Security is an important administrative task in computers and networks. Unauthorized or even authorized users may try to obtain access to resources for a detrimental purpose. Pranksters may be intent on defacing a company's website. A disgruntled, soon-to-be-laid-off employee may be stealing valuable trade secrets. A hacker may be searching computers networked to the Internet for his or her next identity theft victim. Security systems, applications, or processes are employed to prevent and detect intrusions and other threats. However, in a typical environment, such security systems, applications, or processes generate a substantial amount of information, in many cases more than can be effectively processed in real time given the typically limited administrative and processing resources available. Given the potentially overwhelming amount of security-related information requiring attention, security personnel attempt to prioritize such information so that the most serious security threats are addressed in a timely manner.
Although profiling intruders based on their actions with respect to the protected environment may be useful in performing such prioritization and/or in otherwise determining an appropriate response to an intruder's activities, it is often a difficult and manual task. As used herein, an “intruder” may be any unauthorized user or an otherwise authorized user engaging in an unauthorized activity. The unconstrained environment of a typical computer system or network, or even a system specifically designed to lure and monitor the behavior of intruders (e.g., a honeypot), makes interpretation of an intruder's behavior in an automated manner difficult. Profiling based on one or more characteristics of an intruder associated with a security incident or information is therefore sometimes done manually by a computer administrator. However, manual profiling takes the computer administrator away from other tasks and often cannot be performed quickly enough to be useful in responding to threats in real time. Automatically profiling an intruder would be useful in situations such as these.