Embodiments described herein relate generally to detecting network anomalies related to data flows, such as, for example, methods and apparatus for tracking data flow based on flow state values.
Known network traffic analyzers can be configured to detect undesirable network data flow anomalies (e.g., a denial of service of attack, a series of network routing errors) as packets are being processed (e.g., switched) within a network. These known network traffic analyzers, however, are unable to detect “zero-day” attacks in a desirable fashion because these network traffic analyzers often rely on previously-observed signatures to detect future data flow anomalies. Thus, a data flow anomaly that has a new signature may not be immediately detected. In addition, known network traffic analyzers configured to perform packet inspection based on previously-observed signatures for data flow anomaly detection at high data rates (e.g., terabits per second) can be prohibitively expensive from a power consumption, processing, and/or cost perspective. Thus, a need exists for methods and apparatus for tracking data flow that can address, for example, one or more of the shortfalls of existing network traffic analyzers.