IoT-deNAT: Outbound flow-based network traffic data of IoT and non-IoT devices behind a home NAT

This dataset is comprised of NetFlow records, which capture the outbound network traffic of 8 commercial IoT devices and 5 non-IoT devices, collected during a period of 37 days in a lab at Ben-Gurion University of The Negev. The dataset was collected in order to develop a method for telecommunication providers to detect vulnerable IoT models behind home NATs. Each NetFlow record is labeled with the device model which produced it; for research reproducibilty, each NetFlow is also allocated to either the "training" or "test" set, in accordance with the partitioning described in: Y. Meidan, V. Sachidananda, H. Peng, R. Sagron, Y. Elovici, and A. Shabtai, A novel approach for detecting vulnerable IoT devices connected behind a home NAT, Computers & Security, Volume 97, 2020, 101968, ISSN 0167-4048, https://doi.org/10.1016/j.cose.2020.101968. (http://www.sciencedirect.com/science/article/pii/S0167404820302418)   Please note: The dataset itself is free to use, however users are requested to cite the above-mentioned paper, which describes in detail the research objectives as well as the data collection, preparation and analysis. Following is a brief description of the features used in this dataset.   # NetFlow features, used in the related paper for analysis 'FIRST_SWITCHED': System uptime at which the first packet of this flow was switched 'IN_BYTES': Incoming counter for the number of bytes associated with an IP Flow 'IN_PKTS': Incoming counter for the number of packets associated with an IP Flow 'IPV4_DST_ADDR': IPv4 destination address 'L4_DST_PORT': TCP/UDP destination port number 'L4_SRC_PORT': TCP/UDP source port number 'LAST_SWITCHED': System uptime at which the last packet of this flow was switched 'PROTOCOL': IP protocol byte (6: TCP, 17: UDP) 'SRC_TOS': Type of Service byte setting when there is an incoming interface 'TCP_FLAGS': Cumulative of all the TCP flags seen for this flow   # Features added by the authors 'IP': Prefix of the destination IP address, representing the network (without the host) 'DURATION': Time (seconds) between first/last packet switching   # Label 'device_model': ..   # Partition 'partition': Training or test   # Additional NetFlow features (mostly zero-variance) 'SRC_AS': Source BGP autonomous system number 'DST_AS': Destination BGP autonomous system number 'INPUT_SNMP': Input interface index 'OUTPUT_SNMP': Output interface index 'IPV4_SRC_ADDR': IPv4 source address 'MAC': MAC address of the source   # Additional data 'category': IoT or non-IoT 'type': IoT, access_point, smartphone, laptop 'date': Datepart of FIRST_SWITCHED 'inter_arrival_time': Time (seconds) between successive flows of the same device (identified by its MAC address)