One option is to set up CloudWatch Billing Alerts that will send you an email when your usage hits a certain threshold. You will receive an email when your threshold is reached, and then you can investigate the cause and take appropriate action.
While I haven't tried this, you should be able to set up a more automated approach. Those CloudWatch Alerts are posted to an SNS topic called "CloudWatchNotifications". You could add a subscription to this topic that delivers notifications to an HTTP endpoint. This endpoint could automatically restrict access to your S3 bucket until you determine which action to take.
Regarding your concern for a specific malicious user, see this post for a general idea of how IP address restrictions could be put in place once you identify a malicious user.
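An added example, not part of this answer, of the automated approach described above: an HTTP endpoint that receives the SNS delivery of a CloudWatch billing alarm and, on a transition into ALARM, applies a deny-all-reads bucket policy until a human lifts it. The bucket name, the API Gateway plus Lambda deployment and the sample SNS body are assumptions; the SNS signature check is assumed to happen before the handler trusts the body.

```python
import json
from typing import Optional

BUCKET = "example-bucket"  # assumed name of the bucket to lock down

def sns_post(new_state: str) -> str:
    """Constructed sample of the JSON that SNS POSTs to an HTTP subscriber when a
    CloudWatch alarm changes state; the Message field is itself a JSON document."""
    alarm = {"AlarmName": "EstimatedCharges-over-100USD", "OldStateValue": "OK",
             "NewStateValue": new_state, "NewStateReason": "Threshold Crossed"}
    return json.dumps({
        "Type": "Notification",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:CloudWatchNotifications",
        "Message": json.dumps(alarm),
        "Signature": "<placeholder>",
        "SigningCertURL": "https://sns.us-east-1.amazonaws.com/<placeholder>.pem",
    })

def alarm_in_alarm_state(sns_body: str) -> Optional[str]:
    """Return the alarm name when the delivery reports a transition into ALARM, else None.
    SubscriptionConfirmation handshakes and OK transitions are ignored. Verifying the
    SNS signature (Signature/SigningCertURL) belongs before this result is trusted."""
    envelope = json.loads(sns_body)
    if envelope.get("Type") != "Notification":
        return None
    alarm = json.loads(envelope.get("Message", "{}"))
    return alarm.get("AlarmName") if alarm.get("NewStateValue") == "ALARM" else None

def deny_all_object_reads_policy(bucket: str) -> dict:
    """Bucket policy denying s3:GetObject to every principal, anonymous included.
    It blocks your own application's reads too; the bucket owner removes it later."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "BillingAlarmLockdown", "Effect": "Deny", "Principal": "*",
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def lambda_handler(event: dict, context=None) -> dict:
    """Assumed deployment: API Gateway in front of a Lambda function is the HTTP endpoint."""
    name = alarm_in_alarm_state(event["body"])
    if name is None:
        return {"statusCode": 200, "body": "ignored"}
    import boto3  # imported lazily so the pure functions above run without AWS access
    boto3.client("s3").put_bucket_policy(
        Bucket=BUCKET, Policy=json.dumps(deny_all_object_reads_policy(BUCKET)))
    return {"statusCode": 200, "body": f"locked {BUCKET} after alarm {name}"}
```

The lockdown is deliberately coarse: it stops the runaway transfer first, and the bucket owner, who can always delete the bucket policy, replaces it with a targeted restriction once the cause is known.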