Papers
Topics
Authors
Recent
Search
2000 character limit reached

CICIoMT2024: Benchmark Dataset for IoMT Security

Updated 8 July 2026
  • CICIoMT2024 is a benchmark dataset for IoMT intrusion detection research, featuring multi-protocol traffic from both real and simulated devices.
  • It offers structured, tabular data with variable feature dimensions to support binary, multiclass, and novelty detection evaluations.
  • The dataset has been utilized across diverse methodologies including incremental federated learning, deep learning, and explainable machine learning.

CICIoMT2024 is a publicly available benchmark dataset for intrusion-detection research in the Internet of Medical Things (IoMT). It is described as a multi-protocol corpus created by the Canadian Institute for Cybersecurity (CIC) to support security assessment in healthcare-oriented connected-device environments, and it has been used for conventional IDS benchmarking, zero-day and novelty detection, explainable machine learning, incremental federated learning under concept drift, and multiclass attack classification (Uddin et al., 14 Aug 2025, Yacoubi et al., 10 Sep 2025, Rehman et al., 11 Mar 2026). In the literature, the dataset name appears in both the forms CICIoMT2024 and CICIOMT2024 (Yacoubi et al., 10 Sep 2025).

1. Origin, provenance, and intended scope

CICIoMT2024 is attributed to the Canadian Institute for Cybersecurity, University of New Brunswick, and is linked in downstream studies to the publication by Dadkhah et al., Internet of Things, vol. 28, 2024, article 101351, with DOI 10.1016/j.iot.(2024.10135)1 (Yacoubi et al., 10 Sep 2025, Rehman et al., 11 Mar 2026). Another cited form is the preprint “Ciciomt2024: Attack vectors in healthcare devices—a multi-protocol dataset for assessing IoMT device security” (Uddin et al., 14 Aug 2025). A downstream study also provides the CIC dataset page https://www.unb.ca/cic/datasets/iomt-dataset-2024.html as an access point (Gueriani et al., 6 Apr 2026).

The dataset’s stated purpose is security assessment in IoMT environments rather than generic enterprise networking. Multiple papers describe that focus in complementary ways. One characterizes it as “a benchmark dataset for multi-protocol security assessment in IoMT” (Rehman et al., 11 Mar 2026). Another emphasizes that it targets connected medical devices, home automation supporting patient monitoring, network infrastructure, and auxiliary hardware relevant to hospital and home-care ecosystems (Yacoubi et al., 10 Sep 2025). A further study frames it as addressing gaps left by general-purpose intrusion corpora and IoT-only datasets by centering medical IoT traffic, device operating states, and protocol diversity characteristic of healthcare deployments (Chandekar et al., 17 Feb 2025).

The capture setting is likewise described as healthcare-grade and heterogeneous. One study reports traffic from 40 devices, of which 25 were real and 15 simulated, communicating over Wi‑Fi, MQTT, and Bluetooth (Rehman et al., 11 Mar 2026). Another emphasizes Wi‑Fi–enabled IoMT devices and simulated MQTT-based devices (Uddin et al., 14 Aug 2025). Taken together, these descriptions establish the dataset as an IoMT-specific benchmark with explicit protocol diversity and mixed real/simulated device participation.

2. Traffic modalities, feature spaces, and label representations

CICIoMT2024 is used primarily as a tabular network-traffic dataset. Downstream modeling papers consistently treat it as a structured feature matrix derived from network traces rather than as raw payload corpora or system-log collections (Uddin et al., 14 Aug 2025, Yacoubi et al., 10 Sep 2025). One explainability study reports 46 features spanning network-flow and protocol-level attributes (Yacoubi et al., 10 Sep 2025). A federated-learning study reports a 45-feature structured representation after cleaning, normalization, and label encoding (Rehman et al., 11 Mar 2026). A hybrid deep-learning study, using a six-class subset, reports 83 input features with an input shape of 83×1 after dropping Attack_type, Attack_label, and frame.time from the inputs (Gueriani et al., 6 Apr 2026).

These differing dimensionalities are a central characteristic of the published use of CICIoMT2024. They are not presented as a single unified schema across all studies. A plausible implication is that researchers are operating on different exports, cleaned variants, or subset-specific feature pipelines rather than a universally fixed feature matrix.

Feature semantics reported through XAI analyses include IAT, Rate, Srate/srate, rst_count, psh_flag_number, ece_flag_number, Header_Length, and protocol indicators or counters such as ARP, DHCP, IRC, and HTTP (Yacoubi et al., 10 Sep 2025). The same paper also notes statistical descriptors such as Variance, Min, Number, Magnitude, and Weight. Another study describes the corpus as including multi-protocol data, attack-specific data, time-series data reflecting active/idle device states, and device-specific Bluetooth power/behavior profiles (Chandekar et al., 17 Feb 2025). This suggests that the dataset is not only multi-class but also methodologically useful for flow-based, sequence-based, and device-centric anomaly-detection paradigms.

