{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T11:58:00Z","timestamp":1775044680984,"version":"3.50.1"},"reference-count":66,"publisher":"Elsevier BV","issue":"8","license":[{"start":{"date-parts":[[1999,4,1]],"date-time":"1999-04-01T00:00:00Z","timestamp":922924800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computer Networks"],"published-print":{"date-parts":[[1999,4]]},"DOI":"10.1016\/s1389-1286(98)00017-6","type":"journal-article","created":{"date-parts":[[2002,7,25]],"date-time":"2002-07-25T12:08:22Z","timestamp":1027598902000},"page":"805-822","source":"Crossref","is-referenced-by-count":446,"title":["Towards a taxonomy of intrusion-detection systems"],"prefix":"10.1016","volume":"31","author":[{"given":"Herv\u00e9","family":"Debar","sequence":"first","affiliation":[]},{"given":"Marc","family":"Dacier","sequence":"additional","affiliation":[]},{"given":"Andreas","family":"Wespi","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/S1389-1286(98)00017-6_BIB1","doi-asserted-by":"crossref","unstructured":"S.M. Bellovin, W.R. Cheswick, Network firewalls, IEEE Communications Magazine 32 (9) (1994) 50\u201357.","DOI":"10.1109\/35.312843"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB2","unstructured":"J. Cannady, J. Harrell, A comparative analysis of current intrusion detection technologies, Proc. 4th Technology for Information Security Conf. (TISC'96), Houston, TX, May 1996."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB3","unstructured":"CERT Coordination Center, Denial-of-service attack via ping, available by anonymous ftp from ftp.cert.org, December 1986."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB4","doi-asserted-by":"crossref","unstructured":"CERT Coordination Center, Syslog vulnerability \u2013 a workaround for sendmail, available by anonymous ftp from ftp.cert.org, October 1995.","DOI":"10.1016\/1353-4858(95)90258-9"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB5","unstructured":"W.R. Cheswick, S.M. Bellovin, Firewalls and Internet Security \u2013 Repelling the Wily Hacker, Professional Computing Series, Addison-Wesley, Reading, MA, 1994."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB6","unstructured":"Cisco Systems Inc, NetRanger \u2013 enterprise-scale, real-time, network intrusion detection system, available from the company's website at http:\/\/www.cisco.com\/warp\/public\/751\/netranger\/netra_ds.htm, 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB7","doi-asserted-by":"crossref","unstructured":"H. Debar, M. Becker, D. Siboni, A neural network component for an intrusion detection system, Proc. 1992 IEEE Computer Society Symp. on Research in Security and Privacy Oakland, CA, May 1992, pp. 240\u2013250.","DOI":"10.1109\/RISP.1992.213257"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB8","doi-asserted-by":"crossref","unstructured":"H. Debar, M. Dacier, A. Wespi, Fixed versus variable-length patterns for detecting suspicious process behavior, Technical Report RZ 3012, IBM Zurich Research Laboratory, S\u00e4umerstrasse 4, CH-8803 R\u00fcschlikon, Switzerland, April 1998, submitted to Esorics'98.","DOI":"10.1007\/BFb0055852"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB9","unstructured":"H. Debar, M. Dacier, A. Wespi, Reference audit information generation for intrusion detection systems, in: R. Posch, G. Papp (Eds.), Proc. 14th International Information Security Conference IFIP SEC'98, Chapman and Hall, Vienna, Austria and Budapest, Hungaria, August 31\u2013September 4, 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB10","doi-asserted-by":"crossref","unstructured":"D. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering 13 (2) (1987) 222\u2013232.","DOI":"10.1109\/TSE.1987.232894"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB11","unstructured":"D.E. Denning, P.G. Neumann, Requirements and model for IDES \u2013 a real-time intrusion detection expert system, Technical report, Computer Science Laboratory, SRI International, Menlo Park, CA, 1985."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB12","unstructured":"C. Dowell, P. Ramstedt, The ComputerWatch data reduction tool, Proc. 13th National Computer Security Conf., Washington, DC, October 1990, pp. 99\u2013108."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB13","unstructured":"M. Esmaili, R. Safavi-Naini, J. Pieprzyk, Computer intrusion detection: a comparative survey, Technical Report 95-07, Center for Computer Security Research, University of Wollongong, Wollongong, NSW 2522, Australia, May 1995."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB14","unstructured":"D. Farmer, Cops overview, available from http:\/\/www.trouble.org\/cops\/overview.html, May 1993."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB15","unstructured":"D. Farmer, W. Venema, Improving the security of your site by breaking into it, available at http:\/\/www.trouble.org\/security\/admin-guide-to-cracking.html, 1993, Internet white paper."