MULAN: Multi-Level Adaptive Network Filter

A security engine should detect network traffic attacks at line-speed. When an attack is detected, a good security engine should screen away the offending packets and continue to forward all other traffic. Anomaly detection engines must protect the network from new and unknown threats before the vulnerability is discovered and an attack is launched. Thus, the engine should integrate intelligent “learning” capabilities. The principal way for achieving this goal is to model anticipated network traffic behavior, and to use this model for identifying anomalies.