ids – Scenario categorization with deep packet inspection – intrusion detection

I am researching intrusion detection systems (IDS) and deep packet inspections (DPI). For example, suppose a system in which values ​​are passed to a validation system and the validation system validates the data passed (verifies anomalies, such as statistics, machine learning, etc.).

  • Is the validation process called DPI, even if only the payload is examined?
  • Is the screening process called network-based attack detection or something else?

Google Cloud Intrusion – Exchange Information Security Stacks

I received an email from Google this morning reporting that my Compute Engine instance of my project was using to scan Port 3389 out of 144,000 IP addresses.
I enabled Compute Engine for this project a few months ago, but recently I only used the Maps Javascript API and there were no VM instances in the project.
This is the e-mail
E-mail

And this is the screenshot of the last activities of the project:
Enter image description here

I'm sorry that the language is Italian, but as you can see, the user is reported francesco.re1107@gmail.com (that's me) made those changes.
I was wondering how they could log into my account.
I have not seen any malicious login to my Google Account …

I deleted the project and turned off account billing to avoid other issues. Do I have to do something else?

Thank you very much

Can the IP address be considered a useful intrusion detection feature?

I'm trying to develop a machine learning model that classifies attacks. My data has a number of IP addresses, and I do not know if I should use the IP address as an attack detection feature. I found this interesting argument:

"IP can be spoofed by the attacker. Therefore, it may be impossible to use it as an attack classification feature in intrusion detection systems. Features that are independent and can not be changed by the attacker can be helpful in classifying issues."

This is quite logical for me, but I do not know if I should completely ignore the IP address in attack detection, especially that my data (log files from different devices) consists of multiple attack scenarios. What do you think?