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB16","doi-asserted-by":"crossref","unstructured":"D. Farmer, E. Spafford, The cops security checker system, Proc. Summer USENIX Conf., Anaheim, CA, June 1990, pp. 165\u2013170.","DOI":"10.1016\/0921-4534(90)90163-9"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB17","doi-asserted-by":"crossref","unstructured":"S. Forrest, S.A. Hofmeyr, A. Somayaji, Computer immunology, Communications of the ACM 40 (10) (October 1997) 88\u201396.","DOI":"10.1145\/262793.262811"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB18","unstructured":"J. Frank, Artificial intelligence and intrusion detection: current and future directions, Proc. 17th Nat. Computer Security Conf. , Baltimore, MD, October 1994."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB19","doi-asserted-by":"crossref","unstructured":"P. Gallinari, S. Thiria, F. Fogelman-Soulie, Multilayer perceptrons and data analysis, Proc. IEEE Annual Int. Conf. on Neural Networks (ICNN88), Vol. I, San Diego, CA, July 1988, pp. 391\u2013399.","DOI":"10.1109\/ICNN.1988.23871"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB20","unstructured":"T. Garvey, T. Lunt, Model-based intrusion detection, Proc. 14th National Computer Security Conf., October 1991, pp. 372\u2013385."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB21","doi-asserted-by":"crossref","unstructured":"N. Habra, B. Le Charlier, A. Mounji, I. Mathieu, Asax: software architecture and rule-based language for universal audit trail analysis, in: Y. Deswarte, G. Eizenberg, J.-J. Quisquater (Eds.), Proc. 2nd European Symp. on Research in Computer Security (ESORICS), Toulouse, Berlin, Lecture Notes in Computer Science, vol. 648, Springer, Berlin, November 1992.","DOI":"10.1007\/BFb0013912"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB22","unstructured":"S.E. Hansen, E.T. Atkins, Automated system monitoring and notification with swatch, Proc. 7th Systems Administration Conf. (LISA'93), Monterey, CA, November 1993."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB23","unstructured":"Haystack Labs, Inc.Stalker, available from the company's website at http:\/\/www.haystack.com\/stalk.htm, 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB24","doi-asserted-by":"crossref","unstructured":"L.T. Heberlein, G.V. Dias, K.N. Levitt, B. Mukherjee, J. Wood, D. Wolber, A network security monitor, Proc. Symp. on Research in Security and Privacy, IEEE Computer Society Press, Los Alamitos, CA, Oakland, CA, May 1990, pp. 296\u2013304.","DOI":"10.1109\/RISP.1990.63859"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB25","doi-asserted-by":"crossref","unstructured":"P. Helman, G. Liepins, Statistical foundations of audit trail analysis for the detection of computer misuse, IEEE Transactions on Software Engineering 19 (9) (September 1993) 886\u2013901.","DOI":"10.1109\/32.241771"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB26","doi-asserted-by":"crossref","unstructured":"P. Helman, G. Liepins, W. Richards, Foundations of intrusion detection, Proc. 5th Computer Security Foundations Workshop Franconic, NH, June 1992, pp. 114\u2013120.","DOI":"10.1109\/CSFW.1992.236783"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB27","doi-asserted-by":"crossref","unstructured":"K. Ilgun, Ustat: a real-time intrusion detection system for Unix, Proc. IEEE Symp. on Research in Security and Privacy Oakland, CA, May 1993, pp. 16\u201328.","DOI":"10.1109\/RISP.1993.287646"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB28","unstructured":"Internet Security Systems, Inc.RealSecure, Internet http:\/\/www.iss.net\/prod\/rsds.html, 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB29","unstructured":"K. Jackson, D. DuBois, C. Stallings, An expert system application for network intrusion detection, Proc. 14th National Computer Security Conf., November 1991, pp. 215\u2013225."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB30","unstructured":"R. Jagannathan, T. Lunt, D. Anderson, C. Dodd, F. Gilham, C. Jalali, H. Javitz, P. Neumann, A. Tamaru, A. Valdes, System design document: Next-generation intrusion detection expert system (NIDES), Technical Report A007\/A008\/A009\/A011\/A012\/A014, SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025, March 1993."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB31","doi-asserted-by":"crossref","unstructured":"H. Javitz, A. Valdes, The SRI IDES statistical anomaly detector, Proc. IEEE Symp. on Research in Security and Privacy, May 1991, pp. 316\u2013326.","DOI":"10.1109\/RISP.1991.130799"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB32","unstructured":"H.S. Javitz, A. Valdez, T.F. Lunt, A. Tamaru, M. Tyson, J. Lowrance, Next generation intrusion detection expert system (NIDES). 1. Statistical algorithms rationale. 2. Rationale for proposed resolver, Technical Report A016 Rationales, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, March 1993."