Date Added: Nov 2009
The threat posed by modern network attacks requires novel means for detection of intrusions, as regular signature-based systems fail to cope with the amount and diversity of attacks. Recently, several methods for detection of anomalies in network payloads have been proposed to counteract this threat and identify novel attacks during their initial propagation. However, intrusion detection systems must not only flag malicious events but also provide information needed for assessment of security incidents. Previous work on payload-based anomaly detection has largely ignored this need for explainable decisions. In this paper, the authors present instruments for visualization and explanation of anomaly detection which can guide the decisions of a security operator.