IIoT Network Traffic - 21% Attacks [4K rows] #6a63
Abstract
"Synthetic Network Security dataset with 4,000 data points. 16 columns. Config: Attack rate: 21%. CC0 licensed."
Description
Overview
This dataset provides synthetic Industrial Internet of Things (IIoT) network traffic captured within a simulated SCADA/ICS environment. It reproduces communications across six Operational Technology (OT) protocols: Modbus TCP, OPC UA, DNP3, MQTT, BACnet, and EtherNet/IP. Traffic originates from heterogeneous ICS devices including PLCs, HMIs, RTUs, SCADA servers, Engineering Workstations, and simulated External attackers, representing a realistic industrial network topology with an internal subnet of 10.0.1.x/24.
The dataset contains 4,000 labeled network flow records across 16 features. A controlled attack injection rate of 21% (approximately 840 malicious flows) simulates real-world threat scenarios targeting OT infrastructure, while the remaining 79% (approximately 3,160 flows) represents legitimate industrial communications. Each attack scenario follows a structured four-phase lifecycle: reconnaissance, escalation, peak, and cooldown, aligned with adversarial campaign models observed in ICS threat intelligence.
Dataset Statistics
- Total records: 4,000 labeled flow entries
- Features (columns): 16
- Normal traffic: approximately 3,160 records (79%)
- Malicious traffic: approximately 840 records (21%)
- Sampling interval: 5 seconds per record
- OT Protocols covered: Modbus TCP (port 502), OPC UA (port 4840), DNP3 (port 20000), MQTT (port 1883), BACnet (port 47808), EtherNet/IP (port 44818)
- Attack types: Man-in-the-Middle (MitM), Replay, False Data Injection, Denial of Service (DoS), Reconnaissance
- Device roles: PLC, HMI, RTU, SCADA Server, Engineering Workstation, External
- License: CC0 1.0 Universal (Public Domain)
Column Schema
| Column | Type | Description |
|---|---|---|
| Timestamp | datetime | ISO 8601 formatted timestamp; 5-second sampling interval starting from simulation epoch (2026-04-27) |
| Source_IP | string | IPv4 source address; internal ICS devices use the 10.0.1.x/24 subnet; external attackers originate from routable public IP addresses |
| Dest_IP | string | IPv4 destination address; all target nodes reside within the 10.0.1.x/24 ICS network segment |
| Source_Port | integer | Ephemeral TCP/UDP source port assigned by the originating host (range: 1024-65535) |
| Dest_Port | integer | Destination port mapped to the target OT service: 502 (Modbus TCP), 4840 (OPC UA), 20000 (DNP3), 1883 (MQTT), 47808 (BACnet/IP), 44818 (EtherNet/IP) |
| Protocol | categorical | OT communication protocol identifier; values: Modbus_TCP, OPC_UA, DNP3, MQTT, BACnet, EtherNet_IP |
| Packet_Size | integer | Layer 4 payload size per packet in bytes; reflects protocol-specific message sizes |
| Connection_Duration | float | Session duration in seconds; abnormally short durations may indicate scanning or probing behavior characteristic of reconnaissance |
| Packets_Sent | integer | Total number of packets transmitted within the flow session; elevated counts may signal flooding or DoS activity |
| Bytes_Transferred | integer | Total bytes transferred per session; derived as Packet_Size multiplied by Packets_Sent |
| Flow_Rate | float | Network throughput in bytes per second; computed as Bytes_Transferred divided by Connection_Duration; high variance is a key discriminating feature between normal and attack traffic |
| Device_Role | categorical | Functional role of the source node within the ICS hierarchy: PLC, HMI, RTU, SCADA_Server, Engineering_Workstation, External (off-network attacker) |
| Function_Code | integer | Protocol-specific command code; for Modbus TCP, values 1-16 represent standard read/write operations; value 0 is assigned to non-Modbus protocols |
| Attack_Type | categorical | Cyber threat category label; values: Normal, MitM, Replay, False_Data_Injection, DoS, Reconnaissance |
| Attack_Phase | categorical | Temporal stage within the attack lifecycle; values: none (normal traffic), recon, escalation, peak, cooldown |
| Label | binary | Ground-truth binary classification target; values: Normal or Malicious; primary target variable for supervised learning models |
Attack Taxonomy
- False Data Injection (FDI): Manipulated sensor readings or counterfeit control commands injected into the SCADA data stream to mislead operators and automated safety systems. Dominant attack type in this dataset, targeting Modbus TCP and DNP3 channels.
- Man-in-the-Middle (MitM): The attacker intercepts and optionally alters OT protocol messages between ICS nodes across OPC UA, DNP3, Modbus TCP, and MQTT sessions.
- Replay Attack: Previously captured legitimate OT commands retransmitted to trigger unauthorized state changes in PLCs or RTUs; detectable through sequence number anomalies and timing inconsistencies.
- Denial of Service (DoS): High-frequency traffic directed at ICS devices to exhaust processing capacity and disrupt availability of critical control functions.
- Reconnaissance: Systematic low-volume scanning of the ICS network to enumerate active devices, open OT service ports, and supported function codes.
Attack Lifecycle Model
Each attack scenario follows a structured four-phase progression consistent with observed adversarial campaigns against ICS environments:
- Recon: Low-intensity probing phase; attacker maps network topology and enumerates supported OT protocols and function codes
- Escalation: Attacker establishes an active foothold and increases interaction frequency with target devices
- Peak: Maximum attack intensity; highest observed packet rates, byte volumes, and flow rates
- Cooldown: Gradual reduction in malicious activity as the attacker withdraws or pivots to new targets
Normal Traffic Model
Legitimate traffic is generated using protocol-specific periodic polling patterns characteristic of industrial automation systems. OPC UA sessions use subscription-based data exchange; Modbus TCP follows cyclic read/write request cycles; DNP3 implements unsolicited response messaging and integrity polls; MQTT uses publish/subscribe broker communication at regular telemetry intervals; EtherNet/IP and BACnet flows reflect typical controller and building automation communications.
Use Cases
- Training and evaluation of Intrusion Detection Systems (IDS) for SCADA and ICS environments
- Benchmarking supervised classifiers including Random Forest, XGBoost, LSTM, GRU, and Transformer-based models
- False Data Injection detection research targeting DNP3 and Modbus TCP industrial protocols
- OT protocol traffic analysis, feature engineering, and anomaly detection research
- Federated learning experiments for distributed ICS threat detection
- Class imbalance benchmarking on a 79/21 split using SMOTE or cost-sensitive learning
- Feature importance and explainability studies (SHAP, LIME) for network flow-based detection models
Limitations
- Data is fully synthetic; real-world traffic may exhibit additional variability in timing jitter, TCP retransmissions, and vendor-specific protocol extensions
- Attack scenarios represent common OT threat vectors but do not model APTs, firmware exploits, or zero-day vulnerabilities
- The 79%/21% class distribution introduces moderate imbalance; resampling or threshold-tuning strategies are advised before training classifiers
Reproducibility
Seed: 1695713840. Applying the same seed and generation parameters in IoTSyn will produce an identical dataset, ensuring full experimental reproducibility. Generated by IoTSyn v3.2.
Sample Data (50 rows · 16 columns)
| # | Timestamp | Source_IP | Dest_IP | Source_Port | Dest_Port | Protocol | Packet_Size | Connection_Duration | Packets_Sent | Bytes_Transferred | Flow_Rate | Device_Role | Function_Code | Attack_Type | Attack_Phase | Label |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 2026-04-27 08:03:46 | 10.0.1.26 | 10.0.1.21 | 34745 | 20000 | DNP3 | 117 | 0.47 | 6 | 702 | 1,510.48 | Engineering_Workstation | 16 | Normal | none | Normal |
| 2 | 2026-04-27 08:03:51 | 10.0.1.17 | 10.0.1.11 | 29767 | 47808 | BACnet | 54 | 0.25 | 8 | 432 | 1,742.73 | HMI | 0 | Normal | none | Normal |
| 3 | 2026-04-27 08:03:56 | 198.109.200.84 | 10.0.1.22 | 34269 | 20000 | DNP3 | 284 | 0.27 | 5 | 1420 | 5,343.37 | External | 6 | False_Data_Injection | recon | Malicious |
| 4 | 2026-04-27 08:04:01 | 198.109.200.84 | 10.0.1.13 | 62699 | 502 | Modbus_TCP | 104 | 0.25 | 5 | 520 | 2,111.30 | External | 6 | False_Data_Injection | recon | Malicious |
| 5 | 2026-04-27 08:04:06 | 198.109.200.84 | 10.0.1.15 | 59586 | 502 | Modbus_TCP | 213 | 0.14 | 2 | 426 | 3,109.70 | External | 16 | False_Data_Injection | escalation | Malicious |
| 6 | 2026-04-27 08:04:11 | 198.109.200.84 | 10.0.1.12 | 26610 | 20000 | DNP3 | 207 | 0.04 | 3 | 621 | 16,761.64 | External | 6 | False_Data_Injection | escalation | Malicious |
| 7 | 2026-04-27 08:04:16 | 198.109.200.84 | 10.0.1.16 | 2224 | 502 | Modbus_TCP | 103 | 0.14 | 4 | 412 | 2,880.95 | External | 16 | False_Data_Injection | escalation | Malicious |
| 8 | 2026-04-27 08:04:21 | 198.109.200.84 | 10.0.1.19 | 20954 | 502 | Modbus_TCP | 201 | 0.21 | 2 | 402 | 1,943.06 | External | 16 | False_Data_Injection | peak | Malicious |
| 9 | 2026-04-27 08:04:26 | 198.109.200.84 | 10.0.1.14 | 18863 | 20000 | DNP3 | 271 | 0.10 | 1 | 271 | 2,715.87 | External | 16 | False_Data_Injection | peak | Malicious |
| 10 | 2026-04-27 08:04:31 | 198.109.200.84 | 10.0.1.24 | 51327 | 20000 | DNP3 | 84 | 0.05 | 5 | 420 | 9,131.13 | External | 6 | False_Data_Injection | peak | Malicious |
Showing first 10 of 50 sample rows
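An added example, not part of the dataset page or of IoTSyn: it checks the Column Schema rules against five rows copied from the sample table above, and tests whether "source address outside the ICS subnet" alone reproduces Label. The rule names, the `audit` and `check_row` helpers and the 0.01 s duration tolerance are assumptions of this example.

```python
import csv, io, ipaddress

ICS_NET = ipaddress.ip_network("10.0.1.0/24")
PORTS = {"Modbus_TCP": 502, "OPC_UA": 4840, "DNP3": 20000,
         "MQTT": 1883, "BACnet": 47808, "EtherNet_IP": 44818}
DUR_TOL = 0.01  # assumption: Connection_Duration is published rounded to 2 decimals

# Rows 1, 2, 3, 4 and 6 of the sample table, reduced to the columns checked here
# (thousands separators removed from Flow_Rate). Keys below index this string.
SAMPLE = """\
Source_IP,Dest_IP,Dest_Port,Protocol,Packet_Size,Connection_Duration,Packets_Sent,Bytes_Transferred,Flow_Rate,Function_Code,Label
10.0.1.26,10.0.1.21,20000,DNP3,117,0.47,6,702,1510.48,16,Normal
10.0.1.17,10.0.1.11,47808,BACnet,54,0.25,8,432,1742.73,0,Normal
198.109.200.84,10.0.1.22,20000,DNP3,284,0.27,5,1420,5343.37,6,Malicious
198.109.200.84,10.0.1.13,502,Modbus_TCP,104,0.25,5,520,2111.30,6,Malicious
198.109.200.84,10.0.1.12,20000,DNP3,207,0.04,3,621,16761.64,6,Malicious
"""

def check_row(r):
    """Return the names of the schema rules this flow record breaks."""
    bad = []
    size, sent = int(r["Packet_Size"]), int(r["Packets_Sent"])
    total, rate = int(r["Bytes_Transferred"]), float(r["Flow_Rate"])
    if PORTS.get(r["Protocol"]) != int(r["Dest_Port"]):
        bad.append("port_protocol")
    if ipaddress.ip_address(r["Dest_IP"]) not in ICS_NET:
        bad.append("dest_subnet")
    if size * sent != total:
        bad.append("bytes_product")
    # Flow_Rate = Bytes_Transferred / Connection_Duration. Compare implied and
    # listed duration, because the listed duration is too coarse to recompute the rate.
    if rate <= 0 or abs(total / rate - float(r["Connection_Duration"])) > DUR_TOL:
        bad.append("flow_rate")
    fc, modbus = int(r["Function_Code"]), r["Protocol"] == "Modbus_TCP"
    if (modbus and not 1 <= fc <= 16) or (not modbus and fc != 0):
        bad.append("function_code")
    return bad

def audit(text):
    """Return ({row_number: [broken rules]}, source_subnet_reproduces_label)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    violations = {i: v for i, r in enumerate(rows, 1) if (v := check_row(r))}
    # Leakage check: a feature that equals the label lets a model skip the traffic features.
    external = [ipaddress.ip_address(r["Source_IP"]) not in ICS_NET for r in rows]
    leak = all(e == (r["Label"] == "Malicious") for e, r in zip(external, rows))
    return violations, leak

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On these five rows the three DNP3 records carry a non-zero Function_Code, which the schema assigns only to Modbus TCP, and the source subnet matches Label exactly. Both are worth checking on the full file before using Function_Code, Source_IP or Device_Role as model features.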
Cite This Dataset
IoTSyn Generated (2026). IIoT Network Traffic - 21% Attacks [4K rows] #6a63. [Dataset]. IoTSyn Generated. https://iotsyn.com/view.php?uid=iotsyn_69f852e2450f21.85117884
Source: IoTSyn Generated (2026)
Indexed by IoTDataset.com on May 04, 2026