An active network defense system is provided that is operable to monitor
and block traffic in an automated fashion. This active network defense
system is placed in-line with respect to the packet traffic data flow as
a part of the network infrastructure. In this configuration, inspection
and manipulation of every passing packet is possible. An algorithmic
filtering operation applies statistical threshold filtering to the data
flow in order to identify threats existing across multiple sessions. A
trigger filtering operation applies header and content match filtering to
the data flow in order to identify threats existing within individual
sessions. Threatening packet traffic is blocked and threatening sessions
are terminated. Suspicious traffic is extracted from the data flow for
further examination with more comprehensive content matching as well as
asset risk analysis. A flow control mechanism is provided to control
passage rate for packets passing through the data flow.
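
The pipeline described above can be sketched in a few lines; this is an added illustration, not code from the described system. It shows the cross-session threshold stage, the per-session header and content trigger stage, session termination, extraction of suspicious packets and a token-bucket flow control. The packet fields, rule format, thresholds, stage order and verdict strings are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_S, MAX_NEW_SESSIONS = 10.0, 3           # assumed statistical threshold
TRIGGERS = [(80, b"BAD-SIGNATURE", "block"),   # assumed (dport, content, action) rules
            (None, b"ODD-SIGNATURE", "extract")]  # None = any port
RATE_PPS, BURST = 1.0, 2.0                     # assumed token-bucket flow-control limits

class InlineFilter:
    def __init__(self):
        self.new_sessions = defaultdict(deque)  # src -> times of session starts
        self.terminated, self.extracted = set(), []  # dead sessions; diverted packets
        self.tokens, self.last_ts = BURST, 0.0

    def algorithmic(self, p):
        """Cross-session: too many new sessions from one source inside the window."""
        q = self.new_sessions[p["src"]]
        if p["syn"]:
            q.append(p["ts"])
        while q and p["ts"] - q[0] > WINDOW_S:
            q.popleft()
        return len(q) > MAX_NEW_SESSIONS

    def trigger(self, p):
        """Per-session: action of the first rule whose header and content both match."""
        return next((a for port, needle, a in TRIGGERS
                     if port in (None, p["dport"]) and needle in p["payload"]), None)

    def flow_ok(self, p):
        self.tokens = min(BURST, self.tokens + (p["ts"] - self.last_ts) * RATE_PPS)
        self.last_ts = p["ts"]
        ok = self.tokens >= 1.0
        self.tokens -= 1.0 if ok else 0.0
        return ok

    def process(self, p):
        if p["session"] in self.terminated:
            return "drop:terminated"
        if self.algorithmic(p):
            return "drop:threshold"
        action = self.trigger(p)
        if action == "block":
            self.terminated.add(p["session"])   # terminate the whole session
            return "drop:trigger"
        if action == "extract":
            self.extracted.append(p)            # held for deeper examination
            return "extract"
        return "pass" if self.flow_ok(p) else "drop:rate"

def pkt(ts, src, session, dport=80, payload=b"", syn=False):  # constructed sample packet
    return dict(ts=ts, src=src, session=session, dport=dport, payload=payload, syn=syn)
```

Because the filter sits in-line, every verdict other than `pass` means the packet never reaches the protected side; `extract` additionally keeps a copy for the slower, more comprehensive matching stage.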