This Cybersecurity Intrusion Detection Dataset is designed for detecting cyber intrusions based on network traffic and user behavior. Below, I’ll explain each aspect in detail, including the dataset structure, feature importance, possible analysis approaches, and how it can be used for machine learning.

1. Understanding the Features

The dataset consists of network-based and user behavior-based features. Each feature provides valuable information about potential cyber threats.

A. Network-Based Features

These features describe network-level information such as packet size, protocol type, and encryption methods.

1. network_packet_size (Packet Size in Bytes)

   • Represents the size of network packets, ranging between 64 to 1500 bytes.
   • Packets on the lower end (~64 bytes) may indicate control messages, while larger packets (~1500 bytes) often carry bulk data.
   • Attackers may use abnormally small or large packets for reconnaissance or exploitation attempts.

2. protocol_type (Communication Protocol)

   • The protocol used in the session: TCP, UDP, or ICMP.
   • TCP (Transmission Control Protocol): Reliable, connection-oriented (common for HTTP, HTTPS, SSH).
   • UDP (User Datagram Protocol): Faster but less reliable (used for VoIP, streaming).
   • ICMP (Internet Control Message Protocol): Used for network diagnostics (ping); often abused in Denial-of-Service (DoS) attacks.

3. encryption_used (Encryption Protocol)

   • Values: AES, DES, None.
   • AES (Advanced Encryption Standard): Strong encryption, commonly used.
   • DES (Data Encryption Standard): Older encryption, weaker security.
   • None: Indicates unencrypted communication, which can be risky.
   • Attackers might use no encryption to avoid detection or weak encryption to exploit vulnerabilities.

B. User Behavior-Based Features

These features track user activities, such as login attempts and session duration.

1. login_attempts (Number of Logins)

   • High values might indicate brute-force attacks (repeated login attempts).
   • Typical users have 1–3 login attempts, while an attack may have hundreds or thousands.

2. session_duration (Session Length in Seconds)

   • A very long session might indicate unauthorized access or persistence by an attacker.
   • Attackers may try to stay connected to maintain access.

3. failed_logins (Failed Login Attempts)

   • High failed login counts indicate credential stuffing or dictionary attacks.
   • Many failed attempts followed by a successful login could suggest an account was compromised.

4. unusual_time_access (Login Time Anomaly)

   • A binary flag (0 or 1) indicating whether access happened at an unusual time.
   • Attackers often operate outside normal business hours to evade detection.

5. ip_reputation_score (Trustworthiness of IP Address)

   • A score from 0 to 1, where higher values indicate suspicious activity.
   • IP addresses associated with botnets, spam, or previous attacks tend to have higher scores.

6. browser_type (User’s Browser)

   • Common browsers: Chrome, Firefox, Edge, Safari.
   • Unknown: Could be an indicator of automated scripts or bots.

2. Target Variable (attack_detected)

• Binary classification: 1 means an attack was detected, 0 means normal activity.
• The dataset is useful for supervised machine learning, where a model learns from labeled attack patterns.

3. Possible Use Cases

This dataset can be used for intrusion detection systems (IDS) and cybersecurity research. Some key applications include:

A. Machine Learning-Based Intrusion Detection

1. Supervised Learning Approaches

   • Classification Models (Logistic Regression, Decision Trees, Random Forest, XGBoost, SVM)
   • Train the model using labeled data (attack_detected as the target).
   • Evaluate using accuracy, precision, recall, F1-score.

2. Deep Learning Approaches

   • Use Neural Networks (DNN, LSTM, CNN) for pattern recognition.
   • LSTMs work well for time-series-based network traffic analysis.

B. Anomaly Detection (Unsupervised Learning)

If attack labels are missing, anomaly detection can be used: - Autoencoders: Learn normal traffic and flag anomalies. - Isolation Forest: Detects outliers based on feature isolation. - One-Class SVM: Learns normal behavior and detects deviations.

C. Rule-Based Detection

• If certain thresholds are met (e.g., failed_logins > 10 & ip_reputation_score > 0.8), an alert is triggered.

4. Challenges & Considerations

• Adversarial Attacks: Attackers may modify traffic to evade detection.
• Concept Drift: Cyber threats...

