This section continues our discussion of the third challenge in intrusion detection: making sense
of the anomalous output. Once the hourly filters have extracted the anomalous traffic and tools
have been used to discover more details about it, we can start the process of classifying what
we’ve examined.