An Architecture for Scalable Network Defense

  • Tim Strayer
  • Walter Milliken
  • Ronald Watro
  • Walt Heimerdinger
  • Steven Harp
  • Robert Goldman
  • Dustin Spicuzza
  • Beverly Schwartz
  • David Mankins
  • Derrick Kong
  • Peiter Mudge Zatko

Abstract

We describe a novel architecture for network defense designed to scale to very high data rates (100 Gb/s) and very large user populations. Scaling requires both efficient attack detection algorithms and an appropriate execution environment. Our architecture accounts for the time budget available for traffic data extraction and algorithmic processing, provides a suite of detection algorithms, each designed to present a different and complementary view of the data, that generate many "traffic events," and reduces false positives by correlating these traffic events into benign or malicious hypotheses.
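Two of the abstract's claims can be made concrete with a small calculation. The first is the per-packet time budget at 100 Gb/s; the second is how correlating events from several complementary detectors separates a malicious hypothesis from a benign one that a single detector would have raised as a false positive. The following Python is an added illustration, not code from the paper or its authors: the detector names, their assumed true/false-positive rates, the prior, the threshold and the sample events are all constructed here for the example.

```python
"""Added example (not the paper's code): per-packet time budget at line rate,
and a naive-Bayes correlator that turns per-detector traffic events into a
benign/malicious hypothesis per source host. All rates and events are assumed."""
from collections import defaultdict
from dataclasses import dataclass

# Ethernet on-wire overhead per frame: 8 B preamble/SFD + 12 B inter-frame gap.
ETHERNET_OVERHEAD_BYTES = 20


def per_packet_budget_ns(link_gbps: float, frame_bytes: int) -> float:
    """Nanoseconds available to extract and process one frame at line rate."""
    wire_bits = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    packets_per_second = link_gbps * 1e9 / wire_bits
    return 1e9 / packets_per_second


@dataclass(frozen=True)
class Detector:
    name: str
    tpr: float  # assumed P(detector fires | host is malicious)
    fpr: float  # assumed P(detector fires | host is benign)


# Three complementary views of the traffic (hypothetical detectors and rates).
DETECTORS = {
    "port_scan": Detector("port_scan", tpr=0.8, fpr=0.02),
    "failed_conn_ratio": Detector("failed_conn_ratio", tpr=0.7, fpr=0.05),
    "volume_spike": Detector("volume_spike", tpr=0.6, fpr=0.10),
}


@dataclass(frozen=True)
class TrafficEvent:
    src: str       # source host the detector flagged
    detector: str  # which detector emitted the event


# Constructed sample events: .5 trips two detectors, .9 only the volume
# detector (e.g. a nightly backup), .12 only the scan detector.
SAMPLE_EVENTS = [
    TrafficEvent("10.0.0.5", "port_scan"),
    TrafficEvent("10.0.0.5", "failed_conn_ratio"),
    TrafficEvent("10.0.0.9", "volume_spike"),
    TrafficEvent("10.0.0.12", "port_scan"),
]


def correlate(events, detectors=DETECTORS, prior=0.01, threshold=0.5):
    """Combine fired/not-fired evidence from every detector per host.

    Treats detectors as independent evidence: posterior odds = prior odds times
    the likelihood ratio of each detector's outcome. Returns
    {host: (posterior_probability, "malicious" | "benign")}.
    """
    fired = defaultdict(set)
    for ev in events:
        fired[ev.src].add(ev.detector)

    results = {}
    for host, names in fired.items():
        odds = prior / (1.0 - prior)
        for det in detectors.values():
            if det.name in names:
                odds *= det.tpr / det.fpr              # detector fired
            else:
                odds *= (1.0 - det.tpr) / (1.0 - det.fpr)  # detector silent
        posterior = odds / (1.0 + odds)
        results[host] = (posterior, "malicious" if posterior >= threshold else "benign")
    return results


if __name__ == "__main__":
    for size in (64, 512, 1518):
        print(f"{size:5d}-byte frames at 100 Gb/s: {per_packet_budget_ns(100, size):.2f} ns/packet")
    for host, (p, verdict) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host:10s} P(malicious)={p:.4f} -> {verdict}")
```

With these assumed rates, minimum-size frames leave about 6.7 ns per packet, which is the budget the extraction and detection stages must share. In the correlation step, the host flagged by two independent views is classified malicious, while each host flagged by only one detector stays benign: a single detector firing in isolation is exactly the case that would have been a false positive without correlation.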
