Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
With the continuous expansion of data exchange, the threat of cybercrime and network invasions is also on the rise. This project aims to address these concerns by investigating an innovative approach: an Attentive Transformer Deep Learning Algorithm for Intrusion Detection of IoT Systems using Automatic Xplainable Feature Selection. The primary focus of this project is to develop an effective Intrusion Detection System (IDS) using the aforementioned algorithm. To accomplish this, carefully curated datasets have been utilized, which have been created through a meticulous process involving data extraction from the University of New Brunswick repository. This repository houses the datasets used in this research and can be accessed publicly in order to replicate the findings of this research.
Intruder Detection Systems Market size is set to expand from $ 4.95 Billion in 2023 to $ 8.33 Billion by 2032, with an anticipated CAGR of around 5.3% from 2024 to 2032.
The Intrusion Detection System (IDS) Software market is experiencing robust growth, driven by the escalating need for robust cybersecurity solutions across diverse sectors. The increasing frequency and sophistication of cyberattacks, coupled with stringent data privacy regulations like GDPR and CCPA, are compelling organizations of all sizes to invest heavily in advanced threat detection and prevention mechanisms. This market, estimated at $15 billion in 2025, is projected to exhibit a Compound Annual Growth Rate (CAGR) of 12% from 2025 to 2033. This growth is fueled by the rising adoption of cloud-based IDS solutions, which offer scalability, flexibility, and cost-effectiveness compared to on-premises deployments. The market is segmented by application (large enterprises and SMEs) and type (on-premises and cloud-based), with the cloud-based segment expected to dominate due to its inherent advantages. Furthermore, the growing adoption of Artificial Intelligence (AI) and Machine Learning (ML) in IDS software enhances threat detection accuracy and reduces false positives, further boosting market expansion. Significant regional variations exist. North America currently holds the largest market share, driven by high technological adoption and robust cybersecurity infrastructure. However, Asia-Pacific is expected to witness the fastest growth rate during the forecast period, fueled by rapid digital transformation and increasing internet penetration in emerging economies. The market faces certain restraints, including the rising costs associated with implementation and maintenance of sophisticated IDS systems, as well as the skills gap in cybersecurity professionals capable of effectively managing these systems. Nonetheless, the overall market outlook remains overwhelmingly positive, driven by sustained demand for enhanced cybersecurity and evolving technological advancements within the IDS software landscape. 
The prominent vendors mentioned—including SolarWinds, ManageEngine, Cisco, and others—are actively innovating and expanding their product portfolios to capitalize on this growing opportunity.
Security is the main challenge in Supervisory Control and Data Acquisition (SCADA) systems, since SCADA systems must be connected to heterogeneous networks to save costs. SCADA devices such as RTUs have limited resources, so a small-scale cyber attack on a computer network will have a major impact on the SCADA system. This study discusses a SCADA system using the IEC 60870-5-104 protocol, which is widely used in the power plant industry. A physical testbed is built to simulate the electrical distribution process. The SCADA system in the distribution section is more vulnerable than other parts because it is located directly in the community environment, which gives attackers many points of entry. The purpose of this study is to obtain relevant datasets for the SCADA system. The simulation carried out in this study consists of normal communication between the HMI and the RTU, which is then attacked to disrupt the communication. The attack activities carried out are port scan, brute force and DoS. The DoS attacks carried out are ICMP flood, SYN flood, and IEC 104 flood. The IEC 104 flood is a modified attack against the RTU in which the RTU is flooded with ASDUs (Application Service Data Units) of an unknown type ID. Attacks are carried out using the Kali Linux operating system. All scenarios are recorded and saved in pcap format. To prove that attack traffic is present in the IDS dataset, Snort and Suricata are used to detect it. This study also reports the intrusion detection performance results from Snort and Suricata.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
The work involved in developing the dataset and benchmarking its use of machine learning is set out in the article ‘IoMT-TrafficData: Dataset and Tools for Benchmarking Intrusion Detection in Internet of Medical Things’. DOI: 10.1109/ACCESS.2024.3437214.
Please do cite the aforementioned article when using this dataset.
