| Feature | Description | Type | Feature | Description | Type | ||
| 1 | Duration | Duration of the connection | Cont. | 22 | Is guest login | 1 if the login is a “guest” login; 0 otherwise | Disc. |
| 2 | Protocol type | Connection protocol (e.g. tcp, udp) | Disc. | 23 | Count | Number of connections to the same host as the current connection in the past two seconds | Cont. |
| 3 | Service | Destination servfice (e.g. telnet, tfp) | Disc. | 24 | srv count | Number of connections to the same service as the current connection in the past two seconds | Cont. |
| 4 | Flag | Status flag of the connection | Disc. | 25 | serror rate | % of connections that have “SYN” errors | Cont. |
| 5 | Source bytes | Bytes sent from source to destination | Cont. | 26 | srv serror rate | % of connections that have “SYN” errors | Cont. |
| 6 | Destination bytes | Bytes sent from destination to source | Cont. | 27 | rerror rate | % of connections that have “REJ” errors | Cont. |
| 7 | Land | 1 if connection is from to the same host; 0 otherwise | Disc. | 28 | srv rerror rate | % of connections that have “REJ” errors | Cont. |
| 8 | Wrong fragment | Number of wrong fragments | Cont. | 29 | same srv rate | % of connections to the same service | Cont. |
| 9 | Urgent | Number of urgent packets | Cont. | 30 | diff srv rate | % of connections to the different services | Cont. |
| 10 | Hot | Number of “hot” indicators | Cont. | 31 | srv diff host rate | % of connection to different hosts | Cont. |
| 11 | Failed login | Number of failed logins | Cont. | 32 | dst host count | Count of connections having the same destination host | Cont. |
| 12 | Logged in | 1 if successfully loggedin; 0 otherwise | Disc. | 33 | dst host srv count | Count of connections having the same destination host and using the same service | Cont. |
| 13 | # compromised | Number of “compromised” conditions | Cont. | 34 | dst host same srv rate | % of connections having the same destination host and using the same service | Cont. |
| 14 | Root shell | 1 if root shell is obtained; 0 otherwise | Cont. | 35 | dst host diff srv rate | % of different service on the current host | Cont. |
| 15 | Su attempt | 1 if “su root” command attempt; 0 otherwise | Cont. | 36 | dst host same src port rate | % of connections to the current host having the same src port | Cont. |
| 16 | # root | Number of “root” accesses | Cont. | 37 | dst host srv diff host rate | % of connections to the same service coming from different hosts | Cont. |
| 17 | # file creations | Number of file creation operations | Cont. | 38 | dst host serror rate | % of connections to the current host that have an S0 error | Cont. |
| 18 | # shells | Number of shell prompts | Cont. | 39 | dst host srv serror rate | % of connections to the current host and specified service that have an S0 error | Cont. |
| 19 | # access files | Number of operations on access control files | Cont. | 40 | dst host rerror rate | % of connections to the current host that have an RST error | Cont. |
| 20 | # outbound cmds | Number of outbound commands in an ftp session | Cont. | 41 | dst host srv reeror rate | % of connections to the current host and specified service that have an RST error | Cont. |
| 21 | Is hot login | 1 if the login belongs to the “hot” list; 0 otherwise | Disc. | ||||