Consolidation and Evaluation of IDS Taxonomies

Accurate taxonomies are critical for the advancement of research fields. Taxonomies for intrusion detection systems (IDSs) are not fully agreed upon, and further lack convincing motivation of their categories. We survey and summarize previously made taxonomies for intrusion detection. Focusing on categories relevant for detection methods, we extract commonly used concepts and define three new attributes: the reference model type, the reference model generation process, and the reference model updating strategy. Using our framework, the range of previously used terms can easily be explained. We study the usefulness of these attributes with two empirical evaluations. Firstly, we use the taxonomy to create a survey of existing research IDSs, with a successful result, i.e. the IDSs are well scattered in the defined space. Secondly, we investigate whether we can reason about the detection capability based on detection method classes, as defined by our framework. We establish that different detection methods vary in their capability to detect specific attack types. The reference model type seems better suited than reference model generation process for such reasoning. However, our results are tentative and based on a relatively small number of attacks.