A method and system for maintaining network activity data for intrusion detection includes storing data representative of network activity in datasets. The datasets include root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset. Child datasets are identified through their root datasets.