Network Function Virtualization Security and Trust System
US-2017012975-A1 · Jan 12, 2017 · US
US9762610B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9762610-B1 |
| Application number | US-201514929136-A |
| Country | US |
| Kind code | B1 |
| Filing date | Oct 30, 2015 |
| Priority date | Oct 30, 2015 |
| Publication date | Sep 12, 2017 |
| Grant date | Sep 12, 2017 |
Official abstract text for this publication.
Techniques for latency-based policy activation are disclosed. In some embodiments, a system for latency-based policy activation includes collecting a plurality of latency measures associated with monitored network communications; correlating the plurality of latency measures associated with the monitored network communications to detect anomalous network activity based on a profile; and performing a mitigation response to the anomalous network activity based on a policy.
Opening claim text (preview).
What is claimed is:

1. A system for latency-based policy activation, comprising: a processor of a network device configured to:
   - collect a plurality of latency measures associated with monitored network communications;
   - correlate the plurality of latency measures associated with the monitored network communications to detect anomalous network activity based on a profile, comprising to: perform one or more of the following:
     - A) determine whether a latency of an Internet Control Message Protocol (ICMP) ping between the network device and a monitored service's IP address exceeds a first predetermined threshold; and in response to a determination that the latency of the ICMP ping between the network device and the monitored service's IP address exceeds the first predetermined threshold, determine that the latency of the ICMP ping is abnormal;
     - B) determine whether a latency between a new TCP session's SYN and a server's SYN/ACK response exceeds a second predetermined threshold; and in response to a determination that the latency between the new TCP session's SYN and the server's SYN/ACK response exceeds the second predetermined threshold, determine that the latency between the new TCP session's SYN and the server's SYN/ACK response is abnormal;
     - C) determine whether a latency between a new UDP session's initial packets exceeds a third predetermined threshold; and in response to a determination that the latency between the new UDP session's initial packets exceeds the third predetermined threshold, determine that the latency between the new UDP session's initial packets is abnormal; or
     - D) determine whether a latency of an HTTP GET operation or an HTTP POST operation exceeds a fourth predetermined threshold; and in response to a determination that the latency of the HTTP GET operation or the HTTP POST operation exceeds the fourth predetermined threshold, determine that the latency of the HTTP GET operation or the HTTP POST operation is abnormal;
   - perform a mitigation response to the anomalous network activity based on a policy;

   and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system recited in claim 1, wherein the anomalous network activity is determined to be associated with a Denial of Service (DoS) attack.

3. The system recited in claim 1, wherein the network device includes a firewall.

4. The system recited in claim 1, wherein the processor is further configured to: monitor network communications at the network device.

5. The system recited in claim 1, wherein the processor is further configured to: generate a profile for a protected application or a protected service on an enterprise network based on the plurality of latency measures associated with the monitored network communications, wherein the profile includes one or more latency thresholds.

6. The system recited in claim 1, wherein the processor is further configured to: dynamically update a profile for a protected application or a protected service on an enterprise network based on one or more latency measures associated with the protected application or the protected service on the enterprise network based on the monitored network communications.

7. The system recited in claim 1, wherein the processor is further configured to: send data associated with the anomalous network activity to another network device or a cloud security service.

8. The system recited in claim 1, wherein the processor is further configured to: receive data associated with another anomalous network activity from another network device or a cloud security service.

9. The system recited in claim 1, wherein anomalous network activity is determined to be associated with a Denial of Service (DoS) attack, and wherein the processor is further configured to: throttle or block network communications in response to the DoS attack based on the policy.

10. The system recited in claim 1, wherein the processor is further configured to: reduce or terminate the mitigation response if one or more of the latency measures no longer exceeds one or more latency thresholds.

11. The system recited in claim 1, wherein the correlating of the plurality of latency measures associated with the monitored network communications to detect anomalous network activity comprises to: perform five or more of the following:
    - A) determine whether a latency of an Internet Control Message Protocol (ICMP) ping between the network device and a monitored service's IP address exceeds a first predetermined threshold; and in response to a determination that the latency of the ICMP ping between the network device and the monitored service's IP address exceeds the first predetermined threshold, determine that the latency of the ICMP ping is abnormal;
    - B) determine whether a latency between a new TCP session's SYN and a server's SYN/ACK response exceeds a second predetermined threshold; and in response to a determination that the latency between the new TCP session's SYN and the server's SYN/ACK response exceeds the second predetermined threshold, determine that the latency between the new TCP session's SYN and the server's SYN/ACK response is abnormal;
    - C) determine whether a latency between a new UDP session's initial packets exceeds a third predetermined threshold; and in response to a determination that the latency between the new UDP session's initial packets exceeds the third predetermined threshold, determine that the latency between the new UDP session's initial packets is abnormal;
    - D) determine whether a latency of an HTTP GET operation or an HTTP POST operation exceeds a fourth predetermined threshold; and in response to a determination that the latency of the HTTP GET operation or the HTTP POST operation exceeds the fourth predetermined threshold, determine that the latency of the HTTP GET operation or the HTTP POST operation is abnormal;
    - E) determine whether connections per second (CPS) for new connections accessing a server exceeds a fifth predetermined threshold; and in response to a determination that the CPS for the new connections accessing the server exceeds the fifth predetermined threshold, determine that the CPS for the new connections accessing the server is abnormal;
    - F) determine whether packets per second (PPS) for traffic flows going to and from the service exceeds a sixth predetermined threshold; and in response to a determination that the PPS for the traffic flows going to and from the service exceeds the sixth predetermined threshold, determine that the PPS for the traffic flows going to and from the service is abnormal; or
    - G) determine whether bandwidth used by a protected service exceeds a seventh predetermined threshold; and in response to a determination that the bandwidth used by the protected service exceeds the seventh predetermined threshold, determine that the bandwidth used by the protected service is abnormal.

12. A method for latency-based policy activation, comprising: collecting a plurality of latency measures associated with monitored network communications at a network device; correlating the plurality of latency measures associated with the monitored network communications to detect anomalous network activity based on a profile using a processor of the network device, comprising: performing one or more of the following: A) determining whether a latency of an Internet Control Message Protocol (ICMP) ping between the network device and a monitored service's IP address exceeds a first predetermined threshold; and in response to a determination that the latency of the ICMP ping between the network device and the monitored service's IP address
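As an added illustration, not code from the patent or its assignee, the following Python models the threshold correlation of claims 1 and 11 (one or more vs. five or more abnormal measures) and the mitigation release of claim 10; the profile keys, threshold values and sample measurements are constructed assumptions, since the claims only name "first" to "seventh" thresholds.

```python
from dataclasses import dataclass

# Constructed profile for one protected service (claims 5 and 6 say a profile
# holds latency thresholds; the patent only numbers them "first" to "seventh").
# Keys follow measures A-G of claim 11; all values here are assumptions.
PROFILE = {
    "icmp_ping_ms": 50.0,        # A) ICMP ping RTT to the monitored service
    "syn_synack_ms": 80.0,       # B) TCP SYN -> SYN/ACK delay for new sessions
    "udp_initial_gap_ms": 60.0,  # C) gap between a new UDP session's initial packets
    "http_op_ms": 500.0,         # D) HTTP GET/POST completion time
    "cps": 1000.0,               # E) new connections per second
    "pps": 50000.0,              # F) packets per second to/from the service
    "bandwidth_mbps": 800.0,     # G) bandwidth used by the protected service
}

def abnormal_measures(sample: dict, profile: dict = PROFILE) -> list:
    """Names of measures in `sample` that exceed their profile threshold."""
    return [k for k, limit in profile.items() if k in sample and sample[k] > limit]

def correlate(sample: dict, profile: dict = PROFILE, min_abnormal: int = 1):
    """Claim 1 triggers on one or more abnormal measures; claim 11 on five or more."""
    hits = abnormal_measures(sample, profile)
    return len(hits) >= min_abnormal, hits

@dataclass
class MitigationState:
    active: bool = False
    action: str = "none"  # policy action: "none" or "throttle" (claim 9)

def apply_policy(state: MitigationState, sample: dict,
                 profile: dict = PROFILE, min_abnormal: int = 1) -> str:
    """Activate throttling on anomaly; release once no threshold is exceeded (claim 10)."""
    anomalous, hits = correlate(sample, profile, min_abnormal)
    if anomalous:
        state.active, state.action = True, "throttle"
    elif state.active and not hits:
        state.active, state.action = False, "none"
    return state.action

def run(samples: list, profile: dict = PROFILE, min_abnormal: int = 1) -> list:
    """Feed periodic samples through the policy; return the action chosen per sample."""
    state = MitigationState()
    return [apply_policy(state, s, profile, min_abnormal) for s in samples]

# Constructed samples: baseline, SYN/ACK delay spike with high CPS, partial recovery, baseline.
SAMPLES = [
    {"icmp_ping_ms": 12.0, "syn_synack_ms": 20.0, "cps": 300.0},
    {"icmp_ping_ms": 15.0, "syn_synack_ms": 450.0, "cps": 9000.0},
    {"icmp_ping_ms": 14.0, "syn_synack_ms": 70.0, "cps": 1200.0},  # CPS still over limit
    {"icmp_ping_ms": 12.0, "syn_synack_ms": 22.0, "cps": 350.0},
]
```

Note that mitigation stays active on the third sample because CPS alone still exceeds its threshold; claim 10 only lets the response wind down once the measures drop back under their limits.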
Filtering policies (mail message filtering H04L51/212) · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Event detection, e.g. attack signature detection · CPC title
for separating internal from external traffic, e.g. firewalls · CPC title