In order to detect excessively high traffic volumes that may be malicious, traffic thresholds for alarming on spikes in flow, packet or byte traffic arrivals at and/or departures from a given IP protocol, a given port associated with a protocol, a given IP address or subset of IP addresses, or other traffic aggregation need to be properly defined and monitored. These thresholds are protocol-specific, specific to a port and protocol, IP address-specific, or specific to other traffic aggregations. For instance, if a large volume of suspicious traffic is detected that deviates from the regular traffic pattern for a particular IP protocol, a particular port associated with a protocol, a particular IP address or subset of IP addresses, or other traffic aggregation, whether the deviation is a significant increase or a significant decrease compared to the regular traffic pattern, the network needs to be able to raise an alarm to warn the network operator of the potential problem so that appropriate actions can be taken to mitigate any potential risks.
Therefore, a need exists for a method and apparatus for volumetric thresholding and alarming in a packet network, e.g., an IP network.
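As an added example, not part of the original text, the following Python models the volumetric thresholding described above on constructed flow records: a baseline per traffic aggregation (IP protocol, port and protocol, or destination IP address) for flow, packet and byte counts, with an alarm raised on a significant increase or decrease. The record layout, the `k` and `floor` parameters, and all addresses and counts are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (interval, ip_proto, dst_port, dst_ip, packets, bytes).
# Intervals 0-4 are the regular pattern; interval 5 is the one under test.
FLOWS = []
for t in range(5):
    FLOWS += [(t, 6, 443, "10.0.0.5", 100 + 10 * (t % 2), 120_000),  # HTTPS
              (t, 6, 443, "10.0.0.5", 110, 130_000),
              (t, 17, 53, "10.0.0.9", 200, 20_000),                   # DNS
              (t, 17, 53, "10.0.0.9", 190, 19_000)]
FLOWS += [(5, 6, 443, "10.0.0.5", 1500, 1_800_000),   # HTTPS volume ~14x up
          (5, 6, 443, "10.0.0.5", 1500, 1_800_000),
          (5, 17, 53, "10.0.0.9", 5, 500),            # DNS volume almost gone
          (5, 17, 53, "10.0.0.9", 5, 500)]

# One aggregation key per kind of threshold the text names.
BY_PROTO = lambda proto, port, ip: ("proto", proto)
BY_PORT = lambda proto, port, ip: ("port", proto, port)
BY_IP = lambda proto, port, ip: ("ip", ip)

def aggregate(flows, key_fn):
    """Per aggregation key and interval: [flow count, packets, bytes]."""
    series = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for t, proto, port, ip, pkts, byts in flows:
        c = series[key_fn(proto, port, ip)][t]
        c[0] += 1
        c[1] += pkts
        c[2] += byts
    return series

def check_thresholds(flows, key_fn, current, k=3.0, floor=0.05):
    """Alarm when an aggregation's flow, packet or byte count in `current`
    is outside mean +/- max(k*stddev, floor*mean) of the earlier intervals."""
    alarms = {}                       # {(key, metric): (direction, observed, low, high)}
    for key, per_t in aggregate(flows, key_fn).items():
        history = [per_t[t] for t in sorted(per_t) if t < current]
        if len(history) < 2:
            continue                                  # no baseline yet
        now = per_t.get(current, [0, 0, 0])           # silence counts as zero
        for i, metric in enumerate(("flows", "packets", "bytes")):
            vals = [h[i] for h in history]
            mu = mean(vals)
            band = max(k * pstdev(vals), floor * mu)  # floor: no zero-width band
            low, high = mu - band, mu + band
            if now[i] > high:
                alarms[(key, metric)] = ("increase", now[i], low, high)
            elif now[i] < low:
                alarms[(key, metric)] = ("decrease", now[i], low, high)
    return alarms
```

Run with `check_thresholds(FLOWS, BY_PORT, current=5)` to see the HTTPS increase and DNS decrease alarms on packets and bytes while the unchanged flow counts stay silent; swap in `BY_PROTO` or `BY_IP` for the other aggregations.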