Detecting computer hackers, unauthorized computer operations or other abnormal anomalies that can compromise computer networks and/or sensitive data stored therein, is increasingly becoming more difficult. Most systems keep track of potentially security sensitive events that occur on those systems. These are called audit events. The audit events are stored in a secure log referred to as a security event log. In larger server environments, where there may be multiple networks feeding into a central server, it is not unusual to track 500 million audit events in a month or hundreds of audit events per second.
Now, when an intrusion or any type of security irregularity (e.g., a break-in), is suspected in a network, it is necessary to review the event log in an attempt to identify the root cause of the suspected irregularity. Current software intrusion products are often unable to timely search such massive amounts of data and adroitly identify the suspected irregularity. Currently it may take hours or several days to search through the logs to identify the irregularity and take corrective action. Many times queries need to be tested, updated and often a manual review of certain audit events is necessary to identify the root cause of an irregularity. Until the culprit of a security irregularity is identified a network remains vulnerable to continued penetration, potentially causing data or service to be severely compromised.