Anomaly detection is a general goal that can serve a number of missions, ranging from preventing activities perpetrated by malicious insiders, to detecting unintentional threats, to managing human and operational risk more generally.
Previous approaches to anomaly detection have included:

- Rule-based compliance systems based on keyword matches or content identification (for example using a fingerprinting technology).
- Correlation engines, in which different types of events are put in relation to one another and the rules that trigger an alert are somewhat more flexible than in the previous type of system (producing, for example, one-dimensional anomalies based on histograms).

There are essential limitations shared by all these systems. One of the main limitations is that they can be circumvented because of the static character of the rules used to configure them: a fixed rule set cannot cover the open-ended spectrum of potentially damaging behaviors and actions that can take place in a large organization.
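To make the two approaches and their circumvention concrete, the following Python script is an added example, not part of the original text nor of any system it describes. It implements a toy keyword and fingerprint rule alongside a one-dimensional histogram baseline (each user's daily event count compared with that user's own history), then runs both over a constructed set of events. The event data, keyword list, fingerprinted document and thresholds are all assumptions chosen for illustration.

```python
import hashlib
import statistics
from collections import Counter

# Constructed sample events (day, user, channel, text). Not real data.
EVENTS = [
    (1, "alice", "email", "Q3 forecast attached, please review"),
    (1, "bob",   "email", "meeting notes from Monday"),
    (2, "alice", "email", "confidential: updated salary bands for HR review"),
    (2, "bob",   "email", "updated meeting notes"),
    (3, "alice", "email", "reminder: timesheets due"),
    (3, "bob",   "email", "merger term sheet draft"),            # exact copy of a fingerprinted document
    (4, "alice", "email", "travel booking confirmed"),
    (4, "bob",   "im",    "c0nfidential: merger term sheet draft v2"),  # trivially edited: evades both rules
    (5, "alice", "email", "weekly status"),
    (5, "bob",   "email", "files batch 1"),
    (5, "bob",   "email", "files batch 2"),
    (5, "bob",   "email", "files batch 3"),
    (5, "bob",   "email", "files batch 4"),
    (5, "bob",   "email", "files batch 5"),
    (5, "bob",   "email", "files batch 6"),
]

# Static rule configuration (assumed values for the example).
KEYWORDS = ("confidential", "customer list")
SENSITIVE_DOCUMENTS = ("merger term sheet draft",)
FINGERPRINTS = {hashlib.sha256(d.encode()).hexdigest() for d in SENSITIVE_DOCUMENTS}


def keyword_hits(text):
    """Rule-based check: return the static keywords present in the text."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def fingerprint_hit(text):
    """Content identification: exact-match fingerprint of the whole message."""
    return hashlib.sha256(text.encode()).hexdigest() in FINGERPRINTS


def rule_alerts(events):
    """Return (day, user, reason) for every event that trips a static rule."""
    alerts = []
    for day, user, _channel, text in events:
        hits = keyword_hits(text)
        if hits:
            alerts.append((day, user, "keyword:" + ",".join(hits)))
        elif fingerprint_hit(text):
            alerts.append((day, user, "fingerprint"))
    return alerts


def histogram_alerts(events, min_days=3, z_threshold=2.0):
    """One-dimensional anomaly: a user's daily event count versus that user's own
    earlier days. Returns (day, user, count, z) for days above the threshold."""
    counts = Counter((user, day) for day, user, _, _ in events)
    days = sorted({e[0] for e in events})
    users = sorted({e[1] for e in events})
    alerts = []
    for user in users:
        series = [counts[(user, d)] for d in days]
        for i, value in enumerate(series):
            history = series[:i]
            if len(history) < min_days:
                continue  # not enough baseline yet
            mean = statistics.fmean(history)
            stdev = statistics.pstdev(history)
            # A perfectly flat history has stdev 0; treat each unit above the mean as one sigma.
            z = (value - mean) / stdev if stdev else float(value - mean)
            if z > z_threshold:
                alerts.append((days[i], user, value, z))
    return alerts


if __name__ == "__main__":
    print("static rule alerts:", rule_alerts(EVENTS))
    print("histogram alerts:  ", histogram_alerts(EVENTS))
```

Running it shows the limitation the text describes: the keyword rule fires on alice's legitimate HR email, the fingerprint catches bob's verbatim copy on day 3, and the trivially edited copy on day 4 passes both rules untouched. The histogram baseline flags bob's burst on day 5 without knowing anything about content, but only after the events have occurred, which is the after-the-fact limitation discussed later in this section.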
In addition, even the most effective of these previous systems are restricted to a vertical business domain, because the definition of the rules and correlation methods depends heavily on the underlying business data and processes. Furthermore, even very domain-specific work is usually done in a cross-media, cross-system manner, in which (for example) emails, instant messages and phone calls are an integral part of processes that are in theory implemented in a dedicated application. Yet such unstructured, out-of-band communication is usually ignored by existing systems. An example of such a vertical domain is the banking and financial services industry, where compliance systems are very often tied to specific transactional systems.
Also, because these systems rely on rules or patterns that correspond to confirmed signs of malicious or otherwise risk-carrying activities (even when those patterns are learned automatically by a machine), they can only detect such events after the fact and offer no way to anticipate them. This is a major limitation in their detection capabilities, since recent studies of espionage and IT sabotage cases have shown that nearly half of malicious insiders exhibited some inappropriate, unusual, or concerning behavior prior to the incident, yet had no recorded incidents of violating organizational policies.
Most of these systems are also limited in their analysis scope to data sources located within a particular organization, and cannot take into account external sources such as public websites or personal communication channels [156] on which insiders also interact and exchange information.
Finally, most anomaly detection systems only report threats once they have harmed the organization or its employees. In particular, malicious insiders are typically flagged (if they are flagged at all) only after they have perpetrated their actions, at which point the associated damage can only be mitigated rather than prevented.