Labeling is also used at multiple granularities. Binary benign vs. attack tasks are common (Yacoubi et al., 10 Sep 2025, Rehman et al., 11 Mar 2026). Other studies use attack-family or subtype labels for multiclass classification (Uddin et al., 14 Aug 2025, Rehman et al., 11 Mar 2026). One study consolidates the data into six classes—Normal traffic, DDoS UDP flood, DoS UDP flood, MITM, MQTT, Recon—for a subset-based benchmark (Gueriani et al., 6 Apr 2026). Because this six-class subset does not match the full family taxonomy reported elsewhere, it should be understood as a study-specific reformulation rather than the canonical label space of the dataset.

3. Attack taxonomy and class composition

A detailed taxonomy is reported in the hierarchical IDS study. It describes one benign class and five attack families: DoS, DDoS, Reconnaissance, Spoofing, and MQTT-based attacks, with the statement that “each category is further divided into 18 specific attack subtypes” (Uddin et al., 14 Aug 2025). A federated-learning study gives an explicit family-level grouping of those sub-attacks and notes that MQTT‑DoS‑Publish_Flood was removed after cleaning because no valid instances remained (Rehman et al., 11 Mar 2026).

The subtype inventory reported across these papers includes: ARP Spoofing; Ping Sweep, Recon VulScan, OS Scan, Port Scan; Malformed Data, DoS Connect Flood, DDoS Publish Flood, DoS Publish Flood for MQTT; DoS TCP, DoS ICMP, DoS SYN, DoS UDP; and DDoS SYN, DDoS TCP, DDoS UDP, DDoS ICMP (Uddin et al., 14 Aug 2025).

One paper reports a total of 9,378,297 records and provides named class counts and percentages, highlighting severe imbalance, especially for Ping Sweep at approximately 0.01% (Uddin et al., 14 Aug 2025).

Class or subtype Records Share
Benign 1,048,575 11.19%
Ping Sweep 926 ≈0.01%
DDoS UDP 1,998,026 21.30%
DDoS SYN 974,359 10.39%
DDoS TCP 987,063 10.53%
DoS UDP 704,503 7.51%
DoS SYN 540,498 5.76%
DoS ICMP 514,724 5.49%
DoS TCP 462,480 4.94%
Port Scan 106,603 1.14%
OS Scan 20,666 0.22%
Recon VulScan 3,207 0.03%
MQTT DoS Publish Flood 52,881 0.56%
MQTT DDoS Publish Flood 36,039 0.38%
MQTT DoS Connect Flood 15,904 0.17%
MQTT Malformed Data 6,877 0.07%
ARP Spoofing 717,791 percentage inconsistent in source table
Total 9,378,297 100%

This composition has two implications for benchmark design. First, class imbalance is structurally significant rather than incidental. Second, the dataset supports evaluation at both family level and fine-grained subtype level, which explains why some studies report binary or six-class results while others use deeper hierarchical or subtype-aware classification pipelines.

4. Preprocessing, splitting, and evaluation protocols

Published workflows on CICIoMT2024 vary substantially in preprocessing. One study applies Min–Max scaling to every feature according to

Xnorm=XXminXmaxXmin,X_{norm} = \frac{X - X_{min}}{X_{max} - X_{min}},

with the stated goal of balancing feature ranges and preventing large-value features from dominating training (Uddin et al., 14 Aug 2025). A federated-learning study also uses Min–Max scaling, removes rows with missing/NA values, and applies label encoding to categorical attributes with consistent mappings across time periods and clients (Rehman et al., 11 Mar 2026). By contrast, an ensemble anomaly-detection paper reports feature-wise mean imputation for missing or infinite values, StandardScaler, and a sliding window length of 4 for LSTM and CNN-LSTM models (Chandekar et al., 17 Feb 2025). A six-class deep-learning study reports LabelEncoder for protocol-related categorical fields and for the target variable, but does not describe normalization or missing-value handling (Gueriani et al., 6 Apr 2026).

Splitting strategies also differ. The hierarchical IDS paper uses stratified 10-fold cross-validation and averages performance across folds (Uddin et al., 14 Aug 2025). The explainable ensemble paper samples 1,000,000 rows and applies a 70% train / 30% test split (Yacoubi et al., 10 Sep 2025). The federated-learning study uses an initial 80% training / 20% testing split stratified by the attack label, then further distributes time-segmented data across 5 IID clients, with 15 global rounds, 100 local epochs, and FedAvg aggregation (Rehman et al., 11 Mar 2026). The SE-ViT-BiLSTM study uses 80% training / 20% validation on a preprocessed subset and does not report a separate test set (Gueriani et al., 6 Apr 2026).

Benchmark protocols extend beyond conventional supervised learning. The zero-day IDS paper withholds one attack family at a time to simulate novelty at test time, both in meta-learning and in one-class anomaly-detection settings (Uddin et al., 14 Aug 2025). The federated-learning paper constructs explicit temporal drift through periods t0–t6, progressively introducing MQTT, DoS, DDoS, Recon, and Spoofing families (Rehman et al., 11 Mar 2026). These protocols make CICIoMT2024 a benchmark not only for static classification but also for novelty detection, concept drift, catastrophic forgetting, and continual learning.

