Known anti-virus technologies used in computer networks typically rely on software to detect a pattern that is abnormal for the system's network traffic. An alternative to this type of virus protection for network traffic is a virus throttling process that looks at the behavior of the traffic to identify virus activity. For example, virus throttling may look at network connections to see whether a computer in the network is attempting to quickly connect to many computers at the same time. These types of virus diagnostics measure the rate of new connections per second that a network device is generating in order to detect abnormal behavior that indicates a virus, and they also provide information to other management applications that may care about changes in the connection rate.
To implement this type of virus detection, software is used to maintain a list or table of currently active network connections. An algorithm compares each data packet being transmitted on the network to the table entries to detect new connections. Maintaining the table is fairly expensive because each entry includes a source IP address, a destination IP address, a layer 3 protocol, a layer 4 source port and a layer 4 destination port for the data packet, and storing and searching these entries requires significant hardware and software resources. Each time a data packet is received by a network device, some type of search is performed to determine whether an entry in the table matches the data packet that was just received. If the algorithm is unable to find a match in the table, then a new connection has occurred and a table entry is set up for the new connection, assuming there is room in the table. In the background of the algorithm, another task runs to remove old or closed connections.
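The table-based scheme described above can be sketched as follows. This is an added example, not code from the original document; the class and function names, the table capacity, the idle timeout, the one-second rate window and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class ConnectionTable:
    """Active-connection table keyed on the 5-tuple the text lists (hypothetical names)."""

    def __init__(self, capacity=1024, idle_timeout=30.0, window=1.0):
        self.capacity = capacity              # assumed maximum number of entries
        self.idle_timeout = idle_timeout      # assumed seconds before an entry ages out
        self.window = window                  # seconds over which the rate is measured
        self.table = {}                       # 5-tuple -> time the flow was last seen
        self.new_conns = defaultdict(deque)   # source IP -> times of its new connections

    def expire(self, now):
        """Background task: remove entries idle for longer than idle_timeout."""
        stale = [k for k, seen in self.table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def observe(self, pkt, now):
        """Search the table for the packet; return True if it starts a new connection."""
        key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])
        if key in self.table:
            self.table[key] = now             # known connection: refresh its timestamp
            return False
        if len(self.table) < self.capacity:   # an entry is created only if there is room
            self.table[key] = now
        self.new_conns[pkt["src"]].append(now)
        return True

    def rate(self, src, now):
        """New connections per second from src over the trailing window."""
        times = self.new_conns[src]
        while times and now - times[0] > self.window:
            times.popleft()
        return len(times) / self.window

def run_sample():
    """Constructed traffic: one host fans out to 20 peers, another reuses one connection."""
    t = ConnectionTable()
    for i in range(20):   # 10.0.0.5 opens 20 distinct connections within 0.2 s
        t.observe({"src": "10.0.0.5", "dst": f"10.0.1.{i}", "proto": 6,
                   "sport": 40000 + i, "dport": 80}, now=i * 0.01)
    for i in range(20):   # 10.0.0.9 sends 20 packets on a single connection
        t.observe({"src": "10.0.0.9", "dst": "10.0.1.1", "proto": 6,
                   "sport": 51000, "dport": 443}, now=i * 0.01)
    return t.rate("10.0.0.5", 0.2), t.rate("10.0.0.9", 0.2), len(t.table)
```

When the table is full, a flow that could not be stored is counted as new on every packet, which is one way the table's limited size distorts the measured rate.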