Revised taxonomy for intrusion-detection systems

Abstract

Intrusion-detection systems aim at detecting attacks against computer systems and networks, or in general against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect apparition of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper, we introduced a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.