Brian J. d'Auriol, Ph.D.

Research Overview

Network Vertical Intrusion Model (NetVIM)

The Network Vertical Intrusion Model (NetVIM), proposed in [1], is a vertical four-layer model that allows for the identification of emergent intrusive behavior via detection and profiling of network-based attacks. NetVIM models attack profiles consisting of the components involved in the physical delivery of an attack, the computation and communication processes involved, and the states and state transitions inherent in the attack. Attack profiles allow for both forward and reverse prediction of attacks. Consider a system based on NetVIM: this system would detect suspicious activity at some point in an attack sequence, but likely after the attack has already been launched. The NetVIM system would match the detected suspicious activity to states in the attack profile, thereby also determining which attack states have already occurred or are likely to occur. The system could then scan past network or host logs for evidence of the specific activities that correspond to past states, and heighten scanning for the expected future stages of the attack. Expected advantages include better identification of network attacks together with the profiling of such attacks.

The four layers of NetVIM are as follows. The physical layer is the lowest layer and defines the components and devices necessary for an attack. The computation communication sequencing layer is the next layer and abstracts the processes that execute during an attack. The third layer is the state transition layer, which models a network-based attack in terms of states and state transitions. The conceptual representation layer is the highest layer; it provides for representation of the attack and facilitates the identification of emerging attack behavior.
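As an added illustration of the forward and reverse prediction described above (this is example code written for this page, not code from [1] or from any NetVIM implementation), the following Python sketch treats the state transition layer as a small directed graph. An observed log line is matched to a profile state; reverse prediction yields the states that must already have occurred, which are then corroborated against past log lines; forward prediction yields the states to watch for next. The attack profile, the evidence keywords standing in for the computation communication sequencing layer, and the log lines are all constructed for this example and are hypothetical.

```python
from collections import deque

# Constructed, hypothetical attack profile in the style of the NetVIM
# state-transition layer: each state lists the states that may follow it.
PROFILE = {
    "recon": ["access"],
    "access": ["escalate"],
    "escalate": ["persist", "exfiltrate"],
    "persist": ["exfiltrate"],
    "exfiltrate": [],
}

# Constructed evidence table: a log substring taken to indicate each state.
# This stands in for the processes of the computation communication
# sequencing layer; a real profile would carry richer process descriptions.
EVIDENCE = {
    "recon": "event=portscan",
    "access": "accepted password",
    "escalate": "sudo",
    "persist": "cron new job",
    "exfiltrate": "bytes_out=",
}

# Constructed sample log lines (hosts, users and paths are made up).
PAST_LOGS = [
    "2007-08-01T10:00:01 fw src=10.0.0.5 dst=10.0.0.9 event=portscan ports=22,80,443",
    "2007-08-01T10:05:12 sshd Accepted password for svc from 10.0.0.5",
    "2007-08-01T10:09:30 cron new job for svc: /tmp/.x/run",
]
OBSERVED = "2007-08-01T10:09:30 cron new job for svc: /tmp/.x/run"


def reverse_edges(profile):
    """Invert the transition graph so we can walk backwards through it."""
    rev = {state: [] for state in profile}
    for src, dsts in profile.items():
        for dst in dsts:
            rev[dst].append(src)
    return rev


def reachable(graph, start):
    """All states reachable from start by following graph edges (start excluded)."""
    seen, todo = set(), deque([start])
    while todo:
        state = todo.popleft()
        for nxt in graph[state]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    seen.discard(start)
    return seen


def predecessors(profile, state):
    """Reverse prediction: states that must already have occurred before `state`."""
    return reachable(reverse_edges(profile), state)


def successors(profile, state):
    """Forward prediction: states that may follow `state`."""
    return reachable(profile, state)


def states_in_line(evidence, line):
    """Profile states whose evidence keyword appears in a log line."""
    low = line.lower()
    return {state for state, kw in evidence.items() if kw.lower() in low}


def scan_logs(log_lines, states, evidence):
    """Look back through past logs for evidence of each of the given states."""
    hits = {state: [] for state in states}
    for line in log_lines:
        for state in states_in_line(evidence, line) & set(states):
            hits[state].append(line)
    return hits


def assess(profile, evidence, observed_line, past_logs):
    """Match an observation to the profile, then look backward and forward."""
    detected = states_in_line(evidence, observed_line)
    past, future = set(), set()
    for state in detected:
        past |= predecessors(profile, state)
        future |= successors(profile, state)
    past -= detected
    future -= detected
    corroborated = scan_logs(past_logs, past, evidence)
    return {
        "detected": detected,
        "past_corroborated": {s for s, lines in corroborated.items() if lines},
        "past_unconfirmed": {s for s, lines in corroborated.items() if not lines},
        # Evidence to heighten scanning for in the near future.
        "watch_for": {s: evidence[s] for s in future},
    }


if __name__ == "__main__":
    for key, value in assess(PROFILE, EVIDENCE, OBSERVED, PAST_LOGS).items():
        print(f"{key}: {value}")
```

On the constructed logs the persistence observation implies that reconnaissance, access and escalation should already have happened; the first two are corroborated by earlier lines, the escalation step has no evidence yet (so it is reported as unconfirmed rather than assumed), and exfiltration is flagged as the stage to heighten scanning for. Substring matching is only a placeholder for the process-level descriptions the real layers would carry.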

The overall definition of the model is described in [1]. Preliminary results have primarily concentrated on the integration of the three lowest layers [2,3] as well as on conceptual modeling of intrusive attributes [4].


Last Updated: August 3, 2007