// reference · anomaly taxonomy
802.11 Anomaly Taxonomy
The classification system WiFi Analyser uses to categorize every 802.11 anomaly it raises. Five top-level domains, modelled on production security tooling (Snort classtypes, nDPI risk severities). Each SECURITY leaf node carries an IEEE 802.11 clause or a CVE identifier.
— Shankar K. · Structure derived from: py-idstools classification.config, nDPI NDPI_PROTOCOL_CATEGORY, 802.11 field practice
Severity legend: CRITICAL · HIGH · MEDIUM · LOW · INFO
// taxonomy design notes
Domain vs Category vs Code
Three levels: Domain (5 top-level) → Category (2-4 per domain) → Anomaly Code (one specific detection). Codes use dot notation, e.g. SECURITY.ROGUE_AP.EVIL_TWIN, so a code always identifies its domain and category by itself. Domain and Category drive the dashboard filter chips; the full Code is what appears in PCAP report output.
Severity from nDPI model
nDPI's risk-severity scale (EMERGENCY down to LOW) is collapsed to five levels for the 802.11 context. CRITICAL = active attack or data exposure. HIGH = SLA failure or security misconfiguration. MEDIUM = performance degradation. LOW = advisory. INFO = observation only. Severity is fixed per anomaly code, not per occurrence, so the same code always carries the same level in a report.
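As an added example (not WiFi Analyser's own code), the following shows the Domain → Category → Code scheme and the fixed-severity rule in use: a parser for dot-notation codes, a registry holding the one code the page names (SECURITY.ROGUE_AP.EVIL_TWIN, assigned CRITICAL under the "active attack" rule), and a simple evil-twin detector run over constructed beacon summaries. The beacon records, the per-SSID trusted-BSSID allow-list, the `TAXONOMY` registry and the `Finding` class are all assumptions made for the example; the detection heuristic (a managed SSID advertised by a BSSID outside its allow-list) is one common approach, not necessarily the product's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Anomaly codes are three dot-separated upper-case identifiers: DOMAIN.CATEGORY.CODE
CODE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\.([A-Z][A-Z0-9_]*)\.([A-Z][A-Z0-9_]*)$")

# The page's 5-level scale, most severe first.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO")

# Hypothetical registry (assumption): only the code the page names is listed.
# Severity is fixed per code; CRITICAL follows the "active attack" rule.
TAXONOMY: Dict[str, str] = {
    "SECURITY.ROGUE_AP.EVIL_TWIN": "CRITICAL",
}


def parse_code(code: str) -> Tuple[str, str, str]:
    """Split an anomaly code into (domain, category, leaf); reject malformed input."""
    m = CODE_RE.match(code)
    if not m:
        raise ValueError(f"malformed anomaly code: {code!r}")
    return m.group(1), m.group(2), m.group(3)


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str
    bssid: str
    ssid: str
    detail: str

    @property
    def domain(self) -> str:
        return parse_code(self.code)[0]

    @property
    def category(self) -> str:
        return parse_code(self.code)[1]


def classify(code: str, bssid: str, ssid: str, detail: str) -> Finding:
    """Look the code up in the registry so severity comes from the taxonomy, not the caller."""
    if code not in TAXONOMY:
        raise KeyError(f"unknown anomaly code: {code}")
    severity = TAXONOMY[code]
    if severity not in SEVERITIES:
        raise ValueError(f"registry severity outside the 5-level scale: {severity}")
    return Finding(code=code, severity=severity, bssid=bssid, ssid=ssid, detail=detail)


# Constructed beacon summaries (not real captures). 'rsn' is True when the beacon
# carried an RSN information element, i.e. the network advertises WPA2/WPA3.
BEACONS = [
    {"bssid": "aa:bb:cc:00:00:01", "ssid": "corp-wifi", "rsn": True},
    {"bssid": "aa:bb:cc:00:00:02", "ssid": "corp-wifi", "rsn": True},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "corp-wifi", "rsn": False},  # impostor, open
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "corp-wifi", "rsn": False},  # same impostor again
    {"bssid": "aa:bb:cc:00:00:03", "ssid": "guest", "rsn": False},      # unmanaged SSID
]

# Hypothetical allow-list of managed BSSIDs per SSID (assumption); a real deployment
# would load this from the WLAN controller or asset inventory.
TRUSTED: Dict[str, Set[str]] = {
    "corp-wifi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}


def detect_evil_twins(beacons, trusted: Dict[str, Set[str]]) -> List[Finding]:
    """Flag each (SSID, BSSID) pair where a managed SSID is advertised by a BSSID outside its allow-list."""
    seen: Set[Tuple[str, str]] = set()
    findings: List[Finding] = []
    for b in beacons:
        ssid, bssid = b["ssid"], b["bssid"].lower()      # normalise MAC case before comparing
        if ssid not in trusted or bssid in trusted[ssid] or (ssid, bssid) in seen:
            continue
        seen.add((ssid, bssid))                           # one finding per impostor, not per beacon
        sec = "open network" if not b["rsn"] else "RSN present"
        findings.append(classify("SECURITY.ROGUE_AP.EVIL_TWIN", bssid, ssid,
                                 f"unmanaged BSSID advertising managed SSID ({sec})"))
    return findings


def report_line(f: Finding) -> str:
    """Domain/Category for filter chips, full Code for the report, as the page describes."""
    return f"[{f.severity}] {f.domain}/{f.category} {f.code} bssid={f.bssid} ssid={f.ssid!r}: {f.detail}"


if __name__ == "__main__":
    for f in detect_evil_twins(BEACONS, TRUSTED):
        print(report_line(f))
```

Running the block prints a single CRITICAL line for `de:ad:be:ef:00:01`: the duplicate beacon is collapsed into one finding, and the `guest` SSID is ignored because no allow-list exists for it, which is the practical caveat of this heuristic: it only sees impostors of SSIDs you have told it to manage.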
IEEE + CVE cross-reference
Every SECURITY leaf node carries either an IEEE 802.11 clause reference (for protocol violations) or a CVE identifier (for known exploits). This cross-reference is how WiFi Analyser's citation pipeline links each anomaly to the standard or advisory it rests on - the same mechanism validated as novel by SCC scan. Note the two kinds of reference are not interchangeable: a clause pins the finding to normative protocol text, while a CVE pins it to a specific published exploit and is only as current as that CVE.
See this taxonomy applied to your PCAP
WiFi Analyser classifies every anomaly by domain, category, and severity - with the IEEE clause or CVE cited for each security finding.