The increasing importance of securing the Internet of Medical Things (IoMT) due to its vulnerabilities to cyber-attacks highlights the need for an effective intrusion detection system (IDS). In this study, our main objective was to develop a Machine Learning Model for the IoMT to enhance the security of medical devices and protect patients’ private data. To address this issue, we built a scenario that utilised the Internet of Things (IoT) and IoMT devices to simulate real-world attacks. We collected and cleaned data, pre-processed it, and fed it into our machine-learning model to detect intrusions in the network. Our results revealed significant improvements in all performance metrics, indicating robustness and reproducibility in real-world scenarios. This research has implications in the context of IoMT and cybersecurity, as it helps mitigate vulnerabilities and lowers the number of breaches occurring with the rapid growth of IoMT devices. The use of machine learning algorithms for intrusion detection systems is essential, and our study provides valuable insights and a road map for future research and the deployment of such systems in live environments. By implementing our findings, we can contribute to a safer and more secure IoMT ecosystem, safeguarding patient privacy and ensuring the integrity of medical data.
The ZIP folder comprises two main components: Captures and Datasets. Within the captures folder, we have included all the captures used in this project. These captures are organized into separate folders corresponding to the type of network analysis: BLE or IP-Based. Similarly, the datasets folder follows a similar organizational approach. It contains datasets categorized by type: BLE, IP-Based Packet, and IP-Based Flows.
To cater to diverse analytical needs, the datasets are provided in two formats: CSV (Comma-Separated Values) and pickle. The CSV format facilitates seamless integration with various data analysis tools, while the pickle format preserves the intricate structures and relationships within the dataset.
This organization enables researchers to easily locate and utilize the specific captures and datasets they require, based on their preferred network analysis type or dataset type. The availability of different formats further enhances the flexibility and usability of the provided data.
Within this dataset, three sub-datasets are available, namely BLE, IP-Based Packet, and IP-Based Flows. Below is a table of the features selected for each dataset and consequently used in the evaluation model within the provided work.
Identified Key Features Within Bluetooth Dataset
Feature | Meaning |
btle.advertising_header | BLE Advertising Packet Header |
btle.advertising_header.ch_sel | BLE Advertising Channel Selection Algorithm |
btle.advertising_header.length | BLE Advertising Length |
btle.advertising_header.pdu_type | BLE Advertising PDU Type |
btle.advertising_header.randomized_rx | BLE Advertising Rx Address |
btle.advertising_header.randomized_tx | BLE Advertising Tx Address |
btle.advertising_header.rfu.1 | Reserved For Future 1 |
btle.advertising_header.rfu.2 | Reserved For Future 2 |
btle.advertising_header.rfu.3 | Reserved For Future 3 |
btle.advertising_header.rfu.4 | Reserved For Future 4 |
btle.control.instant | Instant Value Within a BLE Control Packet |
btle.crc.incorrect | Incorrect CRC |
btle.extended_advertising | Advertiser Data Information |
btle.extended_advertising.did | Advertiser Data Identifier |
btle.extended_advertising.sid | Advertiser Set Identifier |
btle.length | BLE Length |
frame.cap_len | Frame Length Stored Into the Capture File |
frame.interface_id | Interface ID |
frame.len | Frame Length Wire |
nordic_ble.board_id | Board ID |
nordic_ble.channel | Channel Index |
nordic_ble.crcok | Indicates if CRC is Correct |
nordic_ble.flags | Flags |
nordic_ble.packet_counter | Packet Counter |
nordic_ble.packet_time | Packet time (start to end) |
nordic_ble.phy | PHY |
nordic_ble.protover | Protocol Version |
Identified Key Features Within IP-Based Packets Dataset
Feature | Meaning |
http.content_length | Length of content in an HTTP response |
http.request | HTTP request being made |
http.response.code | Sequential number of an HTTP response |
http.response_number | Sequential number of an HTTP response |
http.time | Time taken for an HTTP transaction |
tcp.analysis.initial_rtt | Initial round-trip time for TCP connection |
tcp.connection.fin | TCP connection termination with a FIN flag |
tcp.connection.syn | TCP connection initiation with SYN flag |
tcp.connection.synack | TCP connection establishment with SYN-ACK flags |
tcp.flags.cwr | Congestion Window Reduced flag in TCP |
tcp.flags.ecn | Explicit Congestion Notification flag in TCP |
tcp.flags.fin | FIN flag in TCP |
tcp.flags.ns | Nonce Sum flag in TCP |
