A new taxonomy for comparing intrusion detection systems
- 6 February 2007
- journal article
- Published by Emerald in Internet Research
- Vol. 17 (1), 88-98
- https://doi.org/10.1108/10662240710730515
Abstract
Purpose – The purpose of this paper is to propose a new taxonomy for intrusion detection systems as a way of generating further research topics focussed on improving intrusion system performance.

Design/methodology/approach – The paper shows that intrusion systems are characterised by the type of output they are capable of producing, from intrusion/non-intrusion declarations through to intrusion plan determination. The output type is combined with the data scale used to undertake the intrusion determination, to produce a two-dimensional intrusion matrix.

Findings – The paper finds that different approaches to intrusion detection can produce different footprints on the intrusion matrix. Qualitative comparison of systems can be undertaken by examining the area covered within the footprint and the footprint overlap between systems. Quantitative comparison can be achieved in the areas of overlap.

Research limitations/implications – The paper shows that the comparison of systems based on their footprint on the intrusion matrix may allow a deeper understanding of the limits of performance to be developed. The separation of what was previously understood as “detection” into the three areas of Detection, Recognition and Identification may provide further impetus for the development of a theoretical framework for intrusion systems.

Practical implications – The paper shows that the intrusion matrix can be divided into areas in which arbitrarily high performance is relatively easily achievable. Other areas within the matrix, such as the Prosecution and Enterprise regions, present significant practical difficulties and therefore are opportunities for further research.

Originality/value – The use of a taxonomy based on the type of output produced by an intrusion system is new to this paper, as is the combination with data scale to produce an intrusion matrix. The recognition that the network data scale should also be split to differentiate trusted and untrusted networks is new and presents challenging opportunities for further research topics.