Sure Ehsan,
Stealthwatch actually uses several different database tools, but the one you are probably most interested in is our analytics database, which uses HP Vertica.
Put very simply, Stealthwatch uses unsupervised machine learning to create models of what is 'normal' for the network. When a host deviates from 'normal' it accumulates points, based in part on the amount of deviation. Points can also be assigned based on defined negative or bad activities. When a host's point score reaches a certain point an alarm is raised.
I hope this helps.
Brian
Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
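
The point-accumulation idea described in the reply above, as an added sketch that is not part of the original post and is not Stealthwatch's actual algorithm. The z-score baseline, the point values, the event names and the alarm threshold are all assumptions chosen for illustration, and the sample data is constructed.

```python
import statistics
from collections import defaultdict

ALARM_THRESHOLD = 100                                 # assumed threshold
POLICY_POINTS = {"scan": 40, "blocklisted_dst": 60}   # assumed "defined bad activity" points
Z_TOLERANCE = 3.0                                     # deviations below this earn no points

def build_baselines(history):
    """Learn 'normal' per host: {host: [bytes per interval]} -> {host: (mean, stdev)}."""
    return {h: (statistics.mean(v), statistics.pstdev(v) or 1.0)
            for h, v in history.items()}

def score_events(baselines, events, threshold=ALARM_THRESHOLD):
    """events: iterable of (host, kind, value). Returns (scores, hosts_in_alarm)."""
    scores, alarms = defaultdict(int), []
    for host, kind, value in events:
        points = 0
        if kind == "traffic" and host in baselines:
            mean, stdev = baselines[host]
            z = (value - mean) / stdev
            if z > Z_TOLERANCE:
                # Points grow with the size of the deviation from the baseline.
                points = int(10 * (z - Z_TOLERANCE))
        elif kind in POLICY_POINTS:
            # Fixed points for activity defined as bad regardless of baseline.
            points = POLICY_POINTS[kind]
        scores[host] += points
        if scores[host] >= threshold and host not in alarms:
            alarms.append(host)
    return dict(scores), alarms

# Constructed sample data: observed bytes per interval during a learning period.
HISTORY = {"10.0.0.5": [90, 110, 90, 110], "10.0.0.9": [40, 60, 40, 60]}
# Constructed event stream: (host, kind, value).
EVENTS = [
    ("10.0.0.5", "traffic", 120),   # z = 2, within tolerance, 0 points
    ("10.0.0.9", "traffic", 55),    # z = 0.5, 0 points
    ("10.0.0.5", "traffic", 200),   # z = 10, 70 points
    ("10.0.0.5", "scan", None),     # policy event, 40 points, total 110
]

if __name__ == "__main__":
    scores, alarms = score_events(build_baselines(HISTORY), EVENTS)
    print(scores, alarms)
```

Neither the large traffic deviation nor the scan alone crosses the assumed threshold in this sample; the alarm fires only once the two accumulate on the same host.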