| | Class | Selected features |
| | DoS | Protocol type, service, flag, src_bytes, dst_bytes, count, srv_count, serror_rate, srv_serror_rate, dst_host_count, dst_host_srv_count, dst_host_serror_rate, dst_host_srv_serror_rate. |
| | Probe | Duration, protocol_type, service, flag, src_bytes, dst_bytes, count, srv_count, srv_serror_rate, rerror_rate, srv_rerror_rate, same_srv_rate, diff_srv_rate, srv_diff_host_rate, dst_host_count, dst_host_srv_count, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_srv_serror_rate, dst_host_rerror_rate, dst_host_srv_rerror_rate. |
| | R2L | Services, flag, hot, logged_in, is_guest_login, count, same_srv_rate, dst_host_count, dst_host_srv_count, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate. |
| | U2R | Duration, protocol_type, service, flag, src_bytes, dst_bytes, hot, logged_in, num_compromised, root_shell, num_root, num_file_creations, num_shells, count, srv_count, same_srv_rate, dst_host_count, dst_host_srv_count, dst_host_same_srv_rate, dst_host_same_src_port_rate. |
| | Normal | Protocol_type, service, flag, src_bytes, dst_bytes, logged_in, count, srv_count, same_srv_rate, srv_diff_host_rate, dst_host_count, dst_host_srv_count, dst_host_same_srv_rate, dst_host_same_src_port_rate. |
|
|
