| S. No | Feature | Description | Data Type | S. No | Feature | Description | Data Type |
| 1 | Duration | Duration of the connection. | C | 22 | Is guest login | 1 if the login is a “guest” login; 0 otherwise | D |
| 2 | Protocol type | Connection protocol | D | 23 | Count | Number of connections to the same host as the current connection in the past two seconds | C |
| 3 | Service | Destination service | D | 24 | Srv count | Number of connections to the same service as the current connection in the past two seconds | C
|
| 4 | Flag | Status flag of the connection | D | 25 | Serror rate | % of connections that have “SYN” errors | C |
| 5 | Source bytes | Bytes sent from source to destination | C | 26 | Srv serror rate | % of connections that have “SYN” errors | C |
| 6 | Destination bytes | Bytes sent from destination to source | C | 27 | Rerror rate | % of connections that have “REJ” errors | C |
| 7 | Land | 1 if connection is from/to the same host/port; 0 otherwise | D | 28 | Srv rerror rate | % of connections that have “REJ” errors | C |
| 8 | Wrong fragment | Number of wrong fragments | C | 29 | Same srv rate | % of connections to the same service | C |
| 9 | Urgent | Number of urgent packets | C | 30 | Diff srv rate | % of connections to different Services | C
|
| 10 | Hot | Number of “hot” indicators | C | 31 | Srv diff host rate | % of connections to different hosts | C |
| 11 | Failed Login | Logins number of failed logins | C | 32 | Dst host count
| Count of connections having the same destination host | C
|
| 12 | Logged in | 1 if successfully logged in; 0 otherwise | D | 33 | Dst host srv count
| Count of connections having the same destination host and using the same service | C
|
| 13 | Compromised | Number of “compromised” conditions | C | 34 | Dst host same srv rate | % of connections having the same destination host and using the same service | C
|
| 14 | Root shell | 1 if root shell is obtained; 0 otherwise | C | 35 | Dst host diff srv rate | % of different services on the current host
| C
|
| 15 | Su attempted | 1 if “su root” command attempted; 0 otherwise | C | 36 | Dst host same src port rate | % of connections to the current host having the same src port | C
|
| 16 | Root | Number of “root” accesses | C | 37 | Dst host srv diff host rate | % of connections to the same service coming from different hosts | C
|
| 17 | File creations | Number of file creation operations | C | 38 | Dst host serror rate | % of connections to the current host that have an S0 error | C
|
| 18 | Shells | Number of shell prompts | C | 39 | Dst host srv serror rate | % of connections to the current host and specified service that have an S0 error | C
|
| 19 | Access files | Number of operations on access control files | C | 40 | Dst host rerror rate | % of connections to the current host that have an RST error | C
|
| 20 | Outbound cmds | Number of outbound commands in an ftp session | C | 41 | Dst host srv rerror rate | % of connections to the current host and specified service that have an RST error | C
|
| 21 | Is hot login | 1 if the login belongs to the “hot” list; 0 otherwise | D |
|
|
|
|