In IoT network attack detection, feature inconsistency across heterogeneous flow exporters undermines model generalization and robustness. Method: This paper proposes a feature-consistency framework based on raw PCAP reprocessing: leveraging the HERA tool to uniformly parse and perform fine-grained flow labeling on Bot-IoT, IoT-23, and CICIoT23 datasets, thereby extracting standardized, exporter-agnostic features; subsequently, a Bagging–gradient-boosted decision tree ensemble is employed for modeling. Results: Experiments demonstrate significant improvements in cross-dataset detection accuracy and stability, validating that low-level traffic reconstruction and feature standardization critically enhance ML model robustness. The core contribution lies in unifying the feature generation pipeline at the PCAP source—bypassing heterogeneous flow exporters—thereby effectively mitigating dataset shift and evaluation bias.

To ensure that Machine Learning (ML) models can perform a robust detection and classification of cyberattacks, it is essential to train them with high-quality datasets with relevant features. However, it can be difficult to accurately represent the complex traffic patterns of an attack, especially in Internet-of-Things (IoT) networks. This paper studies the impact that seemingly similar features created by different network traffic flow exporters can have on the generalization and robustness of ML models. In addition to the original CSV files of the Bot-IoT, IoT-23, and CICIoT23 datasets, the raw network packets of their PCAP files were analysed with the HERA tool, generating new labelled flows and extracting consistent features for new CSV versions. To assess the usefulness of these new flows for intrusion detection, they were compared with the original versions and were used to fine-tune multiple models. Overall, the results indicate that directly analysing and preprocessing PCAP files, instead of just using the commonly available CSV files, enables the computation of more relevant features to train bagging and gradient boosting decision tree ensembles. It is important to continue improving feature extraction and feature selection processes to make different datasets more compatible and enable a trustworthy evaluation and comparison of the ML models used in cybersecurity solutions.