Implications of IDS Classification on Attack Detection
Paper in proceedings, 2003

Accurate taxonomies are critical for the advancement of research fields. Taxonomies for intrusion detection systems (IDSs) are not fully agreed upon, and they further lack convincing motivation for their categories. We survey and summarize previously proposed taxonomies for intrusion detection. Focusing on categories relevant to detection methods, we extract commonly used concepts and define three new attributes: the reference model type, the reference model generation process, and the reference model updating strategy. Using our framework, the range of previously used terms can easily be explained. We study the usefulness of these attributes with two empirical evaluations. Firstly, we use the taxonomy to create a survey of existing research IDSs, with a successful result, i.e., the IDSs are well scattered in the defined space. Secondly, we investigate whether we can reason about detection capability based on the detection method classes defined by our framework. We establish that different detection methods vary in their capability to detect specific attack types. The reference model type seems better suited than the reference model generation process for such reasoning. However, our results are tentative and based on a relatively small number of attacks.

intrusion detection

classification

detection methods

taxonomy

Authors

Magnus Almgren

Chalmers, Department of Computer Engineering, Computer Security

Emilie Lundin

Chalmers, Department of Computer Engineering, Computer Security

Erland Jonsson

Chalmers, Department of Computer Engineering, Computer Security

Nordic Workshop on Secure IT Systems (NordSec)

pp. 57--70

Areas of Advance

Information and Communication Technology

Subject Categories

Computer and Information Science

ISBN

82-993980-4-5