Users are increasingly performing tasks using remote computing resources, often referred to as part of “the cloud.” This has many advantages, as users do not have to purchase and maintain dedicated hardware and software, and instead can pay for only those resources that are needed at any given time, where those resources typically will be managed by a resource provider. In order to attempt to minimize unexpected behavior in a system, as may be the result of an intrusion or security breach, approaches such as behavioral profiling can be used to attempt to detect anomalies in the system. Actions taken in a system can be monitored and recorded throughout a learning period to generate a behavior profile, and any deviations from the learned behavior can be indicative of an anomaly. Such approaches can be problematic, however, as many normal events will be flagged as anomalies due to the changing or variable nature of the values of certain fields. While attempts can be made to exclude these fields, such a generic simplification can increase detection miss rate.