US10454793B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10454793-B2 |
| Application number | US-201615171879-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 2, 2016 |
| Priority date | Jun 5, 2015 |
| Publication date | Oct 22, 2019 |
| Grant date | Oct 22, 2019 |
Official abstract text for this publication.
A method includes capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data, capturing second data associated with a second packet flow originating from the first host from a second capture agent deployed on a second host to yield second flow data and comparing the first flow data and the second flow data to yield a difference. When the difference is above a threshold value, the method includes determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent at the device to yield a determination, detecting that hidden network traffic exists, and predicting a malware issue with the first host based on the determination.
Opening claim text (preview).
What is claimed is:

1. A method comprising: capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data; capturing second data associated with a second packet flow originating from the first host using a second capture agent deployed at a second host to yield second flow data, wherein the first capturing agent is deployed in a first layer of a network and the second capturing agent is deployed in a second layer of the network; comparing the first flow data and the second flow data to yield a difference; and when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed an operating stack of the first host or a packet capture agent on the first host, to yield a determination that hidden network traffic exists, and performing a correcting action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator.

2. The method of claim 1, wherein the first data and the second data comprise metadata associated respectively with the first packet flow and the second packet flow.

3. The method of claim 1, wherein the first data comprises first packet content of the first packet flow and the second data comprise second packet content of the second packet flow.

4. The method of claim 1, wherein the first data and the second data comprise network data.

5. The method of claim 1, wherein a collector receives the first flow data and the second flow data and performs the step of comparing the first flow data and the second flow data.

6. The method of claim 1, wherein the corrective action includes requiring all packets to and from the first host to flow through the operating stack of the first host.

7. The method of claim 6, wherein the correcting action includes isolating the virtual machine and/or the container.

8. The method of claim 1, further comprising: identifying a computing environment that generated the first packet flow and the second packet flow.

9. The method of claim 1, further comprising: determining that hidden network traffic exists based on the determination.

10. The method of claim 9, wherein the corrective action includes isolating or shutting down the first host.

11. The method of claim 9, further comprising: predicting a presence of a malicious entity in the first host based on the hidden network traffic.

12. A system comprising: a processor; and a computer-readable storage medium storing instructions which, when executed by the processor, cause the processor to perform operations comprising: capturing first data associated with a first packet flow originating from a first host using a first capture agent deployed at the first host to yield first flow data; capturing second data associated with a second packet flow originating from the first host using a second capture agent deployed at a second host to yield second flow data, wherein the first capturing agent is deployed in a first layer of a network and the second capturing agent is deployed in a second layer of the network; comparing the first flow data and the second flow data to yield a difference; and when the difference is above a threshold value, determining that the second packet flow was transmitted by a component that bypassed one of an operating stack of the first host and a packet capture agent on the first host, to yield a determination that hidden network traffic exists, and performing a correcting action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator.

13. The system of claim 12, wherein the first data and the second data comprise one of (1) metadata associated respectively with the first packet flow and the second packet flow or (2) network data.

14. The system of claim 12, wherein the first data comprises first packet content of the first packet flow and the second data comprise second packet content of the second packet flow.

15. The system of claim 12, wherein a collector receives the first flow data and the second flow data and performs the step of comparing the first flow data and the second flow data.

16. The system of claim 12, wherein the corrective action includes requiring all packets to and from the first host to flow through the operating stack of the first host.

17. The system of claim 16, wherein the correcting action includes isolating the virtual machine and/or the container.

18. The system of claim 12, wherein the computer-readable storage medium stores additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: identifying a computing environment that generated the first packet flow and the second packet flow.

19. The system of claim 12, wherein the computer-readable storage medium stores additional instructions which, when executed by the processor, cause the processor to perform further operations comprising: based on the determination, determining that hidden network traffic exists.

20. The system of claim 19, further comprising: predicting a presence of a malicious entity in the first host based on the hidden network traffic.
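The abstract and claim 1 describe a two-vantage-point comparison: a capture agent inside the host reports the flows it saw leave the host, a second agent one layer out (the hypervisor's virtual switch or a physical switch, in the claim's terms a different "layer of the network") reports the flows it saw arrive from that host, and traffic the outer agent attributes to the host but the inner agent never saw is evidence that something bypassed the host's operating stack or its capture agent. The following Python is an added illustration of that comparison and is not code from the patent or its assignee. The record format, the per-flow count tolerance, the threshold value and the action policy are all assumptions chosen for the example; the two sets of flow records are constructed.

```python
"""Compare flow records from a host-resident capture agent with records from a
network-layer capture agent for the same source host, and flag flows the
network saw but the host never reported (traffic that bypassed the host stack).

Added example, not code from the patent. Record format, tolerance, threshold
and the corrective-action policy are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FlowKey:
    """5-tuple identifying a packet flow."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class FlowStats:
    packets: int = 0
    bytes: int = 0


def parse_flow_records(lines: Iterable[str]) -> Dict[FlowKey, FlowStats]:
    """Parse 'key=value' flow records (assumed format) and aggregate per 5-tuple.
    Blank lines and '#' comments are skipped."""
    flows: Dict[FlowKey, FlowStats] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        key = FlowKey(kv["src"], kv["dst"], kv["proto"].lower(),
                      int(kv["sport"]), int(kv["dport"]))
        stats = flows.setdefault(key, FlowStats())
        stats.packets += int(kv["packets"])
        stats.bytes += int(kv["bytes"])
    return flows


@dataclass
class Comparison:
    hidden_flows: List[FlowKey] = field(default_factory=list)  # seen only by the network agent
    unaccounted_packets: int = 0   # packets the host agent cannot account for
    network_packets: int = 0       # packets the network agent attributed to the host

    @property
    def difference(self) -> float:
        """Fraction of the host's network-observed packets the host agent did not report."""
        return self.unaccounted_packets / self.network_packets if self.network_packets else 0.0


def compare_flow_data(host_flows: Dict[FlowKey, FlowStats],
                      network_flows: Dict[FlowKey, FlowStats],
                      host_ip: str,
                      count_tolerance: float = 0.10) -> Comparison:
    """Yield the 'difference' of claim 1. Only flows originating from host_ip are
    considered. Small per-flow count mismatches (timing, export sampling) are
    tolerated; only the excess beyond the tolerance counts, and a flow wholly
    absent from the host agent's view counts in full."""
    cmp = Comparison()
    for key, net in network_flows.items():
        if key.src != host_ip:
            continue
        cmp.network_packets += net.packets
        host = host_flows.get(key)
        if host is None:
            cmp.hidden_flows.append(key)
            cmp.unaccounted_packets += net.packets
            continue
        excess = net.packets - host.packets
        if excess > count_tolerance * host.packets:
            cmp.unaccounted_packets += excess
    return cmp


# Assumed policy: which of claim 1's listed corrective actions to take on a positive determination.
ACTIONS_ON_HIDDEN_TRAFFIC = [
    "notify_administrator",
    "require_all_packets_through_operating_stack",
    "limit_packets_to_and_from_host",
]


@dataclass
class Determination:
    hidden_traffic: bool
    difference: float
    hidden_flows: List[FlowKey]
    actions: List[str]


def evaluate_host(host_lines: Iterable[str], network_lines: Iterable[str],
                  host_ip: str, threshold: float = 0.05) -> Determination:
    """Run the comparison and apply the threshold; threshold value is an assumption."""
    cmp = compare_flow_data(parse_flow_records(host_lines),
                            parse_flow_records(network_lines), host_ip)
    hidden = cmp.difference > threshold
    return Determination(hidden, cmp.difference, cmp.hidden_flows,
                         list(ACTIONS_ON_HIDDEN_TRAFFIC) if hidden else [])


# Constructed sample data: what the agent inside host 10.0.0.5 reported ...
HOST_AGENT_RECORDS = """
src=10.0.0.5 dst=10.0.0.9 proto=tcp sport=51000 dport=443 packets=120 bytes=96000
src=10.0.0.5 dst=10.0.0.53 proto=udp sport=40210 dport=53 packets=4 bytes=320
src=10.0.0.5 dst=10.0.0.9 proto=tcp sport=51001 dport=443 packets=80 bytes=64000
"""

# ... and what the network-layer agent (hypervisor/switch) saw from that host.
# The 203.0.113.7:4444 flow never appears in the host agent's records.
NETWORK_AGENT_RECORDS = """
src=10.0.0.5 dst=10.0.0.9 proto=tcp sport=51000 dport=443 packets=122 bytes=97600
src=10.0.0.5 dst=10.0.0.53 proto=udp sport=40210 dport=53 packets=4 bytes=320
src=10.0.0.5 dst=10.0.0.9 proto=tcp sport=51001 dport=443 packets=80 bytes=64000
src=10.0.0.5 dst=203.0.113.7 proto=tcp sport=33000 dport=4444 packets=300 bytes=240000
src=10.0.0.8 dst=10.0.0.9 proto=tcp sport=52000 dport=443 packets=50 bytes=40000
"""

if __name__ == "__main__":
    d = evaluate_host(HOST_AGENT_RECORDS.splitlines(), NETWORK_AGENT_RECORDS.splitlines(), "10.0.0.5")
    print(f"hidden traffic: {d.hidden_traffic}  difference={d.difference:.3f}")
    for k in d.hidden_flows:
        print(f"  unreported flow {k.src}:{k.sport} -> {k.dst}:{k.dport}/{k.proto}")
    print("actions:", d.actions)
```

Two practical caveats the claims leave implicit. The comparison only means something if the second agent sits outside the first host's trust boundary (virtual switch, ToR switch, SPAN port); a kernel-level implant that blinds the in-host agent can equally blind a second agent on the same host. And the flow keys must be comparable across the two layers, so any NAT, overlay encapsulation or port translation between the host and the outer agent has to be undone before matching, or every translated flow looks "hidden".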
CPC classification titles:
- Drawing of charts or graphs
- based on quality criteria
- Policy-based network configuration management
- comprising network management agents or mobile agents therefor
- Throughput