Computer networks are often configured to incorporate network security systems in order to protect the networks against malicious activity, such as deployment of malware or propagation of viruses by attackers. Network security systems typically rely on extensive sets of security rules in order to detect malicious activity. These rules in many cases are generated by domain experts and manually added into the system. Individual rules can be highly specific to detection of particular malicious activity scenarios. For example, some rules are configured to detect very specific binaries corresponding to particular sets of malicious code. Other rules include behavioral rules that are configured to detect anomalous or suspicious activities, such as an unusual amount of extracted data. Rules may overlap, contradict, contain or complete each other, or exhibit a wide variety of other types of relationships. Over time a given network security system can evolve to include hundreds or thousands of distinct security rules and maintaining such rules becomes a highly challenging and time-consuming task. In addition, as the rule sets become increasingly large and complex, application of the rules to detect malicious activity can undermine the performance of the network security system.