Implications of IDS Classification on Attack Detection
Paper in proceedings, 2003

Accurate taxonomies are critical for the advancement of research fields. Taxonomies for intrusion detection systems (IDSs) are not fully agreed upon, and further lack convincing motivation of their categories. We survey and summarize previously made taxonomies for intrusion detection. Focusing on categories relevant for detection methods, we extract commonly used concepts and define three new attributes: the reference model type, the reference model generation process, and the reference model updating strategy. Using our framework, the range of previously used terms can easily be explained. We study the usefulness of these attributes with two empirical evaluations. Firstly, we use the taxonomy to create a survey of existing research IDSs, with a successful result, i.e. the IDSs are well scattered in the defined space. Secondly, we investigate whether we can reason about the detection capability based on detection method classes, as defined by our framework. We establish that different detection methods vary in their capability to detect specific attack types. The reference model type seems better suited than reference model generation process for such reasoning. However, our results are tentative and based on a relatively small number of attacks.

Keywords: intrusion detection; detection methods

Authors: Magnus Almgren, Emilie Lundin, Erland Jonsson

Affiliation (all authors): Chalmers, Department of Computer Engineering, Computer Security

Published in: Nordic Workshop on Secure IT Systems (NordSec)

Areas of Advance

Information and Communication Technology

Subject Categories

Computer and Information Science