tcp.flags.res | Reserved flags in TCP |
tcp.flags.syn | SYN flag in TCP |
tcp.flags.urg | Urgent flag in TCP |
tcp.urgent_pointer | Pointer to urgent data in TCP |
ip.frag_offset | Fragment offset in IP packets |
eth.dst.ig | Ethernet destination is in the internal network group |
eth.src.ig | Ethernet source is in the internal network group |
eth.src.lg | Ethernet source is in the local network group |
eth.src_not_group | Ethernet source is not in any network group |
arp.isannouncement | Indicates if an ARP message is an announcement |
Identified Key Features Within IP-Based Flows Dataset
Feature | Meaning |
proto | Transport layer protocol of the connection |
service | Identification of an application protocol |
orig_bytes | Originator payload bytes |
resp_bytes | Responder payload bytes |
history | Connection state history |
orig_pkts | Originator sent packets |
resp_pkts | Responder sent packets |
flow_duration | Length of the flow in seconds |
fwd_pkts_tot | Forward packets total |
bwd_pkts_tot | Backward packets total |
fwd_data_pkts_tot | Forward data packets total |
bwd_data_pkts_tot | Backward data packets total |
fwd_pkts_per_sec | Forward packets per second |
bwd_pkts_per_sec | Backward packets per second |
flow_pkts_per_sec | Flow packets per second |
fwd_header_size | Forward header bytes |
bwd_header_size | Backward header bytes |
fwd_pkts_payload | Forward payload bytes |
bwd_pkts_payload | Backward payload bytes |
flow_pkts_payload | Flow payload bytes |
fwd_iat | Forward inter-arrival time |
bwd_iat | Backward inter-arrival time |
flow_iat | Flow inter-arrival time |
active | Flow active duration |
The global intrusion prevention detection system (IPDS) market is projected to reach a value of USD 22.8 billion by 2033, exhibiting a CAGR of 10.5% during the forecast period (2025-2033). The rising need for network and data protection against cyber threats is a primary driver of this growth. Key market players include Cisco, IBM, Check Point, and HP. The market is segmented based on type (network intrusion detection solution, host-based intrusion detection solution), application (finance, government, IT and telecom, health, utilities), and region (North America, South America, Europe, Middle East & Africa, Asia Pacific). The increasing adoption of cloud computing, virtualization, and IoT devices has created new avenues for cybercriminals to exploit vulnerabilities and compromise systems. This has led to a growing demand for IPDS solutions that can provide real-time protection against sophisticated attacks. Additionally, government regulations and industry standards mandating the implementation of intrusion detection systems are driving the adoption of IPDS in various sectors. However, factors such as the high cost of implementation, operational complexity, and the availability of alternative security solutions may restrain the market's growth to some extent.
Accuracy Analysis of Intrusion Detection System
According to Cognitive Market Research, the global Perimeter Intrusion Detection Systems market size is USD 25.1 billion in 2024 and will expand at a compound annual growth rate (CAGR) of 15.2% from 2024 to 2031.
Market Dynamics of Perimeter Intrusion Detection Systems Market
Key Drivers for Perimeter Intrusion Detection Systems Market
The proliferation of smart city infrastructures: In addition to providing real-time feedback to identify the need for maintenance, smart buildings can also provide space management or structural health monitoring. Furthermore, the market growth is being driven by the following factors: growing sophistication in cross-border infiltration, digitalization, volatile geopolitics, an increase in the number of unlawful intrusions, and a greater emphasis on perimeter protection by the government. Additionally, the market is being driven by the rising population, the development of digital infrastructures, globalization, economic growth, rapid urbanization, the demand for efficient resource utilization management, public safety concerns, and the emerging demand for a society with efficient energy utilization. Furthermore, market expansion is anticipated to be spurred by the increasing prevalence of nanotechnology, big data analytics, artificial intelligence (AI), Internet of Things (IoT), machine learning (ML), cloud computing, cognitive computing, and open data.
The rising number of security system video surveillance installations is anticipated to drive the Perimeter Intrusion Detection Systems market's expansion in the years ahead.
Key Restraints for Perimeter Intrusion Detection Systems Market
The incorporation of new technologies into existing systems may pose a serious threat to the Perimeter Intrusion Detection Systems industry.
The market also faces significant difficulties because installation and maintenance are expensive for SMEs.
