Intrusion detection is well studied, yet most of the work to date lacks formal treatment and instead relies on manual scanning of data to detect suspicious activity, namely, activity that is similar to activity detected before and attributed to a malicious intruder. This is often done by counting the frequency of events until some threshold is reached. In particular, "anti-events" (of the type: the dog didn't bark) are ignored, and, moreover, causal relations between events and anti-events are ignored. In this work we extract temporal sequences of events (and anti-events) from a large collection of network log data and apply sophisticated learning techniques based on historical ground truth about the malicious activities. The resulting relationships are checked against the testing data, with human experts checking the results. This allows for a more comprehensive detection of malicious activities beyond the currently used ground truths.