
A revised taxonomy for intrusion-detection systems

Une taxonomie révisée pour les outils de détection d'intrusions

Annales des Télécommunications

Abstract

Intrusion-detection systems aim at detecting attacks against computer systems and networks, or in general against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect the appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper [Computer Networks 31, 805–822 (1999)], we introduced a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.

Summary

Intrusion-detection systems aim to detect attacks against computer systems and networks, and in general against information systems. It is difficult today to build information systems whose security is guaranteed and to keep them at that level of security throughout their operation. This is why intrusion-detection systems have the role of monitoring information systems to detect the appearance or the exploitation of security flaws. This article, which follows an earlier article [Computer Networks 31, 805–822 (1999)], introduces a taxonomy of intrusion-detection systems illustrating the different facets of the field and extends this taxonomy to other aspects of information-system monitoring, such as vulnerability analysis.


References

  1. Almgren (M.), Debar (H.), Dacier (M.), A lightweight tool for detecting web server attacks, in Symposium on Network and Distributed Systems Security (NDSS '00), pp. 157–170, San Diego, CA, February 2000, Internet Society.

  2. Anderson (T.), Avizienis (A.), Carter (W.C.), Costes (A.), Cristian (F.), Koga (Y.), Kopetz (H.), Lala (J.H.), Laprie (J.C.), Meyer (J.F.), Randell (B.), Robinson (A.S.), Simoncini (L.), Voges (U.), Dependability: Basic Concepts and Terminology, Dependable Computing and Fault Tolerance, Springer-Verlag, Berlin, Germany, 1992.

  3. Bellovin (S.M.), Cheswick (W.R.), Network firewalls, IEEE Communications Magazine, 32(9): pp. 50–57, September 1994.

  4. Cannady (J.), Harrel (J.), A comparative analysis of current intrusion detection technologies, in Proceedings of the Fourth Technology for Information Security Conference '96 (TISC'96), Houston, TX, May 1996.

  5. Syslog vulnerability – a workaround for sendmail, CERT Coordination Center, available by anonymous ftp from ftp.cert.org, October 1995.

  6. Cheswick (W.R.), Bellovin (S.M.), Firewalls and Internet Security – Repelling the Wily Hacker, Professional Computing Series, Addison-Wesley, ISBN 0-201-63357-4, 1994.

  7. Cisco Systems Inc., NetRanger – Enterprise-scale, Real-time, Network Intrusion Detection System, http://www.cisco.com/, 1998.

  8. Debar (H.), Becker (M.), Siboni (D.), Hyperview: An intelligent security supervisor, in Proceedings of the Second International Conference on Intelligence in Networks, Bordeaux, France, March 1992.

  9. Debar (H.), Becker (M.), Siboni (D.), A neural network component for an intrusion detection system, in Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 240–250, Oakland, CA, May 1992.

  10. Debar (H.), Dacier (M.), Nassehi (M.), Wespi (A.), Fixed vs variable-length patterns for detecting suspicious process behavior, in Jean-Jacques Quisquater, Yves Deswarte, Catherine Meadows, and Dieter Gollmann, editors, Computer Security – ESORICS 98, 5th European Symposium on Research in Computer Security, volume 1485 of LNCS, pp. 1–15, Louvain-la-Neuve, Belgium, Springer-Verlag, September 1998.

  11. Debar (H.), Dacier (M.), Wespi (A.), Reference audit information generation for intrusion detection systems, in Reinhard Posch and Gyorgy Papp, editors, Information Systems Security, Proceedings of the 14th International Information Security Conference IFIP SEC98, pp. 405–417, Vienna, Austria and Budapest, Hungary, August 31–September 4, 1998.

  12. Debar (H.), Dacier (M.), Wespi (A.), Towards a taxonomy of intrusion detection systems, Computer Networks, 31(8): pp. 805–822, Special issue on Computer Network Security, April 1999.

  13. Denning (D.E.), An intrusion-detection model, IEEE Transactions on Software Engineering, 13(2): pp. 222–232, 1987.

  14. Denning (D.E.), Neumann (P.G.), Requirements and model for IDES – a real-time intrusion detection expert system, Technical report, Computer Science Laboratory, SRI International, Menlo Park, CA, 1985.