Introduction of the Perimeter Intrusion Detection Systems Market
A perimeter intrusion detection system (PIDS) is employed to identify, monitor, and trace an unauthorized physical intruder who is attempting to infiltrate a secured area. It consists of active infrared or microwave systems, cables, and sensors that are either embedded underground or mounted on a fence. Additionally, it features audio alarm verification, which enables operators to respond promptly and effectively. Furthermore, it assists in the analysis of threats, the management of risks, the protection of assets, critical infrastructure, and borders, and the assurance of personnel safety. In recent years, a multi-layered approach has garnered traction, which employs a combination of video analytics to characterize intruders and ground-based sensors to detect potential intrusions. As a result, PIDS is extensively employed in a variety of locations, including military bases, government agencies, critical infrastructure, correctional institutions, petrochemical sites, airports, and storage yards, on a global scale.
The Perimeter Intrusion Detection Systems Market was valued at $13.26 B in 2023 and is projected to reach $44.08 B by 2032, at a CAGR of 14.28% from 2023 to 2032.
The Intrusion Detection and Prevention System Market size is expected to reach a valuation of USD 9.06 billion in 2033 growing at a CAGR of 6.5%. The Intrusion Detection and Prevention System market research report classifies market by share, trend, demand, forecast and based on segmentation.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
IEC 60870-5-104
Intrusion Detection Dataset
Readme File
ITHACA – University of Western Macedonia - https://ithaca.ece.uowm.gr/
Authors: Panagiotis Radoglou-Grammatikis, Thomas Lagkas, Vasileios Argyriou, Panagiotis Sarigiannidis
Publication Date: September 23, 2022
1. Introduction
The evolution of the Industrial Internet of Things (IIoT) introduces several benefits, such as real-time monitoring, pervasive control and self-healing. However, despite the valuable services, security and privacy issues still remain given the presence of legacy and insecure communication protocols like IEC 60870-5-104. IEC 60870-5-104 is an industrial protocol widely applied in critical infrastructures, such as the smart electrical grid and industrial healthcare systems. The IEC 60870-5-104 Intrusion Detection Dataset was implemented in the context of the research paper entitled "Modeling, Detecting, and Mitigating Threats Against Industrial Healthcare Systems: A Combined Software Defined Networking and Reinforcement Learning Approach" [1], in the context of two H2020 projects: ELECTRON: rEsilient and seLf-healed EleCTRical pOwer Nanogrid (101021936) and SDN-microSENSE: SDN - microgrid reSilient Electrical eNergy SystEm (833955). This dataset includes labelled Transmission Control Protocol (TCP)/Internet Protocol (IP) network flow statistics (Comma-Separated Values (CSV) format) and IEC 60870-5-104 flow statistics (CSV format) related to twelve IEC 60870-5-104 cyberattacks. In particular, the cyberattacks are related to unauthorised commands and Denial of Service (DoS) activities against IEC 60870-5-104. Moreover, the relevant Packet Capture (PCAP) files are available. The dataset can be utilised for Artificial Intelligence (AI)-based Intrusion Detection Systems (IDS), taking full advantage of Machine Learning (ML) and Deep Learning (DL).
2. Instructions
The IEC 60870-5-104 dataset was implemented following the methodology of A. Gharib et al. in [2], including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata.
A network topology consisting of (a) seven industrial entities, (b) one Human Machine Interface (HMI) and (c) three cyberattackers was used to construct the IEC 60870-5-104 Intrusion Detection Dataset. The industrial entities use IEC TestServer[1], while the HMI uses Qtester104[2]. On the other hand, the cyberattackers use Kali Linux[3] equipped with Metasploit[4], OpenMUC j60870[5] and Ettercap[6]. The cyberattacks were performed during the following days.
On Saturday, April 25, 2020, a DoS cyberattack (M_SP_NA_1_DoS) was executed for 2 hours, using the M_SP_NA_1 command.
On Sunday, April 26, 2020, two cyberattacks were executed, namely (a) DoS (C_CI_NA_1_DoS) and (b) unauthorised injection (C_CI_NA_1), using the C_CI_NA_1 command for 2 hours.
On Monday, April 27, 2020, one unauthorised injection attack (C_SE_NA_1) was executed for 4 hours, using the C_SE_NA_1 command.
On Tuesday, April 28, 2020, two cyberattacks were executed, namely (a) unauthorised injection (C_SC_NA_1) and (b) DoS (C_SE_NA_1_DoS), using the C_SC_NA_1 and C_SE_NA_1 commands for 2 hours and 4 hours, respectively.
