Protecting Yourself: Observing Observations

The Internet has become a giant battlefield in the last ten years. Newly connected machines are instantly flooded with automated attack probes, worms, and other types of traffic that stress their security. The traditional, and now fairly trendy, intrusion detection and prevention movement aims to detect and stop attacks by using specially crafted traffic analysis tools to warn the administrator when pre-attack probes are being carried out. In heterogeneous or simply sufficiently complex environments, these tools often produce more noise and false positives than one can handle.

In some cases, however, the ability to observe attacks and the responses they trigger is a great way for the administrator ...
