
System Design Question

Design a Cybersecurity Threat Detection System


Requirements Definition

Functional Requirements:

  • The system should detect potential cybersecurity threats in network traffic entering the data center.
  • It should capture and analyze network packets at two capture points: the network layer (e.g., the firewall) and inside the API gateway.
  • The system should focus on incoming (ingress) traffic.
  • It should support two main detection approaches: pattern/rule-based detection and anomaly detection (using ML models).
  • Upon detecting a potential threat, the system should be able to log the event, send notifications to administrators, and optionally block or flag suspicious packets.

Non-Functional Requirements:

  • The system must introduce minimal latency (e.g., less than 10ms additional delay per request).
  • Threat detection should occur within a short timeframe (e.g., within 10 minutes of packet arrival).
  • The system should be able to handle high throughput (up to 1 million requests per second).
  • The false negative rate (missed threats) should be kept low.
  • The system should be scalable to accommodate growth in traffic volume.

Out of Scope:

  • Outgoing (egress) traffic analysis.
  • Deep packet inspection of encrypted payloads beyond what is available at the capture points.
  • Automated remediation actions beyond logging, notification, and basic blocking.
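A minimal two-stage detector for the requirements above, written here as an added example (it is not code from the page or the bugfree course): rule-based matching at stage one, a sliding-window rate anomaly at stage two, and a verdict that maps to the log/notify/block/flag actions listed. The record layout, the two rules, the 1 s window and the 100-request limit are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Ingress:      # one captured ingress record (constructed layout)
    ts: float       # arrival time in seconds
    src: str        # client address seen at the capture point
    point: str      # capture point: "firewall" or "api_gateway"
    path: str       # request path; only meaningful at the API gateway

# Stage 1: pattern/rule-based detection. Constructed substring rules stand in
# for a real signature store.
RULES = {"path_traversal": "../", "sqli_probe": "' or 1=1"}
def rule_hits(rec):
    return [name for name, needle in RULES.items() if needle in rec.path.lower()]

class RateAnomaly:
    """Stage 2: per-source request rate over a sliding window. Per-source deques
    keep each observation O(1) amortised, inside the sub-10 ms latency budget."""
    def __init__(self, window=1.0, limit=100):
        self.window, self.limit = window, limit
        self.seen = defaultdict(deque)
    def observe(self, rec):
        q = self.seen[rec.src]
        q.append(rec.ts)
        while q and rec.ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

def decide(rec, detector):
    """Rule hits are blocked; rate anomalies are only flagged, since a burst may
    be legitimate. Every non-allow verdict is what gets logged and notified."""
    hits = rule_hits(rec)
    anomalous = detector.observe(rec)   # always observe so rates stay accurate
    if hits:
        return {"action": "block", "reason": hits}
    if anomalous:
        return {"action": "flag", "reason": ["rate_anomaly"]}
    return {"action": "allow", "reason": []}

def run_sample():
    """Constructed traffic: two benign requests, one traversal probe, then a
    120-request burst from a single source inside one second."""
    det = RateAnomaly(window=1.0, limit=100)
    recs = [Ingress(0.1, "10.0.0.5", "api_gateway", "/api/users"),
            Ingress(0.2, "10.0.0.6", "api_gateway", "/api/items"),
            Ingress(0.3, "10.0.0.5", "api_gateway", "/api/../etc/passwd")]
    recs += [Ingress(1.0 + i / 200, "10.0.0.9", "firewall", "/") for i in range(120)]
    summary = {"allow": 0, "flag": 0, "block": 0}
    for r in recs:
        summary[decide(r, det)["action"]] += 1
    return summary   # {'allow': 102, 'flag': 20, 'block': 1}
```

Only the first 100 requests of the burst pass as normal; the remaining 20 are flagged rather than blocked, which is the trade-off the false-negative and latency requirements push towards.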

System Design Diagrams