On Wednesday, April 29, 2020, one DoS (C_SC_NA_1) cyberattack was performed for 2 hours, using the C_SC_NA_1 command.
On Friday, June 05, 2020, two cyberattacks were executed, namely (a) DoS (C_RD_NA_1_DoS) and (b) unauthorised injection (C_RD_NA_1), using the C_RD_NA_1 command for 2 and 4 hours, respectively.
On Saturday, June 06, 2020, two cyberattacks were executed, namely (a) DoS (C_RP_NA_1_DoS) and (b) unauthorised injection (C_RP_NA_1), using the C_RP_NA_1 command for 2 and 4 hours, respectively.
On Monday, June 08, 2020, a Man In The Middle (MITM) cyberattack was executed for 2 hours, filtering and dropping the IEC 60870-5-104 packets.
For each attack, a 7zip file is provided, including the network traffic and the network flow statistics for each entity. Moreover, a relevant diagram is provided, illustrating the corresponding cyberattack. In particular, for each entity, a folder is given, including (a) the relevant pcap file, (b) Transmission Control Protocol (TCP) / Internet Protocol (IP) network flow statistics in a Comma-Separated Values (CSV) format and (c) IEC 60870-5-104 flow statistics in a CSV format. The TCP/IP network flow statistics were generated by CICFlowMeter[7], while the IEC 60870-5-104 flow statistics were generated based on a Custom IEC 60870-5-104 Python Parser[8], taking full advantage of Scapy[9].
3. Dataset Structure
The dataset consists of the following files:
20200425_UOWM_IEC104_Dataset_m_sp_na_1_DoS.7z: A 7zip file including the pcap and CSV files related to the M_SP_NA_1 attack.
20200426_UOWM_IEC104_Dataset_c_ci_na_1_DoS.7z: A 7zip file including the pcap and CSV files related to the C_CI_NA_1_DoS attack.
20200426_UOWM_IEC104_Dataset_c_ci_na_1.7z: A 7zip file including the pcap and CSV files related to C_CI_NA_1 attack.
20200427_UOWM_IEC104_Dataset_c_se_na_1.7z: A 7zip file including the pcap and CSV files related to the C_SE_NA_1 attack.
20200428_UOWM_IEC104_Dataset_c_sc_na_1.7z: A 7zip file including the pcap and CSV files related to the C_SC_NA_1 attack.
20200428_UOWM_IEC104_Dataset_c_se_na_1_DoS.7z: A 7zip file including the pcap and CSV files related to the C_SE_NA_1_DoS attack.
20200429_UOWM_IEC104_Dataset_c_sc_na_1_DoS.7z: A 7zip file including the pcap and CSV files related to the C_SC_NA_1_DoS attack.
20200605_UOWM_IEC104_Dataset_c_rd_na_1_DoS.7z: A 7zip file including the pcap and CSV files related to the C_RD_NA_1_DoS attack.
20200605_UOWM_IEC104_Dataset_c_rd_na_1.7z: A 7zip file including the pcap and CSV files related to the C_RD_NA_1 attack.
20200606_UOWM_IEC104_Dataset_c_rp_na_1_DoS.7z: A 7zip file including the pcap and CSV files related to the C_RP_NA_1_DoS attack.
20200606_UOWM_IEC104_Dataset_c_rp_na_1.7z: A 7zip file including the pcap and CSV files related to the C_RP_NA_1 attack.
20200608_UOWM_IEC104_Dataset_mitm_drop.7z: A 7zip file including the pcap and CSV files related to the MITM attack.
Balanced_IEC104_Train_Test_CSV_Files.zip: This zip file includes balanced CSV files from CICFlowMeter and the Custom IEC 60870-5-104 Python Parser that could be utilised for training ML and DL methods. The zip file includes different folders for the corresponding flow timeout values used for CICFlowMeter and IEC 60870-5-104 Python Parser, respectively.
