This paper extends and builds on previous work that presented a signature-based attack recognition technique. We present general requirements for “survivable attack recognition” and discuss how our approach fits the requirements. Empirical results are given along with an estimate of the measured performance. Other work is reviewed within the context of attack recognition for survivability.