N-BaIoT Dataset - IoT Botnet Attack Detection from Network Traffic

Dataset Introduction

The N-BaIoT dataset focuses specifically on detecting botnet-infected IoT devices through network traffic behavioral analysis. This dataset addresses the growing threat of IoT botnets like Mirai that compromised millions of devices worldwide for massive DDoS attacks.

Device Coverage - 9 Real IoT Devices

Network traffic captured from authentic commercial IoT devices:

• Smart Home: Doorbell, baby monitor, security camera, thermostat
• Entertainment: Smart TV, streaming device
• Connectivity: WiFi extenders, network cameras
• Storage: Network-attached storage (NAS) devices

Malware Variants Simulated

Mirai Botnet

The notorious malware that infected IoT devices using default credentials, creating the largest botnet in history responsible for record-breaking DDoS attacks. The dataset includes multiple Mirai attack variants:

• UDP flooding
• TCP connection flooding
• HTTP flooding
• Junk packet transmission

BASHLITE (Gafgyt)

Another prevalent IoT botnet exploiting shell vulnerabilities. Multiple BASHLITE variants captured with different attack patterns and command-and-control behaviors.

Behavioral Feature Extraction

Rather than raw packet analysis, the dataset provides extracted behavioral features characterizing device communication patterns:

• Statistical Features: Packet size distributions, inter-arrival times, flow durations
• Behavioral Metrics: Connection patterns, protocol usage, destination diversity
• Temporal Patterns: Time-based traffic characteristics revealing botnet activity cycles

Binary Classification Focus

Each device has separate datasets for:

• Benign Traffic: Normal operational behavior baseline
• Infected Traffic: Behavior after malware infection for each variant

This structure enables training precise binary classifiers (normal vs compromised) for each device type.

Research Advantages

Real Device Traffic

Unlike simulated datasets, N-BaIoT uses actual commercial IoT devices, capturing authentic protocol implementations and manufacturer-specific behaviors.

Device-Specific Models

Separate datasets per device allow researchers to develop device-specific detection models that account for unique operational characteristics.

Lightweight Detection

Behavioral features enable efficient detection suitable for deployment on IoT gateways with limited computational resources.

Machine Learning Applications

• Anomaly Detection: Identify deviations from normal device behavior
• Binary Classification: Classify traffic as benign or botnet-infected
• Multi-Class Classification: Identify specific malware variants
• Ensemble Methods: Combine device-specific models for network-wide protection

Practical Deployment

Models trained on N-BaIoT can be deployed at network edge or on IoT gateways to provide real-time detection of compromised devices, enabling rapid quarantine before they participate in botnet attacks.