Real-time analysis of flow data for network attack detection

G Munz, G Carle
2007 10th IFIP/IEEE International Symposium on Integrated Network …, 2007 - ieeexplore.ieee.org
With the wide deployment of flow monitoring in IP networks, the analysis of the exported flow data has become an important research area. It has been shown that flow data can be used to detect traffic anomalies, DoS attacks, and the propagation of worms. In practice, anomalies and attacks should be detected as fast as possible so that appropriate countermeasures can be taken. We describe the necessary steps from the raw flow data to the detection result in a systematic way. Furthermore, we present TOPAS, a system and framework for real-time analysis of flow data that has been developed to meet these requirements. Performance measurements and various application examples point out the capabilities and benefits of our approach.