Annales des Télécommunications, Volume 55, Issue 7–8, pp. 361–378

A revised taxonomy for intrusion-detection systems

  • Hervé Debar
  • Marc Dacier
  • Andreas Wespi


Intrusion-detection systems aim at detecting attacks against computer systems and networks, or more generally against information systems. It is difficult to build provably secure information systems and to keep them in such a secure state throughout their lifetime and use. Sometimes, legacy or operational constraints do not even allow a fully secure information system to be defined. Intrusion-detection systems therefore have the task of monitoring the usage of such systems to detect the appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper [Computer Networks 31, 805–822 (1999)], we introduced a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.

Key words

Intruder detector, Taxonomy, System evaluation, Knowledge base, System behavior, Computer system, Telecommunication network

A Revised Taxonomy for Intrusion-Detection Tools


Intrusion-detection tools aim at detecting attacks against computer systems and networks, and in general against information systems. It is difficult today to build information systems whose security is guaranteed and to keep them at that level of security throughout their operation. This is why intrusion-detection tools have the role of monitoring information systems to detect the appearance or the exploitation of security flaws. This article, which follows an earlier one [Computer Networks 31, 805–822 (1999)], introduces a taxonomy of intrusion-detection tools illustrating the different facets of the field and extends this taxonomy to other aspects of information-system monitoring, such as vulnerability analysis.

Key words

Intruder detector, Taxonomy, System evaluation, Knowledge base, System behavior, Computer system, Telecommunication network


