See <a href="http://isc.sans.org/diary.html?storyid=5345">http://isc.sans.org/diary.html?storyid=5345</a>, I think there are some interesting possible features, especially in the field of DNS and anomaly detection:<br><ul>
<li>DNS responses which had a low to very low TTL (time to live) value, which is somewhat unusual;</li><li>DNS responses which contained a domain that belonged to one of a long list of dynamic DNS providers;</li><li>DNS queries which were issued more frequently by the client than would be expected given the TTL for that hostname;</li>
<li>DNS
requests for a hostname outside of the local namespace which were
responded to with a resource record pointing to an IP address within
either <a href="http://127.0.0.0/8">127.0.0.0/8</a>, <a href="http://0.0.0.0/32">0.0.0.0/32</a>, RFC1918 IP space, or anywhere inside
the public or private IP space of the organization;</li><li>Consecutive
DNS responses for a single unique hostname which contained only a
single resource record, but which changed more than twice every 24
hours.</li><li>Persistent connections to HTTP servers on the internet, even outside
regular office hours, can be normal: just think of software update
mechanisms.</li></ul><br>