An intrusion detection system (IDS) analyzes network traffic data with the goal of revealing malicious activities and incidents. Before assessing maliciousness, the IDS constructs incidents and activities from as primitive information as individual traffic flows. The IDS then analyzes maliciousness based on the identified incidents and activities. Clustering flows to meaningful entities is an open problem. Existing solutions are trivial and sub-optimal in many ways, producing results that miss many a true network event or misinterpret the extracted information. The IDS can only effectively analyze maliciousness levels when solid categorization of the network events, activities and incidents is performed.