References


[1] Almgren (M.), Debar (H.), Dacier (M.), A lightweight tool for detecting web server attacks, in Symposium on Network and Distributed Systems Security (NDSS '00), pp. 157–170, San Diego, CA, February 2000, Internet Society.
[2] Anderson (T.), Avizienis (A.), Carter (W.C.), Costes (A.), Cristian (F.), Koga (Y.), Kopetz (H.), Lala (J.H.), Laprie (J.C.), Meyer (J.F.), Randell (B.), Robinson (A.S.), Simoncini (L.), Voges (U.), Dependability: Basic Concepts and Terminology, Dependable Computing and Fault Tolerance, Springer-Verlag, Berlin, Germany, 1992.
[3] Bellovin (S.M.), Cheswick (W.R.), Network firewalls, IEEE Communications Magazine, 32(9): pp. 50–57, September 1994.
[4] Cannady (J.), Harrel (J.), A comparative analysis of current intrusion detection technologies, in Proceedings of the Fourth Technology for Information Security Conference '96 (TISC'96), Houston, TX, May 1996.
[5] CERT Coordination Center, Syslog vulnerability: a workaround for sendmail, available by anonymous ftp from, October 1995.
[6] Cheswick (W.R.), Bellovin (S.M.), Firewalls and Internet Security: Repelling the Wily Hacker, Professional Computing Series, Addison-Wesley, ISBN 0-201-63357-4, 1994.
[7] Cisco Systems Inc., NetRanger: Enterprise-scale, Real-time, Network Intrusion Detection System, Internet http://www.cisco.com/, 1998.
[8] Debar (H.), Becker (M.), Siboni (D.), Hyperview: An intelligent security supervisor, in Proceedings of the Second International Conference on Intelligence in Networks, Bordeaux, France, March 1992.
[9] Debar (H.), Becker (M.), Siboni (D.), A neural network component for an intrusion detection system, in Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 240–250, Oakland, CA, May 1992.
[10] Debar (H.), Dacier (M.), Nassehi (M.), Wespi (A.), Fixed vs variable-length patterns for detecting suspicious process behavior, in Jean-Jacques Quisquater, Yves Deswarte, Catherine Meadows, and Dieter Gollmann, editors, Computer Security - ESORICS 98, 5th European Symposium on Research in Computer Security, volume 1485 of LNCS, pp. 1–15, Louvain-la-Neuve, Belgium, Springer-Verlag, September 1998.
[11] Debar (H.), Dacier (M.), Wespi (A.), Reference audit information generation for intrusion detection systems, in Reinhard Posch and Gyorgy Papp, editors, Information Systems Security, Proceedings of the 14th International Information Security Conference IFIP SEC98, pp. 405–417, Vienna, Austria and Budapest, Hungary, August 31–September 4, 1998.
[12] Debar (H.), Dacier (M.), Wespi (A.), Towards a taxonomy of intrusion detection systems, Computer Networks, 31(8): pp. 805–822, Special issue on Computer Network Security, April 1999.
[13] Denning (D.), An intrusion-detection model, IEEE Transactions on Software Engineering, 13(2): pp. 222–232, 1987.
[14] Denning (D.), Neumann (P.G.), Requirements and model for IDES - a real-time intrusion detection expert system, Technical report, Computer Science Laboratory, SRI International, Menlo Park, CA, 1985.
[15] Deraison (R.), The Nessus project, 1999.
[16] Dowell (C.), Ramstedt (P.), The ComputerWatch data reduction tool, in Proceedings of the 13th National Computer Security Conference, pp. 99–108, Washington, DC, October 1990.
[17] Esmaili (M.), Safavi-Naini (R.), Pieprzyk (J.), Computer intrusion detection: A comparative survey, Technical Report 95-07, Center for Computer Security Research, University of Wollongong, Wollongong, NSW 2522, Australia, May 1995.
[18] Farmer (D.), COPS overview, available from http://www.trouble.org/cops/overview.html, May 1993.
[19] Farmer (D.), Venema (W.), Improving the security of your site by breaking into it, available at http :/ admin-guide-to-cracking.html, Internet white paper, 1993.
[20] Farmer (D.), Spafford (E.), The COPS security checker system, in Proceedings of the Summer USENIX Conference, pp. 165–170, Anaheim, CA, June 1990.
[21] Forrest (S.), Hofmeyr (S.A.), Somayaji (A.), Computer immunology, Communications of the ACM, 40(10): pp. 88–96, October 1997.
[22] Frank (J.), Artificial intelligence and intrusion detection: Current and future directions, in Proceedings of the 17th National Computer Security Conference, Baltimore, MD, October 1994.
[23] Gallinari (P.), Thiria (S.), Fogelman-Soulie (F.), Multilayer perceptrons and data analysis, in Proceedings of the IEEE Annual International Conference on Neural Networks (ICNN88), volume I, pp. 391–399, San Diego, CA, July 1988.
[24] Garvey (T.), Lunt (T.), Model-based intrusion detection, in Proceedings of the 14th National Computer Security Conference, pp. 372–385, October 1991.
[25] Grundschober (S.), Design and implementation of a sniffer detector, in Proceedings of RAID 98, Workshop on Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium, September 1998.
