PRC's Information Security Officer's Assistant (ISOA) is a state-of-the-art system for monitoring security-relevant behavior in computer networks. The ISOA serves as the central point for real-time collection and analysis of audit information. When an anomalous situation is identified, associated indicators are triggered. The ISOA automates analysis of audit trails, allowing indications and warnings of security threats to be generated in a timely manner such that threats can be countered. The ISOA reduces massive amounts of audit records into a form that is meaningful and readily comprehended. After receipt and normalization of audit records, the ISOA performs analysis in a number of dimensions, including detection of specified events and/or situations, threshold exceptions, statistical checks, and expert system threat evaluation. ISOA allows a single designated workstation to perform automated security monitoring, analysis, and warning. Without requiring constant interaction, the ISOA user interface alerts the security officer to a variety of security situations. The security status of the monitored network is represented in graphical and textual form. When unusual or anomalous situations are detected, they are brought to the attention of the security officer, who can obtain further information, initiate more involved analysis, and optionally intervene or terminate the situation. Automated responses may be defined, including terminating user sessions, locking user accounts, forcing biometric identification, and shutting down hosts. While ISOA is not a commercial product, it is a fully functional research product that requires configuration for new environments. This system was developed by PRC under an approved and formally reviewed IR&D program.