Image Number 4 for United States Patent #7738377.
A method and apparatus for analyzing traffic arriving at and/or departing from a traffic aggregate defined as a given IP-related protocol, a given port associated with a given protocol, an IP address or subset of IP addresses, or by other traffic aggregation, during a given time interval, to determine whether there is a significant increase or decrease in traffic aggregate's traffic volume as compared to the traffic aggregate's expected traffic volume are disclosed. In one embodiment, the present method defines a traffic share ratio threshold associated with a given protocol or a given protocol port or a given IP address or a given subset of IP addresses or other traffic aggregation using said collected volumetric traffic data. The present method also defines a current traffic share, a baseline traffic share and a traffic share ratio to be evaluated for the said traffic aggregate. In turn, the present method raises an alarm if the traffic aggregate's traffic share ratio to be evaluated exceeds or falls below the traffic share ratio threshold defined for the traffic aggregate.