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB33","unstructured":"Y.F. Jou, F. Gong, C. Sargor, S.F. Wu, W.R. Cleaveland, Architecture design of a scalable intrusion detection system for the emerging network infrastructure, Technical Report CDRL A005, MCNC Information Technologies Division, Research Triangle Park, NC 27709, April 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB34","doi-asserted-by":"crossref","unstructured":"G.H. Kim, E.H. Spafford, The design and implementation of tripwire: A file system integrity checker, in: J. Stern (Ed.), 2nd ACM Conf. on Computer and Communications Security, ACM Press, COAST, Purdue, November 1994, pp. 18\u201329.","DOI":"10.1145\/191177.191183"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB35","unstructured":"S. Kumar, E. Spafford, A pattern matching model for misuse intrusion detection, Proc. 17th National Computer Security Conf. October 1994, pp. 11\u201321."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB36","doi-asserted-by":"crossref","unstructured":"C.E. Landwehr, A.R. Bull, J.P. McDermott, W.S. Choi, A taxonomy of computer program security flaws, ACM Computing Surveys 26 (3) (September 1994) 211\u2013254.","DOI":"10.1145\/185403.185412"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB37","unstructured":"G. Liepins, H.S. Vaccaro, Anomaly detection: purpose and framework, Proc. 12th National Computer Security Conf., October 1989, pp. 495\u2013504."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB38","doi-asserted-by":"crossref","unstructured":"T. Lunt, R. Jagannathan, A prototype real-time intrusion-detection expert system, Proc. Symp. on Security and Privacy, Oakland, CA, April 1988, pp. 59\u201366.","DOI":"10.1109\/SECPRI.1988.8098"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB39","doi-asserted-by":"crossref","unstructured":"T.F. Lunt, Automated audit trail analysis and intrusion detection: a survey, Proc. 11th National Computer Security Conf., Baltimore, MD, October 1988.","DOI":"10.1016\/0167-4048(92)90256-Q"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB40","doi-asserted-by":"crossref","unstructured":"T.F. Lunt, A survey of intrusion detection techniques, Computers & Security 12 (4) (June 1993) 405\u2013418.","DOI":"10.1016\/0167-4048(93)90029-5"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB41","unstructured":"T.F. Lunt, R. Jagannathan, R. Lee, S. Listgarten, D.L. Edwards, P.G. Neumann, H.S. Javitz, A. Valdes, IDES: The enhanced prototype \u2013 a real-time intrusion-detection expert system, Technical Report SRI-CSL-88-12, SRI International, 333 Ravenswood Avenue, Menlo Park, CA, October 1988."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB42","doi-asserted-by":"crossref","unstructured":"N. McAuliffe, D. Wolcott, L. Schaefer, N. Kelem, B. Hubbard, T. Haley, Is your computer being misused? a survey of current intrusion detection system technology, Proc. 6th Annual Computer Security Applications Conf., Tucson, AZ, IEEE Computer Society Press, Los Alamitos, CA, December 1990, pp. 260\u2013272.","DOI":"10.1109\/CSAC.1990.143785"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB43","unstructured":"A. Mounji, languages and tools for rule-based distributed intrusion detection, Doctor of science, Facult\u00e9s Universitaires Notre Dame de la Paix, Namur, Belgium, September 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB44","unstructured":"Network Associates Inc., Cybercop scanner, available from the company's website at http:\/\/www.nai.com\/products\/security\/ballista\/default.asp, 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB45","unstructured":"Network Associates Inc., Cybercop server, available from the company's website at http:\/\/www.nai.com\/products\/security\/cybercopsvr\/index.asp, 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB46","unstructured":"V. Paxson, Bro: a system for detecting network intruders in real-time, Proc. 7th USENIX Security Symp., San Antonio, TX, January 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB47","doi-asserted-by":"crossref","unstructured":"P. Porras, R. Kemmerer, Penetration state transition analysis \u2013 a rule-based intrusion detection approach, Proc. 8th Annual Computer Security Applications Conf., November 1992, pp. 220\u2013229.","DOI":"10.1109\/CSAC.1992.228217"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB48","unstructured":"P.A. Porras, A. Valdes, Live traffic analysis of tcp\/ip gateways, Proc. ISOC Symp. on Network and Distributed System Security (NDSS'98), San Diego, CA, March 1998 (Internet Society)."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB49","unstructured":"K.E. Price, Host-based misuse detection and conventional operating systems' audit data collection, Master of science, Purdue University, Purdue, IN, December 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB50","unstructured":"T.H. Ptacek, T.N. Newsham, Insertion, evasion, and denial of service: eluding network intrusion detection, Technical Report, Secure Networks, Inc., Suite 330, 1201 5th Street S. W, Calgary, Alberta, Canada, T2R-0Y6, January 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB51","unstructured":"M.J. