Graph model for alert interpretation in enterprise security system

What is claimed is: 1. A computer-implemented method executed on a processor for implementing alert interpretation in enterprise security systems, the method comprising: employing a plurality of sensors to monitor streaming data from a plurality of computing devices; generating alerts based on the monitored streaming data; automatically analyzing the alerts by using a graph-based alert interpretation engine employing process-star graph models; retrieving a cause of the alerts, an aftermath of the alerts, and baselines for the alert interpretation; and integrating the cause of the alerts, the aftermath of the alerts, and the baselines into an alert interpretation graph output to a user interface of a user device, wherein, when an alert is detected pertaining to a computing device of the plurality of computing devices, the graph-based alert interpretation engine matches the detected alert to a corresponding process-star graph and retrieves related entities; wherein the graph-based alert interpretation engine computes an abnormal score for each entity of the related entities; wherein the graph-based alert interpretation engine selects the entity with a highest score as an alert cause; wherein the graph-based alert interpretation engine retrieves historical normal activities as the baselines; wherein the graph-based alert interpretation engine traces following events on further incoming streaming data; wherein the alert cause can be determined based on entity seniority, entity stability, and entity similarity; and wherein the entity seniority is computed by ρ ⁡ ( o ) = { t - t 0 T if ⁢ ⁢ t - t 0 < T 1 if ⁢ ⁢ t - t 0 ≥ T , the entity stability is computed by σ ⁡ ( v ) = Count ⁡ ( T stable ) Count ⁡ ( T ) , and the entity similarity is computed by γ src ⁡ ( o 1 , o 2 ) = dst ⁡ ( o 1 ) ⋂ dst ⁡ ( o 2 ) dst ⁡ ( o 1 ) ⋃ dst ⁡ ( o 2 ) ⁢ ⁢ and γ dst ⁡ ( o 1 , o 2 ) = src ⁡ ( o 1 )