15th IEEE Computer Security Foundations Workshop (CSFW'02)
Formal Specification of Intrusion Signatures and Detection Rules
Cape Breton, Nova Scotia, Canada
June 24-June 26
ISBN: 0-7695-1689-0
Jean-Philippe Pouzol, IRISA /INSA de Rennes
Mireille Ducassé, IRISA /INSA de Rennes

Misuse intrusion detection systems detect signatures of attack scenarios. Existing systems fall into two categories: transition-based and declarative. In transition-based systems, what the significant traces of an attack are is hidden behind how they should be detected, which makes writing a signature a very heavy task. In declarative systems, the signatures contain only what the significant traces of an attack are, and an algorithm addresses how they should be detected, so writing signatures is much easier. However, the algorithm is a black box, and the security officer has no control over it.

In this article, we propose to refine the declarative approach. We formally specify the algorithm in two stages: first we classify the signature instances, then we give a detection rule set that detects in an audit trail a representative of each class. The rules are formally specified with "parsing schemata", a high-level formalism used to specify grammar parsers. The algorithm defined by the rules is proved sound and complete. With our approach, the what (signatures) and the how (detection algorithm) remain cleanly separated, but the security officer can parameterize the detection by choosing a class for each signature.
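The following is an added illustration of the what/how separation the abstract describes, written for this page and not taken from the paper: a declarative signature states only the event pattern, a separate detection routine enumerates every instance in an audit trail, and the security officer picks a class per signature so that only one representative per class is reported. The class notions (ALL, FIRST, BY_START, BY_END), the event format and the audit trail are this example's own assumptions, not the classes or formalism the paper defines.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int       # position in the audit trail
    kind: str     # audit record type
    user: str     # principal the record is about

# The "what": an ordered sequence of event kinds that must all involve the
# same user. Nothing here says how instances are found or reported.
SIGNATURE = ("login_fail", "login_fail", "login_ok")

def instances(trail, signature):
    """Enumerate every subsequence of `trail` matching `signature` under a
    single user binding. Returns a list of tuples of events, in trail order."""
    found = []
    def extend(partial, pos):
        if len(partial) == len(signature):
            found.append(tuple(partial))
            return
        want = signature[len(partial)]
        for i in range(pos, len(trail)):
            e = trail[i]
            if e.kind == want and (not partial or e.user == partial[0].user):
                extend(partial + [e], i + 1)
    extend([], 0)
    return found

# The "how" is parameterised by a class chosen per signature: instances that
# map to the same key are equivalent, and only the first one seen is reported.
# These four classes are assumptions of this example, not the paper's.
CLASSES = {
    "ALL":      lambda inst: inst,       # every instance is its own class
    "FIRST":    lambda inst: 0,          # a single class: report one instance
    "BY_START": lambda inst: inst[0],    # one report per distinct first event
    "BY_END":   lambda inst: inst[-1],   # one report per distinct last event
}

def detect(trail, signature, klass):
    """Return one representative instance per equivalence class."""
    reps = {}
    for inst in instances(trail, signature):
        reps.setdefault(CLASSES[klass](inst), inst)
    return list(reps.values())

# Constructed audit trail: alice fails three times then succeeds, bob fails
# twice then succeeds. alice alone yields three overlapping instances.
TRAIL = [Event(1, "login_fail", "alice"), Event(2, "login_fail", "alice"),
         Event(3, "login_fail", "alice"), Event(4, "login_fail", "bob"),
         Event(5, "login_ok", "alice"),   Event(6, "login_fail", "bob"),
         Event(7, "login_ok", "bob")]
```

Choosing BY_END collapses alice's three overlapping instances into one alert while still reporting bob separately; ALL reports all four, which is the behaviour a black-box declarative engine would give with no officer control.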

Citation:
Jean-Philippe Pouzol, Mireille Ducassé, "Formal Specification of Intrusion Signatures and Detection Rules," csfw, pp.64, 15th IEEE Computer Security Foundations Workshop (CSFW'02), 2002