Many networks storing data, such as web applications, web pages, or other content, include traffic management computing devices that, among other functions, protect the server devices storing the data from malicious attacks. One such attack is a distributed denial of service (DDoS) attack, although many other malicious attacks exist. The malicious attacks can be identified based on anomalous network traffic received by the traffic management computing devices.
Currently, traffic management computing devices identify anomalous network traffic based on a set of thresholds corresponding to various signals in the network traffic. However, the thresholds, as well as which signals are monitored, are established by administrators and are relatively static. Accordingly, the thresholds have limited effectiveness, particularly for networks in which characteristics of the observed traffic change over time.
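The limitation described above can be seen by applying one fixed set of thresholds to traffic from different periods. This is an added example, not part of the original text; the signal names, threshold values and traffic samples are assumptions constructed for illustration.

```python
# Administrator-set, static thresholds per signal (names and values are assumptions).
STATIC_THRESHOLDS = {"requests_per_sec": 1000, "syn_per_sec": 400}

def static_alerts(sample, thresholds=STATIC_THRESHOLDS):
    """Return the sorted names of signals whose value exceeds its fixed threshold."""
    return sorted(n for n, limit in thresholds.items() if sample.get(n, 0) > limit)

def evaluate(samples, thresholds=STATIC_THRESHOLDS):
    """Score the static thresholds against labelled samples."""
    result = {"true_pos": 0, "false_pos": 0, "missed": 0, "true_neg": 0}
    for s in samples:
        flagged = bool(static_alerts(s, thresholds))
        if flagged and s["attack"]:
            result["true_pos"] += 1
        elif flagged:
            result["false_pos"] += 1   # legitimate traffic reported as anomalous
        elif s["attack"]:
            result["missed"] += 1      # anomalous traffic stayed under every threshold
        else:
            result["true_neg"] += 1
    return result

def sample(rps, syn, attack):
    return {"requests_per_sec": rps, "syn_per_sec": syn, "attack": attack}

# Constructed samples. TUNED: the period the thresholds were chosen for.
TUNED = [sample(600, 200, False), sample(650, 220, False), sample(1500, 900, True)]
# GROWN: legitimate traffic has roughly doubled since the thresholds were set.
GROWN = [sample(1200, 350, False), sample(1250, 380, False), sample(3000, 1500, True)]
# QUIET: low-traffic period; the attack is 7x the baseline yet below both limits.
QUIET = [sample(100, 30, False), sample(110, 35, False), sample(700, 380, True)]

if __name__ == "__main__":
    for name, period in (("tuned", TUNED), ("grown", GROWN), ("quiet", QUIET)):
        print(name, evaluate(period))
```

The same thresholds that classify the tuned period correctly flag ordinary traffic once the baseline grows, and miss an attack that is large relative to a quiet baseline.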
Moreover, malicious attacks often target many different storage networks that have traffic management computing devices. If a malicious attack is thwarted by one traffic management device, then the attacker may move on to target another storage network. However, traffic management computing devices currently operate in relative isolation and are not aware of other attacks that have been observed by other traffic management computing devices in other networks. Accordingly, traffic management computing devices are unable to prepare for, or defend against, network attacks in an early and effective manner.