[26] Habra (N.), Le Charlier (B.), Mounji (A.), Mathieu (I.), ASAX: Software architecture and rule-based language for universal audit trail analysis, in Y. Deswarte, G. Eizenberg, and J.-J. Quisquater, editors, Proceedings of the Second European Symposium on Research in Computer Security (ESORICS), volume 648 of Lecture Notes in Computer Science, Toulouse, France, November 1992, Springer-Verlag, Berlin, Germany.
[27] Hansen (S.E.), Atkins (E.T.), Automated system monitoring and notification with swatch, in Proceedings of the Seventh Systems Administration Conference (LISA '93), Monterey, CA, November 1993.
[28] Haystack Labs, Inc., Stalker, 1997.
[29] Heberlein (L.T.), Dias (G.V.), Levitt (K.N.), Mukherjee (B.), Wood (J.), Wolber (D.), A network security monitor, in Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pp. 296–304, Oakland, CA, IEEE Computer Society Press, Los Alamitos, CA, May 1990.
[30] Helman (P.), Liepins (G.), Statistical foundations of audit trail analysis for the detection of computer misuse, IEEE Transactions on Software Engineering, 19(9): pp. 886–901, September 1993.
[31] Helman (P.), Liepins (G.), Richards (W.), Foundations of intrusion detection, in Proceedings of the Fifth Computer Security Foundations Workshop, pp. 114–120, Franconia, NH, June 1992.
[32] Ilgun (K.), USTAT: A real-time intrusion detection system for Unix, in Proceedings of the 1993 IEEE Symposium on Research in Security and Privacy, pp. 16–28, Oakland, CA, May 1993.
[33] Internet Security Systems, Inc., RealSecure, Internet, 1997.
[34] Jackson (K.), Intrusion detection system product survey, Research report LA-UR-99-3883, Los Alamos National Laboratory, June 1999.
[35] Jackson (K.), DuBois (D.), Stallings (C.), An expert system application for network intrusion detection, in Proceedings of the 14th National Computer Security Conference, pp. 215–225, November 1991.
[36] Jagannathan (R.), Lunt (T.), Anderson (D.), Dodd (C.), Gilham (F.), Jalali (C.), Javitz (H.), Neumann (P.), Tamaru (A.), Valdes (A.), System design document: Next-generation intrusion detection expert system (NIDES), Technical Report A007/A008/A009/A011/A012/A014, SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025, March 1993.
[37] Javitz (H.), Valdes (A.), The SRI IDES statistical anomaly detector, in Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 316–326, May 1991.
[38] Javitz (H.S.), Valdes (A.), Lunt (T.F.), Tamaru (A.), Tyson (M.), Lowrance (J.), Next generation intrusion detection expert system (NIDES) - 1. statistical algorithms rationale - 2. rationale for proposed resolver, Technical Report A016-Rationales, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, March 1993.
[39] Jou (Y.F.), Gong (F.), Sargor (C.), Wu (S.F.), Cleaveland (W.R.), Architecture design of a scalable intrusion detection system for the emerging network infrastructure, Technical report CDRL A005, MCNC Information Technologies Division, Research Triangle Park, NC 27709, April 1997.
[40] Kim (G.H.), Spafford (E.H.), The design and implementation of Tripwire: A file system integrity checker, in Jacques Stern, editor, 2nd ACM Conference on Computer and Communications Security, pp. 18–29, COAST, Purdue, ACM Press, November 1994.
[41] Kumar (S.), Spafford (E.), A pattern matching model for misuse intrusion detection, in Proceedings of the 17th National Computer Security Conference, pp. 11–21, October 1994.
[42] L0pht Heavy Industries, Inc., What is packet sniffing, 1999.
[43] Landwehr (C.E.), Bull (A.H.), McDermott (J.H.), Choi (W.S.), A taxonomy of computer program security flaws, ACM Computing Surveys, 26(3): pp. 211–254, September 1994.
[44] Liepins (G.), Vaccaro (H.S.), Anomaly detection: Purpose and framework, in Proceedings of the 12th National Computer Security Conference, pp. 495–504, October 1989.
[45] Lunt (T.), Jagannathan (R.), A prototype real-time intrusion-detection expert system, in Proceedings of the 1988 Symposium on Security and Privacy, pp. 59–66, Oakland, CA, April 1988.
[46] Lunt (T.F.), Automated audit trail analysis and intrusion detection: A survey, in Proceedings of the 11th National Computer Security Conference, Baltimore, MD, October 1988.
[47] Lunt (T.F.), A survey of intrusion detection techniques, Computers & Security, 12(4): pp. 405–418, June 1993.
[48] Lunt (T.F.), Jagannathan (R.), Lee (R.), Listgarten (S.), Edwards (L.D.), Neumann (P.G.), Valdes (A.), IDES: The enhanced prototype - a real-time intrusion-detection expert system, Technical Report SRI-CSL-88-12, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, October 1988.
[49] McAuliffe (N.), Wolcott (D.), Schaefer (L.), Kelem (N.), Hubbard (B.), Haley (T.), Is your computer being misused? A survey of current intrusion detection system technology, in Proceedings of the Sixth Annual Computer Security Applications Conference, pp. 260–272, Tucson, AZ, IEEE Computer Society Press, Los Alamitos, CA, December 1990.
