Designing and implementing a family of intrusion detection systems
Source Automated Software Engineering archive
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering table of contents
Long Beach, CA, USA
Pages: 3-3
Year of Publication: 2005
ISBN: 1-59593-993-4
Author
Richard A. Kemmerer, University of California, Santa Barbara
Sponsors
ACM: Association for Computing Machinery
SIGART: ACM Special Interest Group on Artificial Intelligence
SIGSOFT: ACM Special Interest Group on Software Engineering
Publisher
ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1101908.1101911

ABSTRACT

Intrusion detection systems are distributed applications that analyze the events in a networked system to identify malicious behavior. The analysis is performed using a number of attack models (or signatures) that are matched against a specific event stream. Intrusion detection systems may operate in heterogeneous environments, analyzing different types of event streams. Currently, intrusion detection systems and the corresponding attack modeling languages are developed following an ad hoc approach to match the characteristics of specific target environments. As the number of systems that have to be protected increases, this approach results in increased development effort. To overcome this limitation, we developed a framework, called STAT, that supports the development of new intrusion detection functionality in a modular fashion. The STAT framework can be extended following a well-defined process to implement intrusion detection systems tailored to specific environments, platforms, and event streams. The STAT framework is novel in that the extension process also includes the extension of the attack modeling language. The resulting intrusion detection systems represent a software family whose members share common attack modeling features and the ability to reconfigure their behavior dynamically. The STAT framework allows an Intrusion Detection Administrator to express high-level configuration requirements that are mapped automatically to a detailed deployment and/or reconfiguration plan. This approach supports automation of the administrator's tasks and better assurance of the effectiveness and consistency of the deployed sensing infrastructure.
