Table 3.
TCP/UDP features computed from the network flows.
| Total Features | ARP | Last Flow 1 | TCP/UDP × All Directions 2 |
TCP/UDP × Internal/External Incoming/Outgoing 3 |
Features |
|---|---|---|---|---|---|
| 11 | 1 | 2 | 8 | Number of flows. | |
| 8 | 8 | % of flows. | |||
| 18 | 2 | 16 | Mean and stddev of the flow durations. | ||
| 18 | 2 | 16 | Mean and stddev of time between two consecutive flows. | ||
| 8 | 8 | Number of different destination IPs. | |||
| 8 | 8 | Entropy of destination IPs. | |||
| 60 | 12 | 48 | Sum, max, min, mean, stddev and median of total packets. | ||
| 60 | 12 | 48 | Sum, max, min, mean, stddev and median of source packets. | ||
| 60 | 12 | 48 | Sum, max, min, mean, stddev and median of total bytes. | ||
| 60 | 12 | 48 | Sum, max, min, mean, stddev and median of source bytes. | ||
| 60 | 12 | 48 | Sum, max, min, mean, stddev and median of total load. | ||
| 60 | 12 | 48 | Sum, max, min, mean, stddev and median of source load. | ||
| 16 | 16 | % of source/destination ports >1024. | |||
| 16 | 16 | % of source/destination ports <1025. | |||
| 16 | 16 | Number of different source and destination ports. | |||
| 16 | 16 | Entropy of source and destination ports. | |||
| 1 | 1 | Number of different destination IPs. | |||
| 1 | 1 | Entropy of destination IP. | |||
| 1 | 1 | Median of the duration. | |||
| 3 | 3 | Protocol used (TCP, UDP, ARP). | |||
| 4 | 4 | State (INT, RST, FIN, CON). | |||
| 2 | 2 | Source or destination port <1024. | |||
| 1 | 1 | Destination port. | |||
| 4 | 4 | Direction(incoming, outgoing, internal, external). | |||
| 8 | 8 | Total packets, source packets, total bytes, source bytes, load, source load, source mean interpacket arrival time and destination mean interpacket arrival time. | |||
| 520 | Total features computed. | ||||
Extracted from the last flow; Computed per protocol; Computed per pair (protocol, direction).