Each 7zip file includes respective folders related to the entities/devices (described in the following section) participating in each attack. In particular, for each entity/device, there is a folder including (a) the overall network traffic (pcap file) related to this entity/device during each attack, (b) the TCP/IP network flow statistics (CSV file) from CICFlowMeter for the overall network traffic, (c) the IEC 60870-5-104 network traffic (pcap file) related to this entity/device during each attack, (d) the TCP/IP network flow statistics (CSV file) from CICFlowMeter for the IEC 60870-5-104 network traffic, (e) the IEC 60870-5-104 flow statistics (CSV file) from the Custom IEC 60870-5-104 Python Parser for the IEC 60870-5-104 network traffic and finally, (f) an image showing how the attack was executed. Finally, it is noteworthy that the network flows from both CICFlowMeter and the Custom IEC 60870-5-104 Python Parser in each CSV file are labelled based on the IEC 60870-5-104 cyberattacks executed for the generation of this dataset. The description of these attacks is given in the following section, while the various features from CICFlowMeter and the Custom IEC 60870-5-104 Python Parser are presented in Section 5.
4. Testbed & IEC 60870-5-104 Attacks
The testbed created for generating this dataset is composed of five virtual RTU devices emulated by IEC TestServer and two real RTU devices. Moreover, there is another workstation which plays the role of Master Terminal Unit (MTU) and HMI, sending legitimate IEC 60870-5-104 commands to the corresponding RTUs. For this purpose, the workstation uses QTester104. In addition, there are three attackers that act as malicious insiders executing the following cyberattacks against the aforementioned RTUs. Finally, the network traffic data of each entity/device was captured through tshark.
Table 1: IEC 60870-5-104 Cyberattacks Description
IEC 60870-5-104 Cyberattack | Description | Dataset Files |
MITM Drop | During this attack, the cyberattacker is placed between two endpoints, thus monitoring and dropping the network traffic exchanged. | 20200608_UOWM_IEC104_Dataset_mitm_drop.7z |
C_CI_NA_1 | The C_CI_NA_1 is a Counter Interrogation command in the control direction. This cyberattack sends unauthorised IEC 60870-5-104 C_CI_NA_1 packets to the target system. | 20200426_UOWM_IEC104_Dataset_c_ci_na_1.7z |
C_SC_NA_1 | The C_SC_NA_1 command is a single command. This cyberattack sends unauthorised C_SC_NA_1 60870-5-104 packets to the target system. | 20200428_UOWM_IEC104_Dataset_c_sc_na_1.7z |
C_SE_NA_1 | The C_SE_NA_1 command is a set-point command with normalised values. This cyberattack sends unauthorised IEC 60870-5-104 C_SE_NA_1 packets to the target system. | 20200427_UOWM_IEC104_Dataset_c_se_na_1.7z |
C_RD_NA_1 | The C_RD_NA_1 command is a read command. This cyberattack sends unauthorised IEC 60870-5-104 C_RD_NA_1 packets to the target
The Australia Intrusion Detection and Prevention System market is projected to add more than USD 19 Million from 2024 to 2029 as rising cyber threats boost the market for IDS/IPS.
The global intrusion detection and prevention software (IDPS) market is projected to reach a value of USD 5476.1 million by 2033, according to a report by Fortune Business Insights. The market is anticipated to exhibit a CAGR of 9.4% during the forecast period from 2025 to 2033. The rising incidence of cyberattacks and data breaches is a major factor driving the growth of the IDPS market. Enterprises across various sectors are increasingly adopting IDPS solutions to protect their sensitive data and critical infrastructure from unauthorized access, data theft, and other threats. Key market trends and drivers include the growing adoption of cloud computing and the Internet of Things (IoT), which has expanded the attack surface and increased the need for robust security measures. Additionally, government regulations and industry standards requiring compliance with data protection and privacy laws are driving the demand for IDPS solutions. Market leaders such as Cisco, Palo Alto Networks, and IBM continue to invest in research and development to enhance the capabilities of their IDPS products, offering advanced features such as machine learning and artificial intelligence for more effective threat detection and prevention capabilities.
