A standard method of detecting network intrusion is to have an automated system continually watching network traffic patterns and flagging anomalous behavior for a human operator to investigate. This approach requires all traffic on the network to flow through a centralized monitoring station, which not only introduces a single point of failure to the network but also provides a potential bottleneck that may reduce achieved network bandwidth significantly (while, at the same time, increasing network latency).
MAGNeT provides an alternative solution. We have shown that MAGNeT, unlike tcpdump, runs almost transparently for most applications, even on high-speed networks. Thus, MAGNeT may be deployed on every computer in an installation. If this is the case, there is no need for all traffic to flow through a central monitoring machine. Instead, each machine may collect its own traffic patterns and then periodically have magnet.cron send its collected data to a central processor. This processor is then able to analyze campus-wide network activity with a finer granularity than currently available.9 Unlike current solutions, if for some reason the central processor goes down, the rest of the computers on the network continue to operate without difficulty. Thus, the problems of a single network-traffic sink are eliminated.
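The decentralised collection scheme described above, as an added illustration that is not MAGNeT's own code: every host keeps its trace records in a local spool, a periodic job standing in for magnet.cron tries to ship the spool to the central processor, and an unreachable central processor simply leaves the spool in place for the next run. The classes, the `accept` call and the sample traffic are all hypothetical; only the division of roles (per-host collection, periodic push, central aggregation) comes from the text.

```python
"""Hypothetical model of per-host collection with periodic shipping to a
central processor (added example, not MAGNeT's code).  The property worth
seeing is that a central outage never blocks or loses host-side data."""
from dataclasses import dataclass, field
from typing import Dict, List


class CentralUnavailable(Exception):
    """Raised when the central processor cannot accept a batch."""


@dataclass
class TraceRecord:
    host: str
    ts: float         # seconds since epoch (constructed sample values)
    direction: str    # "send" or "recv"
    nbytes: int


@dataclass
class CentralProcessor:
    """Aggregates batches from all hosts; `up` models reachability."""
    up: bool = True
    received: Dict[str, List[TraceRecord]] = field(default_factory=dict)

    def accept(self, host: str, batch: List[TraceRecord]) -> None:
        if not self.up:
            raise CentralUnavailable(f"central down; batch from {host} refused")
        self.received.setdefault(host, []).extend(batch)

    def total_bytes(self) -> int:
        return sum(r.nbytes for recs in self.received.values() for r in recs)


@dataclass
class Host:
    """One monitored machine: records locally, ships on a schedule."""
    name: str
    spool: List[TraceRecord] = field(default_factory=list)

    def record(self, ts: float, direction: str, nbytes: int) -> None:
        self.spool.append(TraceRecord(self.name, ts, direction, nbytes))

    def ship(self, central: CentralProcessor) -> int:
        """Cron-style job: returns the number of records delivered.
        On failure the spool is left intact and retried next run."""
        if not self.spool:
            return 0
        batch = list(self.spool)
        try:
            central.accept(self.name, batch)
        except CentralUnavailable:
            return 0
        # Drop only what was acknowledged; records appended meanwhile stay.
        del self.spool[:len(batch)]
        return len(batch)


def simulate() -> dict:
    """Drive two hosts through a central outage and recovery."""
    central = CentralProcessor()
    hosts = [Host("alpha"), Host("beta")]
    for i, h in enumerate(hosts):            # constructed sample traffic
        h.record(1000.0 + i, "send", 1500)
        h.record(1001.0 + i, "recv", 40)
    central.up = False
    while_down = sum(h.ship(central) for h in hosts)
    spooled = sum(len(h.spool) for h in hosts)
    central.up = True
    after_recovery = sum(h.ship(central) for h in hosts)
    return {
        "delivered_while_down": while_down,       # 0: nothing accepted
        "spooled_during_outage": spooled,         # 4: nothing lost
        "delivered_after_recovery": after_recovery,  # 4: all caught up
        "central_bytes": central.total_bytes(),   # 3080
        "remaining": sum(len(h.spool) for h in hosts),  # 0
    }


if __name__ == "__main__":
    print(simulate())
```

The spool is cleared only after the central side acknowledges the batch, which is what makes the central processor a non-critical component: hosts keep collecting and shipping on their own schedule, and the aggregate view merely lags during an outage instead of being lost.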