DNP3 Intrusion Detection Dataset — Industrial SCADA Cyberattacks [194.9 MB]
Abstract
"Industrial IoT IDS dataset with labelled TCP/IP and DNP3 flow statistics plus PCAP files for 9 SCADA cyberattacks. CSV and PCAP formats for ML/DL IDS research."
Description
Overview
The DNP3 Intrusion Detection Dataset targets industrial IoT, ICS, and SCADA security research. DNP3 is widely used in critical infrastructure and smart-grid environments, and the dataset focuses on its security weaknesses.
The dataset includes labelled TCP/IP network flow statistics and DNP3 protocol flow statistics in CSV format. Raw packet-capture files are also provided, allowing researchers to perform packet-level, flow-level, and protocol-aware analysis.
Nine DNP3 cyberattack scenarios were executed using penetration-testing tools such as Nmap and Scapy. The attacks include unauthorised DNP3 commands, replay, enumerate, information, warm/cold restart, stop application, and MITM-DoS activity.
Column Schema
| Column | Description |
|---|---|
| FlowIAT_MAX | Maximum DNP3 packet inter-arrival time. |
| FlowIAT_MIN | Minimum DNP3 packet inter-arrival time. |
| TotalFwdIAT | Sum of DNP3 packet inter-arrival time in the forward direction. |
| fwdPkts/sec | DNP3 packets per second in the forward direction. |
| bwdPkts/sec | DNP3 packets per second in the backward direction. |
| frameSrc | Source MAC address. |
| frameDst | Destination MAC address. |
| TotPktsInFlow | Total number of DNP3 packets in the flow. |
| firstPacketDIR | Whether the flow was initiated by a DNP3 master or slave device. |
| pktsFromMASTER | Number of packets transmitted by a DNP3 master device. |
| pktsFromSLAVE | Number of packets transmitted by a DNP3 slave device. |
| Label | Attack label. |
Key Statistics
- Total Records: Labelled DNP3 and TCP/IP flow files plus PCAP files
- Features: TCP/IP flow statistics and DNP3 protocol-specific flow statistics
- File Format: CSV, PCAP, 7z archive
- File Size: 194.9 MB
- Time Period: Attacks executed May 2020; dataset published 2022
- Attack Scenarios: 9 DNP3 cyberattacks
Use Cases
- DNP3-based SCADA intrusion detection
- Industrial IoT cyberattack classification
- Protocol-aware feature engineering for IDS
- ML and DL evaluation for smart-grid security
Source & Attribution
Created by Panagiotis Radoglou-Grammatikis, Vasiliki Kelli, Thomas Lagkas, Vasileios Argyriou, and Panagiotis Sarigiannidis. Published on Zenodo with DOI 10.21227/s7h0-b081 and licensed under CC BY 4.0.
View Data Structure
To explore column names, data types, and sample rows, visit the official dataset page on Zenodo.
Cite This Dataset
Radoglou-Grammatikis, Panagiotis, Kelli, Vasiliki, Lagkas, Thomas, Argyriou, Vasileios, & Sarigiannidis, Panagiotis (2022). DNP3 Intrusion Detection Dataset — Industrial SCADA Cyberattacks [194.9 MB]. [Dataset]. Zenodo. https://doi.org/10.21227/s7h0-b081
Source: Zenodo (2022) · DOI: 10.21227/s7h0-b081
Indexed by IoTDataset.com on Jun 02, 2026