The method and system are provided for monitoring a protected network for strain. The method includes receiving a learned model having clusters of learning requests of learning network traffic observed during non-strain operation of the protected network, observing network traffic, classifying each of the traffic requests with one of the clusters based on fields of the traffic request and fields used for clustering the learning requests, determining an analysis response time for respective traffic requests associated with the classified traffic requests, determining an analysis response time characteristic per cluster based on an analysis response time associated with the respective classified traffic requests classified with the cluster, determining a difference per cluster between the analysis response time and the learning response times associated with the cluster, and notifying a mitigation device when the difference determined for enough of the clusters exceeds a predetermined threshold.