MA-L blocks; the IEEE also allocates smaller 28-bit and 36-bit blocks, whose prefixes are correspondingly longer). The remaining bytes carry no standardized meaning; the manufacturer assigns them only to make each device's address unique. However, these bytes are exactly what allows a statistical analysis, combined with Cato's labeled fingerprints, to produce more granular fingerprints than the OUI alone. Below is an example MAC address of a Polycom VVX 250 VoIP phone:

48:25:67:12:6A:7A

Because a MAC address uniquely identifies a device, it can also violate user privacy: the same address can be used to track a device geographically as it moves between networks. To counter this, most mobile operating systems now randomize the MAC address by default when connecting to Wi-Fi networks. A randomized MAC address carries no manufacturer information, so no statistical fingerprint can be derived from it. Randomized addresses are, however, easy to identify and exclude from the algorithm explained below: they are locally administered unicast addresses, meaning the second-least-significant bit of the first byte is set and the least-significant (multicast) bit is clear, so the second hexadecimal digit must be 2, 6, A or E. The same bit pattern appears on addresses assigned by virtualization platforms or set manually by administrators, which the rule excludes as well, since they carry no OUI either. MAC randomization limits what MAC address lookup can do for mobile devices, but the technique remains very practical for the more static network-connected devices, IoT in particular, that keep their burned-in address.

MAC addresses are assigned sequentially to devices manufactured in batches on a factory line. Thus, in theory, when Polycom produces ten thousand Polycom VVX 350 phones in the same factory, the phones will all have sequential MAC addresses. In practice a manufacturer may interleave models within a block, which is why the procedure below is statistical rather than a fixed rule.

Using rule-based fingerprinting, Cato maintains a large database of device MAC addresses and their corresponding fingerprints. The algorithm described below takes advantage of the MAC address assignment procedure and Cato's labeled data to statistically create a MAC address lookup file. The lookup is a list of sub-MAC addresses (prefixes) and their correlated device fingerprint. When a new device is seen in the network, its MAC address is compared against the lookup; if a match is found, the new device is fingerprinted accordingly.

The statistical algorithm that creates the lookup file is based on the following two procedures:

1. Extracting one hexadecimal digit at a time from the MAC address, the algorithm groups devices that share the same sub-MAC address (prefix). If the group has a large enough sample size (n), and a large enough percentage (p) of the recognized devices share the same fingerprint, then the prefix can be classified as that device type. Let us go over an example:
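The bit-level version of the exclusion rule above, as an added example that is not part of the original post. It decodes the I/G (multicast) and U/L (locally administered) bits that IEEE 802 defines in the first byte of the address, shows that the post's "second hex digit is 2, 6, A or E" shortcut is exactly "U/L set and I/G clear", and accepts the common colon, hyphen, dotted and bare notations. The sample addresses in the usage are constructed for illustration:

```python
"""Decode the administration bits of a MAC address (added example, not from the
post). Per IEEE 802, bit 0 of the first byte is I/G (multicast when set) and
bit 1 is U/L (locally administered when set). Randomized Wi-Fi addresses are
locally administered unicast, which is where the second-hex-digit rule comes from."""
from typing import NamedTuple


class MacBits(NamedTuple):
    digits: str            # 12 upper-case hex digits
    oui: str               # first 3 bytes; meaningful only when universally administered
    multicast: bool        # I/G bit
    locally_administered: bool  # U/L bit


def normalize(mac: str) -> str:
    """Accepts 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff' and bare forms."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_bits(mac: str) -> MacBits:
    digits = normalize(mac)
    first = int(digits[:2], 16)
    return MacBits(digits, digits[:6], bool(first & 0x01), bool(first & 0x02))


def second_digit_rule(mac: str) -> bool:
    """The post's shortcut: second hexadecimal digit in {2, 6, A, E}."""
    return normalize(mac)[1] in "26AE"


def usable_for_oui_lookup(mac: str) -> bool:
    """Only a universally administered unicast address carries an OUI and a
    manufacturer-assigned sequential suffix worth fingerprinting on."""
    bits = mac_bits(mac)
    return not bits.multicast and not bits.locally_administered


def rule_matches_bits_for_all_first_bytes() -> bool:
    """Exhaustively check the shortcut against 'U/L set and I/G clear' for all 256 first bytes."""
    return all(
        second_digit_rule(f"{b:02X}0000000000") == ((b & 0x03) == 0x02) for b in range(256)
    )


if __name__ == "__main__":
    # Constructed inputs: the post's Polycom address, a randomized-style address,
    # and the IPv4 all-hosts multicast address.
    for sample in ("48:25:67:12:6A:7A", "da:a1:19:00:00:01", "01:00:5E:00:00:01"):
        print(sample, mac_bits(sample), "usable" if usable_for_oui_lookup(sample) else "excluded")
    print("shortcut equals bit test:", rule_matches_bits_for_all_first_bytes())
```

Note that the exhaustive check also shows the shortcut's blind spot: a first byte of 3, 7, B or F is locally administered and multicast, so it fails the digit test but is still not a burned-in address; such addresses never appear as a host's source address, so the shortcut is adequate for device inventory.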

Sub-MAC address    Sub-MAC address      Device type        Devices grouped under
(10 hex digits)    (11 hex digits)                         the 11-digit prefix
64:16:7F:6A:68     64:16:7F:6A:68:5     Polycom VVX 350    13
64:16:7F:6A:68     64:16:7F:6A:68:6     Polycom VVX         1
64:16:7F:6A:68     64:16:7F:6A:68:9     Polycom VVX 350    10
64:16:7F:6A:68     64:16:7F:6A:68:B     Polycom VVX 350    15

All the rows share the same first 5 bytes (10 hexadecimal digits) of the MAC address. As two hexadecimal digits are missing from the full length, the number of unique devices that can fall under this prefix is 16^2 = 256. The number of devices actually observed under this 5-byte prefix is the sum of the devices grouped under each 11-digit prefix, giving a sample size of n = 39.

The fraction p of these devices that are Polycom VVX 350 is 38 of 39, about 97%. Thus the lookup will infer that all devices whose MAC address starts with 64:16:7F:6A:68 are Polycom VVX 350.

It is important to note that Polycom VVX (second row) is the parent of Polycom VVX 350 in the device hierarchy: VVX is the product and 350 is the model, so the two labels sit on the same branch of the hierarchy tree. The 10-digit prefix could therefore also be identified as Polycom VVX with p equal to 100%. In this case, however, Cato prefers the more granular identification, Polycom VVX 350.

Throughout this process, several statistical hyper-parameters (the thresholds on n and p for each prefix length) are tuned to give confident predictions for the different sub-MAC address lengths. This stage of the algorithm provides wide fingerprint coverage, as each hexadecimal digit removed from the prefix multiplies the number of addresses the prefix covers by 16.

2. If two devices with the same fingerprint have nearby MAC addresses, the algorithm infers that all MAC addresses between them belong to the same device type. For example, if 48:25:67:12:6A:7A and 48:25:67:12:6A:7E are both Polycom VVX 250 VoIP phones, then the three addresses in between (:7B, :7C and :7D) can confidently be fingerprinted as the same device type. Since devices are manufactured in bulk, the likelihood that the factory produced different devices between two fingerprinted addresses is minimal. The maximum MAC address distance considered for this neighbor-filling technique is a hyper-parameter that depends on the sub-MAC address length. The technique also applies when the two devices are on the same branch of the hierarchy tree: if the second address were labeled only Polycom VVX (without the specific model), the three addresses in between can still confidently be identified as Polycom VVX, the most specific label the two endpoints share. This procedure is also applied to the results of the first stage of the algorithm presented above, i.e. to neighboring prefixes of the same length.
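Both stages of the lookup-building procedure, carried through in code as an added example that is not Cato's implementation. The n and p thresholds per prefix length, the maximum neighbor distance per address length, the encoding of the device hierarchy as a tuple path (so that ("Polycom", "VVX") is the parent of ("Polycom", "VVX", "350")), and the device list are all assumptions made for illustration; the device list reproduces the table above (38 VVX 350 and one plain VVX under 64:16:7F:6A:68) plus the two VVX 250 phones from the neighbor-filling example. Stage 2 runs over the full labeled addresses and over the prefixes stage 1 produced, and classification prefers the most specific fingerprint among all matching prefix lengths, as the post says Cato does:

```python
"""MAC lookup builder following the post's two stages: (1) accept a hex prefix when
a large enough group (n) agrees (fraction p) on a fingerprint, preferring the most
specific label in the device hierarchy; (2) fill the gap between nearby addresses
that share a fingerprint. Added example, not Cato's code: thresholds, hierarchy
encoding and the device list below are assumptions made for illustration."""
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

Fingerprint = Tuple[str, ...]  # ("Polycom", "VVX", "350"); parent is ("Polycom", "VVX")

# Assumed hyper-parameters: minimum group size per prefix length (hex digits),
# required agreement fraction, maximum neighbor distance per address length.
MIN_N = {6: 5000, 7: 2000, 8: 800, 9: 200, 10: 20, 11: 8}
P_MIN = 0.95
MAX_GAP = {12: 8, 11: 4}


def normalize(mac: str) -> str:
    """'64:16:7f:6a:68:50' -> '64167F6A6850'; accepts ':', '-', '.' or bare forms."""
    digits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def is_randomized(mac12: str) -> bool:
    """Locally administered unicast (second hex digit 2, 6, A or E): carries no OUI."""
    return mac12[1] in "26AE"

def common_ancestor(a: Fingerprint, b: Fingerprint) -> Fingerprint:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]

def best_label(fps: List[Fingerprint], p_min: float) -> Optional[Fingerprint]:
    """Deepest label covering >= p_min of the group; a device is covered by its own
    fingerprint and by every ancestor of it (so 'Polycom VVX' covers 'VVX 350')."""
    cover: Counter = Counter()
    for fp in fps:
        for depth in range(1, len(fp) + 1):
            cover[fp[:depth]] += 1
    ok = [fp for fp, c in cover.items() if c / len(fps) >= p_min]
    return max(ok, key=lambda fp: (len(fp), cover[fp])) if ok else None

def stage1_prefixes(devices: Dict[str, Fingerprint]) -> Dict[str, Fingerprint]:
    lookup: Dict[str, Fingerprint] = {}
    for length, min_n in MIN_N.items():
        groups: Dict[str, List[Fingerprint]] = defaultdict(list)
        for mac, fp in devices.items():
            groups[mac[:length]].append(fp)
        for prefix, fps in groups.items():
            label = best_label(fps, P_MIN) if len(fps) >= min_n else None
            if label:
                lookup[prefix] = label
    return lookup

def stage2_fill_neighbors(entries: Dict[str, Fingerprint]) -> Dict[str, Fingerprint]:
    """Between two same-length entries within MAX_GAP that share a (possibly
    ancestral) fingerprint, label every address in between with the shared label."""
    filled = dict(entries)
    by_len: Dict[int, List[Tuple[int, Fingerprint]]] = defaultdict(list)
    for key, fp in entries.items():
        by_len[len(key)].append((int(key, 16), fp))
    for length, items in by_len.items():
        if length not in MAX_GAP:
            continue
        items.sort()
        for (a, fa), (b, fb) in zip(items, items[1:]):
            shared = common_ancestor(fa, fb)
            if shared and b - a <= MAX_GAP[length]:
                for v in range(a + 1, b):
                    filled.setdefault(f"{v:0{length}X}", shared)
    return filled

def build_lookup(labeled: Dict[str, Fingerprint]) -> Dict[str, Fingerprint]:
    devices = {normalize(m): fp for m, fp in labeled.items()}
    devices = {m: fp for m, fp in devices.items() if not is_randomized(m)}
    return stage2_fill_neighbors({**devices, **stage1_prefixes(devices)})

def classify(mac: str, lookup: Dict[str, Fingerprint]) -> Optional[Fingerprint]:
    """Most specific fingerprint over all matching prefix lengths (tie: longest prefix)."""
    m = normalize(mac)
    if is_randomized(m):
        return None
    hits = [(len(lookup[m[:n]]), n, lookup[m[:n]]) for n in range(6, 13) if m[:n] in lookup]
    return max(hits)[2] if hits else None


# Constructed sample: the post's 64:16:7F:6A:68 group (38 VVX 350 plus one plain VVX),
# two VVX 250 phones four addresses apart, and one randomized address that is dropped.
VVX350, VVX, VVX250 = ("Polycom", "VVX", "350"), ("Polycom", "VVX"), ("Polycom", "VVX", "250")
DEVICES: Dict[str, Fingerprint] = {}
for suffix, count in (("5", 13), ("9", 10), ("B", 15)):
    for i in range(count):
        DEVICES[f"64:16:7F:6A:68:{suffix}{i:X}"] = VVX350
DEVICES["64:16:7F:6A:68:60"] = VVX
DEVICES["48:25:67:12:6A:7A"] = DEVICES["48:25:67:12:6A:7E"] = VVX250
DEVICES["DA:1A:1A:00:00:01"] = ("Apple", "iPhone")
LOOKUP = build_lookup(DEVICES)
```

With these thresholds only the 10- and 11-digit prefixes reach n on the toy data (the OUI 64:16:7F is seen on just 39 devices, far below a realistic threshold for a 24-bit block), and stage 2 does two things worth noticing: it fills 48:25:67:12:6A:7B-7D as VVX 250, and between the last VVX 350 at :5C and the plain VVX at :60 it fills :5D-:5F with the shared parent Polycom VVX only. Classifying 64:16:7F:6A:68:5D still yields VVX 350, because the 11-digit prefix 64:16:7F:6A:68:5 carries the more specific label and wins.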

Wrapping up  

This post describes how devices receive a MAC address and how that process can be leveraged to create a MAC address lookup that identifies new devices. The main steps of the algorithm are described with corresponding examples, which make clear how the algorithm provides deeper identification than the OUI alone. Additionally, MAC address lookup fingerprinting identifies a device immediately from its MAC address, unlike rule-based fingerprinting, where identification may be delayed until the device sends a specific packet.

Cato's extensive network spans many different industries, protecting and observing hundreds of thousands of devices daily. This ample data provides an accurate and reliable foundation for fingerprinting and allows Cato to continuously improve the algorithm, tuning it on real data from our network.

These methods are already embedded in the Cato service, performing device identification in real time. Among other capabilities, they power the recently released "Device Inventory", which gives administrators a single pane of glass into all the devices in their organization.

To learn more about Device Inventory head to Cato’s Knowledge Base – https://support.catonetworks.com/hc/en-us/articles/14529548359709-Using-the-Device-Inventory 

Adam Fershtman
Adam is a data scientist in Cato Research Labs at Cato Networks. Adam has a Phd in Fluid Mechanics and enjoys using his experience in statistics and modeling to initiate and pursue research questions. Since leaving Academia, Adam has discovered an interest in network and cybersecurity research, where he applies his knowledge in state-of-the-art and novel machine learning methods to solve domain problems.
