License: http://www.gnu.org/licenses/lgpl-3.0.html
The dataset was introduced by the following researchers: E. C. P. Neto, S. Dadkhah, R. Ferreira, A. Zohourian, R. Lu, A. A. Ghorbani. "CICIoT2023: A real-time dataset and benchmark for large-scale attacks in IoT environment," Sensor (2023) – (submitted to Journal of Sensors). The data contains different kinds of IoT intrusions. The intrusion categories listed in the data are as follows: DDoS, Brute Force, Spoofing, DoS, Recon, Web-based, Mirai.
Several subcategories are present in the data for each kind of IoT intrusion. The dataset contains 1191264 network instances for intrusions and 47 features for each instance. The dataset can be used to train a predictive model with which different kinds of intrusive attacks can be detected. The data is also suitable for designing an IDS.
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
The work involved in developing the dataset and benchmarking its use of machine learning is set out in the article ‘IoMT-TrafficData: Dataset and Tools for Benchmarking Intrusion Detection in Internet of Medical Things’. DOI: 10.1109/ACCESS.2024.3437214.
Please do cite the aforementioned article when using this dataset.
The increasing importance of securing the Internet of Medical Things (IoMT) due to its vulnerabilities to cyber-attacks highlights the need for an effective intrusion detection system (IDS). In this study, our main objective was to develop a Machine Learning Model for the IoMT to enhance the security of medical devices and protect patients’ private data. To address this issue, we built a scenario that utilised Internet of Things (IoT) and IoMT devices to simulate real-world attacks. We collected and cleaned data, pre-processed it, and fed it into our machine-learning model to detect intrusions in the network. Our results revealed significant improvements in all performance metrics, indicating robustness and reproducibility in real-world scenarios. This research has implications in the context of IoMT and cybersecurity, as it helps mitigate vulnerabilities and lowers the number of breaches occurring with the rapid growth of IoMT devices. The use of machine learning algorithms for intrusion detection systems is essential, and our study provides valuable insights and a road map for future research and the deployment of such systems in live environments. By implementing our findings, we can contribute to a safer and more secure IoMT ecosystem, safeguarding patient privacy and ensuring the integrity of medical data.
The ZIP folder comprises two main components: Captures and Datasets. Within the captures folder, we have included all the captures used in this project. These captures are organized into separate folders corresponding to the type of network analysis: BLE or IP-Based. Similarly, the datasets folder follows a similar organizational approach. It contains datasets categorized by type: BLE, IP-Based Packet, and IP-Based Flows.
To cater to diverse analytical needs, the datasets are provided in two formats: CSV (Comma-Separated Values) and pickle. The CSV format facilitates seamless integration with various data analysis tools, while the pickle format preserves the intricate structures and relationships within the dataset.
This organization enables researchers to easily locate and utilize the specific captures and datasets they require, based on their preferred network analysis type or dataset type. The availability of different formats further enhances the flexibility and usability of the provided data.
Within this dataset, three sub-datasets are available, namely BLE, IP-Based Packet, and IP-Based Flows. Below are tables of the features selected for each sub-dataset and consequently used in the evaluation model within the provided work.
Identified Key Features Within Bluetooth Dataset

| Feature | Meaning |
| --- | --- |
| btle.advertising_header | BLE Advertising Packet Header |
| btle.advertising_header.ch_sel | BLE Advertising Channel Selection Algorithm |
| btle.advertising_header.length | BLE Advertising Length |
| btle.advertising_header.pdu_type | BLE Advertising PDU Type |
| btle.advertising_header.randomized_rx | BLE Advertising Rx Address |
| btle.advertising_header.randomized_tx | BLE Advertising Tx Address |
| btle.advertising_header.rfu.1 | Reserved For Future 1 |
| btle.advertising_header.rfu.2 | Reserved For Future 2 |
| btle.advertising_header.rfu.3 | Reserved For Future 3 |
| btle.advertising_header.rfu.4 | Reserved For Future 4 |
| btle.control.instant | Instant Value Within a BLE Control Packet |
| btle.crc.incorrect | Incorrect CRC |
| btle.extended_advertising | Advertiser Data Information |
| btle.extended_advertising.did | Advertiser Data Identifier |
| btle.extended_advertising.sid | Advertiser Set Identifier |
| btle.length | BLE Length |
| frame.cap_len | Frame Length Stored Into the Capture File |
| frame.interface_id | Interface ID |
| frame.len | Frame Length on the Wire |
| nordic_ble.board_id | Board ID |
| nordic_ble.channel | Channel Index |
| nordic_ble.crcok | Indicates if CRC is Correct |
| nordic_ble.flags | Flags |
| nordic_ble.packet_counter | Packet Counter |
| nordic_ble.packet_time | Packet time (start to end) |
| nordic_ble.phy | PHY |
| nordic_ble.protover | Protocol Version |
Identified Key Features Within IP-Based Packets Dataset

| Feature | Meaning |
| --- | --- |
| http.content_length | Length of content in an HTTP response |
| http.request | HTTP request being made |
| http.response.code | Sequential number of an HTTP response |
| http.response_number | Sequential number of an HTTP response |
| http.time | Time taken for an HTTP transaction |
| tcp.analysis.initial_rtt | Initial round-trip time for TCP connection |
| tcp.connection.fin | TCP connection termination with a FIN flag |
| tcp.connection.syn | TCP connection initiation with SYN flag |
| tcp.connection.synack | TCP connection establishment with SYN-ACK flags |
| tcp.flags.cwr | Congestion Window Reduced flag in TCP |
| tcp.flags.ecn | Explicit Congestion Notification flag in TCP |
| tcp.flags.fin | FIN flag in TCP |
| tcp.flags.ns | Nonce Sum flag in TCP |
| tcp.flags.res | Reserved flags in TCP |
| tcp.flags.syn | SYN flag in TCP |
| tcp.flags.urg | Urgent flag in TCP |
| tcp.urgent_pointer | Pointer to urgent data in TCP |
| ip.frag_offset | Fragment offset in IP packets |
| eth.dst.ig | Ethernet destination is in the internal network group |
| eth.src.ig | Ethernet source is in the internal network group |
| eth.src.lg | Ethernet source is in the local network group |
| eth.src_not_group | Ethernet source is not in any network group |
| arp.isannouncement | Indicates if an ARP message is an announcement |
Identified Key Features Within IP-Based Flows Dataset

| Feature | Meaning |
| --- | --- |
| proto | Transport layer protocol of the connection |
| service | Identification of an application protocol |
| orig_bytes | Originator payload bytes |
| resp_bytes | Responder payload bytes |
| history | Connection state history |
| orig_pkts | Originator sent packets |
| resp_pkts | Responder sent packets |
| flow_duration | Length of the flow in seconds |
| fwd_pkts_tot | Forward packets total |
| bwd_pkts_tot | Backward packets total |
| fwd_data_pkts_tot | Forward data packets total |
| bwd_data_pkts_tot | Backward data packets total |
| fwd_pkts_per_sec | Forward packets per second |
| bwd_pkts_per_sec | Backward packets per second |
| flow_pkts_per_sec | Flow packets per second |
| fwd_header_size | Forward header bytes |
| bwd_header_size | Backward header bytes |
| fwd_pkts_payload | Forward payload bytes |
| bwd_pkts_payload | Backward payload bytes |
| flow_pkts_payload | Flow payload bytes |
| fwd_iat | Forward inter-arrival time |
| bwd_iat | Backward inter-arrival time |
| flow_iat | Flow inter-arrival time |
| active | Flow active duration |
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
Building an IoT IDS requires the availability of datasets to process.
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
The data set includes attack implementations in an Internet of Things (IoT) context. The IoT nodes use Contiki-NG as their operating system, and the data is collected from the Cooja simulation environment, where a large number of network topologies are created. Blackhole and DIS-flooding attacks are implemented against the RPL routing protocol. The dataset includes the log file output from the Cooja simulator and a pre-processed feature set as input to an intrusion detection model.
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
The CICIoT2023 dataset is a large-scale, realistic intrusion detection dataset designed to support security analytics and machine learning research in the Internet of Things (IoT) domain. Created by the Canadian Institute for Cybersecurity (CIC), the dataset captures 33 different types of attacks (including DDoS, DoS, Recon, Web-based, Brute Force, Spoofing, and Mirai) executed by malicious IoT devices against other IoT targets.
The testbed consists of 105 real IoT devices of different types and manufacturers, including smart home devices and industrial equipment, configured in a complex network topology to emulate real-world conditions. The dataset includes benign and malicious traffic in various formats and supports feature extraction for both traditional ML and deep learning models.
This dataset aims to address the lack of diversity and scale in previous IoT security datasets, offering a robust benchmark for evaluating intrusion detection systems (IDS) and enabling research in IoT cybersecurity, anomaly detection, and network forensics.
Datasets as described in the research paper "Intrusion Detection using Network Traffic Profiling and Machine Learning for IoT Applications". Two main datasets are provided here. The first is the data used for the initial training of the machine learning module on both normal and malicious traffic; it is in binary visualisation format, compressed into the archive traffic-dataset.zip. The remaining data is provided in this repository in attackScenario.zip and attackSenarioImages.zip: these are the images generated from each of the five attack scenario packet captures, together with their associated PCAP files.
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
including some laptops or smart phones
The Intrusion Detection and Prevention System (IDS/IPS) market is experiencing robust growth, driven by the escalating sophistication of cyber threats and the increasing reliance on digital infrastructure across various sectors. The market, estimated at $15 billion in 2025, is projected to maintain a healthy Compound Annual Growth Rate (CAGR) of 8% through 2033, reaching approximately $28 billion. This growth is fueled by several key factors. The expanding adoption of cloud computing and the Internet of Things (IoT) creates a vast attack surface, increasing the demand for robust security solutions. Furthermore, stringent government regulations regarding data privacy and security are compelling organizations to invest heavily in IDS/IPS technologies to ensure compliance. The rise of advanced persistent threats (APTs) and sophisticated malware necessitates more sophisticated detection and prevention capabilities, further driving market expansion. Competitive innovation within the market, with vendors like Checkpoint, Cisco, and Juniper Networks continuously improving their offerings, contributes to the overall growth trajectory. However, market growth is not without its challenges. The high initial investment cost associated with implementing and maintaining IDS/IPS systems can be a barrier for smaller organizations. Furthermore, the complexity of managing and interpreting the large volumes of data generated by these systems requires specialized expertise, which can lead to skilled workforce shortages. The need for ongoing updates and maintenance to address evolving threat landscapes also poses a continuous operational expense. Despite these restraints, the overwhelming benefits of enhanced security posture and minimized risks associated with data breaches are expected to outweigh these challenges, maintaining a strong positive growth outlook for the IDS/IPS market throughout the forecast period.
License: MIT License, https://opensource.org/licenses/MIT
The CICIoT2023 dataset is a comprehensive and modern dataset designed for research in Internet of Things (IoT) security, particularly for intrusion detection and anomaly detection systems. Released by the Canadian Institute for Cybersecurity (CIC), this dataset reflects real-world IoT network traffic and attack scenarios, providing a valuable resource for machine learning and cybersecurity research.
The dataset was generated using a realistic testbed that simulates various IoT devices communicating over a network, including smart TVs, webcams, smart thermostats, and wearable devices. It captures both benign traffic and a wide variety of attack types such as Denial of Service (DoS), Distributed Denial of Service (DDoS), brute-force attacks, botnets, reconnaissance, and more advanced threats.
Key Features of CICIoT2023:
Contains a mix of normal and malicious IoT network traffic.
Includes 34 distinct attack types, covering modern and advanced cyber threat scenarios.
Provides labeled data suitable for supervised machine learning models.
Offers extracted network flow features (e.g., packet size, duration, flags, statistical summaries) which can be used for traffic classification and anomaly detection.
Supports research in intrusion detection, anomaly detection, and IoT security strategy development.
This dataset helps bridge the gap between traditional network security datasets and the unique, evolving patterns of IoT device communication, making it an excellent benchmark for evaluating the performance of AI-based security solutions.
I have further broken down the data into these 3 parts: Train: (5491971, 47), Validation: (1176851, 47), Test: (1176851, 47).
According to Cognitive Market Research, the global Perimeter Intrusion Detection Systems market size is USD 25.1 billion in 2024 and will expand at a compound annual growth rate (CAGR) of 15.2% from 2024 to 2031.
Market Dynamics of Perimeter Intrusion Detection Systems Market
Key Drivers for Perimeter Intrusion Detection Systems Market
The proliferation of smart city infrastructures: in addition to providing real-time feedback to identify the need for maintenance, smart buildings can also provide space management or structural health monitoring. Furthermore, the market growth is being driven by the following factors: growing sophistication in cross-border infiltration, digitalization, volatile geopolitics, an increase in the number of unlawful intrusions, and a greater emphasis on perimeter protection by the government. Additionally, the market is being driven by the rising population, the development of digital infrastructures, globalization, economic growth, rapid urbanization, the demand for efficient resource utilization management, public safety concerns, and the emerging demand for a society with efficient energy utilization. Furthermore, market expansion is anticipated to be spurred by the increasing prevalence of nanotechnology, big data analytics, artificial intelligence (A.I.), Internet of Things (IoT), machine learning (ML), cloud computing, cognitive computing, and open data.
The rising number of security system video surveillance installations is anticipated to drive the Perimeter Intrusion Detection Systems market's expansion in the years ahead.
Key Restraints for Perimeter Intrusion Detection Systems Market
The incorporation of new technologies into existing systems may pose a serious threat to the Perimeter Intrusion Detection Systems industry.
The market also faces significant difficulties because installation and maintenance are expensive for SMEs.
Introduction of the Perimeter Intrusion Detection Systems Market
A perimeter intrusion detection system (PIDS) is employed to identify, monitor, and trace an unauthorized physical intruder who is attempting to infiltrate a secured area. It consists of active infrared or microwave systems, cables, and sensors that are either embedded underground or mounted on a fence. Additionally, it features audio alarm verification, which enables operators to respond promptly and effectively. Furthermore, it assists in the analysis of threats, the management of risks, the protection of assets, critical infrastructure, and borders, and the assurance of personnel safety. In recent years, a multi-layered approach has gained traction, which employs a combination of video analytics to characterize intruders and ground-based sensors to detect potential intrusions. As a result, PIDS is extensively employed in a variety of locations, including military bases, government agencies, critical infrastructure, correctional institutions, petrochemical sites, airports, and storage yards, on a global scale.
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
The exponential growth of Internet of Things (IoT) devices provides a large attack surface for intruders to launch more destructive cyber-attacks. The intruder aims to exhaust the target IoT network's resources with malicious activity. New techniques and detection algorithms require a well-designed dataset for IoT networks. We propose a new dataset, namely IoTID20, generated from the dataset in [1]. The new IoT botnet dataset has more comprehensive network- and flow-based features. The flow-based features can be used to analyze and evaluate a flow-based intrusion detection system. Our proposed IoT botnet dataset will provide a reference point to identify anomalous activity across IoT networks. The IoT Botnet dataset can be accessed from [2]. The new IoTID20 dataset will provide a foundation for the development of new intrusion detection techniques in IoT networks.
According to a survey conducted in December 2022, more than ** percent of smartphone users in Japan neither knew the term nor the meaning of an Internet of Things (IoT) device intrusion. IoT devices are nonstandard computing devices that are able to connect with other devices and exchange data via wireless technology. Their intrusion presents a security risk, which can be mitigated by an intrusion detection system (IDS).
The global Intrusion Detection and Prevention System (IDPS) market is experiencing robust growth, driven by the escalating need for robust cybersecurity solutions across various sectors. The increasing frequency and sophistication of cyberattacks targeting businesses and critical infrastructure are fueling demand for advanced IDPS technologies. Organizations are adopting multi-layered security approaches, incorporating IDPS as a crucial element for threat detection and prevention. The market's expansion is further propelled by the growing adoption of cloud computing and the Internet of Things (IoT), which expand the attack surface and necessitate comprehensive security measures. Significant investment in research and development is leading to the evolution of IDPS from primarily signature-based systems to more advanced solutions leveraging machine learning and artificial intelligence for threat detection and response. This shift towards AI-powered IDPS is enhancing accuracy, reducing false positives, and enabling proactive threat mitigation. While the on-premise deployment model still holds a significant market share, the Software-as-a-Service (SaaS) model is gaining traction due to its scalability, cost-effectiveness, and ease of deployment. The BFSI, Healthcare, and IT & Telecom sectors remain key drivers of market growth due to their heightened vulnerability to cyber threats and strict regulatory compliance requirements. The competitive landscape is characterized by a mix of established players and emerging vendors. Major players like IBM, Cisco, Symantec, and McAfee are leveraging their established brand recognition and extensive product portfolios to maintain their market dominance. However, innovative startups and smaller vendors are challenging the status quo by introducing specialized solutions and focusing on niche market segments. 
Geographical growth varies, with North America currently holding a substantial market share, primarily due to the region's advanced technological infrastructure and strong regulatory frameworks. However, Asia-Pacific is projected to experience significant growth in the coming years, driven by rapid economic expansion and increasing digital adoption in developing countries. Market restraints include the high cost of implementation and maintenance of advanced IDPS solutions, particularly for smaller organizations. Furthermore, the complexity of managing and integrating diverse IDPS systems within existing security infrastructures presents a challenge for many organizations. Despite these challenges, the long-term growth outlook for the IDPS market remains positive, driven by persistent cybersecurity threats and evolving technological advancements. We estimate the market size in 2025 at $15 Billion, growing at a CAGR of 12% from 2025 to 2033.
License: Attribution-ShareAlike 4.0 (CC BY-SA 4.0), https://creativecommons.org/licenses/by-sa/4.0/
The CIC IoT Dataset 2023 is a comprehensive benchmark developed by the Canadian Institute for Cybersecurity (CIC) to advance intrusion detection research in real-world Internet of Things (IoT) environments. This dataset was created using a network of 105 actual IoT devices, encompassing smart home gadgets, sensors, and cameras, to simulate authentic IoT traffic and attack scenarios.
Key Features:
Diverse Attack Scenarios: The dataset includes 33 distinct attacks categorized into seven classes: DDoS, DoS, Reconnaissance, Web-based, Brute Force, Spoofing, and Mirai. These attacks were executed by compromised IoT devices targeting other IoT devices, reflecting realistic threat vectors. (University of New Brunswick)
Extensive Data Collection: Network traffic was captured in real-time, resulting in over 46 million records. The data is available in various formats, including raw PCAP files and pre-extracted CSV features, facilitating different research needs.
Realistic IoT Topology: Unlike many datasets that rely on simulations, this dataset was generated using a large-scale IoT testbed with devices from multiple vendors, providing a heterogeneous and realistic network environment.
Benchmarking and Evaluation: The dataset has been utilized to evaluate the performance of machine learning and deep learning algorithms in classifying and detecting malicious versus benign IoT network traffic. (University of New Brunswick)
This dataset serves as a valuable resource for researchers and practitioners aiming to develop and test security analytics applications, intrusion detection systems, and other cybersecurity solutions tailored for IoT ecosystems. (University of New Brunswick)
The global Intruder Detection Systems (IDS) market is experiencing robust growth, driven by increasing cybersecurity threats across various sectors and the rising adoption of advanced technologies like AI and machine learning in security solutions. The market, estimated at $15 billion in 2025, is projected to achieve a Compound Annual Growth Rate (CAGR) of 12% from 2025 to 2033, reaching an estimated market value of $45 billion by 2033. This growth is fueled by several key factors, including the escalating number of cyberattacks targeting businesses and government entities, the expanding adoption of cloud-based services and the Internet of Things (IoT), and the increasing need for robust security solutions to protect critical infrastructure. The demand for sophisticated IDS solutions is particularly high in sectors such as BFSI (Banking, Financial Services, and Insurance), government, and military, owing to their heightened security requirements and sensitive data handling. Network-based intrusion detection systems (NIDS) currently hold a significant market share, but the market is witnessing a notable shift towards host-based intrusion detection systems (HIDS) and virtual machine-based IDS (VMIDS) due to their enhanced capabilities in detecting and mitigating threats in virtualized and cloud environments. Further segment analysis reveals a significant contribution from North America and Europe, primarily driven by higher technological adoption rates and stringent security regulations. However, the Asia-Pacific region is expected to demonstrate substantial growth in the coming years, fueled by rapid digitalization and rising investments in cybersecurity infrastructure across emerging economies like India and China. 
Market restraints include the high cost of implementation and maintenance of advanced IDS systems, the complexity of managing and interpreting large volumes of security data, and the challenge of keeping up with the ever-evolving landscape of cyber threats. Nevertheless, ongoing technological advancements, coupled with the growing awareness of cyber risks, are expected to propel the market’s overall growth trajectory throughout the forecast period.
The Development of an Internet of Things (IoT) Network Traffic Dataset with Simulated Attack Data
Abstract: This research focuses on the requirements for and the creation of an intrusion detection system (IDS) dataset for an Internet of Things (IoT) network domain. A minimal-requirements Internet of Things (IoT) network system was built to produce a dataset according to IDS testing needs for IoT security. Testing was performed with 12 scenarios and resulted in 24 datasets which consisted of normal, attack and combined normal-attack traffic data. Testing focused on three denial of service (DoS) and distributed denial of service (DDoS) attacks, “finish” (FIN) flood, User Datagram Protocol (UDP) flood, and Zbassocflood/association flood, using two communication protocols, IEEE 802.11 (WiFi) and IEEE 802.15.4 (ZigBee). A preprocessing test result obtained 95 attributes for the WiFi datasets and 64 attributes for the Xbee datasets.

TCP FIN Flood Attack Pattern Recognition on Internet of Things with Rule Based Signature Analysis
Abstract: The focus of this research is TCP FIN flood attack pattern recognition in an Internet of Things (IoT) network using a rule-based signature analysis method. The dataset is based on three scenarios: normal, attack and normal-attack. The identification and recognition of the TCP FIN flood attack pattern is done based on observation and analysis of packet attributes from raw data (pcap) using a feature extraction and feature selection method. Further testing was conducted using Snort as an IDS. The results of the confusion matrix detection rate evaluation against Snort as IDS show the average percentage of the precision level.

Citation data: "TCP FIN Flood Attack Pattern Recognition on Internet of Things with Rule Based Signature Analysis" - https://online-journals.org/index.php/i-joe/article/view/9848
@article{article,
  author = {Stiawan, Deris and Wahyudi, Dimas and Heryanto, Ahmad and Sahmin, Samsuryadi and Idris, Yazid and Muchtar, Farkhana and Alzahrani, Mohammed and Budiarto, Rahmat},
  year = {2019},
  month = {04},
  pages = {124},
  title = {TCP FIN Flood Attack Pattern Recognition on Internet of Things with Rule Based Signature Analysis},
  volume = {15},
  journal = {International Journal of Online and Biomedical Engineering (iJOE)},
  doi = {10.3991/ijoe.v15i07.9848}
}

Features Extraction on IoT Intrusion Detection System Using Principal Components Analysis (PCA)
Abstract: Feature extraction solves the problem of finding the most efficient and comprehensive set of features. A Principal Component Analysis (PCA) feature extraction algorithm is applied to optimize the effectiveness of feature extraction to build an effective intrusion detection method. This paper uses Principal Components Analysis (PCA) for feature extraction on an intrusion detection system with the aim of improving the accuracy and precision of the detection. The impact of feature extraction on attack detection was examined. Experiments on a network traffic dataset created from an Internet of Things (IoT) testbed network topology were conducted, and the results show that the accuracy of the detection reaches 100 percent.

Citation data: "Features Extraction on IoT Intrusion Detection System Using Principal Components Analysis (PCA)" - https://ieeexplore.ieee.org/document/9251292
@inproceedings{inproceedings,
  author = {Sharipuddin, and Purnama, Benni and Kurniabudi, Kurniabudi and Winanto, Eko and Stiawan, Deris and Hanapi, Darmawiiovo and Idris, Mohd and Budiarto, Rahmat},
  year = {2020},
  month = {10},
  pages = {114-118},
  title = {Features Extraction on IoT Intrusion Detection System Using Principal Components Analysis (PCA)},
  doi = {10.23919/EECSI50503.2020.9251292}
}
License: Attribution 4.0 (CC BY 4.0), https://creativecommons.org/licenses/by/4.0/
1. Introduction
In the digital era of the Industrial Internet of Things (IIoT), conventional Critical Infrastructures (CIs) are transformed into smart environments with multiple benefits, such as pervasive control, self-monitoring and self-healing. However, this evolution is characterised by several cyberthreats due to the necessary presence of insecure technologies. DNP3 is an industrial communication protocol which is widely adopted in the CIs of the US. In particular, DNP3 allows remote communication between Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA). It can support various topologies, such as Master-Slave, Multi-Drop, Hierarchical and Multiple-Server. Initially, the architectural model of DNP3 consisted of three layers: (a) Application Layer, (b) Transport Layer and (c) Data Link Layer. Today, DNP3 can also be carried over the Transmission Control Protocol/Internet Protocol (TCP/IP) stack as an application-layer protocol. However, similarly to other industrial protocols (e.g., Modbus and IEC 60870-5-104), DNP3 is characterised by severe security issues since it does not include any authentication or authorisation mechanisms. More information about the DNP3 security issues is provided in [1-3]. This dataset contains labelled Transmission Control Protocol (TCP) / Internet Protocol (IP) network flow statistics (Comma-Separated Values - CSV format) and DNP3 flow statistics (CSV format) related to 9 DNP3 cyberattacks. These cyberattacks are focused on DNP3 unauthorised commands and Denial of Service (DoS). The network traffic data are provided through Packet Capture (PCAP) files. Consequently, this dataset can be used to implement Artificial Intelligence (AI)-powered Intrusion Detection and Prevention Systems (IDPS) that rely on Machine Learning (ML) and Deep Learning (DL) techniques.
2. Instructions
This DNP3 Intrusion Detection Dataset was implemented following the methodological frameworks of A. Gharib et al. in [4] and S. Dadkhah et al. in [5], including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata.
A network topology consisting of (a) eight industrial entities, (b) one Human Machine Interface (HMI) and (c) three cyberattackers was used to implement this DNP3 Intrusion Detection Dataset. In particular, the following cyberattacks were implemented.
On Thursday, May 14, 2020, the DNP3 Disable Unsolicited Messages Attack was executed for 4 hours.
On Friday, May 15, 2020, the DNP3 Cold Restart Message Attack was executed for 4 hours.
On Friday, May 15, 2020, the DNP3 Warm Restart Message Attack was executed for 4 hours.
On Saturday, May 16, 2020, the DNP3 Enumerate Attack was executed for 4 hours.
On Saturday, May 16, 2020, the DNP3 Info Attack was executed for 4 hours.
On Monday, May 18, 2020, the DNP3 Initialisation Attack was executed for 4 hours.
On Monday, May 18, 2020, the Man In The Middle (MITM)-DoS Attack was executed for 4 hours.
On Monday, May 18, 2020, the DNP3 Replay Attack was executed for 4 hours.
On Tuesday, May 19, 2020, the DNP3 Stop Application Attack was executed for 4 hours.
The aforementioned DNP3 cyberattacks were executed utilising penetration testing tools, such as Nmap and Scapy. For each attack, a relevant folder is provided, including the network traffic and the network flow statistics for each entity. In particular, for each cyberattack, a folder is given, providing (a) the pcap files for each entity, (b) the Transmission Control Protocol (TCP)/Internet Protocol (IP) network flow statistics for a 120-second flow timeout in CSV format and (c) the DNP3 flow statistics for each entity, generated with several flow timeout values in seconds (45, 60, 75, 90, 120 and 240 seconds). The TCP/IP network flow statistics were produced by using CICFlowMeter, while the DNP3 flow statistics were generated by a Custom DNP3 Python Parser built on Scapy.
The dataset consists of the following folders:
20200514_DNP3_Disable_Unsolicited_Messages_Attack: It includes the pcap and CSV files related to the DNP3 Disable Unsolicited Message attack.
20200515_DNP3_Cold_Restart_Attack: It includes the pcap and CSV files related to the DNP3 Cold Restart attack.
20200515_DNP3_Warm_Restart_Attack: It includes the pcap and CSV files related to DNP3 Warm Restart attack.
20200516_DNP3_Enumerate: It includes the pcap and CSV files related to the DNP3 Enumerate attack.
20200516_DNP3_Ιnfo: It includes the pcap and CSV files related to the DNP3 Info attack.
20200518_DNP3_Initialize_Data_Attack: It includes the pcap and CSV files related to the DNP3 Data Initialisation attack.
20200518_DNP3_MITM_DoS: It includes the pcap and CSV files related to the DNP3 MITM-DoS attack.
20200518_DNP3_Replay_Attack: It includes the pcap and CSV files related to the DNP3 replay attack.
20200519_DNP3_Stop_Application_Attack: It includes the pcap and CSV files related to the DNP3 Stop Application attack.
Training_Testing_Balanced_CSV_Files: It includes balanced CSV files from CICFlowMeter and the Custom DNP3 Python Parser that could be utilised for training ML and DL methods. Each folder includes different sub-folders for the corresponding flow timeout values used by the Custom DNP3 Python Parser. For CICFlowMeter, only the timeout value of 120 seconds was used.
Each folder includes respective subfolders related to the entities/devices (described in the following section) participating in each attack. In particular, for each entity/device, there is a folder including (a) the DNP3 network traffic (pcap file) related to this entity/device during each attack, (b) the TCP/IP network flow statistics (CSV file) generated by CICFlowMeter for the timeout value of 120 seconds and finally (c) the DNP3 flow statistics (CSV file) from the Custom DNP3 Python Parser. Finally, it is noteworthy that the network flows from both CICFlowMeter and Custom DNP3 Python Parser in each CSV file are labelled based on the DNP3 cyberattacks executed for the generation of this dataset. The description of these attacks is provided in the following section, while the various features from CICFlowMeter and Custom DNP3 Python Parser are presented in Section 5.
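The description above explains that the DNP3 flow statistics were generated several times with different flow timeout values (45 to 240 seconds). The following added example (not the dataset's own Custom DNP3 Python Parser, whose exact flow-splitting rule is not given on this page) shows the effect of an idle-timeout rule on a constructed sequence of DNP3 requests: the same packets yield two flows at a 45-second timeout and a single flow at 120 seconds. The IP addresses, ports and timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample records:
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, dnp3_function_code).
# A master polls an outstation three times (function code 1 = READ), goes
# quiet for 80 s, then sends a read followed by a Disable Unsolicited
# Messages request (function code 21, as described on this page).
SAMPLE_RECORDS = [
    (0.0,   "192.168.1.10", 50000, "192.168.1.20", 20000, 1),
    (10.0,  "192.168.1.10", 50000, "192.168.1.20", 20000, 1),
    (20.0,  "192.168.1.10", 50000, "192.168.1.20", 20000, 1),
    (100.0, "192.168.1.10", 50000, "192.168.1.20", 20000, 1),
    (110.0, "192.168.1.10", 50000, "192.168.1.20", 20000, 21),
]


def aggregate_flows(records, timeout):
    """Group packet records into bidirectional flows keyed by the unordered
    (ip, port) endpoint pair.  A packet arriving more than `timeout` seconds
    after the flow's last packet closes that flow and opens a new one
    (idle-timeout semantics; a simplification assumed for this example).
    Each flow records its time span, packet count and the DNP3 function
    codes seen, which is the kind of per-flow feature an ML model can use."""
    flows = []
    active = {}  # endpoint pair -> index of the currently open flow
    for ts, sip, sport, dip, dport, fc in sorted(records):
        key = tuple(sorted([(sip, sport), (dip, dport)]))
        idx = active.get(key)
        if idx is not None and ts - flows[idx]["last"] > timeout:
            idx = None  # idle too long: the old flow is closed
        if idx is None:
            flows.append({"endpoints": key, "first": ts, "last": ts,
                          "packets": 0, "function_codes": defaultdict(int)})
            idx = len(flows) - 1
            active[key] = idx
        flow = flows[idx]
        flow["last"] = ts
        flow["packets"] += 1
        flow["function_codes"][fc] += 1
    return flows


if __name__ == "__main__":
    for timeout in (45, 120):
        flows = aggregate_flows(SAMPLE_RECORDS, timeout)
        print(f"timeout={timeout}s -> {len(flows)} flow(s)")
        for flow in flows:
            print("  ", flow["first"], "-", flow["last"],
                  flow["packets"], "packets", dict(flow["function_codes"]))
```

With a short timeout the function code 21 request ends up in a separate, short flow whose statistics differ sharply from the polling flow before it; with a long timeout it is averaged into one flow with the benign polling, which is why the choice of timeout changes what a flow-based detector can see.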
4. Testbed & DNP3 Attacks
The following figure shows the testbed utilised for the generation of this dataset. It is composed of eight industrial entities that play the role of the DNP3 outstations/slaves, such as Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). Moreover, there is another workstation which plays the role of the master station, like a Master Terminal Unit (MTU). For the communication between the DNP3 outstations/slaves and the master station, opendnp3 was used.
Table 1: DNP3 Attacks Description

DNP3 Attack | Description | Dataset Folder
DNP3 Disable Unsolicited Message Attack | This attack targets a DNP3 outstation/slave, establishing a connection with it, while acting as a master station. The false master then transmits a packet with the DNP3 Function Code 21, which requests to disable all the unsolicited messages on the target. | 20200514_DNP3_Disable_Unsolicited_Messages_Attack
DNP3 Cold Restart Attack | The malicious entity acts as a master station and sends a DNP3 packet that includes the "Cold Restart" function code. When the target receives this message, it initiates a complete restart and sends back a reply with the time window before the restart process. | 20200515_DNP3_Cold_Restart_Attack
DNP3 Warm Restart Attack | This attack is quite similar to the "Cold Restart Message" attack, but aims to trigger a partial restart, re-initiating a DNP3 service on the target outstation. | 20200515_DNP3_Warm_Restart_Attack
DNP3 Enumerate Attack | This reconnaissance attack aims to discover which DNP3 services and function codes are used by the target system. | 20200516_DNP3_Enumerate
DNP3 Info Attack | This attack constitutes another reconnaissance attempt, aggregating various DNP3 diagnostic information related to the DNP3 usage. | 20200516_DNP3_Ιnfo
Data Initialisation Attack | This cyberattack is related to Function Code 15 (Initialize Data). It is an unauthorised access attack, which demands from the slave to re-initialise possible configurations to their initial values, thus changing potential values defined by legitimate masters. | 20200518_Initialize_Data_Attack
MITM-DoS Attack | In this cyberattack, the cyberattacker is placed between a DNP3 master and a DNP3 slave device, dropping all the messages coming from the DNP3 master or the DNP3 slave. | 20200518_MITM_DoS
DNP3 Replay Attack | This cyberattack replays DNP3 packets coming from a legitimate DNP3 master or DNP3 slave. | 20200518_DNP3_Replay_Attack
DNP3 Stop Application Attack | This attack is related to Function Code 18 (Stop Application) and demands from the slave to stop its function so that the slave cannot receive messages from the master. | 20200519_DNP3_Stop_Application_Attack
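Several of the attacks in Table 1 consist of nothing more than a single application-layer request carrying a function code (15, 18 or 21 on this page) that the outstation accepts from any source, because DNP3 has no authentication. The following added example (not code from the dataset or from opendnp3) is a minimal DNP3 data-link frame parser with CRC verification, plus the detection rule a network monitor would apply: flag requests whose source address is not a known master, and flag restart/initialise/stop/disable function codes regardless of source. Function codes 13 and 14 are the standard's Cold Restart and Warm Restart codes (the page names them only by attack name); the DNP3 addresses 1, 10 and 99 and the allowlist of known masters are constructed for the example, and the frame builder exists only to produce sample input for the detector.

```python
import struct
from dataclasses import dataclass

START = b"\x05\x64"  # DNP3 data-link start bytes

# Function codes whose unauthenticated use the page's attacks rely on.
# 15, 18 and 21 are named on the page; 13 and 14 are the standard's
# Cold Restart / Warm Restart codes (assumption stated in the lead-in).
SENSITIVE_FUNCTION_CODES = {
    13: "Cold Restart",
    14: "Warm Restart",
    15: "Initialize Data",
    18: "Stop Application",
    21: "Disable Unsolicited Messages",
}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


@dataclass
class Dnp3Frame:
    control: int
    dst: int
    src: int
    transport: int
    app_control: int
    function_code: int

    @property
    def from_master(self) -> bool:
        return bool(self.control & 0x80)  # DIR bit: 1 = master -> outstation


def strip_crc_blocks(user: bytes) -> bytes:
    """Verify and remove the CRC that follows every 16-byte block of user data."""
    out = bytearray()
    i = 0
    while i < len(user):
        chunk_len = min(16, len(user) - i - 2)
        if chunk_len <= 0:
            raise ValueError("truncated user-data block")
        chunk = user[i:i + chunk_len]
        (crc,) = struct.unpack("<H", user[i + chunk_len:i + chunk_len + 2])
        if crc != crc16_dnp(chunk):
            raise ValueError("bad user-data CRC")
        out += chunk
        i += chunk_len + 2
    return bytes(out)


def parse_frame(frame: bytes) -> Dnp3Frame:
    """Parse one data-link frame down to the application function code."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 data-link frame")
    length, control, dst, src = struct.unpack("<BBHH", frame[2:8])
    (hdr_crc,) = struct.unpack("<H", frame[8:10])
    if hdr_crc != crc16_dnp(frame[:8]):
        raise ValueError("bad header CRC")
    user = strip_crc_blocks(frame[10:])
    if len(user) != length - 5:  # length counts control + dst + src + user data
        raise ValueError("length field does not match user data")
    if len(user) < 3:
        raise ValueError("no application header present")
    return Dnp3Frame(control, dst, src, user[0], user[1], user[2])


def build_frame(src: int, dst: int, function_code: int, control: int = 0xC4) -> bytes:
    """Construct a single-fragment request frame (sample input for the detector).
    0xC4 = DIR|PRM, unconfirmed user data; transport and app headers FIR|FIN."""
    user = bytes([0xC0, 0xC0, function_code])
    header = START + struct.pack("<BBHH", 5 + len(user), control, dst, src)
    out = bytearray(header + struct.pack("<H", crc16_dnp(header)))
    for i in range(0, len(user), 16):
        chunk = user[i:i + 16]
        out += chunk + struct.pack("<H", crc16_dnp(chunk))
    return bytes(out)


def inspect(frame: bytes, known_masters: set) -> list:
    """Return a list of findings for one frame (empty list = nothing to flag)."""
    f = parse_frame(frame)
    findings = []
    if f.from_master and f.src not in known_masters:
        findings.append(f"request from unknown master address {f.src}")
    name = SENSITIVE_FUNCTION_CODES.get(f.function_code)
    if name:
        findings.append(f"function code {f.function_code} ({name}) sent to outstation {f.dst}")
    return findings


if __name__ == "__main__":
    KNOWN_MASTERS = {1}  # constructed allowlist: the legitimate MTU has address 1
    print(inspect(build_frame(1, 10, 1), KNOWN_MASTERS))    # routine READ: []
    print(inspect(build_frame(99, 10, 21), KNOWN_MASTERS))  # two findings
```

In a real deployment the parser would run over the TCP payloads reconstructed from the dataset's pcap files, and the second rule should be fed back into the allowlist logic: a legitimate master does send Cold Restart or Disable Unsolicited requests occasionally, so the useful signal is these codes from an address that never polls normally, or at a rate far above the operational baseline.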
The TCP/IP network flow statistics generated by CICFlowMeter are summarised below. The TCP/IP network flows and their statistics generated by CICFlowMeter are labelled based on the DNP3 attacks described above, thus allowing the training of ML/DL models. Finally, it is worth mentioning that these statistics are generated with a flow timeout value equal to 120 seconds.
Table
The size of the Internet of Things Security Industry market was valued at USD XXX Million in 2023 and is projected to reach USD XXX Million by 2032, with an expected CAGR of 33.53% during the forecast period.

IoT security is referred to as the practice of protecting interconnected devices and systems from cyber threats. While the number of IoT devices is exponentially increasing, so does the potential attack surface. These range from smart home appliances to industrial sensors and, because of the very nature of these devices, they usually do not have any strong measures to keep them away from hacking, data breaches, and malicious attacks.

IoT security is a broad category, which includes secure device design, robust authentication and encryption, up-to-date software, and segmentation. All these measures can help reduce risk exposure, protect sensitive information, and ensure the integrity of an organization's IoT systems.

The IoT security sector has developed at a very fast pace to keep up with the rising threat facing the cyber world. Security manufacturers and vendors are coming out with innovative solutions such as an intrusion detection system, a firewall, and the deployment of security analytics solutions aimed at protecting IoT deployments. Increasing expansion in the IoT landscape makes adequate security measures essential to fully realize the huge power of this transformative technology. Key drivers for this market are: Increasing Number of Data Breaches; Emergence of Smart Cities. Potential restraints include: Growing Complexity among Devices, Coupled with the Lack of Ubiquitous Legislation. Notable trends are: Network Security Is Expected to Witness the Fastest Growth Rate.
The global Intrusion Detection Systems (IDS) market size is projected to grow significantly, with an estimated value of USD 5.2 billion in 2023, expected to reach approximately USD 10.5 billion by 2032, driven by a robust CAGR of 7.8% from 2024 to 2032. The primary growth factor contributing to this surge is the increasing number of cyber threats and data breaches across various industries, compelling organizations to adopt advanced security measures such as IDS to protect their crucial assets.
One of the key growth factors for the IDS market is the increasing sophistication of cyber-attacks. As cybercriminals develop more advanced and complex methods to breach systems, the demand for sophisticated intrusion detection solutions has risen correspondingly. Organizations are increasingly investing in IDS solutions to detect, analyze, and respond to potential threats in real-time. Additionally, the growing awareness of the potential financial and reputational damage caused by cyber incidents is prompting businesses to prioritize cybersecurity investments, further propelling market growth.
Another critical factor driving the IDS market is the widespread adoption of digital transformation initiatives. As organizations across various sectors, including BFSI, healthcare, retail, and others, embrace digital technologies, their attack surfaces expand, making them more vulnerable to cyber threats. Intrusion detection systems play a crucial role in safeguarding these digital infrastructures by continuously monitoring network traffic and identifying suspicious activities. Furthermore, regulatory requirements mandating robust cybersecurity measures also contribute to the increased adoption of IDS solutions, thereby driving market growth.
The rise in cloud computing and the proliferation of Internet of Things (IoT) devices are also significant drivers for the IDS market. As businesses migrate their operations to the cloud and integrate IoT devices into their networks, the complexity and scale of potential security threats increase. IDS solutions are essential for monitoring and securing these dynamic environments. The need for real-time threat detection and response capabilities in cloud and IoT environments has led to the development of advanced IDS solutions, further fueling market growth.
From a regional perspective, North America is expected to dominate the IDS market during the forecast period. The region's strong focus on cybersecurity, coupled with stringent regulatory frameworks, drives the adoption of IDS solutions among businesses. Additionally, the presence of major IDS vendors and advanced technological infrastructure further supports market growth in North America. Meanwhile, the Asia Pacific region is anticipated to exhibit significant growth, driven by the increasing digitization and rising awareness of cybersecurity threats among enterprises. The expanding IT and telecommunications sector in countries like China and India also contributes to the growing demand for IDS solutions in the region.
The IDS market is segmented into three primary components: hardware, software, and services. Each of these components plays a vital role in the overall efficacy and deployment of IDS solutions. Hardware components in IDS typically include network appliances and sensors that are essential for monitoring and detecting unusual activities within a network. The demand for robust and scalable hardware solutions is increasing as organizations seek to enhance their cybersecurity frameworks. Advanced hardware solutions equipped with high processing capabilities are becoming popular due to their ability to handle large volumes of data and provide real-time threat detection.
Software components are equally crucial in the IDS market, encompassing a wide range of applications designed to detect, analyze, and respond to potential security threats. These software solutions use advanced algorithms and machine learning techniques to identify anomalies and potential intrusions. The increasing sophistication of cyber-attacks has led to the development of more advanced software solutions capable of performing deep packet inspections and behavioral analysis. Additionally, the integration of artificial intelligence and machine learning technologies in IDS software enhances threat detection accuracy and reduces false positives, making these solutions indispensable for modern cybersecurity strategies.
Services in the IDS market include professional services and managed services. Professional