Thank you for your reply,brford.

so you meant learning network is no longer sold independently but sold as a component of stealthwatch?

And i have another question,as mentioned in

https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3056.pdf

Anomaly detection in stealthwatch is (usually but not exclusively) implemented by unsupervised algorithm, more in detail, it model what is normal behaviour for some time(few days or few weeks in customer environment). But how does the user guarantee that the network environment is normal during this period, whether the network administrator must intervene to ensure that no abnormalities occur?

If my description is not clear enough, please let me know,thank you very much!

This is a very common question raised when almost any security product is installed.  How do we know what normal is? What if my site is under attack or has been compromised when the security product is installed?

The way that I address this question is that it is important that the security product be able to display information about the data that makes up it's baseline.

In Stealthwatch Enterprise the user has the capability of being able to drill down on an alarm to see where the data that contributes to that alarm is coming from. You can track backwards to see the exporter interface that contributed the data that drives a host alarm.  From that interface you can investigate everything that the exporter reports.  That gives the user the capability to assess that interface and compare it with another or compare the data exported at different points in time.

It's these comparisons that often yield issues to investigate.  Sometimes these issues are non malicious.  It could be a hardware fault in a network interface.  But sometimes they result in taking actions; such as deploying an access control list (ACL) to temporarily block traffic to determine which, if any applications might be impacted.

Sometimes you investigate and you find evidence of known malware and you mitigate.