Zero Trust architectures require immediate identification of IoT devices before granting network access; however, most existing classification methods rely on extended traffic observation windows or computationally intensive deep learning models. This study proposes a lightweight multi-label IoT device classification framework based solely on early-stage DHCP and DNS metadata captured during device boot-up. Traditional supervised classifiers, including Naïve Bayes, Decision Tree, Random Forest, and Multi-Layer Perceptron, are adapted to support probabilistic multi-label prediction and integrated unknown device detection through confidence-based thresholding. The approach enables devices with identical or overlapping behavioral fingerprints to be grouped for policy enforcement while preserving detection sensitivity for unseen devices under open-set conditions. Experimental evaluation on 40 IoT devices representing 31 device types demonstrates that Random Forest achieves the most reliable balance between classification accuracy and unknown detection robustness, while maintaining low computational overhead suitable for constrained gateways. The results show that early metadata alone is sufficient for real-time Zero Trust enforcement and least-privilege policy activation. The proposed unified framework reduces architectural complexity by combining classification and unknown detection into a single model, making it practical for scalable IoT deployments.
Enaya et al. (Mon,) studied this question.
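The combination of probabilistic multi-label prediction and confidence-based unknown detection described in the abstract can be sketched with a small Naive Bayes model. This is an added example, not code from the paper: the token scheme, the simplified likelihood (only observed tokens are scored), the threshold of 0.4, and all device captures are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def tokens(opt55, vendor_class, dns_queries):
    """Categorical tokens from boot-time DHCP and DNS metadata."""
    return {f"opt55={opt55}", f"vendor={vendor_class}"} | {f"dns={q}" for q in dns_queries}

class EarlyMetadataNB:
    """Naive Bayes over observed tokens (simplification: absent tokens are ignored)."""
    def __init__(self, alpha=1.0):
        self.alpha, self.boots, self.seen = alpha, Counter(), defaultdict(Counter)

    def fit(self, samples):
        for label, toks in samples:
            self.boots[label] += 1          # boot captures per device type
            self.seen[label].update(toks)   # how often each token appeared
        return self

    def posteriors(self, toks):
        total = sum(self.boots.values())
        logp = {}
        for label, n in self.boots.items():
            lp = math.log(n / total)        # class prior
            for t in toks:                  # Laplace-smoothed token likelihood
                lp += math.log((self.seen[label][t] + self.alpha) / (n + 2 * self.alpha))
            logp[label] = lp
        m = max(logp.values())              # normalise in log space for stability
        z = sum(math.exp(v - m) for v in logp.values())
        return {label: math.exp(v - m) / z for label, v in logp.items()}

    def classify(self, toks, tau=0.4):
        """Every label with posterior >= tau; no label clearing tau means unknown."""
        post = self.posteriors(toks)
        return sorted(l for l, p in post.items() if p >= tau) or ["unknown"]

# Constructed boot captures: (device type, DHCP option 55 list, vendor class, first DNS queries)
TRAIN = [
    ("ip_camera", "1,3,6,12,15,28,42", "udhcp 1.24.2", ["time.cam.example", "p2p.cam.example"]),
    ("smart_plug_a", "1,3,28,6", "", ["iot.plugcloud.example", "pool.ntp.org"]),
    ("smart_plug_b", "1,3,28,6", "", ["iot.plugcloud.example", "pool.ntp.org"]),
    ("smart_bulb", "1,3,6", "bulb-os", ["mqtt.bulbcloud.example", "pool.ntp.org"]),
    ("voice_assistant", "1,3,6,15,119,252", "dhcpcd-6.8.2", ["api.voice.example", "ntp.voice.example"]),
]
MODEL = EarlyMetadataNB().fit((lbl, tokens(o, v, d)) for lbl, o, v, d in TRAIN)
```

The two plugs share one fingerprint, so each gets a posterior below 0.5: a single-label cutoff at 0.5 would reject them as unknown, whereas the per-label threshold returns both and lets one policy cover the group.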