The dataset was systematically developed to capture memory-level behavioral dynamics of malware and benign processes through interval-based snapshot analysis. Unlike prior datasets that predominantly rely on static binaries or network-level observations, this dataset focuses on runtime memory behavior and process persistence, enabling a deeper understanding of how malicious activities evolve over time. It integrates diverse malware families and benign software, ensuring realistic and unbiased modeling of system-level threats in dynamic execution environments.

Captured and labeled 2 Data sources: Memory snapshot data and process-level behavioral logs
Testbed: Controlled execution environment with interval-based memory dumping across multiple time windows
Attack Profile: Eight malware categories, including Backdoor, Hoax, HackTool, Trojan, Worm, Virus, Rootkit, and Exploit, alongside benign software samples
Data size: 40 TB memory snapshots and associated behavioral records across multiple execution intervals
Data records: 2000 malware samples and 250 benign samples with varying persistence patterns across snapshots
Data capturing: Interval-based memory snapshot collection capturing transient and persistent process behaviors
Extracted Features: Memory and process-level features capturing temporal persistence, behavioral transitions, and execution patterns

This dataset introduces a temporal memory-based analysis framework, where malware and benign processes are observed across multiple time intervals to capture both transient and persistent behaviors. A novel representation of process persistence patterns (single, multiple, and timeout-based appearances across snapshots) enables fine-grained modeling of execution dynamics. By combining memory snapshots with behavioral logs, the dataset supports multi-perspective analysis of system-level activities, going beyond traditional static or network-based approaches. This design enables the development of advanced AI and LLM-based detection systems that leverage temporal evolution, contextual behavior, and cross-snapshot correlations to identify sophisticated malware that evades conventional detection mechanisms.

The dataset was systematically developed by augmenting and refining the Aposemat-Bot-IoT-23 dataset to address limitations in class imbalance, labeling consistency, and feature representation. Unlike prior datasets that include limited or uneven distributions of malware families, this dataset focuses on high-quality botnet traffic and benign behavior, ensuring reliable and scalable modeling of IoT botnet activities. It captures detailed network and transport-layer behaviors using protocol-aware flow representations, enabling comprehensive analysis of bot-driven cyber threats in IoT environments.

Captured and labeled 1 Data source: TCP/IP-based network traffic converted into bidirectional flow representations
Testbed: Real-world IoT network traffic scenarios from the Aposemat-Bot-IoT benchmark environment
Attacks Profile: Multiple botnet families including Mirai, Gagfyt, IRCBot, Kenjiro, Torii, Linux Mira, Okiru, and others, alongside benign traffic
Data size: Hundreds of millions of network flow records derived from large-scale PCAP files
Data records: Over 235 million malicious bot records in addition to benign traffic samples
Data capturing: Derived from labeled PCAP files with Zeek logs and flow reconstruction
Extracted Features: 315 flow-based features capturing packet-level, statistical, temporal, and bidirectional traffic characteristics.

This dataset introduces a robust flow-based representation framework using the NTLFlowLyzer analyzer, enabling the extraction of bidirectional, time-dependent behavioral features across the network and transport layers. A novel and precise labeling methodology was applied by aligning flow records with Zeek-generated logs using IP-port matching, thereby ensuring accurate binary and multi-class annotations. To address significant class imbalance and scalability challenges, a cluster-based undersampling (CBUS) strategy was employed to preserve the data's structural characteristics while maintaining computational feasibility. Furthermore, careful preprocessing steps, including the removal of ambiguous “suspicious” samples, normalization, and proportional sampling, ensure high-quality, reliable training data. This dataset supports the development of advanced AI and LLM-based intrusion detection systems, enabling behavior-centric, scalable, and realistic modeling of IoT botnet threats in complex network environments.

The dataset was systematically developed by integrating and augmenting multiple high-quality MQTT-based intrusion detection datasets, enabling a comprehensive and protocol-aware representation of IoT communication. Unlike prior datasets that predominantly focus on packet-level or TCP-based analysis with limited consideration of application-layer semantics, this dataset captures rich MQTT behavioral patterns by leveraging protocol-aware feature extraction and diverse attack scenarios across multiple sources.

Captured and labeled 1 Data source: MQTT-based network traffic transformed into protocol-aware flow representations
Source datasets: Combination of MQTTset, MQTT-IoT-IDS2020, and DoS/DDoS-MQTT-IoT datasets
Attacks Profile: Diverse MQTT-specific attacks including brute-force authentication, malformed messages, SlowITe flooding, scanning, and DoS/DDoS variants
Data size: Multi-gigabyte-scale PCAP data aggregated from multiple datasets
Data records: Millions of packets and MQTT flows across all categories
Data capturing: Aggregated from multiple benchmark datasets with controlled preprocessing and balancing
Extracted Features: 404 MQTT-aware features (reduced to 378 after preprocessing) capturing session behavior, message patterns, and bidirectional interactions

This dataset introduces a protocol-aware, flow-based representation via the MQTTFlowLyzer analyzer, enabling the extraction of temporal, statistical, and behavioral characteristics beyond traditional packet-level inspection. By incorporating MQTT semantics into flow construction, the dataset enables deeper modeling of session dynamics and message-level interactions, which are critical for detecting sophisticated attacks that mimic benign traffic. Furthermore, the dataset is designed to support advanced AI and LLM-based intrusion detection, where high-dimensional behavioral features can be leveraged by attention-based and deep tabular models for adaptive feature selection and contextual threat analysis. This framework facilitates the development of next-generation intrusion detection systems that move beyond isolated traffic analysis toward context-aware, protocol-sensitive security intelligence tailored for IoT environments.