Activity detection, both friendly and malicious, has long been a priority for computer network administrators. In known public and private computer networks, users employ devices such as desktop computers, laptop computers, tablets and smart phones, and software such as web browsers, to interact with others through computers and servers that are coupled to the network. Digital data, typically in the form of data packets, are passed along the network by interconnected network devices.
Malicious activities can cause harm to the network's software or hardware, and its users. Malicious activities may include unauthorized and/or unusual access or use of network resources and data. Network administrators seek to detect such activities, for example, by searching for patterns of behavior that are unusual or that otherwise vary from the expected use pattern of a particular entity, such as an organization or subset thereof, individual user, IP address, node or group of nodes in the network.
Network security tools (e.g., software, hardware) may be installed on nodes (e.g., servers) of a computer network to detect unusual activity. Such security tools monitor traffic over the computer network to perform malware detection, intrusion detection, detection of atypical or unusual behavior, and the like. An administrator may be alerted when such activities are detected so that the administrator can take actions to mitigate the effects of the activities. Existing security tools, however, use rigid, hard-coded logic to detect the same unusual activity in different computer networks. Yet unusual activities that pose a legitimate concern to the network of one organization may not pose any concern to the network of another organization. As a result, existing network security tools tend to be either under-inclusive, to avoid overwhelming network administrators with false positives, or over-inclusive, which requires a user to evaluate each detected activity to determine whether a legitimate concern exists. Thus, existing security tools tend to be unreliable and/or ineffective.
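The contrast drawn above, between a hard-coded rule applied identically to every network and a detector that compares each entity against its own expected use pattern, can be made concrete with a small example. The following Python is an added illustration written for this section; it is not the method claimed by the patent or code from any product. It assumes constructed hourly "bytes out" counts for two fictional hosts ("db-01", which normally moves a lot of data, and "hr-laptop", which normally moves little), a fixed threshold of 400 as the hard-coded rule, and a z-score band of 3 standard deviations around each entity's own historical mean as the per-entity rule.

```python
"""Per-entity baseline versus fixed-threshold anomaly flagging.

Added illustration for this section; not the patent's method. All
entities, values and thresholds below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed history: (entity, hour_index, bytes_out). "db-01" is a busy
# database host; "hr-laptop" is a quiet end-user device.
HISTORY = [
    ("db-01", h, v) for h, v in enumerate([480, 510, 495, 520, 505, 490, 515, 500])
] + [
    ("hr-laptop", h, v) for h, v in enumerate([10, 12, 9, 11, 10, 13, 8, 11])
]

# A hard-coded rule: any hour above this many bytes out is "unusual",
# regardless of which entity or which organization produced it.
FIXED_THRESHOLD = 400


@dataclass
class Baseline:
    """Expected use pattern of one entity: mean and population std-dev."""
    mu: float
    sigma: float


def build_baselines(records):
    """Learn one Baseline per entity from historical (entity, hour, value) rows."""
    per_entity = defaultdict(list)
    for entity, _hour, value in records:
        per_entity[entity].append(value)
    return {e: Baseline(mean(v), pstdev(v)) for e, v in per_entity.items()}


def fixed_rule(value, threshold=FIXED_THRESHOLD):
    """Rigid logic: same threshold for every entity."""
    return value > threshold


def baseline_rule(entity, value, baselines, k=3.0, min_sigma=1.0):
    """Flag a value that deviates more than k std-devs from the entity's own baseline.

    An entity with no history has no expected pattern, so it is flagged for
    review rather than silently passed. sigma is floored so that an entity
    with a perfectly constant history still has a non-zero tolerance band.
    """
    b = baselines.get(entity)
    if b is None:
        return True
    sigma = max(b.sigma, min_sigma)
    z = (value - b.mu) / sigma
    return abs(z) > k


def evaluate(observations, baselines):
    """Return {entity: (fixed_rule_flag, baseline_rule_flag)} for new observations."""
    return {e: (fixed_rule(v), baseline_rule(e, v, baselines)) for e, v in observations}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    # New hour: db-01 behaves as usual; hr-laptop sends five times its norm.
    for entity, (fixed, base) in evaluate([("db-01", 505), ("hr-laptop", 60)], baselines).items():
        print(f"{entity:10s} fixed_rule={fixed!s:5s} baseline_rule={base!s:5s}")
```

With the constructed data, the fixed rule flags the database host's perfectly normal hour (a false positive, the over-inclusive case) and misses the laptop's five-fold spike because 60 bytes is still far below 400 (the under-inclusive case); the per-entity baseline gives the opposite, and correct, result for both. Which side the fixed rule errs on depends only on where the single threshold is set, which is the tuning dilemma the section describes.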