  15. Deraison (R.), The Nessus project, http://www.nessus.org/documentation.html, 1999.

  16. Dowell (C.), Ramstedt (P.), The ComputerWatch data reduction tool, in Proceedings of the 13th National Computer Security Conference, pp. 99–108, Washington, DC, October 1990.

  17. Esmaili (M.), Safavi-Naini (R.), Pieprzyk (J.), Computer intrusion detection: A comparative survey, Technical Report 95-07, Center for Computer Security Research, University of Wollongong, Wollongong, NSW 2522, Australia, May 1995.

  18. Farmer (D.), COPS overview, available from http://www.trouble.org/cops/overview.html, May 1993.

  19. Farmer (D.), Venema (W.), Improving the security of your site by breaking into it, available at http://www.trouble.org/security/admin-guide-to-cracking.html, Internet white paper, 1993.

  20. Farmer (D.), Spafford (E.H.), The COPS security checker system, in Proceedings of the Summer USENIX Conference, pp. 165–170, Anaheim, CA, June 1990.

  21. Forrest (S.), Hofmeyr (S.A.), Somayaji (A.), Computer immunology, Communications of the ACM, 40(10): pp. 88–96, October 1997.

  22. Frank (J.), Artificial intelligence and intrusion detection: Current and future directions, in Proceedings of the 17th National Computer Security Conference, Baltimore, MD, October 1994.

  23. Gallinari (P.), Thiria (S.), Fogelman-Soulie (F.), Multilayer perceptrons and data analysis, in Proceedings of the IEEE Annual International Conference on Neural Networks (ICNN88), volume I, pp. 391–399, San Diego, CA, July 1988.

  24. Garvey (T.), Lunt (T.), Model-based intrusion detection, in Proceedings of the 14th National Computer Security Conference, pp. 372–385, October 1991.

  25. Grundschober (S.), Design and implementation of a sniffer detector, in Proceedings of RAID 98, Workshop on Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium, September 1998.

  26. Habra (N.), Le Charlier (B.), Mounji (A.), Mathieu (I.), ASAX: Software architecture and rule-based language for universal audit trail analysis, in Y. Deswarte, G. Eizenberg, and J.-J. Quisquater, editors, Proceedings of the Second European Symposium on Research in Computer Security (ESORICS), volume 648 of Lecture Notes in Computer Science, Toulouse, France, November 1992, Springer-Verlag, Berlin, Germany.

  27. Hansen (S.E.), Atkins (E.T.), Automated system monitoring and notification with swatch, in Proceedings of the Seventh Systems Administration Conference (LISA '93), Monterey, CA, November 1993.

  28. Haystack Labs, Inc., Stalker, http://www.haystack.com/stalk.htm, 1997.

  29. Heberlein (L.T.), Dias (G.V.), Levitt (K.N.), Mukherjee (B.), Wood (J.), Wolber (D.), A network security monitor, in Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pp. 296–304, Oakland, CA, IEEE Computer Society Press, Los Alamitos, CA, May 1990.

  30. Helman (P.), Liepins (G.), Statistical foundations of audit trail analysis for the detection of computer misuse, IEEE Transactions on Software Engineering, 19(9): pp. 886–901, September 1993.

  31. Helman (P.), Liepins (G.), Richards (W.), Foundations of intrusion detection, in Proceedings of the Fifth Computer Security Foundations Workshop, pp. 114–120, Franconia, NH, June 1992.

  32. Ilgun (K.), USTAT: A real-time intrusion detection system for Unix, in Proceedings of the 1993 IEEE Symposium on Research in Security and Privacy, pp. 16–28, Oakland, CA, May 1993.

  33. Internet Security Systems, Inc., RealSecure, http://www.iss.net/prod/rsds.html, 1997.

  34. Jackson (K.), Intrusion detection system product survey, Research report LA-UR-99-3883, Los Alamos National Laboratory, June 1999.

  35. Jackson (K.), DuBois (D.), Stallings (C.), An expert system application for network intrusion detection, in Proceedings of the 14th National Computer Security Conference, pp. 215–225, November 1991.

  36. Lunt (T.F.), Jagannathan (R.), Anderson (D.), Dodd (C.), Gilham (F.), Jalali (C.), Javitz (H.), Neumann (P.), Tamaru (A.), Valdes (A.), System design document: Next-generation intrusion detection expert system (NIDES), Technical Report A007/A008/A009/A011/A012/A014, SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025, March 1993.

