The growing adoption of the Internet of Things (IoT) has brought a significant increase in attacks targeting these devices. Machine learning (ML) methods have shown promising results for intrusion detection; however, the scarcity of IoT datasets remains a limiting factor in developing ML-based security systems for IoT scenarios. Static datasets become outdated as IoT architectures and the threat landscape evolve; meanwhile, the testbeds used to generate them are rarely published. This paper presents the Gotham testbed, a reproducible and flexible security testbed that can be extended to accommodate new emulated devices, services or attackers. Gotham is used to build an IoT scenario composed of 100 emulated devices communicating via MQTT, CoAP and RTSP protocols, among others, in a topology composed of 30 switches and 10 routers. The scenario presents three threat actors, including the entire Mirai botnet lifecycle and additional red-teaming tools performing DoS, scanning, and attacks targeting IoT protocols. The testbed serves many purposes, including use as a cyber range, testing security solutions, and capturing network and application data to generate datasets. We hope that researchers can leverage and adapt Gotham to include other devices, state-of-the-art attacks and topologies, and share scenarios and datasets that reflect current IoT settings and the current threat landscape.