1. Field of the Invention
Embodiments of the present invention generally relate to traffic monitoring in a network and, more particularly, to a method and apparatus for detecting anomalies in aggregated traffic volume data.
2. Description of the Related Art
Networks typically monitor data traffic passing through one or more network elements in order to detect abnormal activities that may suggest some type of malicious attack is underway. One type of traffic alarm process relies on a complex frequency domain analysis of traffic volume. Other types of traffic alarm processes employ static thresholds for alarming based on traffic volume. However, Internet traffic is complex and difficult to characterize and model. The aggregated traffic is a mixture of different applications and protocols, and it evolves as those applications and protocols change. Any alarm process that uses static thresholds is only effective for a short period of time, since the traffic is dynamic and under constant change. Accordingly, there exists a need in the art for a method and apparatus for detecting anomalies in aggregated traffic volume data that can accurately detect abnormal changes in traffic and is less complex.