This data set is the KDDCUP’99 data set, which is widely used as one of the few publicly available data sets for network-based anomaly detection systems.
For more about the data: http://www.unb.ca/cic/datasets/nsl.html
- Duration: Length of time of the connection
- Protocol_type: Protocol used in the connection
- Service: Destination network service used
- Flag: Status of the connection – Normal or Error
- Src_bytes: Number of data bytes transferred from source to destination in a single connection
- Dst_bytes: Number of data bytes transferred from destination to source in a single connection
- Land: Takes the value 1 if the source and destination IP addresses and port numbers are equal, otherwise 0
- Wrong_fragment: Total number of wrong fragments in this connection
- Urgent: Number of urgent packets in this connection. Urgent packets are packets with the urgent bit activated
- DoS: Back, Land, Neptune, Pod, Smurf, Teardrop, Apache2, Udpstorm, Processtable, Worm (10)
- Probe: Satan, Ipsweep, Nmap, Portsweep, Mscan, Saint (6)
- R2L: Guess_Password, Ftp_write, Imap, Phf, Multihop, Warezmaster, Warezclient, Spy, Xlock, Xsnoop, Snmpguess, Snmpgetattack, Httptunnel, Sendmail, Named (16)
- U2R: Buffer_overflow, Loadmodule, Rootkit, Perl, Sqlattack, Xterm, Ps (7)
- DoS: Denial of service is an attack category that depletes the victim's resources, making it unable to handle legitimate requests, e.g. SYN flooding. Relevant features: “source bytes” and “percentage of packets with errors”
- Probing: Surveillance and other probing attacks aim to gain information about the remote victim, e.g. port scanning. Relevant features: “duration of connection” and “source bytes”
- U2R: Unauthorized access to local superuser (root) privileges is an attack type in which an attacker uses a normal account to log in to a victim system and tries to gain root/administrator privileges by exploiting some vulnerability in the victim, e.g. buffer overflow attacks. Relevant features: “number of file creations” and “number of shell prompts invoked”
- R2L: Unauthorized access from a remote machine: the attacker intrudes into a remote machine and gains local access to the victim machine, e.g. password guessing. Relevant features: the network-level features “duration of connection” and “service requested”, and the host-level feature “number of failed login attempts”
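The category lists above can be applied to raw records as a first triage step before training a detector. The following is an added example, not part of the original page or the data set's own tooling. It assumes comma-separated records with 41 feature columns followed by the label and a difficulty score, and that the files spell one label `guess_passwd`; the function names and the sample rows are constructed for illustration.

```python
import csv
from collections import defaultdict

# Category membership exactly as listed on this page (lower-cased).
CATEGORIES = {
    "dos": "back land neptune pod smurf teardrop apache2 udpstorm processtable worm",
    "probe": "satan ipsweep nmap portsweep mscan saint",
    "r2l": ("guess_password ftp_write imap phf multihop warezmaster warezclient spy "
            "xlock xsnoop snmpguess snmpgetattack httptunnel sendmail named"),
    "u2r": "buffer_overflow loadmodule rootkit perl sqlattack xterm ps",
}
LABEL_TO_CATEGORY = {n: cat for cat, names in CATEGORIES.items() for n in names.split()}
LABEL_TO_CATEGORY["normal"] = "normal"
LABEL_TO_CATEGORY["guess_passwd"] = "r2l"  # assumption: spelling used in the data files

FIRST_NINE = ["duration", "protocol_type", "service", "flag", "src_bytes",
              "dst_bytes", "land", "wrong_fragment", "urgent"]
NUMERIC = {"duration", "src_bytes", "dst_bytes", "land", "wrong_fragment", "urgent"}

def parse_record(fields):
    """Return (first nine features, label); the label is the second-to-last column."""
    if len(fields) < len(FIRST_NINE) + 2:
        raise ValueError("record too short: %d columns" % len(fields))
    feats = {k: (int(v) if k in NUMERIC else v) for k, v in zip(FIRST_NINE, fields)}
    return feats, fields[-2].strip().lower()

def summarize(lines):
    """Per-category (record count, mean src_bytes), plus labels missing from the lists."""
    totals = defaultdict(lambda: [0, 0])
    unknown = set()
    for fields in filter(None, csv.reader(lines)):  # skip blank lines
        feats, label = parse_record(fields)
        cat = LABEL_TO_CATEGORY.get(label, "unknown")
        if cat == "unknown":
            unknown.add(label)  # report unlisted labels instead of dropping them
        totals[cat][0] += 1
        totals[cat][1] += feats["src_bytes"]
    return {c: (n, total / n) for c, (n, total) in totals.items()}, sorted(unknown)

# Constructed sample rows: nine real-looking features, zero padding, label, difficulty.
PAD = ",".join(["0"] * 32)
SAMPLE = [
    f"0,tcp,http,SF,215,45076,0,0,0,{PAD},normal,21",
    f"0,tcp,private,S0,0,0,0,0,0,{PAD},neptune,21",
    f"0,icmp,ecr_i,SF,1032,0,0,0,0,{PAD},smurf,18",
    f"2,tcp,telnet,SF,126,179,0,0,0,{PAD},guess_passwd,10",
    f"0,tcp,smtp,SF,2000,300,0,0,0,{PAD},example_unlisted,12",
]
```

Calling `summarize(SAMPLE)` returns the per-category summary and the list of labels that did not match any category, which is worth checking before treating the four-way mapping as complete for a given file.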