Cybersecurity Defense Training Dataset

  Dataset Description

This dataset contains 2,500 high-quality instruction-response pairs focused on defensive cybersecurity education. The dataset is designed to train AI models to provide accurate, detailed, and ethically-aligned guidance on information security principles while refusing to assist with malicious activities.

  Dataset Summary

Language: English License: Apache 2.0 Format: Parquet Size: 2,500 rows Domain:… See the full description on the dataset page: https://huggingface.co/datasets/AlicanKiraz0/Cybersecurity-Dataset-v1.

Dataset Card for Purple Team Cybersecurity Dataset Dataset Summary The Purple Team Cybersecurity Dataset is a synthetic collection designed to simulate collaborative cybersecurity exercises, integrating offensive (Red Team) and defensive (Blue Team) strategies. It encompasses detailed records of attack events, defense responses, system logs, network traffic, and performance metrics. This dataset serves as a valuable resource for training, analysis, and enhancing organizational security… See the full description on the dataset page: https://huggingface.co/datasets/Canstralian/Purple-Team-Cybersecurity-Dataset.

The Dataset "Cyber Security Indexes" includes four indicators which illustrate the current cyber security situation around the world. The data is provided on 193 countries and territories, grouped by five geographical regions - Africa, North America, South America, Europe and Asia-Pasific.

The Cybersecurity Exposure Index (CEI) defines the level of exposure to cybercrime by country from 0 to 1; the higher the score, the higher the exposure (provided by 10guard). The indicator was last updated in 2020.

The Global Cyber Security Index (GCI) is a trusted reference that measures the commitment of countries to cybersecurity at a global level – to raise awareness of the importance and different dimensions of the issue (provided by the International Telecommunication Union - ITU). The indicator was last updated in 2021.

The National Cyber Security Index (NCSI) measures a country's readiness to address cyber threats and manage cyber incidents. It is composed of categories, capacities, and indicators (provided by NCSI). The indicator was last updated in January 2023.

The Digital Development Level (DDL) defines the average percentage the country received from the maximum value of both indices (provided by NCSI). The indicator was last updated in January 2023.

The dataset can be used for practising data cleaning, data visualization (on maps and round/bar charts), finding correlations between the indexes and predicting the missing data.

The data was used in the analytical article research The Geography of Cybersecurity: Cyber Threats and Vulnerabilities

NIST Cybersecurity Training Dataset v1.1

The largest open-source NIST cybersecurity training dataset for fine-tuning LLMs

  Version 1.1 Highlights

What's New in v1.1:

✅ Added CSWP (Cybersecurity White Papers) series - 23 new documents ✅ Fixed 6,150 broken DOI links via format normalization ✅ Removed 202 malformed DOIs (double URL prefixes) ✅ Validated and fixed 124,946 total links ✅ Cataloged 72,698 broken links for future recovery ✅ 0 broken link markers remaining in… See the full description on the dataset page: https://huggingface.co/datasets/ethanolivertroy/nist-cybersecurity-training.

The Global Cybersecurity Index (GCI) is a trusted reference that measures the commitment of countries to cybersecurity at a global level – to raise awareness of the importance and different dimensions of the issue. As cybersecurity has a broad field of application, cutting across many industries and various sectors, each country's level of development or engagement is assessed along five pillars – (i) Legal Measures, (ii) Technical Measures, (iii) Organizational Measures, (iv) Capacity Development, and (v) Cooperation – and then aggregated into an overall score.​

The number of cybersecurity incident reports filed with local authorities and the estimated loss. Loss is calculated in USD. Some missing fields are imputed. Overall, it's consistent with the IC3 report.

luckwa/cybersecurity-dataset dataset hosted on Hugging Face and contributed by the HF Datasets community

Cybersecurity Defense Instruction-Tuning Dataset (v2.0)

Created by Alican Kiraz

  TL;DR

A ready-to-train dataset of 83,920 high-quality system / user / assistant triples for defensive, alignment-safe cybersecurity SFT training. Apache-2.0 licensed and production-ready. Scope: OWASP Top 10, MITRE ATT&CK, NIST CSF, CIS Controls, ASD Essential 8, modern authentication (OAuth 2 / OIDC / SAML), SSL / TLS, Cloud & DevSecOps, Cryptography, and AI Security.

