A monitoring apparatus for detection of a malicious attack in a communications network comprises a pattern matching engine (406), a data store (408) and an alert generator (410, 412). The pattern matching engine (406) is arranged to receive a bit stream and identify a characteristic of a malicious attack from at least one datagram represented by at least part of the bit stream. The data store (408) is operably coupled to the pattern matching engine and the data store (408) is arranged to retain identification data to enable the pattern matching engine to identify the characteristic of the malicious attack. The alert generator (410, 412) is arranged to generate an alert in response to an identification of the characteristic of the malicious attack. The data store (408) is remotely updatable.