[50] Mounji (A.), Languages and tools for rule-based distributed intrusion detection, Doctor of Science thesis, Facultés Universitaires Notre-Dame de la Paix, Namur, Belgium, September 1997.
[51] Network Associates Inc., CyberCop Scanner, available from the company's website at default.asp, 1998.
[52] Network Associates Inc., CyberCop Server, available from the company's website at, asp, 1998.
[53] Paxson (V.), Bro: A system for detecting network intruders in real-time, in Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.
[54] Porras (P.), Kemmerer (R.), Penetration state transition analysis - a rule-based intrusion detection approach, in Proceedings of the Eighth Annual Computer Security Applications Conference, pp. 220–229, San Antonio, TX, IEEE Computer Society Press, November 30–December 4, 1992.
[55] Porras (P.A.), Valdes (A.), Live traffic analysis of TCP/IP gateways, in Proceedings of the 1998 ISOC Symposium on Network and Distributed System Security (NDSS'98), San Diego, CA, Internet Society, March 1998.
[56] Price (K.E.), Host-based misuse detection and conventional operating systems' audit data collection, Master of Science thesis, Purdue University, West Lafayette, IN, December 1997.
[57] Ptacek (H.T.), Newsham (N.T.), Insertion, evasion, and denial of service: Eluding network intrusion detection, Technical report, Secure Networks, Inc., Suite 330, 1201 5th Street S.W., Calgary, Alberta, Canada, T2R-0Y6, January 1998.
[58] Puldy (M.), Lessons learned in the implementation of a multi-location network based real time intrusion detection system, in Proceedings of RAID 98, Workshop on Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium, September 1998.
[59] Ranum (M.J.), Landfield (K.), Stolarchuk (M.), Sienkiewicz (M.), Lambeth (A.), Wall (E.), Implementing a generalized tool for network monitoring, in Proceedings of the Eleventh Systems Administration Conference (LISA '97), San Diego, CA, October 1997.
[60] Rolin (P.), Toutain (L.), Gombault (S.), Network security probe, in CCS '94, Proceedings of the 2nd ACM Conference on Computer and Communication Security, pp. 229–240, November 1994.
[61] Safford (D.R.), Schales (D.L.), Hess (D.K.), The TAMU security package: An ongoing response to Internet intruders in an academic environment, in Proceedings of the Fourth USENIX Security Symposium, pp. 91–118, Santa Clara, CA, October 1993.
[62] Sarle (W.S.), Neural networks and statistical models, in Proceedings of the Nineteenth Annual SAS Users Group International Conference, pp. 1538–1550, Cary, NC, SAS Institute, April 1994.
[63] Secure Networks, Inc., Ballista security auditing system, Internet, 1997.
[64] Smaha (S.), Haystack: An intrusion detection system, in Fourth Aerospace Computer Security Applications Conference, pp. 37–44, October 1988.
[65] Snapp (S.R.), Brentano (J.), Dias (G.V.), Goan (T.L.), Heberlein (L.T.), Ho (C.L.), Levitt (K.N.), Mukherjee (B.), Smaha (S.E.), Grance (T.), Teal (D.M.), Mansur (D.), DIDS (distributed intrusion detection system) - motivation, architecture, and an early prototype, in Proceedings of the 14th National Computer Security Conference, pp. 167–176, Washington, DC, October 1991.
[66] Sobirey (M.), Intrusion detection system bibliography, Internet, work in progress, March 1998.
[67] Spirakis (P.), Katsikas (S.), Gritzalis (D.), Allègre (F.), Darzentas (J.), Gigante (C.), Karagiannis (D.), Kess (P.), Putkonen (H.), Spyrou (T.), SECURENET: A network-oriented intelligent intrusion prevention and detection system, Network Security Journal, 1(1), November 1994.
[68] Spyrou (T.), Darzentas (J.), Intention modelling: Approximating computer user intentions for detection and prediction of intrusions, in S.K. Katsikas and D. Gritzalis, editors, Information Systems Security, pp. 319–335, Samos, Greece, Chapman & Hall, May 1996.
[69] Staniford-Chen (S.), Cheung (S.), Crawford (R.), Dilger (M.), Frank (J.), Hoagland (J.), Levitt (K.), Wee (C.), Yip (R.), Zerkle (D.), GrIDS - a graph-based intrusion detection system for large networks, in Proceedings of the 19th National Information Systems Security Conference, 1996.
[70] Staniford-Chen (S.), Tung (B.), Porras (P.), Kahn (C.), Schnackenberg (D.), Feiertag (R.), Stillman (M.), The common intrusion detection framework - data formats, Internet draft draft-ietf-cidf-data-formats-00.txt, work in progress, March 1998.
[71] U.S. Department of Defense, Trusted computer systems evaluation criteria, August 1983.
[72] Vaccaro (H.S.), Liepins (G.E.), Detection of anomalous computer session activity, in Proceedings of the 1989 IEEE Symposium on Research in Security and Privacy, pp. 280–289, 1989.
[73] Vincenzetti (D.), Cotrozzi (M.), ATP - anti tampering program, in Proceedings of the Fourth USENIX Security Symposium, pp. 79–89, Santa Clara, CA, October 1993.

Copyright information

© Springer-Verlag 2000

Authors and Affiliations

  1. IBM Research Division, Zurich Research Laboratory, Rüschlikon, Switzerland
