TON_IoT — UNSW Telemetry, Network & OS Attack Traces [Multi-Source IIoT]
Abstract
"Heterogeneous IoT/IIoT dataset from UNSW Canberra Cyber Range with network traffic, Windows/Linux OS traces, and IoT sensor telemetry. Labeled for 9 attack types including DoS, DDoS, ransomware, and XSS. CSV and PCAP formats. Benchmark for AI-based IDS evaluation."
Description
Overview
The TON_IoT dataset is a next-generation cybersecurity benchmark developed by the Cyber Range and IoT Labs at UNSW Canberra, Australian Defence Force Academy. It is designed to evaluate the fidelity and efficiency of AI-based cybersecurity applications including intrusion detection systems, malware detection, threat hunting, and digital forensics in Industry 4.0 and IoT/IIoT environments.
Unlike single-source datasets, TON_IoT integrates heterogeneous data streams collected in parallel: network traffic (PCAP and Zeek/Bro logs), Windows OS audit traces, Linux OS audit traces, and IoT sensor telemetry from more than 10 devices including weather sensors and Modbus industrial controllers. This multi-source structure closely mirrors real enterprise IoT deployments.
Nine attack categories are represented — DoS, DDoS, ransomware, backdoor, data injection, XSS, password cracking, scanning, and man-in-the-middle — all launched across IoT gateways, MQTT protocols, Node-Red web applications, Linux, Windows, and cloud systems using Kali Linux attack machines.
Column Schema
| Column | Description |
|---|---|
| ts | Timestamp of the network event. |
| src_ip / dst_ip | Source and destination IP addresses. |
| src_port / dst_port | Source and destination port numbers. |
| proto | Network protocol (TCP, UDP, ICMP, etc.). |
| service | Detected application-layer service. |
| duration | Duration of the connection in seconds. |
| orig_bytes / resp_bytes | Bytes sent by originator and responder. |
| label | Binary label: 0 = Normal, 1 = Attack. |
| type | Specific attack type (dos, ddos, ransomware, etc.). |
Key Statistics
- Data Sources: Network traffic, Windows OS, Linux OS, IoT sensor telemetry
- IoT Sensors: 10+ devices (weather, Modbus, GPS tracker, fridge, garage door, etc.)
- Attack Types: 9 categories
- File Formats: CSV, LOG (Zeek/Bro), PCAP
- Features: 44 network flow features (network sub-dataset)
- Published: 2019–2020
Use Cases
- AI-based IoT intrusion detection and anomaly detection
- Multi-class attack classification across network and OS telemetry layers
- Ransomware and backdoor detection in IIoT networks
- Digital forensics and adversarial ML evaluation in IoT environments
Source & Attribution
Created by Nour Moustafa and colleagues at the Cyber Range Research Group, UNSW Canberra. Published through IEEE Dataport and documented in multiple journal articles. The dataset page at UNSW Research provides direct access to downloads.
View Data Structure
To explore column names, data types, and sample rows, visit the official dataset page on University.
Preview on UniversityCite This Dataset
Moustafa, Nour (2021). TON_IoT — UNSW Telemetry, Network & OS Attack Traces [Multi-Source IIoT]. Sustainable Cities and Society. [Dataset]. Elsevier. https://research.unsw.edu.au/projects/toniot-datasets
Source: Elsevier (2021)
Indexed by IoTDataset.com on Apr 13, 2026
Ready to Start Your Research?
Download this dataset directly from the official repository and start building your next breakthrough project.