Intrusion detection systems are used by an enterprise to detect and identify unauthorized or unwanted use (commonly called an attack) of the enterprise's computer network, which normally comprises a large number of nodes and network operations centers. In general, these enterprise intrusion detection systems receive data using sensors or other intrusion detection devices. The system then scans the incoming data for specific patterns in network traffic, audit trails, and other data sources to detect malicious activity. The data that is received in the input stream is passively gathered. In other words, traditional intrusion detection systems are reactive in the sense that they wait for data to be sent to it before performing any sort of correlation or other data processing. As a result, certain additional data that may be useful in detecting malicious activity may not be considered by the system.