  37. Javitz (H.S.), Valdes (A.), The SRI IDES statistical anomaly detector, in Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 316–326, May 1991.

  38. Javitz (H.S.), Valdes (A.), Lunt (T.F.), Tamaru (A.), Tyson (M.), Lowrance (J.), Next generation intrusion detection expert system (NIDES) – 1. Statistical algorithms rationale – 2. Rationale for proposed resolver, Technical Report A016-Rationales, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, March 1993.

  39. Jou (Y.F.), Gong (F.), Sargor (C.), Wu (S.F.), Cleaveland (W.R.), Architecture design of a scalable intrusion detection system for the emerging network infrastructure, Technical report CDRL A005, MCNC Information Technologies Division, Research Triangle Park, NC 27709, April 1997.

  40. Kim (G.H.), Spafford (E.H.), The design and implementation of Tripwire: A file system integrity checker, in Jacques Stern, editor, 2nd ACM Conference on Computer and Communications Security, pp. 18–29, COAST, Purdue, ACM Press, November 1994.

  41. Kumar (S.), Spafford (E.), A pattern matching model for misuse intrusion detection, in Proceedings of the 17th National Computer Security Conference, pp. 11–21, October 1994.

  42. L0pht Heavy Industries, Inc., What is packet sniffing, http://www.l0pht.com/antisniff/overview.html, 1999.

  43. Landwehr (C.E.), Bull (A.R.), McDermott (J.P.), Choi (W.S.), A taxonomy of computer program security flaws, ACM Computing Surveys, 26(3): pp. 211–254, September 1994.

  44. Liepins (G.), Vaccaro (H.S.), Anomaly detection: Purpose and framework, in Proceedings of the 12th National Computer Security Conference, pp. 495–504, October 1989.

  45. Lunt (T.), Jagannathan (R.), A prototype real-time intrusion-detection expert system, in Proceedings of the 1988 Symposium on Security and Privacy, pp. 59–66, Oakland, CA, April 1988.

  46. Lunt (T.F.), Automated audit trail analysis and intrusion detection: A survey, in Proceedings of the 11th National Computer Security Conference, Baltimore, MD, October 1988.

  47. Lunt (T.F.), A survey of intrusion detection techniques, Computers & Security, 12(4): pp. 405–418, June 1993.

  48. Lunt (T.F.), Jagannathan (R.), Lee (R.), Listgarten (S.), Edwards (D.L.), Neumann (P.G.), Valdes (A.), IDES: The enhanced prototype – a real-time intrusion-detection expert system, Technical Report SRI-CSL-88-12, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, October 1988.

  49. McAuliffe (N.), Wolcott (D.), Schaefer (L.), Kelem (N.), Hubbard (B.), Haley (T.), Is your computer being misused? A survey of current intrusion detection system technology, in Proceedings of the Sixth Annual Computer Security Applications Conference, pp. 260–272, Tucson, AZ, IEEE Computer Society Press, Los Alamitos, CA, December 1990.

  50. Mounji (A.), Languages and tools for rule-based distributed intrusion detection, Doctor of Science thesis, Facultés Universitaires Notre-Dame de la Paix, Namur, Belgium, September 1997.

  51. Network Associates Inc., CyberCop Scanner, available from the company's website at http://www.nai.com/products/security/ballista/default.asp, 1998.

  52. Network Associates Inc., CyberCop Server, available from the company's website at http://www.nai.com/products/security/cybercopsvr/index.asp, 1998.

  53. Paxson (V.), Bro: A system for detecting network intruders in real-time, in Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.

  54. Porras (P.), Kemmerer (R.), Penetration state transition analysis – a rule-based intrusion detection approach, in Proceedings of the Eighth Annual Computer Security Applications Conference, pp. 220–229, San Antonio, TX, IEEE Computer Society Press, November 30–December 4, 1992.

  55. Porras (P.A.), Valdes (A.), Live traffic analysis of TCP/IP gateways, in Proceedings of the 1998 ISOC Symposium on Network and Distributed System Security (NDSS'98), San Diego, CA, Internet Society, March 1998.

  56. Price (K.E.), Host-based misuse detection and conventional operating systems' audit data collection, Master of Science thesis, Purdue University, Purdue, IN, December 1997.

