TON_IoT: UNSW Telemetry, Network & OS Attack Traces [Multi-Source IIoT]

Overview

The TON_IoT dataset is a next-generation cybersecurity benchmark developed by the Cyber Range and IoT Labs at UNSW Canberra, Australian Defence Force Academy. It is designed to evaluate the fidelity and efficiency of AI-based cybersecurity applications including intrusion detection systems, malware detection, threat hunting, and digital forensics in Industry 4.0 and IoT/IIoT environments.

Unlike single-source datasets, TON_IoT integrates heterogeneous data streams collected in parallel: network traffic (PCAP and Zeek/Bro logs), Windows OS audit traces, Linux OS audit traces, and IoT sensor telemetry from more than 10 devices including weather sensors and Modbus industrial controllers. This multi-source structure closely mirrors real enterprise IoT deployments.

Nine attack categories are represented — DoS, DDoS, ransomware, backdoor, data injection, XSS, password cracking, scanning, and man-in-the-middle — all launched across IoT gateways, MQTT protocols, Node-Red web applications, Linux, Windows, and cloud systems using Kali Linux attack machines.

Column Schema

Key Statistics

• Data Sources: Network traffic, Windows OS, Linux OS, IoT sensor telemetry
• IoT Sensors: 10+ devices (weather, Modbus, GPS tracker, fridge, garage door, etc.)
• Attack Types: 9 categories
• File Formats: CSV, LOG (Zeek/Bro), PCAP
• Features: 44 network flow features (network sub-dataset)
• Published: 2019–2020

Use Cases

• AI-based IoT intrusion detection and anomaly detection
• Multi-class attack classification across network and OS telemetry layers
• Ransomware and backdoor detection in IIoT networks
• Digital forensics and adversarial ML evaluation in IoT environments

Source & Attribution

Created by Nour Moustafa and colleagues at the Cyber Range Research Group, UNSW Canberra. Published through IEEE Dataport and documented in multiple journal articles. The dataset page at UNSW Research provides direct access to downloads.