The Model

Detection->Co-stimulation->Active Response

Detection of non-self--what is happening is not something that normally occurs in this process or on this system.

Co-stimulate--evaluate system state attributes for indications that something bad is happening; essentially we are trying to identify supporting evidence that the anomaly is the result of an attack or other malicious action.

Active response--based on the level of co-stimulation, pick a pre-determined set of response actions (the response chain) and execute them.