Security monitoring with progressive behavioral query language databases

US10831750B2 · US · B2

Patent metadata

Publication number: US-10831750-B2
Application number: US-201715684325-A
Country: US
Kind code: B2
Filing date: Aug 23, 2017
Priority date: Aug 24, 2016
Publication date: Nov 10, 2020
Grant date: Nov 10, 2020


Abstract

Automated security systems and methods include a set of monitored systems, each having one or more corresponding monitors configured to record system state information. A progressive software behavioral query language (PROBEQL) database is configured to store the system state information from the monitored systems. A query optimizing module is configured to optimize a database query for parallel execution using spatial and temporal information relating to elements in the PROBEQL database. The optimized database query is split into sub-queries, with sub-queries being divided spatially according to host and temporally according to time window. A parallel execution module is configured to execute the sub-queries on the PROBEQL database in parallel. A results module is configured to output progressive results of the database query. A security control system is configured to perform a security control action in accordance with the progressive results.

Claims

What is claimed is:

1. An automated security system, comprising: a plurality of monitored systems, each having one or more corresponding monitors configured to record system state information; a progressive software behavioral query language (PROBEQL) database configured to store the system state information from the plurality of monitored systems; a query optimizing module comprising a processor configured to optimize a database query, that includes an update frequency, for parallel execution using spatial and temporal information relating to elements in the PROBEQL database, the optimized database query being split into a plurality of sub-queries that have an expected execution time based on the update frequency, with sub-queries being divided spatially according to host and temporally according to time window; a parallel execution module configured to execute the sub-queries on the PROBEQL database in parallel and to determine actual execution information for executed sub-queries, wherein the query optimizing module is further configured to adjust an event processing rate for subsequent sub-queries based on the determined actual execution information for the executed sub-queries and the update frequency; a results module configured to output progressive results of the database query according to the update frequency; and a security control system configured to perform a security control action in accordance with the progressive results.

2. The automated security system of claim 1, wherein the database query further comprises a subject, an operation, and an object that the subject operates on.

3. The automated security system of claim 1, wherein the results module is further configured to output progressive results from executed sub-queries.

4. The automated security system of claim 1, wherein the query optimizing module is further configured to split the database query into sub-queries in accordance with a sequential workload partitioning with initialization cost strategy.

5. The automated security system of claim 4, wherein the sequential workload partitioning with initialization cost strategy is online adaptive workload prediction partitioning.

6. The automated security system of claim 4, wherein the query optimizing module is further configured to compute initialization costs as separate workloads for the purpose of partitioning.

7. The automated security system of claim 1, wherein the security control system is further configured to automatically issue the database query when a triggering condition is met.

8. An automated security method, comprising: monitoring system state information from a plurality of monitored systems; storing the monitored system state information in a progressive software behavioral query language (PROBEQL) database; optimizing a database query, that includes an update frequency, for parallel execution using spatial and temporal information relating to elements in the PROBEQL database, the optimized database query being split into a plurality of sub-queries that have an expected execution time based on the update frequency, with sub-queries being divided spatially according to host and temporally according to time window; executing the sub-queries in parallel; determining actual execution information for executed sub-queries; adjusting an event processing rate for subsequent sub-queries based on the determined actual execution information for the executed sub-queries and the update frequency; outputting progressive results of the database query according to the update frequency; and performing a security control action in accordance with the progressive results.

9. The method of claim 8, wherein the database query further comprises a subject, an operation, and an object that the subject operates on.

10. The method of claim 8, wherein outputting progressive results of the database query comprises outputting results from executed sub-queries.

11. The method of claim 8, wherein optimizing the database query comprises splitting the database query into sub-queries in accordance with a sequential workload partitioning with initialization cost strategy.

12. The method of claim 11, wherein the sequential workload partitioning with initialization cost strategy is online adaptive workload prediction partitioning.

13. The method of claim 11, wherein optimizing the database query comprises computing initialization costs as separate workloads for the purpose of partitioning.

14. The method of claim 11, further comprising automatically issuing the database query when a triggering condition is met.
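The mechanism in claims 1 and 8 (split a subject/operation/object query spatially by host and temporally by time window, run the sub-queries in parallel, emit results progressively at the requested update frequency, and adjust the event processing rate from the measured execution time) can be illustrated with a small executor. The code below is an added example written for this page; it is not the patent's or NEC's implementation. The event tuples, the `Query`/`SubQuery` types, the fixed-window split, the proportional rate adjustment and the `security_control` hook are all constructed for illustration, and the per-batch event budget is an assumed interpretation of "expected execution time based on the update frequency".

```python
"""Toy progressive, parallel executor for a PROBEQL-style query (added example)."""
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample of recorded system-state events, one tuple per
# (host, unix_time, subject, operation, object). Not real telemetry.
EVENTS: List[Tuple[str, int, str, str, str]] = [
    ("host-a", 100, "bash",    "exec",  "/usr/bin/curl"),
    ("host-a", 130, "curl",    "write", "/tmp/download.bin"),
    ("host-b", 110, "sshd",    "exec",  "/bin/sh"),
    ("host-b", 170, "sh",      "exec",  "/usr/bin/curl"),
    ("host-c", 140, "cron",    "exec",  "/usr/bin/python3"),
    ("host-c", 200, "python3", "write", "/etc/crontab"),
]


@dataclass(frozen=True)
class Query:
    """Subject/operation/object pattern (None = wildcard), search scope and update frequency."""
    subject: Optional[str]
    operation: Optional[str]
    obj: Optional[str]
    hosts: Tuple[str, ...]
    start: int
    end: int
    window: int              # seconds covered by one temporal sub-query
    update_frequency: float  # seconds between progressive result updates


@dataclass(frozen=True)
class SubQuery:
    host: str
    w_start: int
    w_end: int


def split_query(q: Query) -> List[SubQuery]:
    """Partition spatially by host and temporally by fixed time window."""
    subs = []
    for host in q.hosts:
        t = q.start
        while t < q.end:
            subs.append(SubQuery(host, t, min(t + q.window, q.end)))
            t += q.window
    return subs


def in_scope(sub: SubQuery, ev) -> bool:
    return ev[0] == sub.host and sub.w_start <= ev[1] < sub.w_end


def matches(q: Query, ev) -> bool:
    _, _, subj, op, obj = ev
    return all(p is None or p == v
               for p, v in ((q.subject, subj), (q.operation, op), (q.obj, obj)))


def run_subquery(q: Query, sub: SubQuery, events) -> dict:
    """Execute one sub-query and record its actual execution information."""
    t0 = time.perf_counter()
    scanned = [ev for ev in events if in_scope(sub, ev)]
    hits = [ev for ev in scanned if matches(q, ev)]
    return {"sub": sub, "hits": hits, "scanned": len(scanned),
            "elapsed": time.perf_counter() - t0}


def adjust_rate(rate: float, actual: float, expected: float, cap: float = 1e7) -> float:
    """Scale the events-per-second budget so the next batch lands near the expected time."""
    if actual <= 0:
        return min(rate * 2, cap)
    return max(1.0, min(rate * expected / actual, cap))


def progressive_execute(q: Query, events, workers: int = 4, rate: float = 1000.0) -> Iterator[dict]:
    """Yield one batch of sub-query results per update period; adapt the rate after each."""
    subs = split_query(q)
    i = 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while i < len(subs):
            budget = rate * q.update_frequency  # events expected to fit in one update period
            batch, est = [], 0
            while i < len(subs) and (not batch or est + sum(1 for ev in events if in_scope(subs[i], ev)) <= budget):
                est += sum(1 for ev in events if in_scope(subs[i], ev))
                batch.append(subs[i])
                i += 1
            t0 = time.perf_counter()
            results = list(pool.map(lambda s: run_subquery(q, s, events), batch))
            actual = time.perf_counter() - t0
            yield {"results": results, "rate": rate, "actual": actual}
            rate = adjust_rate(rate, actual, q.update_frequency)


def security_control(batch: dict) -> List[str]:
    """Stand-in for the claimed security control action: one alert line per progressive hit."""
    return [f"ALERT {ev[0]} t={ev[1]} {ev[2]} {ev[3]} {ev[4]}"
            for r in batch["results"] for ev in r["hits"]]


# Constructed demo query: any subject executing /usr/bin/curl on three hosts, 60 s windows.
DEMO_QUERY = Query(None, "exec", "/usr/bin/curl", ("host-a", "host-b", "host-c"),
                   start=100, end=220, window=60, update_frequency=0.5)


def run_demo() -> List[str]:
    alerts = []
    for batch in progressive_execute(DEMO_QUERY, EVENTS):
        alerts.extend(security_control(batch))
    return alerts


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The split yields one sub-query per (host, window) pair, each batch runs on the thread pool and is reported as soon as it finishes, and `adjust_rate` raises or lowers the per-period event budget in proportion to how far the measured batch time diverged from the update period.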

Assignees

Nec Lab America Inc, Nec Corp

Inventors

Classifications

Primary CPC classification: G06F21/6227

  • where protection concerns the structure of data, e.g. records, types, queries

  • Query processing

  • of parallel queries

  • of sub-queries or views

  • Selectivity estimation or determination

Publication date: Nov 10, 2020 (B2). Legal status and post-grant events are not shown on this page.