Network attack visualization and response through intelligent icons

Determination of appropriate response to information system attack is jointly determined by confidence of classification, nature (type) of attack, and confidence in effectiveness of response. In this paper we present a technique to rapidly assess similarity of observed behavior to attack or normal models: displaying the similarity of observed data to learned Minimum Description Length Models for normal and attack behaviors using “intelligent icons”. These icons provide a visual indication of similarity to normal and attack signatures and can alert human operators to the key motifs and signatures that affect confidence in classification and indicated response.