WUSTL EHMS 2020 Dataset for Internet of Medical Things (IoMT) Cybersecurity Research

The WUSTL-EHMS-2020 dataset was created using a real-time Enhanced Healthcare Monitoring System (EHMS) testbed [1]. This testbed collects both the network flow metrics and patients' biometrics due to the scarcity of a dataset that combines these biometrics.

The EHMS testbed is divided into four parts: medical sensors, gateway, network, and control with visualization, as shown in Fig. 1. The data flow starts from the sensors attached to the patent's body, to the gateway. Then the gateway sends the data to the server for visualization via the switch and router. An attacker can intercept these data before they arrive at the server. The Intrusion Detection System (IDS) is responsible for capturing the real-time network flow traffic and the patient's biometric data and abnormalities detection.

EHMS Testbed
Figure 1: EHMS Testbed

The type of attacks included in this dataset is man-in-the-middle attacks: spoofing and data injection. The spoofing attack is only to sniff the packets between the gateway and the server, which violates the patient's data confidentiality. The data injection attack is used to modify the packets on-the-fly, which violates the data's integrity.

The network flow traffic and the patient's biometric data were captured and stored as a "CSV" file by the Audit Record Generation and Utilization System (ARGUS) tool [2]. Table 1 presents the statistical information on the WUSTL-EHMS-2020 dataset. This dataset consists of 44 features where 35 features are network flow metrics, eight patients' biometric features, and one feature for the label [1]. We used the Source MAC address feature to label the data where the samples with the attacker laptop MAC addresses are labeled as 1, while the rest as 0.

Table 1: Dataset Statistical Information
Measurement Value
Dataset size 4.4 MB
Number of normal samples 14,272 (87.5%)
Number of attack samples   2,046 (12.5%)
Total number of samples 16,318

Download the WUSTL-EHMS-2020 dataset from HERE (4,404,265 bytes)

Acknowledgment: This work has been supported in part by the grant ID NPRP-10-0125-170250 funded by the Qatar National Research Fund (QNRF), in part by the NSF under Grant CNS-1718929, and in part by the United States Agency for International Development, Ministry of Higher Education, Egypt, and in part by Prince Sattam Bin Abdulaziz University, AlKharj, Saudi Arabia. The statements made herein are solely the responsibility of the authors.


  1. A. A. Hady, A. Ghubaish, T. Salman, D. Unal and R. Jain, "Intrusion Detection System for Healthcare Systems Using Medical and Network Data: A Comparison Study," in IEEE Access, vol. 8, pp. 106576-106584, 2020, doi: 10.1109/ACCESS.2020.3000421. https://ieeexplore.ieee.org/document/9109651
  2. Argus. Available online: https://openargus.org (accessed Nov. 13, 2020).

Back to Raj Jain's home page