DDoS Detector Module
This Module consists of six independent components, which we call experts, each specializing in its own domain of knowledge. All experts process all the flow records received by NetFlow Optimizer, apply their own analytics, and, if an attack is detected, send messages to the events correlator, indicating the type of detected attack, confidence level, and a trend of the event characteristics dynamics (increasing, steady, or abating). The event correlator combines the information received from the experts, assigns weight to each reported event, and makes a final determination on reporting and its confidence in event validity.
Events Correlator​
The events correlator receives messages from the experts containing information about the corresponding events and makes a decision about reporting a DDoS attack based on the latest received expert’s message and earlier messages received from same or other experts. When reporting a DDoS attack the events correlator classifies the event according to information received from the contributing experts.