Figure 12: Protocol distribution in the training set
Figure 13: Protocol distribution in the test set
The services (column #2) all belong to the application layer (the top layer in both the OSI and
TCP/IP models). The dataset contains protocols that enable capabilities such as email
exchange, website navigation, data storage and manipulation, DNS, etc., and that work in a
client-server or peer-to-peer fashion.
Since the NSL-KDD is labelled with 70 different services, a list of them and their occurrence counts in
the datasets is given in Annex B. Below are the diagrams produced by counting
all the featured services, to give an idea of which applications are the most common in the
network. We can see that, in both the training (Figure 15), http
(communication between web clients and servers) and private network (e.g. VPN) traffic
account for about half of the total traffic, followed by domain requests and telnet respectively.
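
The counting behind these diagrams can be reproduced as follows. This is an added example, not code from the original work; it assumes comma-separated records with the service at zero-based index 2, uses constructed and shortened sample rows, and goes one step further than the text by listing services that occur in only one of the two splits.

```python
import csv
import io
from collections import Counter

SERVICE_COL = 2  # assumption: zero-based index of the service field ("column #2")

# Constructed sample rows, shortened to the first five fields of a record
# (duration, protocol_type, service, flag, src_bytes); not real dataset lines.
TRAIN_SAMPLE = """\
0,tcp,http,SF,181
0,tcp,private,S0,0
0,udp,domain_u,SF,44
0,tcp,http,SF,239
0,tcp,telnet,SF,120
0,tcp,private,REJ,0
"""
TEST_SAMPLE = """\
0,tcp,http,SF,300
0,tcp,private,REJ,0
0,udp,domain_u,SF,45
0,tcp,ftp_data,SF,12983
"""

def service_counts(lines):
    """Count occurrences of each service label in an iterable of CSV lines."""
    counts = Counter()
    for row in csv.reader(lines):
        if len(row) > SERVICE_COL:  # skip blank or truncated rows
            counts[row[SERVICE_COL].strip()] += 1
    return counts

def shares(counts):
    """Convert counts to fractions of total traffic, most common first."""
    total = sum(counts.values())
    return [(svc, n / total) for svc, n in counts.most_common()] if total else []

def split_mismatch(train, test):
    """Services seen in only one split; these break a naive one-hot encoding."""
    return sorted(set(test) - set(train)), sorted(set(train) - set(test))

if __name__ == "__main__":
    train = service_counts(io.StringIO(TRAIN_SAMPLE))
    test = service_counts(io.StringIO(TEST_SAMPLE))
    for name, counts in (("train", train), ("test", test)):
        print(name, [(s, f"{p:.0%}") for s, p in shares(counts)])
    print("only in test / only in train:", split_mismatch(train, test))
```

To run it on the real files, pass an open file handle to `service_counts` instead of the sample strings.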