Real-time intrusion characterization in cyber networks is a highly complex problem that requires network-informed anomaly detection tools for success. Dynamic analysis of network traffic features provides a means of detecting anomalies related to novel intrusions, but it is challenged by data storage, real-time querying, and processing constraints. Since a large proportion of features are irrelevant in determining specific intrusion characteristics, efficient algorithms can be constructed on bespoke selected feature subsets. In this talk, we discuss a variety of current computational methods, and their pitfalls, for selecting real-time feature subsets over a range of different network attack types. In doing so, we highlight a novel capability being developed at Sandia National Laboratories for network traffic intrusion detection.
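The abstract's central claim is that most candidate traffic features carry no information about a given intrusion, so a detector can be built on a small, deliberately chosen subset. The following is an added example, not code from the talk or from Sandia's capability, of one of the standard filter methods it alludes to: ranking per-flow features by their mutual information with the intrusion label and discarding the uninformative ones. The flow records, feature names and the 4-bin equal-width discretization are constructed for illustration; on real traffic the bin count, sample size and class balance all change the estimates, and a feature that looks informative in a small sample can be noise.

```python
"""Rank candidate network-flow features by mutual information (MI) with
the intrusion label, then keep only the informative subset.
Added example with constructed data; not real traffic."""
import math
from collections import Counter

# Constructed flow records (hypothetical feature set): one tuple per flow,
# the last element is the label (0 = benign, 1 = intrusion).
FEATURES = ["bytes_per_pkt", "pkts_per_sec", "dst_port", "ttl", "syn_ratio"]
SAMPLE_FLOWS = [
    # bytes_per_pkt, pkts_per_sec, dst_port, ttl, syn_ratio, label
    (900, 5, 443, 64, 0.10, 0),
    (1200, 10, 80, 64, 0.20, 0),
    (1000, 8, 443, 64, 0.15, 0),
    (1100, 12, 80, 64, 0.10, 0),
    (60, 500, 443, 64, 0.90, 1),
    (70, 800, 80, 64, 0.95, 1),
    (80, 1000, 443, 64, 0.85, 1),
    (65, 600, 80, 64, 1.00, 1),
]


def discretize(values, bins=4):
    """Equal-width binning so MI can be estimated from joint counts.
    A constant feature collapses to a single bin (and hence MI 0)."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0] * len(values)
    width = (hi - lo) / bins
    return [min(int((v - lo) / width), bins - 1) for v in values]


def mutual_information(xs, ys):
    """I(X;Y) in bits, estimated from discrete samples via plug-in counts."""
    n = len(xs)
    joint = Counter(zip(xs, ys))
    px, py = Counter(xs), Counter(ys)
    mi = 0.0
    for (x, y), count in joint.items():
        pxy = count / n
        mi += pxy * math.log2(pxy / ((px[x] / n) * (py[y] / n)))
    return mi


def rank_features(flows, features=FEATURES, bins=4):
    """Return [(feature_name, mi_bits)] sorted from most to least informative."""
    labels = [flow[-1] for flow in flows]
    scores = []
    for idx, name in enumerate(features):
        column = discretize([flow[idx] for flow in flows], bins)
        scores.append((name, mutual_information(column, labels)))
    return sorted(scores, key=lambda s: s[1], reverse=True)


def select_features(flows, min_mi=0.1, **kwargs):
    """Keep only features whose MI with the label clears a threshold; the
    result is the reduced subset a real-time detector would compute."""
    return [name for name, mi in rank_features(flows, **kwargs) if mi >= min_mi]


if __name__ == "__main__":
    for name, mi in rank_features(SAMPLE_FLOWS):
        print(f"{name:14s} {mi:.3f} bits")
    print("selected:", select_features(SAMPLE_FLOWS))
```

In this constructed sample, `ttl` is constant and `dst_port` is spread evenly across both classes, so both score 0 bits and are dropped, while the three features that separate the classes score the full 1 bit of label entropy. The practical value is in the feature columns a sensor no longer has to extract, store or query at line rate; the pitfall is that a filter like this scores features one at a time and misses features that are only informative in combination.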
