An operating method of a computing device operated by at least one processor includes collecting traffic packets; extracting particular field data from the traffic packets, transforming the extracted particular field data to a vector with a reduced dimension for each traffic packet, and creating training data with the vector for each traffic packet; training a traffic prediction model with the training data, the traffic prediction model predicting from an input traffic packet a next input traffic packet and whether the next input traffic packet is abnormal; and predicting with the trained traffic prediction model a frequency of abnormal traffic packets to be input, and outputting an abnormal traffic warning by comparing the predicted frequency and a threshold.