CICIoT2023: Real-Time IoT Attack Dataset [47M+ Labeled Flows, 33 Attack Types]
Abstract
"Large-scale IoT cybersecurity dataset with 47M+ labeled network flows from 105 real IoT devices across 33 attack types in 7 categories. PCAP and CSV formats. Built for IDS/IPS development and ML-based IoT traffic classification research."
Description
Overview
CICIoT2023 is a comprehensive, real-time IoT network traffic dataset created by the Canadian Institute for Cybersecurity (CIC) at the University of New Brunswick. It was designed to address the growing demand for realistic, large-scale IoT attack data to foster the development of intrusion detection systems and security analytics tools tailored to IoT environments.
The dataset was generated using a testbed of 105 heterogeneous IoT devices — including smart cameras, sensors, microcontrollers, and Zigbee/Z-Wave endpoints — organized across five home automation hubs. Critically, attacks were performed by malicious IoT devices targeting other IoT devices, reflecting the realistic lateral-movement threat model in smart environments.
33 distinct attack types are included, hierarchically grouped into seven broad categories: DDoS, DoS, Reconnaissance, Web-based, Brute Force, Spoofing, and Mirai. Each bidirectional flow record contains 45–46 numeric features extracted from PCAP captures. The compressed dataset occupies approximately 2.7 GB and expands to ~13 GB when uncompressed.
Column Schema
| Column | Description |
|---|---|
| flow_duration | Duration of the network flow in microseconds. |
| Header_Length | Total header length of the flow packets. |
| Protocol Type | Protocol identifier (TCP, UDP, ICMP, etc.). |
| Duration | Flow duration value in alternate unit. |
| Rate | Flow packet rate. |
| Srate / Drate | Source and destination packet rates. |
| fin_flag_number … urg_flag_number | TCP flag counts per flow (FIN, SYN, RST, PSH, ACK, ECE, URG). |
| Magnitude / Radius / Covariance / Variance | Statistical features derived from packet size and timing. |
| label | Attack class label: Benign or one of 33 attack types. |
Key Statistics
- Total Flows: 47,665,723 labeled records
- Benign flows: ~42.6M (89.4%); Attack flows: ~5M (10.6%)
- Attack Types: 33 across 7 categories
- IoT Devices: 105 (67 active + 38 Zigbee/Z-Wave)
- Features: 45–46 per flow record (CSV)
- File Format: PCAP and CSV
- Compressed size: ~2.7 GB; Uncompressed: ~13 GB
- Published: 2023
Use Cases
- IoT intrusion detection system (IDS/IPS) development and benchmarking
- Multi-class and binary attack classification using ML/DL algorithms
- Federated learning and LLM-based IoT security research
- DDoS, Mirai botnet, and spoofing detection in smart home environments
Source & Attribution
Created by Neto et al. at the Canadian Institute for Cybersecurity, University of New Brunswick. Published in Sensors (MDPI) 2023. The dataset is freely downloadable from the CIC website and also mirrored on Kaggle.
View Data Structure
To explore column names, data types, and sample rows, visit the official dataset page on University.
Preview on UniversityCite This Dataset
Neto, Euclides Carlos Pinto, Dadkhah, Sajjad, Ferreira, Raphael, Zohourian, Arash, Lu, Rongxing, & Ghorbani, Ali A. (2023). CICIoT2023: Real-Time IoT Attack Dataset [47M+ Labeled Flows, 33 Attack Types]. Sensors. [Dataset]. MDPI. https://www.unb.ca/cic/datasets/iotdataset-2023.html
Source: MDPI (2023)
Indexed by IoTDataset.com on Apr 13, 2026
Ready to Start Your Research?
Download this dataset directly from the official repository and start building your next breakthrough project.