Network Intrusion Datasets: A Survey, Limitations, and Recommendations

TL;DR

This paper systematically reviews 89 network intrusion detection datasets, analyzing their properties, limitations, and suitability to guide future research and improve data quality in cybersecurity.

Contribution

It provides a comprehensive comparison of datasets, discusses domain challenges, and offers best practices for dataset selection and generation in NIDS research.

Findings

Many datasets remain underutilized and poorly understood.

Data limitations hinder the development of robust NIDS.

Best practices can improve dataset quality and research outcomes.

Abstract

Data-driven cyberthreat detection has become a crucial defense technique in modern cybersecurity. Network defense, supported by Network Intrusion Detection Systems (NIDSs), has also increasingly adopted data-driven approaches, leading to greater reliance on data. Despite the importance of data, its scarcity has long been recognized as a major obstacle in NIDS research. In response, the community has published many new datasets recently. However, many of them remain largely unknown and unanalyzed, leaving researchers uncertain about their suitability for specific use cases. In this paper, we aim to address this knowledge gap by performing a systematic literature review (SLR) of 89 public datasets for NIDS research. Each dataset is comparatively analyzed across 13 key properties, and its potential applications are outlined. Beyond the review, we also discuss domain-specific challenges and common data limitations to facilitate a critical view on data quality. To aid in data selection, we conduct a dataset popularity analysis in contemporary state-of-the-art NIDS research. Furthermore, the paper presents best practices for dataset selection, generation, and usage. By providing a comprehensive overview of the domain and its data, this work aims to guide future research toward improving data quality and the robustness of NIDS solutions.