| Attribute/Feature Name | Type of attribute | Description of Connection-based content attribute |
| hot | continuous | hot indicators e.g., creation, and execution of programs, access to system directories, etc |
| num failed logins | continuous | login attempts failed count |
| logged in | binary | if logged in successfully then 1; otherwise 0 |
| num compromised | continuous | number of compromised/warning states on the destination host (e.g., Jump to instructions, and file/path not found errors, etc.) |
| root shell | binary | if root shell is acquired then 1; otherwise 0 |
| su attempted | binary | if su root command tried then 1; otherwise 0 |
| num root | continuous | total root accesses |
| num file creations | continuous | number of file operations(creation) |
| num shells | continuous | number of prompts(shell) |