Network security is an important issue in modern computer environments. In computer environments such as computer networks, activities and events are sometimes monitored using products such as firewalls and intrusion detection systems (IDS). Network administrators may be alerted when suspicious events or security incidents occur so that they may take appropriate actions.
Monitored systems often generate large volumes of network events such as traffic sessions, logins, probes, etc. The amount of data available sometimes makes it difficult to identify events that pose risks to the system. Sifting through the events to identify the security incidents is typically resource intensive, therefore the systems that support incident identification tend to be slow and expensive. It would be useful to have a technique that would more efficiently and accurately identify security incidents. The present invention addresses such needs.