53
Annex A: table of the NSL-KDD features
Table 9: list of all the features in NSL-KDD
#
feature
description
type
value
range
0
duration
time length of the connection
continuous
integer
0-54451
1
protocol type
protocol used in the connection
categorical
string
NaN
2
service
destination network service used
categorical
string
NaN
3
flag
status of the connection
categorical
string
NaN
4
src bytes
number of bytes transferred in a single connection
(source to destination)
continuous
integer
0-1379963888
5
dst bytes
number of bytes transferred in a single connection
(destination to source)
continuous
integer
0-309937401
6
land
if src. and dst. IP addresses and port numbers are equal
then =1, else =0
binary
integer
0 or 1
7
wrong
fragment
number of wrong fragments in the connection
discrete
integer
0, 1 or 3
8
urgent
number of urgent packets in the connection (urgent bit
activated)
discrete
integer
0-3
9
hot
number of "hot" indicators in the content (entering
system dir., creating/executing programs)
continuous
integer
0-101
10
num failed
logins
count of failed login attempts
continuous
integer
0-4
11 logged in
if successful login status =1, else =0
binary
integer
0 or 1
12
num
compromised
number of compromised conditions
continuous
integer
0-7479
13 root shell
if root shell is obtained =1, else =0
binary
integer
0 or 1
14 su attempted
if "su root" command is attempted or used =1, else =0
(dataset also contains the value 2)
discrete
integer
0, 1 or 2
15 num root
number of "root" accesses or operations performed as a
root in the connection
continuous
integer
0-7468
16
num file
creations
number of the file creation operations in the connection
continuous
integer
0-100
17 num shells
number of shell prompts
continuous
integer
0-2
18
num access
files
number of operations on access control files
continuous
integer
0-9
19
num outbound
cmds
number of outbound commands in an ftp session
continuous
integer
0
20 is hot login
if the login belongs to the "hot" list (root/admin) =1, else
=0
binary
integer
0 or 1
21 is guest login
if the login is a "guest" =1, else =0
binary
integer
0 or 1