Published July 1, 2020 | Version 1.0
Dataset Restricted

IoT-deNAT: Outbound flow-based network traffic data of IoT and non-IoT devices behind a home NAT

  • 1. Ben-Gurion University of the Negev
  • 2. National University of Singapore


Data collector:

Project manager:


  • 1. Ben-Gurion University of the Negev


This dataset is comprised of NetFlow records, which capture the outbound network traffic of 8 commercial IoT devices and 5 non-IoT devices, collected during a period of 37 days in a lab at Ben-Gurion University of The Negev. The dataset was collected in order to develop a method for telecommunication providers to detect vulnerable IoT models behind home NATs. Each NetFlow record is labeled with the device model which produced it; for research reproducibilty, each NetFlow is also allocated to either the "training" or "test" set, in accordance with the partitioning described in:

Y. Meidan, V. Sachidananda, H. Peng, R. Sagron, Y. Elovici, and A. Shabtai, A novel approach for detecting vulnerable IoT devices connected behind a home NAT, Computers & Security, Volume 97, 2020, 101968, ISSN 0167-4048, (


Please note:

  • The dataset itself is free to use, however users are requested to cite the above-mentioned paper, which describes in detail the research objectives as well as the data collection, preparation and analysis.
  • Following is a brief description of the features used in this dataset.


# NetFlow features, used in the related paper for analysis

'FIRST_SWITCHED': System uptime at which the first packet of this flow was switched
'IN_BYTES': Incoming counter for the number of bytes associated with an IP Flow
'IN_PKTS': Incoming counter for the number of packets associated with an IP Flow
'IPV4_DST_ADDR': IPv4 destination address
'L4_DST_PORT': TCP/UDP destination port number
'L4_SRC_PORT': TCP/UDP source port number
'LAST_SWITCHED': System uptime at which the last packet of this flow was switched
'PROTOCOL': IP protocol byte (6: TCP, 17: UDP)
'SRC_TOS': Type of Service byte setting when there is an incoming interface
'TCP_FLAGS': Cumulative of all the TCP flags seen for this flow


# Features added by the authors

'IP': Prefix of the destination IP address, representing the network (without the host)
'DURATION': Time (seconds) between first/last packet switching


# Label
'device_model': <type>.<manufacturer>.<model number>


# Partition
'partition': Training or test


# Additional NetFlow features (mostly zero-variance)
'SRC_AS': Source BGP autonomous system number
'DST_AS': Destination BGP autonomous system number
'INPUT_SNMP': Input interface index
'OUTPUT_SNMP': Output interface index
'IPV4_SRC_ADDR': IPv4 source address
'MAC': MAC address of the source


# Additional data
'category': IoT or non-IoT
'type': IoT, access_point, smartphone, laptop
'date': Datepart of FIRST_SWITCHED
'inter_arrival_time': Time (seconds) between successive flows of the same device (identified by its MAC address)



The record is publicly accessible, but files are restricted to users with access.

Request access

If you would like to request access to these files, please fill out the form below.

You need to satisfy these conditions in order for this request to be accepted:

This dataset is intended to enable scientific reproducibility in the domain of (NATed) IoT model identification.

Anyone who uses this dataset is requested to cite the following related paper:

title = "A novel approach for detecting vulnerable IoT devices connected behind a home NAT",
journal = "Computers & Security",
volume = "97",
pages = "101968",
year = "2020",
issn = "0167-4048",
doi = "",
url = "",
author = "Yair Meidan and Vinay Sachidananda and Hongyi Peng and Racheli Sagron and Yuval Elovici and Asaf Shabtai",
keywords = "Internet of things (IoT), Device identification, Network address translation (NAT), Machine learning, DeNAT"

You are currently not logged in. Do you have an account? Log in here

Additional details


CONCORDIA – Cyber security cOmpeteNCe fOr Research anD InnovAtion 830927
European Commission


  • Meidan et al. (2020). A Novel Approach for Detecting Vulnerable IoT Devices Connected Behind a Home NAT. Computers & Security