I am trying to create a tool that identifies network attacks using machine learning, something like a small intrusion detection system. I have collected benign traffic from the network and then deployed a couple of nmap scans, hping, etc. To identify attacks, I am focusing on processing attributes from each packet individually and not a series of packets, and this seems to work great so far, specifically with decision trees.
For example some attacks that I have deployed on this network include: DoS using hping, man in the middle, spoofing, various scans with nmap.
However, I am questioning it as I am not sure if one packet is enough to indicate these attacks? Could you explain in which cases one packet could be enough and in which ones it wouldn’t?
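The distinction the question turns on can be shown concretely. The following is an added example, not code from the question's author: it runs a per-packet rule set and a windowed (per-source, per-time-window) feature extractor over a small set of constructed packet records (not real captures). Illegal TCP flag combinations are visible in a single packet, but a plain SYN sweep consists of packets that each look like a normal connection attempt and only becomes visible when distinct destination ports are counted per source over a window. The `Packet` fields, the 5-second window and the `min_ports=10` threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed sample record (not a real capture): the few TCP header fields a
# per-packet classifier would see.
@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


# --- Stage 1: features that one packet alone can carry ----------------------
def per_packet_features(pkt):
    f = pkt.flags
    return {
        "syn_only": f == {"SYN"},                   # looks like any normal connect()
        "no_flags": len(f) == 0,                    # TCP "null" probe: no stack sends this
        "syn_and_fin": {"SYN", "FIN"} <= f,         # contradictory flag pair
        "fin_psh_urg": f == {"FIN", "PSH", "URG"},  # no normal stack emits this
    }


def single_packet_alert(pkt):
    """True when the packet by itself is evidence: malformed/illegal flag combinations."""
    feat = per_packet_features(pkt)
    return feat["no_flags"] or feat["syn_and_fin"] or feat["fin_psh_urg"]


# --- Stage 2: features that only exist across a series of packets -----------
def window_features(packets, window=5.0):
    """Per source: max number of distinct destination ports hit with bare SYNs
    inside any `window`-second span. A single SYN can never reveal this."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if per_packet_features(p)["syn_only"]:
            by_src[p.src].append(p)
    result = {}
    for src, pkts in by_src.items():
        best = 0
        for i, start in enumerate(pkts):
            ports = {q.dport for q in pkts[i:] if q.ts - start.ts <= window}
            best = max(best, len(ports))
        result[src] = best
    return result


def scan_alert(packets, window=5.0, min_ports=10):
    """Sources that probed at least `min_ports` distinct ports within one window."""
    return {src for src, n in window_features(packets, window).items() if n >= min_ports}


def sample_traffic():
    """Constructed traffic: one normal handshake, one null probe, one 20-port SYN sweep."""
    pkts = [
        Packet(0.00, "10.0.0.5", "10.0.0.9", 443, frozenset({"SYN"})),
        Packet(0.01, "10.0.0.9", "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),
        Packet(0.02, "10.0.0.5", "10.0.0.9", 443, frozenset({"ACK"})),
        Packet(1.00, "10.0.0.7", "10.0.0.9", 80, frozenset()),  # null probe
    ]
    pkts += [Packet(2.0 + i * 0.01, "10.0.0.8", "10.0.0.9", 20 + i, frozenset({"SYN"}))
             for i in range(20)]
    return pkts


def analyse(packets):
    return {
        "single_packet_alerts": [p for p in packets if single_packet_alert(p)],
        "scanning_sources": scan_alert(packets),
    }


if __name__ == "__main__":
    report = analyse(sample_traffic())
    for p in report["single_packet_alerts"]:
        print(f"per-packet alert: {p.src} -> {p.dst}:{p.dport} flags={set(p.flags)}")
    print("scan sources (window features):", report["scanning_sources"])
```

Running it, the null probe from 10.0.0.7 is flagged by the per-packet stage while every packet of the 10.0.0.8 sweep passes that stage unnoticed; only the window stage reports 10.0.0.8, and the legitimate client 10.0.0.5 touches one port and stays below the threshold. The same split applies to the other attacks named in the question: a flood is a rate, and a scan is a spread over ports or hosts, so both are properties of a series rather than of any one packet.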