
Real-Time Network Anomaly Detection

Analyze NetFlow, DNS query, and connection event streams from Kafka continuously using SQL. RisingWave surfaces traffic anomalies, command-and-control indicators, and data exfiltration signals within milliseconds, without batch network monitoring delays.

Sub-Second Anomaly Detection
Network flow events analyzed continuously, surfacing traffic volume anomalies, new connection patterns, and protocol deviations within milliseconds.

SQL Detection Rules
Express traffic baseline comparisons, connection graph anomalies, and DNS tunneling indicators as SQL window aggregations over NetFlow and DNS streams.

Multi-Protocol Coverage
Analyze TCP, UDP, DNS, HTTP, and ICMP traffic streams simultaneously in a single SQL pipeline without per-protocol infrastructure.

PostgreSQL NDR Integration
Feed enriched network anomaly signals to NDR platforms, SIEM, and ticketing systems via the standard PostgreSQL protocol.

Why Streaming Analysis

Why does network anomaly detection require streaming traffic analysis?

Traditional network monitoring tools aggregate NetFlow data into 5 to 10 minute bins before running anomaly detection queries. In that window a malware beacon can complete its first command-and-control check-in, an exfiltration can move gigabytes, and a scan can map an entire subnet. Streaming traffic analysis evaluates anomaly rules against every flow record as it arrives, so a deviation is detected within milliseconds of its record reaching the stream. One caveat a practitioner should keep in mind: a NetFlow exporter emits a record only when its inactive or active flow timeout fires, so for a long-lived flow the end-to-end latency is bounded by that timeout (often tens of seconds by default) rather than by the analytics engine. Keep the active timeout short on the exporters that feed the detection pipeline.

Factor             | Traditional Tools                    | RisingWave
Detection Latency  | 5 to 10 minutes (flow aggregation)   | Milliseconds (per-flow streaming)
Baseline Updates   | Hourly or nightly batch              | Per-event incremental update
Coverage           | High-volume flows only (sampling)    | All flows, with configurable sampling
Rule Language      | Proprietary threshold configuration  | Standard SQL

  • Detect command-and-control beaconing after only a few beacon intervals (regularity needs several repeats to measure) rather than after the next flow aggregation cycle
  • Maintain current traffic baselines that update with every flow record rather than lagging behind by hours
  • Correlate DNS query patterns, connection graphs, and flow volume anomalies in a single SQL detection rule
  • Cover all network segments by ingesting flow data from multiple collectors into a unified Kafka stream

Detection Patterns

What network anomaly patterns does streaming SQL detect?

Network anomalies range from subtle beaconing patterns to high-volume exfiltration events. SQL window aggregations over flow and DNS streams can detect each category because they evaluate network state continuously rather than on scheduled queries, maintaining the per-host and per-connection context required to distinguish anomalies from normal traffic variation.

Command-and-Control Beaconing

Detect malware C2 communication by analyzing the periodicity and regularity of outbound connections per internal host using SQL window aggregations over NetFlow streams. Regular connection intervals, especially at unusual hours or to low-reputation external IPs, surface as beaconing candidates after only a few beacon intervals, since regularity can only be measured across several repeats.

DNS Tunneling and Exfiltration

Identify DNS tunneling by aggregating query volumes per internal resolver, query length distributions, and unique subdomain counts per queried domain from DNS log streams. Tunneling traffic produces query patterns that SQL aggregations distinguish from legitimate DNS resolution within seconds of the first tunnel session. Legitimate high-cardinality lookups (CDN and security-product domains) need an allowlist to keep these rules quiet.
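The DNS tunneling rule above, written out as an added example that is not RisingWave's own code. The JSON field names, Kafka address, allowlist entry, sample query name and the thresholds (50 queries, 90 percent unique names, average name length over 50) are constructed assumptions; CREATE SOURCE ... ENCODE JSON and TUMBLE are used as RisingWave documents them, so check the syntax against the version you run.

```sql
-- Added example (not RisingWave's own code). The JSON schema, Kafka address,
-- allowlist entries and thresholds are constructed assumptions for illustration.

-- Resolver query logs, already serialised to JSON, from Kafka.
CREATE SOURCE dns_queries (
    ts        TIMESTAMPTZ,
    client_ip VARCHAR,
    resolver  VARCHAR,
    qname     VARCHAR,     -- constructed, e.g. 'aGVsbG8gd29ybGQ.t.example-c2.net.'
    qtype     VARCHAR,     -- 'A', 'TXT', 'NULL', ...
    WATERMARK FOR ts AS ts - INTERVAL '30 SECOND'
) WITH (
    connector = 'kafka',
    topic = 'dns-logs',
    properties.bootstrap.server = 'kafka:9092',
    scan.startup.mode = 'latest'
) FORMAT PLAIN ENCODE JSON;

-- Domains that legitimately generate many unique, long names (CDNs, security
-- products). Without this list they dominate the alert output.
CREATE TABLE dns_allowlist (domain VARCHAR PRIMARY KEY);
INSERT INTO dns_allowlist VALUES ('cdn-example.net');   -- constructed entry

-- Reduce each query to its registrable domain (last two labels; co.uk-style
-- zones would need a public-suffix lookup) and keep the full name length, which
-- is the part the client controls. Allowlisted domains are dropped here, before
-- windowing, so they never reach the aggregate.
CREATE MATERIALIZED VIEW dns_labels AS
SELECT q.ts, q.client_ip, q.resolver, q.qtype, q.qname, q.base_domain,
       length(q.qname) AS qname_len
FROM (
    SELECT ts, client_ip, resolver, qtype, qname,
           split_part(name, '.', array_length(labels) - 1) || '.' ||
           split_part(name, '.', array_length(labels)) AS base_domain
    FROM (
        SELECT *, rtrim(qname, '.') AS name,
               string_to_array(rtrim(qname, '.'), '.') AS labels
        FROM dns_queries
    ) r
    WHERE array_length(labels) >= 3     -- at least one label below the base domain
) q
LEFT JOIN dns_allowlist w ON w.domain = q.base_domain
WHERE w.domain IS NULL;

-- Per (client, base domain) over 5-minute tumbling windows. A tunnel encodes
-- data in the query name, so almost every query is a new, long name; ordinary
-- resolution repeats a small set of short names.
CREATE MATERIALIZED VIEW dns_tunnel_candidates AS
SELECT base_domain, client_ip, window_start, window_end,
       COUNT(*)                                           AS queries,
       COUNT(DISTINCT qname)                              AS unique_names,
       AVG(qname_len)                                     AS avg_qname_len,
       COUNT(DISTINCT qname)::DOUBLE PRECISION / COUNT(*) AS uniqueness,
       SUM(CASE WHEN qtype IN ('TXT', 'NULL', 'CNAME') THEN 1 ELSE 0 END) AS txt_like
FROM TUMBLE(dns_labels, ts, INTERVAL '5 MINUTE')
GROUP BY base_domain, client_ip, window_start, window_end
HAVING COUNT(*) >= 50
   AND COUNT(DISTINCT qname)::DOUBLE PRECISION / COUNT(*) > 0.9
   AND AVG(qname_len) > 50;

-- Coarse per-resolver volume: a resolver whose 5-minute total jumps is where
-- to start looking even before a single domain crosses the thresholds above.
CREATE MATERIALIZED VIEW resolver_volume_5m AS
SELECT resolver, window_start, COUNT(*) AS queries
FROM TUMBLE(dns_queries, ts, INTERVAL '5 MINUTE')
GROUP BY resolver, window_start;

-- What an analyst or SIEM poller runs over the PostgreSQL interface.
SELECT * FROM dns_tunnel_candidates ORDER BY uniqueness DESC, avg_qname_len DESC;
```

The uniqueness ratio and the name-length threshold carry most of the signal; txt_like is kept as context because TXT and NULL records give a tunnel the largest downstream channel, but legitimate services use TXT too, so it is not a gate on its own.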

Internal Lateral Movement

Detect scanning and lateral movement within the internal network by counting unique destination IPs contacted per source host per time window from internal NetFlow streams, flagging hosts that contact significantly more internal endpoints than their rolling baseline.

Data Exfiltration by Volume

Surface large outbound data transfers by aggregating bytes per source host and destination subnet from NetFlow streams, comparing current transfer rates against per-host baselines and flagging sessions that exceed expected thresholds for the time of day and destination category.

How It Works

How does RisingWave analyze network flow streams for anomaly detection?

RisingWave ingests NetFlow and DNS event streams from Kafka and maintains per-host and per-connection behavioral baseline materialized views that update incrementally with each flow record. Anomaly detection rules compare current traffic window aggregations against baseline views in SQL. When a deviation crosses a configured threshold, the anomaly surfaces in the detection output view with enriched context for analyst review.

  • Create Kafka sources in RisingWave for NetFlow, sFlow, and DNS query log streams using SQL CREATE SOURCE statements
  • Define per-host traffic baseline materialized views that maintain rolling average connection rates, byte volumes, and destination diversity per source IP
  • Write anomaly detection rules as SQL expressions comparing current window aggregations against baseline views, flagging deviation ratios that exceed configurable thresholds
  • Enrich anomaly signals with IP geolocation, ASN reputation, and internal asset classification data via stream-table joins
  • Query the anomaly detection materialized view from your NDR platform or SIEM via the PostgreSQL interface to ingest enriched anomaly records for analyst investigation
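The procedure above, written out end to end as an added example that is not RisingWave's own code; it also covers the command-and-control beaconing, internal lateral movement and data-exfiltration-by-volume patterns from the Detection Patterns section. The JSON field names, Kafka address, the 10.0.0.0/8 "internal" prefix, the asset table rows and every threshold are constructed assumptions; CREATE SOURCE ... ENCODE JSON, TUMBLE, HOP and the LAG window function are used as RisingWave documents them, so check the syntax against the version you run.

```sql
-- Added example, not RisingWave's own code. Schema, topic names, thresholds and
-- the 10.0.0.0/8 "internal" prefix are constructed assumptions for illustration.

-- 1. NetFlow records, pre-decoded to JSON by the collector, from Kafka.
CREATE SOURCE netflow (
    flow_start TIMESTAMPTZ,
    src_ip     VARCHAR,
    dst_ip     VARCHAR,
    dst_port   INT,
    protocol   INT,
    bytes      BIGINT,
    -- tolerate 60 s of reordering between collectors before a window closes
    WATERMARK FOR flow_start AS flow_start - INTERVAL '60 SECOND'
) WITH (
    connector = 'kafka',
    topic = 'netflow',
    properties.bootstrap.server = 'kafka:9092',
    scan.startup.mode = 'latest'
) FORMAT PLAIN ENCODE JSON;

-- Internal asset classification used for enrichment (stream-table join).
CREATE TABLE asset_inventory (
    ip       VARCHAR PRIMARY KEY,
    hostname VARCHAR,
    zone     VARCHAR   -- 'workstation', 'server', 'dmz', ...
);
INSERT INTO asset_inventory VALUES         -- constructed rows
    ('10.1.2.3', 'ws-0123', 'workstation'),
    ('10.1.9.9', 'db-01',   'server');

-- 2. C2 beaconing: gap between consecutive outbound flows per (src, dst, port),
--    then the coefficient of variation of those gaps over a 1 h window sliding
--    every 5 min. Human-driven traffic has noisy gaps; a beacon's are constant.
CREATE MATERIALIZED VIEW flow_gaps AS
SELECT src_ip, dst_ip, dst_port, flow_start,
       EXTRACT(EPOCH FROM flow_start)
         - LAG(EXTRACT(EPOCH FROM flow_start))
             OVER (PARTITION BY src_ip, dst_ip, dst_port ORDER BY flow_start) AS gap_s
FROM netflow
WHERE dst_ip NOT LIKE '10.%';   -- outbound only

CREATE MATERIALIZED VIEW beacon_candidates AS
SELECT src_ip, dst_ip, dst_port, window_start, window_end,
       COUNT(*)   AS flows,
       AVG(gap_s) AS mean_gap_s,
       STDDEV_SAMP(gap_s) / NULLIF(AVG(gap_s), 0) AS gap_cv
FROM HOP(flow_gaps, flow_start, INTERVAL '5 MINUTE', INTERVAL '1 HOUR')
WHERE gap_s IS NOT NULL
GROUP BY src_ip, dst_ip, dst_port, window_start, window_end
HAVING COUNT(*) >= 10
   AND STDDEV_SAMP(gap_s) / NULLIF(AVG(gap_s), 0) < 0.1;

-- 3. Current behaviour: per-host activity per 5-minute bucket.
CREATE MATERIALIZED VIEW host_activity_5m AS
SELECT src_ip, window_start AS bucket_start, window_end AS bucket_end,
       COUNT(DISTINCT CASE WHEN dst_ip LIKE '10.%' THEN dst_ip END) AS internal_dst_count,
       SUM(CASE WHEN dst_ip NOT LIKE '10.%' THEN bytes ELSE 0 END)  AS outbound_bytes
FROM TUMBLE(netflow, flow_start, INTERVAL '5 MINUTE')
GROUP BY src_ip, window_start, window_end;

-- 4. Baseline: mean and spread of those buckets per host per calendar day,
--    updated incrementally as buckets close; no nightly batch job.
CREATE MATERIALIZED VIEW host_baseline_daily AS
SELECT src_ip, window_start AS day_start, window_end AS day_end,
       AVG(internal_dst_count)         AS avg_internal_dst,
       STDDEV_SAMP(internal_dst_count) AS sd_internal_dst,
       AVG(outbound_bytes)             AS avg_outbound_bytes,
       STDDEV_SAMP(outbound_bytes)     AS sd_outbound_bytes
FROM TUMBLE(host_activity_5m, bucket_start, INTERVAL '1 DAY')
GROUP BY src_ip, window_start, window_end;

-- 5. Detection: compare each bucket with the host's previous full day, enrich
--    from the asset table, and keep rows that cross a ratio threshold plus an
--    absolute floor (the floor stops a near-zero baseline from alerting on noise).
CREATE MATERIALIZED VIEW host_anomalies AS
SELECT a.src_ip, inv.hostname, inv.zone, a.bucket_start,
       a.internal_dst_count, b.avg_internal_dst,
       a.outbound_bytes,     b.avg_outbound_bytes,
       (a.internal_dst_count > 5 * b.avg_internal_dst AND a.internal_dst_count >= 20)
         AS lateral_movement,
       (a.outbound_bytes > 5 * b.avg_outbound_bytes AND a.outbound_bytes >= 104857600)
         AS volume_exfil     -- 100 MiB in five minutes
FROM host_activity_5m a
JOIN host_baseline_daily b
  ON b.src_ip = a.src_ip
 AND a.bucket_start >= b.day_end
 AND a.bucket_start <  b.day_end + INTERVAL '1 DAY'
LEFT JOIN asset_inventory inv ON inv.ip = a.src_ip
WHERE (a.internal_dst_count > 5 * b.avg_internal_dst AND a.internal_dst_count >= 20)
   OR (a.outbound_bytes > 5 * b.avg_outbound_bytes AND a.outbound_bytes >= 104857600);

-- 6. What the NDR/SIEM polls over the PostgreSQL protocol (psql, JDBC, ...).
SELECT * FROM host_anomalies WHERE bucket_start > NOW() - INTERVAL '10 MINUTE';
SELECT * FROM beacon_candidates ORDER BY gap_cv;
```

Two design choices worth noting. The inner join in step 5 means a host alerts only once it has a completed previous day of history, so a freshly imaged workstation is silent for its first day; if that is unacceptable, fall back to a zone-wide baseline keyed on inv.zone for hosts with no row in host_baseline_daily. The beacon rule measures only regularity; a low-reputation or never-before-seen destination is a separate enrichment join (an IP or ASN reputation table, like asset_inventory above) that raises the severity rather than gating the detection, because a beacon to a fresh domain has no reputation yet.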

Frequently Asked Questions

How do I detect network anomalies in real time using NetFlow streams?
How does streaming network anomaly detection compare to traditional NDR tools?
Can I detect DNS tunneling using streaming SQL?
How do I correlate network anomalies with other security event streams?

Surface network anomalies at flow speed, not batch speed

Analyze NetFlow and DNS streams in SQL and detect beaconing, lateral movement, and exfiltration signals within milliseconds of the first anomalous flow record.
