The article considers the problem of detecting a time-distributed network attack. Reports on the state of information space security from Kaspersky Lab and IBM Security are analyzed, as well as stages of a retrospective analysis of network traffic based on research in the field of computer forensics are identified. Assumptions were made about possible problems at each stage and solutions were proposed. Existing network traffic analysis systems used to solve the existing problem are investigated, a comparative description is made and their limitations are revealed.