
Table 2 Description of the features in the TON_IoT network dataset

From: Optimizing IoT intrusion detection system: feature selection versus feature extraction in machine learning

| No. | Feature | Description |
|---|---|---|
| 1 | ts | Timestamp of the connection between the flow identifiers |
| 2 | src_ip | Source IP address, i.e. the originating endpoint's IP address |
| 3 | src_port | Source port, i.e. the originating endpoint's TCP/UDP port |
| 4 | dst_ip | Destination IP address, i.e. the responding endpoint's IP address |
| 5 | dst_port | Destination port, i.e. the responding endpoint's TCP/UDP port |
| 6 | proto | Transport-layer protocol of the flow connection |
| 7 | service | Dynamically detected application protocol, such as DNS, HTTP or SSL |
| 8 | duration | Duration of the packet connection, estimated as 'time of the last packet seen' minus 'time of the first packet seen' |
| 9 | src_bytes | Source bytes, i.e. payload bytes originated by the source, derived from TCP sequence numbers |
| 10 | dst_bytes | Destination bytes, i.e. payload bytes sent in response, derived from TCP sequence numbers |
| 11 | conn_state | Connection state, such as S0 (connection attempt seen, no reply), S1 (connection established) and REJ (connection attempt rejected) |
| 12 | missed_bytes | Number of missing bytes in content gaps |
| 13 | src_pkts | Number of packets sent by the source system |
| 14 | src_ip_bytes | Number of IP bytes sent by the source system, i.e. the total length of the IP header field of its packets |
| 15 | dst_pkts | Number of packets sent by the destination system |
| 16 | dst_ip_bytes | Number of IP bytes sent by the destination system, i.e. the total length of the IP header field of its packets |
| 17 | dns_query | Domain name that is the subject of the DNS query |
| 18 | dns_qclass | Value specifying the DNS query class |
| 19 | dns_qtype | Value specifying the DNS query type |
| 20 | dns_rcode | Response code value in the DNS response |
| 21 | dns_AA | DNS authoritative-answer flag, where T denotes that the server is authoritative for the query |
| 22 | dns_RD | DNS recursion-desired flag, where T denotes that the request asked for a recursive lookup |
| 23 | dns_RA | DNS recursion-available flag, where T denotes that the server supports recursive queries |
| 24 | dns_rejected | DNS rejection flag, set when the DNS query is rejected by the server |
| 25 | ssl_version | SSL version offered by the server |
| 26 | ssl_cipher | SSL cipher suite chosen by the server |
| 27 | ssl_resumed | SSL flag indicating a session that can be used to initiate new connections, where T denotes that the SSL connection was initiated |
| 28 | ssl_established | SSL flag indicating that the connection between the two parties was established, where T denotes establishment |
| 29 | ssl_subject | Subject of the X.509 certificate offered by the server |
| 30 | ssl_issuer | Trusted owner/originator of the SSL digital certificate (certificate authority) |
| 31 | http_trans_depth | Pipelined depth into the HTTP connection |
| 32 | http_method | HTTP request method, such as GET, POST or HEAD |
| 33 | http_uri | URI used in the HTTP request |
| 34 | http_version | HTTP version used, such as V1.1 |
| 35 | http_request_body_len | Actual uncompressed content size of the data transferred from the HTTP client |
| 36 | http_response_body_len | Actual uncompressed content size of the data transferred from the HTTP server |
| 37 | http_status_code | Status code returned by the HTTP server |
| 38 | http_user_agent | Value of the User-Agent header in the HTTP protocol |
| 39 | http_orig_mime_types | Ordered vector of MIME types from the source system in the HTTP protocol |
| 40 | http_resp_mime_types | Ordered vector of MIME types from the destination system in the HTTP protocol |
| 41 | weird_name | Name of the protocol anomaly/violation that occurred |
| 42 | weird_addl | Additional information associated with the protocol anomaly/violation |
| 43 | weird_notice | Indicates whether the anomaly/violation was turned into a notice |
| 44 | label | Tags normal and attack records, where 0 indicates normal and 1 indicates attack |
| 45 | type | Tags the attack category, such as DoS, DDoS and backdoor, with normal records tagged as normal |
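The table above describes the raw columns; before feature selection or extraction they have to be turned into typed, numeric features. The following is an added example (not code from the paper or the TON_IoT project) that encodes records shaped like Table 2: boolean flags given as T/F, the categorical conn_state column, and the label/type pair. It assumes, as in Zeek logs, that a missing value is written as '-' and that flags are the literals 'T' and 'F'; the CSV rows, column subset and helper names are constructed for illustration. It also checks that label (0/1) and type (normal vs. an attack category) agree, which is the first sanity check a practitioner should run on any labelled IDS dataset.

```python
"""Typed encoding of TON_IoT-style network records (added example).

Assumptions not stated in Table 2: records are CSV rows whose header uses the
Table 2 column names, missing values are written as '-' (Zeek convention) and
boolean flags are the literals 'T' and 'F'. SAMPLE_CSV is constructed data,
not records from the real dataset.
"""
import csv
import io

# Constructed sample records using a subset of the Table 2 columns.
SAMPLE_CSV = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,service,duration,src_bytes,dst_bytes,conn_state,dns_AA,dns_RD,dns_RA,dns_rejected,ssl_established,http_status_code,label,type
1554200000.1,192.168.1.31,53412,192.168.1.193,53,udp,dns,0.002,42,58,SF,F,T,T,F,-,-,0,normal
1554200001.7,192.168.1.32,44120,192.168.1.193,443,tcp,ssl,1.250,1200,5400,SF,-,-,-,-,T,-,0,normal
1554200002.3,192.168.1.30,60000,192.168.1.190,80,tcp,-,0.000,0,0,S0,-,-,-,-,-,-,1,dos
1554200003.9,192.168.1.30,60001,192.168.1.190,80,tcp,http,0.300,240,0,REJ,-,-,-,-,-,404,1,backdoor
"""

MISSING = "-"  # assumed marker for an absent value
BOOL_COLUMNS = ("dns_AA", "dns_RD", "dns_RA", "dns_rejected", "ssl_established")
NUMERIC_COLUMNS = ("duration", "src_bytes", "dst_bytes", "http_status_code")
# conn_state values named in Table 2 plus SF (normal completion); anything
# else maps to UNKNOWN so an unseen state never crashes the pipeline.
CONN_STATES = ("UNKNOWN", "S0", "S1", "SF", "REJ")


def parse_flag(value):
    """'T' -> 1, 'F' -> 0, '-' -> None (missing is kept distinct from False)."""
    if value == MISSING:
        return None
    if value == "T":
        return 1
    if value == "F":
        return 0
    raise ValueError(f"unexpected flag value {value!r}")


def parse_number(value):
    """Numeric column; '-' becomes None rather than a silent 0."""
    return None if value == MISSING else float(value)


def encode_record(row):
    """Map one raw CSV row to (feature dict, label int, type string)."""
    features = {col: parse_number(row[col]) for col in NUMERIC_COLUMNS}
    features.update({col: parse_flag(row[col]) for col in BOOL_COLUMNS})
    # conn_state is categorical (Table 2, row 11): one-hot encode it.
    state = row["conn_state"] if row["conn_state"] in CONN_STATES else "UNKNOWN"
    for s in CONN_STATES:
        features[f"conn_state_{s}"] = int(state == s)
    # Absence of a detected service is itself informative (e.g. half-open scans).
    features["service_missing"] = int(row["service"] == MISSING)
    return features, int(row["label"]), row["type"]


def load_records(text):
    """Parse CSV text into a list of encoded records."""
    return [encode_record(r) for r in csv.DictReader(io.StringIO(text))]


def check_label_type_consistency(records):
    """Indices where label and type disagree: label 0 must be 'normal', 1 must not."""
    return [i for i, (_, label, typ) in enumerate(records)
            if (label == 0) != (typ == "normal")]


def missing_rate(records, col):
    """Fraction of records with a missing value in col (guides imputation/dropping)."""
    values = [f[col] for f, _, _ in records]
    return sum(v is None for v in values) / len(values)


if __name__ == "__main__":
    recs = load_records(SAMPLE_CSV)
    print("inconsistent rows:", check_label_type_consistency(recs))
    print("http_status_code missing rate:", missing_rate(recs, "http_status_code"))
```

Keeping None for missing flags instead of coercing them to 0 matters: an SSL flag that is absent because the flow was not SSL is a different signal from an SSL handshake that failed, and collapsing the two distorts any feature-importance ranking done afterwards.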
