This dataset supports researchers in the validation process of solutions such as Intrusion Detection Systems (IDS) based on artificial intelligence and machine learning techniques for the detection and categorization of threats in Cyber Physical Systems (CPS). To that aim, data have been acquired from a water distribution hardware-in-the-loop testbed which emulates water passage between nine tanks via solenoid-valves, pumps, pressure and flow sensors. The testbed is composed by a real partition which is virtually connected to a simulated one.


This dataset has related to the paper "A hardware-in-the-loop Water Distribution Testbed (WDT) dataset for cyber-physical security testing".
We provide four different acquisitions:
1) A normal acquisition without attacks ("normal.csv" for network traffic and "dataset_norm.csv" for physical measures)
2) Three acquisitions where different types of attacks and physical faults are reproduced ("attack_1.csv", "attack_2.csv" and "attack_3.csv" for network traffic and "dataset_att_1.csv", "dataset_att_2.csv" and "dataset_att_3.csv" for physical measures)
In addition to .csv files we provide four .pcap files ("attack_1.pcap", "attack_2.pcap", "attack_3.pcap" and "normal.pcap") which refer to network acquisitions for the four previous scenarios.
A README.xlsx file summarizes the key features of the entire dataset.


Supplemental material for paper "Energy Efficiency Analysis of Post-Quantum Cryptographic Algorithms."


Please see README file for instructions and information about the content of these files.


·       9/11 hijackers network dataset [20]: The 9/11 hijackers network incorporates 61 nodes (each node is a terrorist involved in 9/11 bombing at World Trade Centers in 2011). Dataset was prepared based on some news report, and ties range from ‘at school with’ to ‘on the same plane’. The Data consists of a mode matrix with 19*19 terrorist by terrorist having trusted prior contacts with 1 mode matrix of 61 edges of other involved associates.


The S3 dataset contains the behaviour (sensors, statistics of applications, and voice) of 21 volunteers interacting with their smartphones for more than 60 days. The type of users is diverse, males and females in the age range from 18 until 70 have been considered in the dataset generation. The wide range of age is a key aspect, due to the impact of age in terms of smartphone usage. To generate the dataset the volunteers installed a prototype of the smartphone application in on their Android mobile phones.



The data set is compressed into a zip file. Please unzip this file in the desired place and inside the main folder, you will find the file with the instructions and the details of the database.


The Development of an Internet of Things (IoT) Network Traffic Dataset with Simulated Attack Data.

Abstract— This research focuses on the requirements for and the creation of an intrusion detection system (IDS) dataset for an Internet of Things (IoT) network domain.

DARPA is releasing these files in the public domain to stimulate further research. Their release implies no obligation or desire to support additional work in this space. The data is released as-is. DARPA makes no warranties as to the correctness, accuracy, or usefulness of the released data. In fact, since the data was produced by research prototypes, it is practically guaranteed to be imperfect.

The data containing red team activities is divided into three sets, each corresponding to the three days of evaluation: 23Sep19, 24Sep19, and 25Sep19. The fourth set (23Sep19-night) contains no threats and contains data from the first night of evaluations, when clients were left running unattended overnight to collect additional baseline data.

During the initial one thousand client test, each mainframe server hosted fifty Windows clients. Half of the clients were taken down from each server for data collection, reducing the number of clients to five hundred, which resulted in a client machine naming continuity gap (e.g. Sys001-Sys025, Sys051-Sys075, …, Sys951-Sys975).

A full description of the contents, including message formats and file structure can be found in the file attached to this page and included in the root directory of the OpTC.tar.gz.


The Internet of Things (IoT) is reshaping our connected world, due to the prevalence of lightweight devices connected to the Internet and their communication technologies. Therefore, research towards intrusion detection in the IoT domain has a lot of significance. Network intrusion datasets are fundamental for this research, as many attack detection strategies have to be trained and evaluated using these datasets.


This dataset is a supplementary material for paper "A Comprehensive and Reproducible Comparison of Cryptographic Primitives Execution on Android Devices"  with the measurements collected from 17 mobile devices and the code for reproducibility.


The primary data related to the collected data is located in folder Measurement and each device has the corresponding subfolder with the measurement file. The dataset consists of JSON files, each containing measurements of available devices' security primitives execution times. The data was gathered in a span of multiple 250 iterations. Each measurement was taken with a 50 repetitions interval for every primitive. We define the main components of the dataset in the following:


1)    context[] – provides the details about the device and OS including device name, model, battery-related information, Software Development Kit~(SDK) version, and basic technical specification.

2)    benchmarks[] – provides entries per primitive, such as:

i)      name – the overall identification title of the primitive, including paddung and other optional fields;

ii)     params – additional parameters unilized for the execution if any;

iii)   totalRunTimeNs – the overall time of the primitive's execution time;

iv)   metrics[] – provides entries per execution, such as:

(a)   timeNs[] – the collected/processed information of the collected data inluding entries per execution in runs[] and statistical parameters in maximumminimum, and median.

(b)  warmupIterations – number of iterations of warmup before measurements started;

(c)   repeatIterations – the number of iterations;

(d)  thermalThrottleSleepSeconds – the duration of sleep due to thermal throttling.


An example of the dataset entry:



    "context": {

        "build": {

            "device": "mooneye",

            "fingerprint": "mobvoi/mooneye/mooneye:8.0.0/OWDR.180307.020/5000261:user/release-keys",

            "model": "Ticwatch E", 

            "version": {

                "sdk": 26



        "cpuCoreCount": 2, 

        "cpuLocked": true, 

        "cpuMaxFreqHz": -1,

        "batteryCapacity, mAh": 300,

        "memTotalBytes": 514560000,

        "sustainedPerformanceModeEnabled": false


    "benchmarks": [


            "name": "benchmarkRsa4096EcbOaepSHA1AndMgf1Padding",

            "params": {},

            "className": "cz.vutbr.benchmark.AsymmetricDecryptionBenchmark",

            "totalRunTimeNs": 20873248463,

            "metrics": {

                "timeNs": {

                    "minimum": 242466000, 

                    "maximum": 284698307, 

                    "median": 245293231,

                    "runs": [







            "warmupIterations": 33,

            "repeatIterations": 1,

            "thermalThrottleSleepSeconds": 0








Note: Project group was supported by the Graduate School of Business National Research University Higher School of Economics. 


Dataset with diverse type of attacks in Programmable Logic Controllers:

1- Denial of Service 

  • Flooding
  • Amplification/Volumetric

2- Man in the Middle


The full documentation of the dataset is available at: 


The dataset if composed of several files regarding the DoS attacks and MiTM attacks.


A sample CSV file is also provided to illustrate the contents of the collected data. The majority of data is available at pcap format.


Full instructions are available at: 


Datasets as described in the research paper "Intrusion Detection using Network Traffic Profiling and Machine Learning for IoT Applications".There are two main dataset provided here, firstly is the data relating to the initial training of the machine learning module for both normal and malicious traffic, these are in binary visulisation format, compresed into the document


Each dataset is provided in compressed ZIP files, no password protection is present and no malicious files are contained herein, only their network traffic and image representations relevant to the project.