Attribution 4.0 (CC BY 4.0) https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions or anomalies on CANs. Producing vehicular CAN data with a variety of intrusions is a difficult task for most researchers as it requires expensive assets and deep expertise. To illuminate this task, we introduce the first comprehensive guide to the existing open CAN intrusion detection system (IDS) datasets. We categorize attacks on CANs including fabrication (adding frames, e.g., flooding or targeting an ID), suspension (removing an ID’s frames), and masquerade attacks (spoofed frames sent in lieu of suspended ones). We provide a quality analysis of each dataset; an enumeration of each dataset’s attacks, benefits, and drawbacks; categorization as real vs. simulated CAN data and real vs. simulated attacks; whether the data is raw CAN data or signal-translated; number of vehicles/CANs; quantity in terms of time; and finally a suggested use case of each dataset. State-of-the-art public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, lacking fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but is missing a corresponding “raw” binary version. This issue pigeon-holes CAN IDS research into testing on limited and often inappropriate data (usually with attacks that are too easily detectable to truly test the method). The scarcity of appropriate data has stymied comparability and reproducibility of results for researchers. As our primary contribution, we present the Real ORNL Automotive Dynamometer (ROAD) CAN IDS dataset, consisting of over 3.5 hours of one vehicle’s CAN data.
ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real (i.e. non-simulated) fuzzing, fabrication, unique advanced attacks, and simulated masquerade attacks. To facilitate a benchmark for CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS research field.
Attribution-NonCommercial 4.0 (CC BY-NC 4.0) https://creativecommons.org/licenses/by-nc/4.0/
License information was derived automatically
This dataset contains automotive Controller Area Network (CAN) bus data from three systems: two cars (Opel Astra and Renault Clio) and a CAN bus prototype we built ourselves. It is meant for evaluating CAN bus Network Intrusion Detection Systems (NIDS). For each system, the dataset consists of a collection of log files captured from its CAN bus: normal (attack-free) data for training and testing detection algorithms, and different CAN bus attacks (Diagnostic, Fuzzing attacks, Replay attack, Suspension attack and Denial-of-Service attack).
Stay updated with Market Research Intellect's Physical Intrusion Detection And Prevention Systems Market Report, valued at USD 5.98 billion in 2024, projected to reach USD 10.23 billion by 2033 with a CAGR of 7.4% (2026-2033).
The Intrusion Detection Systems (IDS) market is experiencing robust growth, driven by the escalating need for robust cybersecurity measures across various sectors. The increasing frequency and sophistication of cyberattacks targeting both small and medium-sized enterprises (SMEs) and large enterprises are primary catalysts for this expansion. The market is segmented by application (SMEs and large enterprises) and type (Host-based Intrusion Detection Systems (HIDS) and Network-based Intrusion Detection Systems (NIDS)). While HIDS offers granular visibility into individual systems, NIDS provides a broader network-level perspective, leading to a diverse market landscape. Emerging trends, such as cloud adoption and the Internet of Things (IoT) expansion, are further fueling market growth. However, factors like the high initial investment costs associated with deploying and maintaining IDS solutions and the potential for false positives can act as market restraints. The competitive landscape is populated by a mix of established players like CrowdStrike, Palo Alto Networks, and Fortinet, and open-source solutions like Snort and Suricata, reflecting a market ripe for innovation and competition. Geographical growth is expected to be particularly strong in regions experiencing rapid digital transformation and economic growth, such as Asia Pacific. The overall market trajectory indicates significant potential for continued expansion throughout the forecast period. A reasonable estimate of the current market size, considering the lack of specific numerical values in the provided data, would place the 2025 market value for Intrusion Detection Systems between $15 billion and $20 billion. This estimation factors in the established presence of major players, the widespread adoption of cybersecurity measures, and the ongoing threat of cyberattacks. A CAGR of around 10-12% over the forecast period (2025-2033) seems plausible, driven by the factors discussed above. 
This growth would be distributed across the different segments and geographical regions, with North America and Europe maintaining significant market share, but strong growth from Asia-Pacific and other developing regions. The continuous evolution of cyber threats and the adaptation of IDS technologies to counteract these threats ensures a dynamic and expanding market in the long-term.
https://www.archivemarketresearch.com/privacy-policy
The global intrusion detection system (IDS) software market size was valued at USD 12.2 billion in 2022 and is expected to expand at a compound annual growth rate (CAGR) of 13.3% from 2023 to 2030. The rising number of cyber-attacks, increasing adoption of cloud-based services, and stringent government regulations are driving the market growth. Key factors driving the market growth include the increasing sophistication of cyber threats, the growing adoption of cloud computing, and the increasing demand for real-time threat detection and response. The market is also expected to benefit from the growing adoption of artificial intelligence (AI) and machine learning (ML) in IDS software, which can help to improve the accuracy and efficiency of threat detection. Additionally, the market is expected to be driven by the increasing demand for IDS software from small and medium-sized businesses (SMBs).
