Common Intrusion Detection Framework

The Common Intrusion Detection Framework (CIDF) is an effort to develop protocols and application programming interfaces so that intrusion detection research projects can share information and resources and so that intrusion detection components can be reused in other systems.

This effort was started by Teresa Lunt <> while she was at the Information Technology Office (ITO) of the Defense Advanced Research Projects Agency (DARPA). It began as part of the Information Survivability program with a focus on allowing DARPA projects to work together.

However, under the direction of its first coordinator, Stuart Staniford-Chen, it broadened significantly and there is now participation from a number of companies and organizations with no relationship to DARPA. Most contributors are from the United States, but we have gotten some international participation. We encourage all intrusion detection researchers or developers to get involved. This is an open process--the more good ideas and experience that go into the project, the better the final result is likely to be.

The CIDF effort is being coordinated by Dan Schnackenberg <> and Brian Tung <>. Contact us if you'd like to participate. Dan Schnackenberg handles external affairs--arranging meetings, demonstrations, and public relations--and Brian Tung handles internal affairs--editing standards documents and managing this web page.

Demonstrations and Experiments

CIDF periodically holds demonstrations and experiments in order to test and evaluate the language and its features. To date, we have had two bake-offs of different levels of "blindness"; we are currently into our third. To find out more about these activities, check out our Demonstrations and Experiments page. If you are participating in the September 1999 Interoperability Experiment, please go to that page.


Here are the latest versions of the CIDF specification documents:

Further Information

Mailing Lists

Much of the work done in CIDF is conducted on mailing lists. Participants include contributors from various companies, research organizations, and government agencies. To subscribe to the primary CIDF mailing list, send e-mail to <> with the subject line subscribe cidf. The mailing list itself resides at <>. Please do not send subscription requests to this address.
Other mailing lists include the CIDF events mailing list <> and the CIDF demo mailing list <>. The former is dedicated to the Common Intrusion Specification Language and the latter to preparations for a CIDF demonstration planned to take place around June 1999. You can subscribe to them in the same way as to the main CIDF mailing list; again, please do not send subscription requests to the mailing lists.
You can access the archive for the main mailing list here. The event and demo mailing list archives are also available.


To supplement the work done on the mailing list (and to force people to meet deadlines!), CIDF conducts meetings once every two or three months. You can access notes for the meetings here.


Staniford-Chen, S., Tung, B., and Schnackenberg, D. The Common Intrusion Detection Framework (CIDF). Position paper accepted to the Information Survivability Workshop, Orlando FL, October 1998.
Kahn, C., Porras, P., Staniford-Chen, S., and Tung, B. A Common Intrusion Detection Framework. Submitted to the Journal of Computer Security.


Some of the ideas involved in CIDF have encouraged the creation of an Internet Engineering Task Force (IETF) working group, named the Intrusion Detection Working Group (idwg). This working group is co-chaired by Mike Erlinger and Stuart Staniford-Chen, erstwhile CIDF coordinator. Though inspired by the desire to share the ideas of CIDF in a wider community, the idwg is now a separate activity and may or may not use the results of CIDF.

Maintained by Brian Tung
Last updated 10 September 1999