🤖 AI Summary
This study addresses the challenge of rapidly and accurately identifying IoT devices at the moment of network attachment, where existing methods often rely on prolonged traffic observation, payload inspection, or specialized infrastructure, thereby hindering timely security responses. To overcome these limitations, this work proposes a lightweight, passive identification approach that leverages only network flow metadata to extract flow-level features within the first few seconds of device communication—without requiring payload analysis or active probing. The research demonstrates that device-specific behavioral patterns emerge immediately upon connection, and surprisingly, extending the observation window can slightly degrade accuracy, challenging the conventional reliance on long-duration monitoring. Evaluated across 37 distinct IoT devices, the method achieves up to 99% early identification accuracy, confirming its feasibility for efficient, privacy-preserving, and low-overhead device recognition at the network edge.
📝 Abstract
The rapid proliferation of Internet of Things (IoT) devices introduces significant security challenges due to limited visibility and weak device-level guarantees. Accurate and timely identification of devices is essential for enforcing network policies and detecting unauthorised hardware, yet existing approaches often rely on long-term traffic observation, payload inspection, or infrastructure-dependent features. In this paper, we investigate whether IoT devices can be reliably identified during the early stages of network attachment using only passive traffic analysis. We propose a lightweight approach based on flow-level features extracted from metadata, avoiding payload inspection and active probing. Through systematic evaluation across multiple observation windows, we show that device-specific signatures emerge within the first few seconds of communication, enabling high-accuracy identification (up to 99%) across 37 IoT devices. Notably, extending the observation window does not consistently improve performance and may slightly degrade accuracy, indicating that the most discriminative behaviour occurs during initial device startup. These findings demonstrate the feasibility of fast, privacy-preserving IoT device identification at the network edge, supporting real-time enforcement, device inventory, and anomaly detection in practical deployments.
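The following added example (not code from the paper) sketches how flow-level features can be computed from packet metadata alone within a fixed window after a device's first packet. The record layout, the feature set, and the sample packets are assumptions constructed for illustration; the abstract does not list the paper's actual features.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet metadata, no payload:
# (timestamp_s, device_mac, dst_ip, proto, dst_port, length_bytes)
PACKETS = [
    (100.0, "02:00:00:00:00:01", "255.255.255.255", "udp", 67, 342),
    (100.5, "02:00:00:00:00:01", "192.0.2.53", "udp", 53, 74),
    (101.0, "02:00:00:00:00:01", "198.51.100.10", "tcp", 443, 60),
    (101.5, "02:00:00:00:00:01", "198.51.100.10", "tcp", 443, 517),
    (130.0, "02:00:00:00:00:01", "198.51.100.10", "tcp", 443, 120),
    (200.0, "02:00:00:00:00:02", "255.255.255.255", "udp", 67, 300),
    (200.25, "02:00:00:00:00:02", "224.0.0.251", "udp", 5353, 100),
    (200.5, "02:00:00:00:00:02", "224.0.0.251", "udp", 5353, 100),
    (290.0, "02:00:00:00:00:02", "203.0.113.5", "tcp", 8883, 90),
]

def early_flow_features(packets, window_s):
    """Per-device feature vector from the first window_s seconds after attachment."""
    first_seen = {}
    flows = defaultdict(lambda: defaultdict(list))  # mac -> flow key -> [(ts, len)]
    for ts, mac, dst, proto, dport, length in sorted(packets):
        start = first_seen.setdefault(mac, ts)  # first packet marks attachment
        if ts - start <= window_s:
            flows[mac][(dst, proto, dport)].append((ts, length))
    features = {}
    for mac, dev_flows in flows.items():
        pkts = sorted(p for flow in dev_flows.values() for p in flow)
        sizes = [length for _, length in pkts]
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        features[mac] = {
            "flows": len(dev_flows),
            "packets": len(pkts),
            "bytes": sum(sizes),
            "mean_len": round(mean(sizes), 2),
            "std_len": round(pstdev(sizes), 2),
            "mean_gap_s": round(mean(gaps), 3) if gaps else 0.0,
            "dst_ports": sorted({key[2] for key in dev_flows}),
        }
    return features

if __name__ == "__main__":
    for window in (5, 60):  # compare a short and a longer observation window
        for mac, vec in early_flow_features(PACKETS, window).items():
            print(window, mac, vec)
```

Vectors like these, computed per observation window, are what a classifier would be trained and evaluated on when comparing short and long windows.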