5. Representative research results on the dataset

CICIoMT2024 has been used to evaluate several distinct IDS paradigms. A hierarchical zero-day IDS reports 99.77 percentage accuracy and 97.8 percentage F1-score, with a near-edge first layer designed to detect zero-day attacks without retraining on new datasets (Uddin et al., 14 Aug 2025). An explainable binary classifier benchmark on 1,000,000 rows reports for Random Forest: 99.92% accuracy, 99.97% precision, 99.95% recall, 99.96% F1-score, 100.00% ROC-AUC, and 140 s training time; for CatBoost it reports 99.90% accuracy, 99.97% precision, 99.93% recall, 99.95% F1-score, 100.00% ROC-AUC, and 23 s training time (Yacoubi et al., 10 Sep 2025).

Under explicit concept drift, incremental federated-learning results are materially lower, which reflects a harder task. In binary classification, representative incremental learning achieves 95.73% average accuracy, cumulative incremental learning 93.30%, and retention-based methods 91.92–92.74% (Rehman et al., 11 Mar 2026). In the multiclass six-label setting, cumulative incremental learning reaches 66.7% average accuracy, representative incremental learning 64.5%, and retention-based methods 61.0–64.6% (Rehman et al., 11 Mar 2026). These results show that CICIoMT2024 supports substantially more difficult non-stationary evaluations than static binary detection.

A hybrid SE ViT-BiLSTM model evaluated on a six-class subset reports 96.10% accuracy, 0.1440 loss, 96.10% precision, 96.10% recall, 96.10% F1-score, 0.0223% FPR, and 0.00053 sec/instance latency before balancing; after RandomOverSampler, it reports 98.16% accuracy, 0.0578 loss, 98.16% precision, 98.16% recall, 98.15% F1-score, 0.0036% FPR, and 0.00014 sec/instance latency (Gueriani et al., 6 Apr 2026). An ensemble anomaly-detection study reports that on attack-specific data, stacking with XGBoost achieved test accuracy reported as 1.0, while on time-series active/idle data Logistic Regression achieved approximately 84% accuracy and LSTM/CNN-LSTM each approximately 76% (Chandekar et al., 17 Feb 2025).

Direct comparison across these results requires caution. The studies do not share a single task definition, feature dimensionality, split protocol, or label space. Aggregate metrics therefore measure different problems rather than a single leaderboard.

6. Interpretive issues, limitations, and position within the IDS benchmark landscape

The main strength of CICIoMT2024, as represented in the current literature, is its IoMT specificity combined with multi-protocol breadth. Papers contrast it implicitly or explicitly with general-purpose datasets such as CICIDS2017 and with more botnet-centered IoT corpora such as BoT-IoT or MedBIoT, arguing that CICIoMT2024 is more aligned with medical-device ecosystems, hospital infrastructure, and mixed healthcare/home-monitoring environments (Yacoubi et al., 10 Sep 2025, Chandekar et al., 17 Feb 2025). It is therefore particularly suitable when research questions depend on heterogeneous protocols, healthcare-relevant attack vectors, or device-context realism.

At the same time, the downstream literature identifies several limitations. Feature schemas are often incompletely enumerated; one paper explicitly states that the full feature list is not provided (Uddin et al., 14 Aug 2025). Exact class prevalences are not always reported, even when binary metrics are near-perfect (Yacoubi et al., 10 Sep 2025). Licensing, file layout, and documentation details are frequently deferred to the CIC portal rather than specified in the experimental papers (Yacoubi et al., 10 Sep 2025, Rehman et al., 11 Mar 2026, Gueriani et al., 6 Apr 2026). One explainability study explicitly warns that extremely high aggregate metrics warrant checks for temporal leakage, duplicated flows, or overlapping sessions across train and test splits (Yacoubi et al., 10 Sep 2025).

A second interpretive issue is the plurality of study-specific dataset variants. Reported representations span 45, 46, and 83 features; some studies use the full family hierarchy, others cap samples per class, and one uses a six-class subset containing MITM, which is not part of the five-family taxonomy reported elsewhere (Rehman et al., 11 Mar 2026, Yacoubi et al., 10 Sep 2025, Gueriani et al., 6 Apr 2026). This suggests that reproducibility on CICIoMT2024 depends heavily on reporting the exact cleaned export, feature pipeline, and label consolidation strategy.

For research practice, the published record points to a consistent set of priorities: document imbalance handling, preserve stratification or time awareness in splits, report per-class behavior rather than only aggregate accuracy, and specify whether evaluation targets known-attack classification, zero-day novelty detection, or evolving-threat adaptation. Within those constraints, CICIoMT2024 has become a reference dataset for IoMT IDS research because it supports all three regimes within a single healthcare-centered, multi-protocol benchmark (Uddin et al., 14 Aug 2025, Yacoubi et al., 10 Sep 2025, Rehman et al., 11 Mar 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to CICIoMT2024 Dataset.