I'm trying to develop a machine learning model that classifies attacks. My data has a number of IP addresses, and I do not know if I should use the IP address as an attack detection feature. I found this interesting argument:
"IP can be spoofed by the attacker. Therefore, it may be impossible to use it as an attack classification feature in intrusion detection systems. Features that are independent and can not be changed by the attacker can be helpful in classifying issues."
This is quite logical to me, but I do not know if I should completely ignore the IP address in attack detection, especially since my data (log files from different devices) consists of multiple attack scenarios. What do you think?