System and method of detecting whether a source of a packet flow transmits packets which bypass an operating system stack

What is claimed is: 1. A method comprising: first capturing first data associated with a first packet flow originating from a computing device, the first capturing occurring at first layer of a network; second capturing second data associated with a second packet flow originating from the computing device, the second capturing occurring at a second layer of the network different from the first layer; in response to a difference between the first and second data exceeding a threshold value; determining a portion of the second data includes hidden network traffic transmitted by bypassing an operating stack of the computing device or a packet capture agent of the computing device; and performing a corrective action to reduce future flow of hidden traffic from the computer device. 2. The method of claim 1 , the corrective action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from a first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator. 3. The method of claim 2 , wherein the corrective action includes requiring all packets to and from the computing device to flow through an operating stack of the computing device. 4. The method of claim 2 , wherein the corrective action includes isolating a virtual machine and/or a container. 5. The method of claim 2 , wherein the corrective action includes the computing device. 6. The method of claim 2 , wherein the corrective action includes shutting down the computing device. 7. The method of claim 1 , further comprising predicting a presence of a malicious entity in the computing device based on the hidden network traffic. 8. A non-transitory computer-readable storage medium storing instructions which, when executed by a processor, cause the processor to perform operations comprising: first capturing first data associated with a first packet flow originating from a computing device, the first capturing occurring at first layer of a network; second capturing second data associated with a second packet flow originating from the computing device, the second capturing occurring at a second layer of the network different from the first layer; in response to a difference between the first and second data exceeding a threshold value; determining a portion of the second data includes hidden network traffic transmitted by bypassing an operating stack of the computing device or a packet capture agent of the computing device; and performing a corrective action to reduce future flow of hidden traffic from the computer device. 9. The non-transitory computer-readable storage medium of claim 8 , the corrective action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from a first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator. 10. The non-transitory computer-readable storage medium of claim 9 , wherein the corrective action includes requiring all packets to and from the computing device to flow through an operating stack of the computing device. 11. The non-transitory computer-readable storage medium of claim 9 , wherein the corrective action includes isolating a virtual machine and/or a container. 12. The non-transitory computer-readable storage medium of claim 9 , wherein the corrective action includes isolating the computing device. 13. The non-transitory computer-readable storage medium of claim 9 , wherein the corrective action includes shutting down the computing device. 14. The non-transitory computer-readable storage medium of claim 8 , further comprising predicting a presence of a malicious entity in the computing device based on the hidden network traffic. 15. A system comprising: a non-transitory computer-readable memory storing instructions; a processor programmed to cooperate with the instructions in memory to perform operations comprising: first capturing first data associated with a first packet flow originating from a computing device, the first capturing occurring at first layer of a network; second capturing second data associated with a second packet flow originating from the computing device, the second capturing occurring at a second layer of the network different from the first layer; in response to a difference between the first and second data exceeding a threshold value; determining a portion of the second data includes hidden network traffic transmitted by bypassing an operating stack of the computing device or a packet capture agent of the computing device; and performing a corrective action to reduce future flow of hidden traffic from the computer device. 16. The system of claim 15 , the corrective action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from a first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator. 17. The system of claim 16 , wherein the corrective action includes requiring all packets to and from the computing device to flow through an operating stack of the computing device. 18. The system of claim 16 , wherein the corrective action includes isolating a virtual machine and/or a container. 19. The system of claim 16 , wherein the corrective action includes isolating and/or shutting down the computing device. 20. The system of claim 15 , further comprising predicting a presence of a malicious entity in the computing device based on the hidden network traffic.