FlowIoMT

The FlowIoMT dataset captures over 1.4 million flow records with approximately 30 flow-level features, representing benign and attack traffic in Internet of Medical Things (IoMT) networks. It focuses specifically on reconnaissance and ARP spoofing attacks, two stealthy and underrepresented threat vectors in healthcare environments. FlowIoMT demonstrates how low-rate, non-volumetric attacks can compromise medical network integrity, making it highly valuable for intrusion detection, anomaly detection, and IoMT security research.

Context

  • The FlowIoMT dataset was generated in a controlled IoMT testbed designed to emulate realistic medical device communications and early-stage cyberattacks.
  • Unlike datasets dominated by volumetric DDoS or flooding attacks, FlowIoMT targets subtle and stealthy intrusions that commonly precede major compromises in healthcare networks. The dataset captures how attackers perform network reconnaissance (e.g., scanning and service probing) and ARP spoofing–based man-in-the-middle (MITM) attacks against medical devices such as patient monitors and infusion controllers, without overwhelming traffic volume.
  • This design reflects real-world attack surfaces in medical environments, where low-rate attacks pose significant safety and privacy risks while remaining difficult to detect.

Dataset Composition

  • Number of samples: 1,434,347 flow records
  • Classes: Normal traffic and Attack traffic (Reconnaissance and ARP Spoofing)
  • Features: ~30 flow-level features extracted using Argus
  • Data format: CSV (machine learning–ready)
  • Granularity: Flow/session-level (not packet-level)

Feature Descriptions

The FlowIoMT dataset includes flow-level statistical, temporal, and protocol-related features such as:

  • Dur – Flow duration (seconds)
  • SrcBytes – Bytes sent from source to destination
  • DstBytes – Bytes sent from destination to source
  • SrcPkts – Packets from source to destination
  • DstPkts – Packets from destination to source
  • TotBytes – Total bytes in the flow
  • TotPkts – Total packets in the flow
  • SrcRate – Packet rate from source to destination
  • DstRate – Packet rate from destination to source
  • Load – Bits per second over the flow
  • Proto – Transport protocol (TCP/UDP)
  • State – Connection state (Argus-defined)
  • IdleTime – Flow idle time

These features preserve privacy while enabling accurate behavioral modeling and real-time intrusion detection.
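A minimal loader for the two CSV files, added here as an illustration and not taken from the dataset authors: it merges normal and attack flows, attaches a binary label, and rejects rows that violate the totals implied by the feature definitions above. The header spelling, the 0/1 label encoding, and the function names are assumptions, and the sample rows are constructed.

```python
import csv
import io
import math

# Column names as listed under "Feature Descriptions"; the exact header
# spelling in the published CSV files is an assumption.
INT_COLS = ("SrcBytes", "DstBytes", "SrcPkts", "DstPkts", "TotBytes", "TotPkts")

def check_flow(row):
    """Return the list of consistency problems found in one typed flow row."""
    problems = []
    if any(row[c] < 0 for c in INT_COLS) or not (math.isfinite(row["Dur"]) and row["Dur"] >= 0):
        problems.append("negative counter or invalid duration")
    if row["TotBytes"] != row["SrcBytes"] + row["DstBytes"]:
        problems.append("TotBytes != SrcBytes + DstBytes")
    if row["TotPkts"] != row["SrcPkts"] + row["DstPkts"]:
        problems.append("TotPkts != SrcPkts + DstPkts")
    return problems

def parse_flows(csv_text, label):
    """Return (clean_rows, rejects); each clean row carries a 'Label' key."""
    clean, rejects = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for lineno, raw in enumerate(reader, start=2):  # line 1 is the header
        try:
            row = {c: int(raw[c]) for c in INT_COLS}
            row["Dur"] = float(raw["Dur"])
        except (KeyError, TypeError, ValueError):
            rejects.append((lineno, "missing or non-numeric field"))
            continue
        problems = check_flow(row)
        if problems:
            rejects.append((lineno, "; ".join(problems)))
            continue
        row["Label"] = label  # assumed encoding: 0 = normal, 1 = attack
        clean.append(row)
    return clean, rejects

def load_labelled(normal_text, attack_text):
    normal, bad_n = parse_flows(normal_text, 0)
    attack, bad_a = parse_flows(attack_text, 1)
    return normal + attack, {"normal": bad_n, "attack": bad_a}

# Constructed sample rows, not taken from IoMTnormal.csv or IoMTattack.csv.
HEADER = "Dur,Proto,SrcBytes,DstBytes,SrcPkts,DstPkts,TotBytes,TotPkts\n"
SAMPLE_NORMAL = HEADER + "0.52,tcp,900,880,3,3,1780,6\n0.00,udp,74,0,1,0,74,1"
SAMPLE_ATTACK = HEADER + "0.01,tcp,60,54,1,1,114,2\n0.30,tcp,120,60,2,1,999,3\n1.20,udp,,0,1,0,42,1"
```

With the real files, pass the contents of `IoMTnormal.csv` and `IoMTattack.csv` to `load_labelled` and inspect the reject lists before training.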

Descriptive Statistics (Selected Highlights)

  • Flow Duration (Dur): mean ≈ 0.52 s, max > 60 s
  • Total Packets (TotPkts): mean ≈ 6.1, max > 12,000
  • Total Bytes (TotBytes): mean ≈ 1,780, max > 15 MB
  • Packet Rate (Rate): mean ≈ 180 pps, max > 3,000,000 pps
  • Load: mean ≈ 1.9 Mbps, max > 10 Gbps

Download Link

IoMTattack.csv

IoMTnormal.csv

Citation

Lu, W., Lloyd, S., Yu, Q.Y.: FlowIoMT: A Flow-Level Dataset for Reconnaissance and ARP Spoofing Attacks in IoMT Networks. In: Proc. of the International Conference on Advanced Information Networking and Applications (AINA), Springer, Cham (2026).

---

## Notes
- Access to some datasets may require completing a data use agreement.
- For questions, please contact Dr. Wei Lu at wlu@usnh.edu.
