L7_PROTO will be an important feature, as certain protocols are at higher risk of exploitation.
If a time metric can be created, it will be valuable for seeing when attacks are real (i.e., attacks during 'working hours' are likely, so as to blend in with regular traffic or exploit system users who are working).
Precision of true positives is preferred to be over 60%.
List 1-3 assumptions about feature importance or how you anticipate the model to perform.