  1 What’s… See the full description on the dataset page: https://huggingface.co/datasets/AlicanKiraz0/Cybersecurity-Dataset-Fenrir-v2.0.

Overview

MedSec-25 is a comprehensive, labeled network traffic dataset designed specifically for the Internet of Medical Things (IoMT) in healthcare environments. It addresses the limitations of existing generic IoT datasets by capturing realistic traffic from a custom-built healthcare IoT lab that mimics real-world hospital operations. The dataset includes both benign (normal) traffic and malicious traffic from multi-staged attack campaigns inspired by the MITRE ATT&CK framework. This allows for the development and evaluation of machine learning-based intrusion detection systems (IDS) tailored to IoMT scenarios, where patient safety and data privacy are critical. The dataset was generated using a variety of medical sensors (e.g., ECG, EEG, HHI, Respiration, SpO2) and environmental sensors (e.g., thermistor, ultrasonic, PIR, flame) connected via Raspberry Pi nodes and an IoT server. Traffic was captured over 7.5 hours using tools like Wireshark and tcpdump, resulting in PCAPNG files. These were processed with CICFlowMeter to extract flow-based features, producing a cleaned CSV dataset with 554,534 bidirectional network flows and 84 features.

Key Highlights:

Realistic Setup: Built in a physical lab at Rochester Institute of Technology, Dubai, incorporating diverse IoMT devices, protocols (e.g., MQTT, SSH, Telnet, FTP, HTTP, DNS), and real-time patient interactions (anonymized to comply with privacy regulations like HIPAA).

Multi-Staged Attacks: Unlike datasets focusing on isolated attacks, MedSec-25 simulates full attack chains: Reconnaissance (e.g., SYN/TCP scans, OS fingerprinting), Initial Access (e.g., brute-force, malformed MQTT packets), Lateral Movement (e.g., exploiting vulnerabilities to pivot between devices), and Exfiltration (e.g., data theft via MQTT).

Imbalanced Nature: This is the cleaned (imbalanced) version of the dataset. Users may need to apply balancing techniques (e.g., SMOTE oversampling + random undersampling) for model training, as demonstrated in the associated paper.

Size and Quality: 554,534 rows, no duplicates, no missing values (except 111 NaNs in Flow Byts/s, ~0.02%, which can be handled via imputation). Data types include float64 (45 columns), int64 (34 columns), and object (5 columns: Flow ID, Src IP, Dst IP, Timestamp, Label).

Utility: Preliminary models trained on this dataset (e.g., KNN: 98.09% accuracy, Decision Tree: 98.35% accuracy) show excellent performance for detecting attack stages.

This dataset is ideal for researchers in cybersecurity, machine learning, and healthcare IoT, enabling the creation of an IDS that can detect attacks at different phases to prevent escalation.

Data Collection

Benign Traffic: Generated over two days with active sensors, services (HTTP dashboard for patient monitoring, SSH/Telnet for remote access, FTP for file transfers), and real users (students/faculty) interacting with medical devices. No personally identifiable information was stored.

Malicious Traffic: Two Kali Linux attacker machines simulated MITRE ATT&CK-inspired campaigns using tools like Nmap, Scapy, Metasploit, and custom Python scripts.

Capture Tools: Wireshark and tcpdump for PCAPNG files (total ~1GB: 600MB benign, 400MB malicious).

Processing: Combined PCAP files per label, extracted features with CICFlowMeter, labeled flows manually based on attack phases, and cleaned for ML readiness. The final cleaned CSV is ~350MB.

Features

The dataset includes 84 features extracted by CICFlowMeter, categorized as:

Identifiers: Flow ID, Src IP, Src Port, Dst IP, Dst Port, Protocol, Timestamp.

Time-Series Metrics: Flow Duration, Flow IAT Mean/Std/Max/Min, Fwd/Bwd IAT Tot/Mean/Std/Max/Min.

