Dataset Restricted Access

IoT-deNAT: Outbound flow-based network traffic data of IoT and non-IoT devices behind a home NAT

Meidan, Yair; Sachidananda, Vinay; Peng, Hongyi; Sagron, Racheli; Elovici, Yuval; Shabtai, Asaf

Data collector(s)
Meidan, Yair
Project manager(s)
Elovici, Yuval
Shabtai, Asaf

This dataset is comprised of NetFlow records, which capture the outbound network traffic of 8 commercial IoT devices and 5 non-IoT devices, collected during a period of 37 days in a lab at Ben-Gurion University of The Negev. The dataset was collected in order to develop a method for telecommunication providers to detect vulnerable IoT models behind home NATs. Each NetFlow record is labeled with the device model which produced it; for research reproducibilty, each NetFlow is also allocated to either the "training" or "test" set, in accordance with the partitioning described in:

Y. Meidan, V. Sachidananda, H. Peng, R. Sagron, Y. Elovici, and A. Shabtai, A novel approach for detecting vulnerable IoT devices connected behind a home NAT, Computers & Security, Volume 97, 2020, 101968, ISSN 0167-4048, (


Please note:

  • The dataset itself is free to use, however users are requested to cite the above-mentioned paper, which describes in detail the research objectives as well as the data collection, preparation and analysis.
  • Following is a brief description of the features used in this dataset.


# NetFlow features, used in the related paper for analysis

'FIRST_SWITCHED': System uptime at which the first packet of this flow was switched
'IN_BYTES': Incoming counter for the number of bytes associated with an IP Flow
'IN_PKTS': Incoming counter for the number of packets associated with an IP Flow
'IPV4_DST_ADDR': IPv4 destination address
'L4_DST_PORT': TCP/UDP destination port number
'L4_SRC_PORT': TCP/UDP source port number
'LAST_SWITCHED': System uptime at which the last packet of this flow was switched
'PROTOCOL': IP protocol byte (6: TCP, 17: UDP)
'SRC_TOS': Type of Service byte setting when there is an incoming interface
'TCP_FLAGS': Cumulative of all the TCP flags seen for this flow


# Features added by the authors

'IP': Prefix of the destination IP address, representing the network (without the host)
'DURATION': Time (seconds) between first/last packet switching


# Label
'device_model': <type>.<manufacturer>.<model number>


# Partition
'partition': Training or test


# Additional NetFlow features (mostly zero-variance)
'SRC_AS': Source BGP autonomous system number
'DST_AS': Destination BGP autonomous system number
'INPUT_SNMP': Input interface index
'OUTPUT_SNMP': Output interface index
'IPV4_SRC_ADDR': IPv4 source address
'MAC': MAC address of the source


# Additional data
'category': IoT or non-IoT
'type': IoT, access_point, smartphone, laptop
'date': Datepart of FIRST_SWITCHED
'inter_arrival_time': Time (seconds) between successive flows of the same device (identified by its MAC address)

Restricted Access

You may request access to the files in this upload, provided that you fulfil the conditions below. The decision whether to grant/deny access is solely under the responsibility of the record owner.

This dataset is intended to enable scientific reproducibility in the domain of (NATed) IoT model identification.

Anyone who uses this dataset is requested to cite the following related paper:

title = "A novel approach for detecting vulnerable IoT devices connected behind a home NAT",
journal = "Computers & Security",
volume = "97",
pages = "101968",
year = "2020",
issn = "0167-4048",
doi = "",
url = "",
author = "Yair Meidan and Vinay Sachidananda and Hongyi Peng and Racheli Sagron and Yuval Elovici and Asaf Shabtai",
keywords = "Internet of things (IoT), Device identification, Network address translation (NAT), Machine learning, DeNAT"

  • Meidan et al. (2020). A Novel Approach for Detecting Vulnerable IoT Devices Connected Behind a Home NAT. Computers & Security

All versions This version
Views 1,5281,528
Downloads 8484
Data volume 25.6 GB25.6 GB
Unique views 1,2561,256
Unique downloads 6161


Cite as