A new taxonomy for comparing intrusion detection systems

C.J. Tucker (University of Plymouth, Plymouth, UK, and Stochastic Systems Limited, St Austell, UK)
S.M. Furnell (University of Plymouth, Plymouth, UK)
B.V. Ghita (University of Plymouth, Plymouth, UK)
P.J. Brooke (University of Teesside, Middlesbrough, UK)

Internet Research

ISSN: 1066-2243

Article publication date: 6 February 2007

Abstract

Purpose

The purpose of this paper is to propose a new taxonomy for intrusion detection systems as a way of generating further research topics focussed on improving intrusion system performance.

Design/methodology/approach

The paper shows that intrusion systems are characterised by the type of output they are capable of producing, such as intrusion/non‐intrusion declarations, through to intrusion plan determination. The output type is combined with the data scale used to undertake the intrusion determination, to produce a two‐dimensional intrusion matrix.

Findings

The paper finds that different approaches to intrusion detection can produce different footprints on the intrusion matrix. Qualitative comparison of systems can be undertaken by examining the area covered within the footprint and the footprint overlap between systems. Quantitative comparison can be achieved in the areas of overlap.

Research limitations/implications

The paper shows that the comparison of systems based on their footprint on the intrusion matrix may allow a deeper understanding of the limits of performance to be developed. The separation of what was previously understood as “detection” into the three areas of Detection, Recognition and Identification may provide further impetus for the development of a theoretical framework for intrusion systems.

Practical implications

The paper shows that the intrusion matrix can be divided into areas in which arbitrarily high performance is relatively easily achievable. Other areas within the matrix, such as the Prosecution and Enterprise regions, present significant practical difficulties and are therefore opportunities for further research.

Originality/value

The use of a taxonomy based on the type of output produced by an intrusion system is new to this paper, as is the combination with data scale to produce an intrusion matrix. The recognition that the network data scale should also be split to differentiate trusted and untrusted networks is new and presents challenging opportunities for further research topics.

Citation

Tucker, C.J., Furnell, S.M., Ghita, B.V. and Brooke, P.J. (2007), "A new taxonomy for comparing intrusion detection systems", Internet Research, Vol. 17 No. 1, pp. 88-98. https://doi.org/10.1108/10662240710730515

Publisher

Emerald Group Publishing Limited

Copyright © 2007, Emerald Group Publishing Limited