Size/Count Statistics: Tot Fwd/Bwd Pkts, TotLen Fwd/Bwd Pkts, Fwd/Bwd Pkt Len Max/Min/Mean/Std, Pkt Len Min/Max/Mean/Std/Var, Pkt Size Avg.

Flag Counts: Fwd/Bwd PSH/URG Flags, FIN/SYN/RST/PSH/ACK/URG/CWE/ECE Flag Cnt.

Rates and Ratios: Flow Byts/s, Flow Pkts/s, Fwd/Bwd Pkts/s, Down/Up Ratio, Active/Idle Mean/Std/Max/Min.

Segmentation and Others: Fwd/Bwd Seg Size Avg/Min, Subflow Fwd/Bwd Pkts/Byts, Init Fwd/Bwd Win Byts, Fwd Act Data Pkts, Fwd/Bwd Byts/b Avg, Fwd/Bwd Pkts/b Avg, Fwd/Bwd Blk Rate Avg.

Labels

The dataset is labeled with 5 classes representing benign behavior and attack stages:

Reconnaissance: 401,683 flows Initial Access: 102,090 flows Exfiltration: 25,915 flows Lateral Movement: 12,498 flows Benign: 12,348 flows

Note: The dataset is imbalanced, with Reconnaissance dominating. Apply balancing techniques for optimal ML performance.

Usage

Preprocessing Suggestions: Encode categorical features (e.g., Protocol, Label) using LabelEncoder. Normalize numerical features with Min-Max Scaler or StandardScaler. Handle the minor NaNs in Flow Byts/s via mean imputation.

Model Training: Split into train/test (e.g., 80/20). Suitable for classification tasks w...

According to a 2024 survey of Chief Information Security Officers (CISO) worldwide, Ransomware attacks were a leading cybersecurity risk, with roughly ** percent naming it as one of the three major cybersecurity threats. A further share of ** percent of the respondents found malware to be a significant risk to their organizations' cybersecurity. Email fraud compromise and DDoS attacks followed closely, with ** percent.

On June 4-6, 2019, the National Information Technology and Networking Research and Development (NITRD) Program's Artificial Intelligence Research and Development (R&D) and Cyber Security and Information Assurance Interagency Working Groups (IWG), held a workshop to assess the research challenges and opportunities at the intersection of cybersecurity and artificial intelligence (AI). This document summarizes the workshop discussions.

cyber-security-events

  Dataset Description

This dataset contains cybersecurity events collected from honeypot infrastructure. The data has been processed and feature-engineered for machine learning applications in threat detection and security analytics.

  Feature Categories





  Network Features

Connection flow statistics (bytes, packets, duration) Protocol-specific metrics Geographic information IP reputation data

  Behavioral Features

Session… See the full description on the dataset page: https://huggingface.co/datasets/pyToshka/cyber-security-events.

The President`s Cyberspace Policy Review challenges the Federal community to develop a framework for research and development strategies that focus on game-changing technologies that can significantly enhance the trustworthiness of cyberspace. The Cybersecurity Game-Change Research and Development R and D Recommendations, coordinated through the Federal Networking and Information Technology Research and Development NITRD Program www.nitrd.gov and its Cyber Security Information Assurance CSIA Interagency Working Group IWG, have identified three 3 initial R and D themes to exemplify and motivate future Federal cybersecurity research activities: a Moving Target, Tailored Trustworthy Spaces, and Cyber Economic Incentives...

The foundation for this measure is the Framework Core, a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure/industry sectors. These activities come from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) published standard, along with the information security and customer privacy controls it references (NIST 800 Series Special Publications). The Framework Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous functions – identify, protect, detect, respond, and recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core identifies underlying key categories and subcategories for each function, and matches them with example references, such as existing standards, guidelines and practices for each subcategory. This page provides data for the Cybersecurity performance measure.Cybersecurity Framework (CSF) scores by each CSF category per fiscal year quarter (Performance Measure 5.12)The performance measure dashboard is available at 5.12 Cybersecurity.Additional InformationSource: Maturity assessment /https://www.nist.gov/topics/cybersecurityContact: Scott CampbellContact E-Mail: Scott_Campbell@tempe.govData Source Type: ExcelPreparation Method: The data is a summary of a detailed and confidential analysis of the city's cyber security program. Maturity scores of subcategories within NIST CFS are combined, averaged and rolled up to a summary score for each major category.Publish Frequency: Annual

In early 2025, a small tech startup in Austin, Texas, discovered its customer database had been silently siphoned off over a period of three months. The breach wasn’t sophisticated, it was a simple phishing email that bypassed outdated filters. But the consequences were staggering: legal fees, compliance penalties, and reputational...

