A computerized method, encoded on a computer-readable medium, of detecting anomalies
in an event stream. The method comprises at least two acts. In a first act, the
method uses a tree structure to extract a grammar having an associated set of rules,
from a sample of normal behavior. In a second act, the method checks an event stream
against the rules of the grammar to detect anomalies.
