Existing state of art solutions relating to network security implements traffic monitoring based on information corresponding to lower level network layers—for example layers 2, 3 or 4 i.e. within the subnet (or MAC) stack, internet (or IP) stack and transport (or TCP/UDP) stack. These existing approaches are based on monitoring Ethernet frames and IP packets at the network level—and are effective in achieving network security between specific end network devices. Such solutions for API security have so far adopted a singular approach—focusing on one particular attack at a time using user entered policies, as well as a “one-size fits all” type approach, where network monitors search for one or more identified patterns of abnormal behaviour. Existing approaches fail to take into account that normal and abnormal patterns of behaviour can vary significantly based on the target API, and that traffic patterns that are considered entirely normal or benign in respect of one API may, if observed in connection with another API, be indicative of severe indicators of compromise. There is accordingly a need to implement machine based approaches to threat and/or attach detection keeping in mind (and appropriately accounting for) a plurality of different APIs and/or application traffic patterns.