Cybersecurity Dataset: Are We Ready in Latin America and the Caribbean? (2016)

This dataset supports the 2016 Cybersecurity Report, Are We Ready in Latin America and the Caribbean?, produced by the Inter-American Development Bank (IDB), Organization of American States (OAS), and Global Cyber Security Capacity Centre (GCSCC) at Oxford.

Data were collected via an online survey using the Cybersecurity Capability Maturity Model (CMM), developed by the GCSCC. The survey was translated into English and Spanish. Following a pilot phase, it was administered to a diverse group of national stakeholders across 32 countries in Latin America and the Caribbean.

The responses were aggregated, reviewed, cleaned, and supplemented with additional information from external sources to ensure completeness and accuracy.

Business Context: We are in a time where businesses are more digitally advanced than ever, and as technology improves, organizations’ security postures must be enhanced as well. Failure to do so could result in a costly data breach, as we’ve seen happen with many businesses. The cybercrime landscape has evolved, and threat actors are going after any type of organization, so in order to protect your business’s data, money and reputation, it is critical that you invest in an advanced security system. Cyber security can be described as the collective methods, technologies, and processes to help protect the confidentiality, integrity, and availability of computer systems, networks and data, against cyber-attacks or unauthorized access. a. Information Security vs. Cyber Security vs. Network Security: Information security (also known as InfoSec) ensures that both physical and digital data is protected from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. Information security differs from cyber security in that InfoSec aims to keep data in any form secure, whereas cyber security protects only digital data. Cyber security, a subset of information security, is the practice of defending your organization’s networks, computers and data from unauthorized digital access, attack or damage by implementing various processes, technologies and practices. With the countless sophisticated threat actors targeting all types of organizations, it is critical that your IT infrastructure is secured at all times to prevent a full-scale attack on your network and risk exposing your company’ data and reputation. Network security, a subset of cyber security, aims to protect any data that is being sent through devices in your network to ensure that the information is not changed or intercepted. The role of network security is to protect the organization’s IT infrastructure from all types of cyber threats including: Viruses, worms and Trojan horses a. Zero-day attacks b. Hacker attacks c. Denial of service attacks d. Spyware and adware Your network security team implements the hardware and software necessary to guard your security architecture. With the proper network security in place, your system can detect emerging threats before they infiltrate your network and compromise your data. There are many components to a network security system that work together to improve your security posture. The most common network security components include: a. Firewalls b. Anti-virus software c. Intrusion detection and prevention systems (IDS/IPS) d. Virtual private networks (VPN) Network Intrusions vs. Computer intrusions vs. Cyber Attacks 1. Computer Intrusions: Computer intrusions occur when someone tries to gain access to any part of your computer system. Computer intruders or hackers typically use automated computer programs when they try to compromise a computer’s security. There are several ways an intruder can try to gain access to your computer. They can Access your a. Computer to view, change, or delete information on your computer, b. Crash or slow down your computer c. Access your private data by examining the files on your system d. Use your computer to access other computers on the Internet. 2. Network Intrusions: A network intrusion refers to any unauthorized activity on a digital network. Network intrusions often involve stealing valuable network resources and almost always jeopardize the security of networks and/or their data. In order to proactively detect and respond to network intrusions, organizations and their cyber security teams need to have a thorough understanding of how network intrusions work and implement network intrusion, detection, and response systems that are designed with attack techniques and cover-up methods in mind. Network Intrusion Attack Techniques: Given the amount of normal activity constantly taking place on digital networks, it can be very difficult to pinpoint anomalies that could indicate a network intrusion has occurred. Below are some of the most common network intrusion attack techniques that organizations should continually look for: Living Off the Land: Attackers increasingly use existing tools and processes and stolen credentials when compromising networks. These tools like operating system utilities, business productivity software and scripting languages are clearly not malware and have very legitimate usage as well. In fact, in most cases, the vast majority of the usage is business justified, allowing an attacker to blend in. Multi-Routing: If a network allows for asymmetric routing, attackers will often leverage multiple routes to access the targeted device or network. This allows them to avoid being detected by having a large portion of suspicious packets bypass certain network segments and any relevant network intrusion systems. Buffer Overwrit...

