This paper presents a systematic analysis of the integration between Attack Graphs (AGs) and Intrusion Detection Systems (IDSs), reviewing 73 relevant works. The authors introduce a taxonomy that reveals the dominance of specialized, single-purpose integrations and the absence of a unifying framework. To address this, they propose a formal AG-IDS lifecycle with a continuous feedback loop, demonstrating its practical advantages through a proof-of-concept implementation.
Current approaches to integrating Attack Graphs and Intrusion Detection Systems are piecemeal, highlighting the need for a unified framework that treats them as a cohesive system.
Detecting and responding to cyber attacks is increasingly difficult as high-volume, complex network traffic allows threats to remain concealed. While Intrusion Detection Systems (IDSs) identify anomalous behavior, Attack Graphs (AGs) serve as the primary threat model for analyzing attacker strategies and informing any response. Although the conceptual connection was recognized in early research, the field of AG-IDS integration still lacks a common structure. This paper presents the first systematic analysis of AG-IDS integration, reviewing 73 works from the literature. We introduce a novel taxonomy revealing that current research is dominated by specialized, single-purpose integrations, such as using AGs to filter IDS false positives or using IDS alerts to prune AGs. Our analysis highlights a critical gap: the absence of a unifying framework that treats IDSs and AGs as a cohesive, integrated system. To address this gap, we propose a formal AG-IDS lifecycle. This framework establishes a continuous feedback loop in which IDS alerts refine the accuracy of AG models, and the updated models in turn enhance IDS detection capabilities. We provide a proof-of-concept implementation demonstrating the practical advantages of this lifecycle for threat detection and incident response. Finally, we conclude by elaborating on significant opportunities for future development within the AG-IDS domain.
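The feedback loop the abstract describes has two directions: the AG tells the IDS which alerts are explainable by an attacker's current position (and how close they bring the attacker to a critical asset), and accepted alerts tell the AG which state the attacker has actually reached, so the remaining graph can be pruned. The following is an added illustration of that cycle, not the paper's proof-of-concept implementation. It assumes a toy attack graph of (source state, target state, technique) edges, a constructed alert format carrying a technique and a target host, and the simplifying rule that an alert is consistent only if its (target, technique) pair lies on the AG's current frontier.

```python
from collections import deque

# Constructed toy attack graph (assumption for this example, not from the paper):
# (source_state, target_state, technique) means an attacker who holds
# source_state can reach target_state by using technique.
ATTACK_GRAPH = [
    ("internet", "web", "http_exploit"),
    ("web", "app", "ssh_bruteforce"),
    ("web", "db", "sql_injection"),
    ("app", "db", "credential_reuse"),
    ("db", "backup", "nfs_mount"),
]
CROWN_JEWEL = "backup"  # asset used to rank alerts by remaining distance

# Constructed IDS alert stream. Alert 2 fires before any AG path explains it,
# alert 4 is the same signature after the prerequisite step was observed,
# alert 5 repeats a step the attacker already completed.
ALERTS = [
    {"id": 1, "technique": "http_exploit", "target": "web"},
    {"id": 2, "technique": "nfs_mount", "target": "backup"},
    {"id": 3, "technique": "sql_injection", "target": "db"},
    {"id": 4, "technique": "nfs_mount", "target": "backup"},
    {"id": 5, "technique": "http_exploit", "target": "web"},
]


class AgIdsLoop:
    """Minimal AG-IDS feedback loop: the AG scores alerts, accepted alerts advance the AG state."""

    def __init__(self, edges, start, crown_jewel):
        self.edges = list(edges)
        self.compromised = {start}      # attacker state inferred so far
        self.crown_jewel = crown_jewel

    def frontier(self):
        """AG -> IDS: transitions the graph says are possible as the attacker's *next* step."""
        return {(dst, tech) for src, dst, tech in self.edges
                if src in self.compromised and dst not in self.compromised}

    def hops_to_target(self, node):
        """BFS distance from node to the crown jewel over AG edges (None if unreachable)."""
        seen, queue = {node}, deque([(node, 0)])
        while queue:
            cur, dist = queue.popleft()
            if cur == self.crown_jewel:
                return dist
            for src, dst, _ in self.edges:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    queue.append((dst, dist + 1))
        return None

    def ingest(self, alert):
        """Classify one alert against the AG, then feed accepted alerts back into AG state.

        Returns (verdict, hops_left): 'redundant' for steps already taken, 'inconsistent'
        for alerts no AG path explains yet (candidate false positives or missed prerequisites),
        'consistent' with the remaining distance to the crown jewel as a priority signal.
        """
        key = (alert["target"], alert["technique"])
        if alert["target"] in self.compromised:
            return "redundant", None
        if key not in self.frontier():
            return "inconsistent", None
        self.compromised.add(alert["target"])     # IDS -> AG: attacker state advances
        return "consistent", self.hops_to_target(alert["target"])

    def live_edges(self):
        """IDS -> AG pruning: keep only edges still reachable and not already traversed."""
        reachable = set(self.compromised)
        changed = True
        while changed:
            changed = False
            for src, dst, _ in self.edges:
                if src in reachable and dst not in reachable:
                    reachable.add(dst)
                    changed = True
        return [(s, d, t) for s, d, t in self.edges
                if s in reachable and d not in self.compromised]


def run_alerts(loop, alerts):
    """Feed alerts through the loop in order; return (id, verdict, hops_left) per alert."""
    return [(a["id"], *loop.ingest(a)) for a in alerts]


def demo():
    """Run the constructed alert stream and return the verdicts plus the pruned graph."""
    loop = AgIdsLoop(ATTACK_GRAPH, "internet", CROWN_JEWEL)
    verdicts = run_alerts(loop, ALERTS)
    return {"verdicts": verdicts, "live_edges": loop.live_edges()}


if __name__ == "__main__":
    for line in demo()["verdicts"]:
        print(line)
```

Run as a script it prints, for alert 2, `inconsistent` (the AG has no path to `backup` until `db` is reached) and, for alert 4, `consistent` with zero hops left, which is the prioritisation signal an AG can add to an otherwise identical IDS signature. The strict frontier rule is the example's main simplification: if the IDS misses a prerequisite step, every downstream alert is scored inconsistent, which is why practical integrations of this kind usually track attacker state probabilistically rather than as a hard set.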