https://www.promarketreports.com/privacy-policy
The Intrusion Detection Systems (IDS) market is experiencing robust growth, projected to reach $5199.4 million in 2025 and maintain a Compound Annual Growth Rate (CAGR) of 4.5% from 2025 to 2033. This sustained expansion is driven by several key factors. The increasing sophistication of cyberattacks targeting critical infrastructure and enterprises necessitates robust security measures. The rising adoption of cloud computing and the expanding Internet of Things (IoT) ecosystem significantly expand the attack surface, creating a surge in demand for effective IDS solutions. Furthermore, stringent government regulations regarding data privacy and security compliance are compelling organizations to invest heavily in advanced security technologies, including IDS. Competitive pressures and the need to maintain business continuity also play a significant role. The market's growth is further fueled by continuous technological advancements in IDS technologies. Machine learning and artificial intelligence (AI) are being integrated into IDS to enhance threat detection accuracy and reduce false positives. The development of advanced threat intelligence platforms and the adoption of security information and event management (SIEM) systems are also contributing to the overall market expansion. However, challenges remain, such as the high cost of implementation and maintenance for advanced IDS solutions and the complexities associated with integrating these systems into existing IT infrastructures. Despite these challenges, the overall market outlook for Intrusion Detection Systems remains positive, driven by the persistent need for enhanced cybersecurity in a rapidly evolving digital landscape. Major players like Cisco, McAfee, IBM, HPE, and others are actively competing to capture market share through innovation and strategic acquisitions. 
This comprehensive report provides an in-depth analysis of the global Intrusion Detection Systems (IDS) market, projecting a market value exceeding $5 billion by 2028. It meticulously examines market concentration, technological advancements, regulatory impacts, and competitive landscapes, offering invaluable insights for stakeholders across the cybersecurity ecosystem. The report leverages extensive primary and secondary research, incorporating data from leading vendors like Cisco, McAfee, and IBM, alongside emerging players. Keywords: Intrusion Detection System, IDS, Network Security, Cybersecurity, Threat Detection, Anomaly Detection, SIEM, Market Analysis, Market Trends.
https://www.factmr.com/privacy-policy
The global intrusion detection & protection system market has been valued at US$ 6.8 billion in 2024, as revealed in the updated Fact.MR research report. Market revenue has been forecasted to increase at a CAGR of 11% and reach US$ 19.2 billion by the end of 2034.

Report Attribute | Detail |
---|---|
Intrusion Detection & Protection System Market Size (2024E) | US$ 6.8 Billion |
Forecasted Market Value (2034F) | US$ 19.2 Billion |
Global Market Growth Rate (2024 to 2034) | 11% CAGR |
Japan Market Growth Rate (2024 to 2034) | 12.5% CAGR |
Market Share of BFSI Sector (2034F) | 25% |
North America Market Share (2034F) | 24.6% |
Key Companies Profiled | CheckPoint Security Software Market; IBM; Trustwave; Cisco Systems; SourceFire; Juniper Networks Inc.; Symantec Corporation; McAfee; Palo Alto Networks; Trend Micro; Fortinet; TippingPoint. |

Country-wise Insights

Attribute | United States |
---|---|
Market Value (2024E) | US$ 769 Million |
Growth Rate (2024 to 2034) | 10.9% CAGR |
Projected Value (2034F) | US$ 2.2 Billion |

Attribute | China |
---|---|
Market Value (2024E) | US$ 762 Million |
Growth Rate (2024 to 2034) | 12% CAGR |
Projected Value (2034F) | US$ 2.4 Billion |

Attribute | Japan |
---|---|
Market Value (2024E) | US$ 450 Million |
Growth Rate (2024 to 2034) | 12.5% CAGR |
Projected Value (2034F) | US$ 1.5 Billion |

Category-wise Insights

Attribute | Small & Medium Enterprises |
---|---|
Segment Value (2024E) | US$ 4.9 Billion |
Growth Rate (2024 to 2034) | 10.4% CAGR |
Projected Value (2034F) | US$ 13.1 Billion |

Attribute | BFSI |
---|---|
Segment Value (2024E) | US$ 1.9 Billion |
Growth Rate (2024 to 2034) | 9.7% CAGR |
Projected Value (2034F) | US$ 4.8 Billion |