Temporal Analysis Framework for Intrusion Detection Systems: A Novel Taxonomy for Time-Aware Cybersecurity
Tatiana S. Parlanti, Carlos A. Catania

TL;DR
This paper presents a new temporal analysis framework and taxonomy for network intrusion detection systems, emphasizing early detection through time-aware methods and exposing dataset biases hindering proactive cybersecurity.
Contribution
It introduces a systematic taxonomy for time-aware NIDS and highlights the importance of temporal modeling for early attack detection.
Findings
Temporal coverage varies across methods, with inter-flow sequential approaches offering the broadest detection capabilities.
Widely used datasets are biased towards late-stage attacks, limiting early detection research.
The framework guides the development of proactive, time-aware intrusion detection systems.
Abstract
Most intrusion detection systems still identify attacks only after significant damage has occurred, detecting late-stage tactics rather than early indicators of compromise. This paper introduces a temporal analysis framework and taxonomy for time-aware network intrusion detection. Through a systematic review of over 40 studies published between 2020 and 2025, we classify NIDS methods according to their treatment of time, from static per-flow analysis to multi-window sequential modeling. The proposed taxonomy reveals that inter-flow sequential and temporal window-based methods provide the broadest temporal coverage across MITRE ATT&CK tactics, enabling detection from Reconnaissance through Impact stages. Our analysis further exposes systematic bias in widely used datasets, which emphasize late-stage attacks and thus limit progress toward early detection. This framework provides essential…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Software-Defined Networks and 5G
