IIoT Network Traffic - 29% Attacks [10K rows] #8d6c

Overview

This dataset provides synthetic Industrial Internet of Things (IIoT) network traffic captured within a simulated SCADA/ICS environment. It reproduces communications across six Operational Technology (OT) protocols: Modbus TCP, OPC UA, DNP3, MQTT, BACnet, and EtherNet/IP. Traffic originates from heterogeneous ICS devices including PLCs, HMIs, RTUs, SCADA servers, Engineering Workstations, Historians, and simulated External attackers, representing a realistic industrial network topology with an internal subnet of 10.0.1.x/24.

The dataset contains 10,000 labeled network flow records distributed across 16 features. A controlled attack injection rate of 29% (approximately 2,900 malicious flows) simulates real-world threat scenarios targeting OT infrastructure, while the remaining 71% (approximately 7,100 flows) represents legitimate industrial communications. Each attack scenario follows a structured four-phase lifecycle: reconnaissance, escalation, peak, and cooldown, aligned with adversarial campaign models observed in ICS threat intelligence.

Dataset Statistics

• Total records: 10,000 labeled flow entries
• Features (columns): 16
• Normal traffic: approximately 7,100 records (71%)
• Malicious traffic: approximately 2,900 records (29%)
• Sampling interval: 10 seconds per record
• OT Protocols covered: Modbus TCP (port 502), OPC UA (port 4840), DNP3 (port 20000), MQTT (port 1883), BACnet (port 47808), EtherNet/IP (port 44818)
• Attack types: Man-in-the-Middle (MitM), Replay, False Data Injection, Denial of Service (DoS), Reconnaissance
• Device roles: PLC, HMI, RTU, SCADA, Engineering Workstation, Historian, External
• License: CC0 1.0 Universal (Public Domain)

Column Schema

Attack Taxonomy

• Man-in-the-Middle (MitM): The attacker intercepts and optionally alters OT protocol messages between ICS nodes. Simulated across OPC UA, DNP3, Modbus TCP, and MQTT sessions, targeting PLC-to-SCADA and HMI-to-PLC communication channels.
• Replay Attack: Previously captured legitimate OT commands are retransmitted to trigger unauthorized state changes in PLCs or RTUs. Detectable through sequence number anomalies and timing inconsistencies in stateful protocols.
• False Data Injection (FDI): Manipulated sensor readings or counterfeit control commands are injected into the SCADA data stream to mislead operators and automated safety systems, potentially causing incorrect physical process decisions.
• Denial of Service (DoS): High-frequency traffic is directed at ICS devices to exhaust processing capacity and disrupt the availability of critical control functions, particularly targeting PLCs and RTUs over Modbus TCP and OPC UA.
• Reconnaissance: Systematic low-volume scanning of the ICS network to enumerate active devices, open OT service ports, and supported function codes. Serves as the preparatory phase before active exploitation.

Attack Lifecycle Model

Each attack scenario in this dataset follows a structured four-phase progression consistent with observed adversarial campaigns against ICS environments:

• Recon: Low-intensity probing phase; the attacker maps network topology, identifies live hosts, and enumerates supported OT protocols and function codes
• Escalation: The attacker establishes an active foothold, increases interaction frequency with target devices, and prepares for the main attack phase
• Peak: Maximum attack intensity; highest observed packet rates, byte volumes, and flow rates; represents the primary window for detection
• Cooldown: Gradual reduction in malicious activity as the attacker withdraws, pivots to new targets, or awaits the next attack cycle

Normal Traffic Model

Legitimate traffic is generated using protocol-specific periodic polling patterns characteristic of industrial automation systems operating under standard process control conditions. OPC UA sessions use subscription-based data exchange with configurable publish intervals. Modbus TCP follows cyclic read/write request cycles against holding registers and coil banks. DNP3 implements unsolicited response messaging and integrity polls. MQTT uses publish/subscribe broker communication at regular telemetry intervals consistent with IIoT sensor reporting.

Use Cases

• Training and evaluation of Intrusion Detection Systems (IDS) for SCADA and ICS environments
• Benchmarking supervised classifiers including Random Forest, XGBoost, LSTM, GRU, and Transformer-based models for binary and multi-class attack detection
• OT protocol traffic analysis, feature engineering, and anomaly detection research
• Federated learning experiments for distributed and privacy-preserving ICS threat detection
• Industrial cybersecurity education and hands-on curriculum development
• Feature importance and explainability studies (e.g., SHAP, LIME) for network flow-based detection models
• Class imbalance benchmarking using SMOTE, ADASYN, or cost-sensitive learning techniques on a 71/29 split

Limitations

• Data is fully synthetic; real-world traffic may exhibit additional variability in timing jitter, TCP retransmissions, packet fragmentation, and vendor-specific protocol extensions not reproduced in this dataset
• Attack scenarios represent common OT threat vectors but do not model advanced persistent threats (APTs), firmware exploits, supply chain attacks, or zero-day vulnerabilities
• The 71%/29% class distribution introduces moderate imbalance; researchers are advised to apply appropriate resampling or threshold-tuning strategies before training classifiers
• External attacker IPs are randomly assigned from public address space and do not reflect real threat actor infrastructure or geolocation

Reproducibility

Seed: 165981527. Applying the same seed and generation parameters in IoTSyn will produce an identical dataset, ensuring full experimental reproducibility. Generated by IoTSyn v3.2.