A.2.10 Unusually High Network Traffic
One of the first integrated behavioral detections implemented in Argus was monitoring IP fragments to see whether they overlapped during reassembly. This type of behavior is a direct indication of packet protocol manipulation, and it remains today a very serious (nation-state level) indication of intrusion.
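The reassembly-overlap check described above, sketched as an added example. This is not Argus code: the function name, the fragment tuple layout and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample fragments, one tuple per captured IPv4 fragment:
# (src, dst, proto, ip_id, frag_offset, payload_len)
# frag_offset is in 8-byte units, as carried in the IPv4 header.
SAMPLE_FRAGMENTS = [
    ("192.0.2.10", "198.51.100.5", 17, 0x1A2B, 0, 24),  # bytes 0-23
    ("192.0.2.10", "198.51.100.5", 17, 0x1A2B, 3, 24),  # bytes 24-47, contiguous
    ("192.0.2.10", "198.51.100.5", 17, 0x1A2B, 6, 16),  # bytes 48-63, contiguous
    ("192.0.2.77", "198.51.100.5", 6, 0x0042, 0, 32),   # bytes 0-31
    ("192.0.2.77", "198.51.100.5", 6, 0x0042, 2, 24),   # bytes 16-39, overlaps 0-31
    ("192.0.2.77", "198.51.100.5", 6, 0x0042, 5, 8),    # bytes 40-47
]


def find_overlaps(fragments):
    """Return (datagram_key, earlier_range, later_range) for each overlap.

    Ranges are half-open byte intervals [start, end) in the reassembled
    payload. Fragments are grouped by the reassembly key
    (src, dst, proto, ip_id). An exact duplicate fragment is also reported,
    since it covers bytes that were already received.
    """
    by_datagram = defaultdict(list)
    for src, dst, proto, ip_id, offset, length in fragments:
        start = offset * 8
        by_datagram[(src, dst, proto, ip_id)].append((start, start + length))

    findings = []
    for key, ranges in by_datagram.items():
        ranges.sort()
        furthest = ranges[0]  # range reaching the highest byte seen so far
        for current in ranges[1:]:
            if current[0] < furthest[1]:  # starts inside already-covered bytes
                findings.append((key, furthest, current))
            if current[1] > furthest[1]:
                furthest = current
    return findings


if __name__ == "__main__":
    for key, first, second in find_overlaps(SAMPLE_FRAGMENTS):
        print(f"overlap in datagram {key}: {first} and {second}")
```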