StreamWorks: Near Real-Time Detection of Emerging Patterns of Cyberattacks in Massive Data Streams

Battelle Number: 30996, 31083 | N/A

Technology Overview

One hundred forty-six days—that’s how long, on average, it takes to detect a cyber breach from the time it begins. Pacific Northwest National Laboratory’s patented StreamWorks cuts that time significantly—to near real time—by detecting emerging patterns of sophisticated cyberattacks in massive data streams.

Combining several analytic approaches, never before seen together in a cybersecurity tool, StreamWorks tells a cyber analyst when major suspicious patterns are occurring. The tool also provides a description of the potential threat and a rationale for why the threat was selected—so the analyst doesn't have to guess but, instead, can act swiftly.

This R&D-100-Award-winning graph-analytics engine detects patterns within data as they flow between computers, users, and applications—at rate 10 to 100 times faster than current methods. The tool performs continuous matching for user-selected query patterns, which can be tailored to analyze computer network traffic, social media events, or other streams of data represented as a dynamic data graph. Users can tailor StreamWorks query graphs to different types of intrusions and produce visualizations showing the emerging and evolving patterns. This fast-pace, real-time monitoring and analysis allows cybersecurity analysts to detect cyberattacks quickly, before thieves steal data or crash a system.

This software application is intended to be used in a dynamic environment where network data is streamed in and is appended to a large-scale dynamic graph. This technology can be of benefit to organizations seeking to detect attacks within networks comprising multiple devices. For example, an organization’s cyber network can be observed as a graph, where each node represents a computing device (or IP address) and an edge represents the communication between the devices. As data is generated, the graph continuously updates so a threat can be identified sooner rather than later. Different types of graphical query patterns (expressed as subgraphs) may be defined for specific types of cyberattacks, including various network scans, reflector attacks, flood attack, viruses, worms, etc.

This tool caught the attention of the Department of Homeland Security, which featured StreamWorks in its 2017 cohort of eight patented technologies fit for its Transition to Practice program.


  • Detect emerging patterns of sophisticated cyberattacks in massive data streams in near real time
  • Identify intrusion and threat patterns 10 to 100 times faster than current methods
  • Produce easy-to-use visualization showing emerging and evolving threat patterns

State of Development

StreamWorks has applicability in real-time monitoring in cybersecurity, finance, and Internet of Things applications. The analysis framework is intended to be used in a dynamic environment where network data is streamed in and is represented as a large-scale evolving dynamic graph. The framework may be applied to identify emerging graph patterns that are known to users in advance or ones that spontaneously emerge that are deemed “significant” or “interesting” and then alerted to users as significant events.


Available for licensing in all fields


Data; data sciences; data analysis; graph analytics; cybersecurity; cyberattack



Data Sciences

Market Sectors

Data Sciences