Intrusion-detection systems aim at detecting attacks against computer systems and networks or, in general, against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect the appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper [Computer Networks 31, 805-822 (1999)], we introduced a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.