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth, E. Wall, Implementing a generalized tool for network monitoring, Proc. 11th Systems Administration Conf. (LISA'97), San Diego, CA, October 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB52","doi-asserted-by":"crossref","unstructured":"P. Rolin, L. Toutain, S. Gombault, Network security probe, CCS'94, Proc. 2nd ACM Conf. on Computer and Communication Security, November 1994, pp. 229\u2013240.","DOI":"10.1145\/191177.191235"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB53","unstructured":"D.R. Safford, D.L. Schales, D.K. Hess, The tamu security package: an ongoing response to internet intruders in an academic environment, Proc. 4th USENIX Security Symp, Santa Clara, CA, October 1993, pp. 91\u2013118."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB54","unstructured":"W.S. Sarle, Neural networks and statistical models, Proc. 19th Annual SAS Users Group Int. Conf., Cary, NC, April 1994, pp. 1538\u20131550."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB55","unstructured":"Secure Networks, Inc. Ballista security auditing system, available from the company's website at http:\/\/www.securenetworks.com\/ballista\/ballista.html, 1997."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB56","doi-asserted-by":"crossref","unstructured":"S. Smaha, Haystack: an intrusion detection system, 4th Aerospace Computer Security Applications Conf., October 1988, pp. 37\u201344.","DOI":"10.1109\/ACSAC.1988.113412"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB57","unstructured":"S.R. Snapp, J. Brentano, G.V. Dias, T.L. Goan, L.T. Heberlein, C.l. Ho, K.N. Levitt, B. Mukherjee, S.E. Smaha, T. Grance, D.M. Teal, D. Mansur, DIDS (distributed intrusion detection system) \u2013 motivation, architecture, and an early prototype, Proc. 14th National Computer Security Conf., Washington, DC, October 1991, pp. 167\u2013176."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB58","doi-asserted-by":"crossref","unstructured":"M. Sobirey, Intrusion detection system bibliography, Internet: http:\/\/www-rnks.informatik.tu-cottbus.de\/ sobirey\/ids.html, March 1998.","DOI":"10.1007\/978-3-322-86850-3_3"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB59","unstructured":"P. Spirakis, S. Katsikas, D. Gritzalis, F. Allegre, J. Darzentas, C. Gigante, D. Karagiannis, P. Kess, H. Putkonen, T. Spyrou, SECURENET: a network-oriented intelligent intrusion prevention and detection system, Network Security Journal 1 (1) (1994)."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB60","doi-asserted-by":"crossref","unstructured":"T. Spyrou, J. Darzentas, Intention modelling: approximating computer user intentions for detection and prediction of intrusions, in: S.K. Katsikas, D. Gritzalis (Eds.), Information Systems Security, Samos, Greece, May 1996, pp. 319\u2013335.","DOI":"10.1007\/978-1-5041-2919-0_28"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB61","unstructured":"S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle, GrIDS \u2013 a graph based intrusion detection system for large networks, Proc. 19th National Information Systems Security Conf., 1996."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB62","unstructured":"S. Staniford-Chen, B. Tung, P. Porras, C. Kahn, D. Schnackenberg, R. Feiertag, M. Stillman, The Common Intrusion Detection Framework-data Formats, Internet draft draft-ietf-cidf-data-formats-00.txt, March 1998."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB63","unstructured":"U.S. Department of Defense, Trusted computer systems evaluation criteria, August 1983."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB64","doi-asserted-by":"crossref","unstructured":"H.S. Vaccaro, G.E. Liepins, Detection of anomalous computer session activity, Proc. IEEE Symp. on Research in Security and Privacy, 1989, pp. 280\u2013289.","DOI":"10.1109\/SECPRI.1989.36302"},{"key":"10.1016\/S1389-1286(98)00017-6_BIB65","unstructured":"D. Vincenzetti, M. Cotrozzi, Atp \u2013 anti tampering program, Proc. 4th USENIX Security Symp., Santa Clara, CA, October 1993, pp. 79-9."},{"key":"10.1016\/S1389-1286(98)00017-6_BIB66","unstructured":"WheelGroup Corporation, Brochure of the netranger intrusion detection system, available from the company's website at http:\/\/www.wheelgroup.com\/netrangr\/netranger_broch.html."}],"container-title":["Computer Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S1389128698000176?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S1389128698000176?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2024,12,3]],"date-time":"2024-12-03T20:02:54Z","timestamp":1733256174000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S1389128698000176"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[1999,4]]},"references-count":66,"journal-issue":{"issue":"8","published-print":{"date-parts":[[1999,4]]}},"alternative-id":["S1389128698000176"],"URL":"https:\/\/doi.org\/10.1016\/s1389-1286(98)00017-6","relation":{},"ISSN":["1389-1286"],"issn-type":[{"value":"1389-1286","type":"print"}],"subject":[],"published":{"date-parts":[[1999,4]]}}}