Snapshot img

Cybersecurity Services Market Size 2024-2028

The cybersecurity services market size is forecast to increase by USD 49 billion at a CAGR of 9.23% between 2023 and 2028. The market is experiencing significant growth due to several key drivers. The increasing number of data breaches and cyber-attacks has heightened the awareness and importance of cybersecurity, leading to an increase in demand for these services. Another trend in the market is the integration of artificial intelligence (AI) and machine learning (ML) technologies to enhance threat detection and response capabilities. However, the high cost of implementing cybersecurity services remains a challenge for many organizations, particularly smaller businesses and governments with limited budgets. Despite this, the market is expected to continue growing as businesses recognize the need for cybersecurity to protect their valuable digital assets.

What will be the Size of the Market During the Forecast Period?

Request Free Sample

The market is witnessing significant growth due to the increasing reliance on digital technologies and the subsequent rise in cyber threats. With the proliferation of cloud computing, remote work, and digital transactions, enterprises across various sectors including banking, financial services, healthcare, e-commerce platforms, and critical infrastructure are increasingly vulnerable to cyberattacks. Digital technologies have revolutionized the way businesses operate, enabling them to offer new services and reach wider audiences. However, they also introduce new risks. Cybersecurity risks, such as malicious attacks, are a major concern for organizations, particularly those dealing with sensitive data.

Moreover, the energy sector and critical infrastructure are also at risk from physical threats that can have digital consequences. Advanced security solutions are essential to mitigate these risks. AI and machine learning technologies are being increasingly adopted to enhance cybersecurity capabilities. Risk-based security approaches are becoming the norm, with organizations prioritizing resources to protect their most valuable assets. The shift to remote work has further complicated cybersecurity efforts. With employees working from home, the traditional perimeter security model is no longer sufficient. Organizations must ensure their networks and data are secure, regardless of where their employees are located. The cybersecurity skills gap is another challenge.

Similarly, with the increasing complexity of cyber threats, there is a growing demand for skilled cybersecurity professionals. Organizations must invest in training and development to ensure they have the necessary expertise in-house. In conclusion, the market is crucial in helping organizations navigate the digital landscape and protect against cyber threats. The market is expected to grow as businesses continue to adopt digital technologies and as cybercriminals become more sophisticated in their attacks. Organizations must prioritize cybersecurity to safeguard their assets and maintain customer trust.

Market Segmentation

The market research report provides comprehensive data (region-wise segment analysis), with forecasts and estimates in 'USD billion' for the period 2024-2028, as well as historical data from 2018-2022 for the following segments.

Deployment

  On-premises
  Cloud based


End-user

  Government
  BFSI
  ICT
  Manufacturing
  Others


Geography

  North America

    Canada
    US


  APAC

    China
    India
    Japan
    South Korea


  Europe

    Germany
    UK
    France


  Middle East and Africa



  South America

By Deployment Insights

The on-premises segment is estimated to witness significant growth during the forecast period. On-premises cybersecurity services offer organizations advanced security solutions to safeguard their infrastructure from cyberattacks. These solutions are installed and managed within an organization's own physical environment, providing a high degree of control and customization. With on-premises cybersecurity, businesses can fine-tune security configurations, set up strict access controls, and maintain direct supervision over their security operations. This level of control is essential for industries with stringent regulatory requirements, sensitive data handling policies, or unique security considerations. Machine Learning (ML) and threat detection technologies are increasingly being integrated into on-premises cybersecurity solutions to enhance their capabilities. Cloud security services are also becoming a significant component of on-premises cybersecurity offerings, allowing organizations to extend their security perimeter to the cloud. The demand for cybersecurity professionals is at an all-time high due to the increasing number of cyberattacks.

However, there is a significant cyber talent shortage, making it challen