Category 1: Root Level Intrusion (Incident): Unauthorized privileged access to a DoD system.
Category 2: User Level Intrusion (Incident): Unauthorized non-privileged access to a DoD system. If the system is compromised with malicious code that provides remote interactive control, it will be reported in this category.
Category 3: Unsuccessful Activity Attempt (Event): Deliberate attempts to gain unauthorized access to a DoD system that are defeated by normal defensive mechanisms.
Category 4: Denial of Service (Incident): Activity that denies, degrades, or disrupts normal functionality of system or network.
Category 5: Non-Compliance Activity (Event): Activity that potentially exposes DoD systems to increased risk as a result of the action or inaction of authorized users. (IE: Failure to make proper password)
Category 6: Reconnaissance (Event): Activity that seeks to gather information used to characterize DoD systems, applications, networks, and users that may be useful in formulating an attack. This activity does not directly result in a compromise.
Category 7: Malicious Logic (Event): Installation of software designed and/or deployed by adversaries with malicious intentions for the purpose of gaining access to resources or information without the consent or knowledge of the user.
Category 8: Investigating (Event): Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing further review. Category 8 will be re-categorized to appropriate Category 1-7 or 9 prior to closure.
Category 9: Explained Anomaly (Event): Suspicious events that, after further investigation, are determined to be non-malicious activity and do not fit the criteria for any other categories