IoT-23: A Labeled Dataset with Malicious and Benign IoT Network Traffic

Dataset Overview

The IoT-23 dataset is a comprehensive collection of network traffic from Internet of Things devices infected with malware. Created by the Stratosphere Laboratory, it contains 23 different malware captures plus 3 benign scenarios, representing one of the most extensive labeled IoT botnet datasets available for research purposes.

Key Features

• 23 malware infection scenarios with real IoT botnets
• 3 benign traffic scenarios for baseline comparison
• Over 325 million labeled network connections
• PCAP files with complete packet captures
• Bidirectional NetFlow data (argus format)
• Labeled connections (Malicious, Benign, or Unknown)
• Multiple malware families: Mirai, Torii, Hide and Seek, Hakai
• Real IoT devices used: Philips HUE, Amazon Echo, Somfy doorlock

Data Structure

Each scenario in the dataset includes multiple data formats:

• PCAP Files: Complete packet captures for deep analysis
• Conn.log Files: Connection summaries in Zeek/Bro format
• Labeled Flows: CSV files with labeled connections
• Metadata: Information about infection type and device
• Network Features: Duration, protocol, packets, bytes, ports
• Behavioral Labels: Malicious, Benign, Background, or Unknown

Data Collection Method

The dataset was created by intentionally infecting real IoT devices with malware in a controlled laboratory environment. Traffic was captured during the infection process and normal operation, providing authentic examples of IoT botnet behavior. All captures were performed with proper isolation to prevent actual attacks.

Malware Families Included

• Mirai: Famous IoT botnet targeting cameras and routers
• Torii: Advanced persistent IoT botnet
• Hide and Seek: P2P-based IoT botnet
• Hakai: Variant of Mirai targeting specific devices
• Others: Various IoT-specific malware strains

Research Applications

• IoT botnet detection and classification
• Malware behavior analysis in IoT environments
• Development of network-based intrusion detection systems
• Machine learning model training for threat detection
• IoT security protocol evaluation
• Behavioral analysis of infected IoT devices
• Comparative studies of different malware families

Machine Learning Use Cases

• Binary classification (Malicious vs. Benign traffic)
• Multi-class malware family classification
• Anomaly detection in IoT network behavior
• Time-series analysis of infection patterns
• Deep learning for packet-level analysis
• Feature engineering from network flows
• Botnet command and control detection
• Zero-day malware detection using behavioral models