  57. Ptacek (T.H.), Newsham (T.N.), Insertion, evasion, and denial of service: Eluding network intrusion detection, Technical report, Secure Networks, Inc., Suite 330, 1201 5th Street S.W., Calgary, Alberta, Canada, T2R-0Y6, January 1998.

  58. Puldy (M.), Lessons learned in the implementation of a multi-location network based real time intrusion detection system, in Proceedings of RAID 98, Workshop on Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium, September 1998.

  59. Ranum (M.J.), Landfield (K.), Stolarchuk (M.), Sienkiewicz (M.), Lambeth (A.), Wall (E.), Implementing a generalized tool for network monitoring, in Proceedings of the Eleventh Systems Administration Conference (LISA '97), San Diego, CA, October 1997.

  60. Rolin (P.), Toutain (L.), Gombault (S.), Network security probe, in CCS '94, Proceedings of the 2nd ACM Conference on Computer and Communications Security, pp. 229–240, November 1994.

  61. Safford (D.R.), Schales (D.L.), Hess (D.K.), The TAMU security package: An ongoing response to Internet intruders in an academic environment, in Proceedings of the Fourth USENIX Security Symposium, pp. 91–118, Santa Clara, CA, October 1993.

  62. Sarle (W.S.), Neural networks and statistical models, in Proceedings of the Nineteenth Annual SAS Users Group International Conference, pp. 1538–1550, Cary, NC, SAS Institute, April 1994.

  63. Secure Networks, Inc., Ballista security auditing system, http://www.securenetworks.com/, 1997.

  64. Smaha (S.), Haystack: An intrusion detection system, in Fourth Aerospace Computer Security Applications Conference, pp. 37–44, October 1988.

  65. Snapp (S.R.), Brentano (J.), Dias (G.V.), Goan (T.L.), Heberlein (L.T.), Ho (C.), Levitt (K.N.), Mukherjee (B.), Smaha (S.E.), Grance (T.), Teal (D.M.), Mansur (D.), DIDS (distributed intrusion detection system) – motivation, architecture, and an early prototype, in Proceedings of the 14th National Computer Security Conference, pp. 167–176, Washington, DC, October 1991.

  66. Sobirey (M.), Intrusion detection system bibliography, http://www-rnks.informatik.tu-cottbus.de/sobirey/ids.html, work in progress, March 1998.

  67. Spirakis (P.), Katsikas (S.), Gritzalis (D.), Allègre (F.), Darzentas (J.), Gigante (C.), Karagiannis (D.), Kess (P.), Putkonen (H.), Spyrou (T.), SECURENET: A network-oriented intelligent intrusion prevention and detection system, Network Security Journal, 1(1), November 1994.

  68. Spyrou (T.), Darzentas (J.), Intention modelling: Approximating computer user intentions for detection and prediction of intrusions, in S.K. Katsikas and D. Gritzalis, editors, Information Systems Security, pp. 319–335, Samos, Greece, Chapman & Hall, May 1996.

  69. Staniford-Chen (S.), Cheung (S.), Crawford (R.), Dilger (M.), Frank (J.), Hoagland (J.), Levitt (K.), Wee (C.), Yip (R.), Zerkle (D.), GrIDS – a graph-based intrusion detection system for large networks, in Proceedings of the 19th National Information Systems Security Conference, 1996.

  70. Staniford-Chen (S.), Tung (B.), Porras (P.), Kahn (C.), Schnackenberg (D.), Feiertag (R.), Stillman (M.), The common intrusion detection framework – data formats, Internet draft draft-ietf-cidf-data-formats-00.txt, work in progress, March 1998.

  71. Trusted Computer System Evaluation Criteria, U.S. Department of Defense, August 1983.

  72. Vaccaro (H.S.), Liepins (G.E.), Detection of anomalous computer session activity, in Proceedings of the 1989 IEEE Symposium on Research in Security and Privacy, pp. 280–289, 1989.

  73. Vincenzetti (D.), Cotrozzi (M.), ATP – anti tampering program, in Proceedings of the Fourth USENIX Security Symposium, pp. 79–89, Santa Clara, CA, October 1993.


Author information

Correspondence to Hervé Debar, Marc Dacier or Andreas Wespi.


Cite this article

Debar, H., Dacier, M. & Wespi, A. A revised taxonomy for intrusion-detection systems. Ann. Télécommun. 55, 361–378 (2000). https://doi.org/10.1007/BF02994844
