A method, a device, and a computer program product detect changes to the connection of a device, such as a mobile device to a network, and initiate at least one measure when changes are detected. Changes might be caused by malicious users or malicious mobile phone SW in order to perform Denial of Service (DoS) attacks to the network. Those changes could be, for example, frequent handover actions, frequent attach/detach actions or frequent Packet Data Protocol context activation, deactivation or modification actions initiated by a mobile device or a group of mobile devices. The changes to the connection are detected by checking if parameters related to the mobile device, or related to network elements, violate defined policy rules. The detection itself is done in a network element, such as a core network element.