This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.


ISOT Botnet Dataset
External Dataset
External Data Source
University of Victoria
56 (lowest rank is 56)

Category & Restrictions

malicious traffic, network data, cyber attack, honeypots, cyber defense


The ISOT Botnet dataset is the combination of several existing publicly available malicious and non-malicious datasets.

Two separate datasets containing malicious traffic from the French chapter of the honeynet project [1] involving the Storm and Waledac botnets were used. Waledac is currently one of the most prevalent P2P botnets and is widely considered as the successor of the Storm botnet with a more decentralized communication protocol. Unlike Storm using overnet as a communication channel, Waledac utilizes HTTP communication and a fast-flux based DNS network exclusively. To represent non-malicious, everyday usage traffic, two different were incorporated datasets, one from the Traffic Lab at Ericsson Research in Hungary [2] and the other from the Lawrence Berkeley National Lab (LBNL) [3]. The Ericsson Lab dataset contains a large number of general traffic from a variety of applications, including HTTP web browsing behavior, World of Warcraft gaming packets, and packets from popular bittorrent clients such as Azureus. We also incorporated all the datasets from the LBNL trace data to provide additional non-malicious background traffic.

Additional Details

dataset, botnet, isot, 1281, isot botnet dataset, inferlink, external, corporation, external data source, inferlink corporation, source, malicious, datasets, existing, combination, publicly, traffic, communication, lab, storm, waledac, packets, http, ericsson, lbnl, botnets, incorporated, gaming, popular, behavior, national, project, web, variety, trace, channel, applications, p2p, represent, azureus, prevalent, considered, usage, berkeley, fast, flux, everyday, bittorrent, hungary, network, exclusively, based, background, provide, browsing, utilizes, warcraft, decentralized, including, overnet, separate, french, protocol, involving, honeynet, additional, lawrence, clients, successor, other, chapter, dns