RT-IoT2022 — Real-Time IoT IDS Dataset [41 Features, Multi-Attack]
Abstract
Real-time IoT network security dataset from a live IoT infrastructure with 41 bidirectional flow features. Includes ThingSpeak-LED, Wipro-Bulb, and MQTT-Temp devices with SSH brute force, DDoS (Hping/Slowloris), and Nmap attack scenarios. CSV format. Used for adaptive IDS development.
Description
Overview
RT-IoT2022 is a proprietary-origin dataset derived from a real-time, operational IoT infrastructure, donated to the UCI Machine Learning Repository in January 2024. It integrates traffic from diverse consumer IoT devices — including a ThingSpeak-LED smart bulb, Wipro smart bulb, and an MQTT-based temperature sensor — alongside targeted attack simulations.
Network flows are captured bidirectionally using the Zeek network monitoring tool combined with the Flowmeter plugin, producing a rich tabular feature set of 41 columns per flow record. Attack scenarios include brute-force SSH attacks, volumetric DDoS attacks launched via Hping3 and the Slowloris application-layer tool, and reconnaissance activity using Nmap network scanning patterns.
With approximately 2.09 million total records (1.96M normal, 138K attack), the dataset supports classification, regression, and clustering tasks. Its real-time IoT provenance — rather than purely simulated conditions — makes it particularly valuable for developing robust and adaptive security solutions for production IoT deployments.
Column Schema
| Column | Description |
|---|---|
| proto | Transport protocol of the flow. |
| service | Application-layer service detected by Zeek. |
| flow_duration | Duration of the bidirectional flow. |
| fwd_pkts_tot / bwd_pkts_tot | Total forward and backward packet counts. |
| fwd_data_pkts_tot | Forward data packet count. |
| fwd_pkts_per_sec / bwd_pkts_per_sec | Forward and backward packet rates. |
| flow_pkts_per_sec | Overall flow packet rate. |
| down_up_ratio | Ratio of download to upload traffic. |
| Attack_type | Label: specific attack type or normal traffic class. |
Key Statistics
- Total Records: ~2,095,319 (Normal: ~1,956,847; Attack: ~138,472)
- Features: 41 columns
- Attack Types: SSH brute force, DDoS-Hping, DDoS-Slowloris, Nmap scanning
- IoT Devices: ThingSpeak-LED, Wipro-Bulb, MQTT-Temp
- File Format: CSV
- Capture Tool: Zeek + Flowmeter plugin
- Donated to UCI: January 2024
Use Cases
- Intrusion detection system development for real-world IoT deployments
- ML-based attack classification (binary and multi-class)
- Evaluation of IDS adaptability across volumetric and application-layer attacks
- Feature selection and dimensionality reduction for IoT network security models
Source & Attribution
RT-IoT2022 was donated to the UCI Machine Learning Repository in January 2024 and is directly available for download from the UCI dataset page. It is maintained as an open academic resource for IoT security and intrusion detection research.
Data Preview
| proto | service | flow_duration | flow_pkts_per_sec | Attack_type |
|---|---|---|---|---|
| tcp | http | 0.004210 | 473.87 | Normal |
| udp | dns | 0.000142 | 14084.50 | Normal |
| tcp | ssh | 1.234500 | 3.24 | MQTT_Publish |
| tcp | - | 0.000001 | 1000000.0 | DDoS_Hping |
| tcp | - | 30.12300 | 0.43 | Slowloris |
Showing first few rows for preview
Cite This Dataset
RT-IoT2022 Contributors (2024). RT-IoT2022 — Real-Time IoT IDS Dataset [41 Features, Multi-Attack]. [Dataset]. UCI Machine Learning Repository. https://archive.ics.uci.edu/dataset/942/rt-iot2022
Source: UCI Machine Learning Repository (2024)
Indexed by IoTDataset.com on Apr 13, 2026