Advances, Systems and Applications

Table 6 Features in the NSL-KDD Dataset

From: A fog-edge-enabled intrusion detection system for smart grids

| Feature Category | Description |
| --- | --- |
| Basic Features | |
| Duration | The length of the connection in seconds (continuous) |
| Protocol Type | The protocol used in the connection (categorical: TCP, UDP, ICMP) |
| Service | The network service on the destination machine (categorical) |
| Flag | The status of the connection (categorical) |
| Source Bytes | The number of data bytes sent by the source (continuous) |
| Destination Bytes | The number of data bytes sent by the destination (continuous) |
| Land | Indicator of a connection from/to the same host/port (categorical: 0, 1) |
| Content-Based Features | |
| Source IP Address | The IP address of the source machine (categorical) |
| Destination IP Address | The IP address of the destination machine (categorical) |
| Source Port Number | The port number used by the source machine (continuous) |
| Destination Port Number | The port number used by the destination machine (continuous) |
| Number of Failed Logins | The count of failed login attempts (continuous) |
| Number of Successful Logins | The count of successful login attempts (continuous) |
| Number of Root Shell | The count of root shell accesses (continuous) |
| Number of File Creations | The count of file creation operations (continuous) |
| Number of Sudo | The count of sudo (superuser) commands executed (continuous) |
| Traffic-Based Features | |
| Number of Inbound Connections | The count of inbound connections to the same host/IP address (continuous) |
| Number of Outbound Connections | The count of outbound connections from the same host/IP address (continuous) |
| Number of Same Service Connections | The count of connections to the same service (continuous) |
| Number of Same Host Connections | The count of connections to the same host (continuous) |
| Number of Same Host with Same Service Connections | The count of connections to the same host and service (continuous) |
| Attack Types | |
| DoS | Denial of Service |
| R2L | Remote-to-Local |
| U2R | User-to-Root |
| Probing | Probing Attacks |