In a conversation with a Partner NOC, they mentioned that if a server deviates significantly from its typical server-wide bandwidth consumption (e.g., 5 mbps to 0.05 mbps), it may signify a server compromise.

Their idea is to have a setting so that, when server-wide bandwidth consumption (measured on a per-second basis) deviates significantly from the historical/trend levels and the deviation is beyond a percentage you set, the server administrator is notified.

What do you think?
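
A sketch of the check described above, added here as an example and not part of the original post or of any product's code. The class name, the median baseline, and the `window`, `sustain` and `min_history` parameters are assumptions; the sample data is constructed to mirror the 5 mbps to 0.05 mbps case.

```python
from collections import deque
from statistics import median


class BandwidthDeviationMonitor:
    """Alert when per-second server-wide throughput leaves its historical band."""

    def __init__(self, threshold_pct, window=60, sustain=5, min_history=30):
        self.threshold_pct = threshold_pct   # admin-set allowed deviation, in percent
        self.history = deque(maxlen=window)  # recent in-band samples form the baseline
        self.sustain = sustain               # consecutive out-of-band seconds before alerting
        self.min_history = min_history       # samples required before judging anything
        self.streak = 0

    def observe(self, mbps):
        """Feed one per-second sample; return an alert dict or None."""
        if len(self.history) < self.min_history:
            self.history.append(mbps)        # still learning the baseline
            return None
        baseline = median(self.history)
        if baseline == 0:
            deviation_pct = 0.0 if mbps == 0 else float("inf")
        else:
            deviation_pct = abs(mbps - baseline) / baseline * 100
        if deviation_pct <= self.threshold_pct:
            self.history.append(mbps)        # only in-band samples update the baseline,
            self.streak = 0                  # so an anomaly cannot become the new normal
            return None
        self.streak += 1
        if self.streak == self.sustain:      # fire once per excursion, not every second
            return {"baseline_mbps": baseline, "observed_mbps": mbps,
                    "deviation_pct": round(deviation_pct, 1)}
        return None


def scan(samples, **settings):
    """Run a fresh monitor over a list of samples; return [(index, alert), ...]."""
    monitor = BandwidthDeviationMonitor(**settings)
    return [(i, a) for i, s in enumerate(samples) if (a := monitor.observe(s))]


# Constructed data: 60 s around 5 mbps, then a sustained drop to 0.05 mbps.
STEADY = [5.0 + 0.2 * ((i % 5) - 2) for i in range(60)]
SAMPLES = STEADY + [0.05] * 20
# Constructed data: a 3-second dip that recovers, which should not alert.
BRIEF_DIP = STEADY + [0.05] * 3 + STEADY[:20]

if __name__ == "__main__":
    print(scan(SAMPLES, threshold_pct=50))
```

Requiring the deviation to persist for several seconds keeps a per-second measurement from alerting on ordinary momentary lulls or bursts.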