Attribute-based policies for integrity monitoring and network intrusion detection

Bibliographic details
Main author: COSTANTE, Elisa
Format: Patent
Language: eng
Description
Summary: A method of detecting anomalous behaviour in data traffic on a data communication network, a first host and a second host being connected to the data communication network, the data traffic on the data communication network forming a link between the first host and the second host, the method comprising:
a) parsing the data traffic to extract protocol field values of a protocol message of the data traffic;
b) deriving, from the extracted protocol field values, attribute values of attributes of one of the first host, the second host, and the link;
c) selecting from a set of models, a model relating to the one of the first host, the second host, and the link, wherein the selected model comprises a plurality of attributes to describe the one of the first host, the second host, and the link, wherein at least one of the attributes is a semantic attribute, the semantic attribute expressing a semantic meaning for the one of the first host, the second host, and the link;
d) updating the selected model with the derived attribute values, if the derived attribute values are not featured in the selected model upon selection;
e) assessing if the updated, selected model complies with a set of attribute-based policies, each attribute-based policy defining a security constraint of the data communication network based on at least one of the attributes of the first host, the second host or the link; and
f) generating an alert signal in case the attribute-based policies indicate that the updated selected model violates at least one of the attribute-based policies.