Detecting Layer 7 DoS attacks involves monitoring for abnormal patterns and changes in traffic. Monitoring for a threshold of increased number of transactions per second per URL helps identify sudden spikes in activity, which could indicate a DoS attack. Monitoring for a percentage change in transactions per second per URL allows for detection of relative changes rather than absolute numbers, making it useful for varying baseline levels of traffic. Monitoring for a percentage change in server latency or transactions per second measures the performance impact of the traffic on the server, which can signal an ongoing attack. Monitoring for a threshold of increased server latency or transactions per second can also help identify patterns that might go unnoticed if only relative changes are considered. Together, these methods provide a comprehensive approach to detecting Layer 7 DoS attacks.