Abstract

In network security, traffic analysis is usually seen as a building block toward a reactive intrusion detection or prevention system: some mechanism that can use traffic data to either inform analysts or actively block hostile traffic before it becomes a significant threat. These goals mean that an IDS is not quite a passive sensor, and not quite a firewall, but somewhere in between. The focus of this talk is on the problem of placing IDS in context with these other defense mechanisms. To do so, I focus on the problems of intelligence, actionability, and payoff.

The problem of intelligence is focused on the distinction between IDS and sensors. We distinguish IDS from simple sensors by their reactive capability: an IDS somehow informs either operators or networks that some form of defensive action must be taken in response to a current problem. IDS therefore rely on sensors for intelligence, but in comparison to pure sensors, they must make a decision with some potential consequence. This relationship between timing and information gathered means that in specific situations, an IDS may tolerate a high false positive rate in order to provide a rapid response.

The problem of actionability focuses on the relationship between alerts and responses. The majority of attacks taking place on modern networks are effectively harmless: attackers constantly scan networks for vulnerabilities, and automated attack tools try exploiting vulnerabilities on every possible IP address. As a result, simply identifying an "attack" is both insufficient and deceptive, since attacks are very easy to find, but the majority of them are effectively harmless. Consequently, an IDS must not only determine whether a system is being attacked, but whether the attack matters.

The problem of payoff focuses on the relationship between IDS and attackers by treating the IDS as effectively a design specification. If a rational attacker knows that a particular defense will be applied under certain conditions, then he will act in such a way as to avoid triggering the defense. To evaluate the impact of IDS on attackers, we evaluate the relationship between attackers and IDS as a zero-sum game with specific payoff models. By evaluating defensive mechanisms in terms of their payoff, we can potentially unify the problems of training and intelligence into a single mechanism.

Speaker Bio

Michael Collins is the chief scientist for RedJack, LLC., a Network Security and Data Analysis company located in the Washington, D.C. area. Prior to his work at RedJack, Dr. Collins was a member of the technical staff at the CERT/Network Situational Awareness group at Carnegie Mellon University. His primary focus is on network instrumentation and traffic analysis, in particular on the analysis of large datasets and the impact of distributed attacks on Internet infrastructure.