Detecting abnormal database activity

What is claimed is: 1. A method of detecting abnormal activity on a processing device comprising: receiving, via a processor, time series data including information pertaining to a corresponding attribute of monitored activity on the processing device; determining, via the processor, an upper bound of the time series data based on a weighted combination of a prior upper bound and a current value derived from the time series data, wherein greater weight is provided to greater values in the time series data based on an exponent applied to the prior upper bound and the current value and an effect of older values in the time series data decays over time based on a smoothing factor applied to exponential values of the prior upper bound and the current value that are derived from applying the exponent; applying, via the processor, the upper bound to a profile of an entity associated with the monitored activity, wherein the profile includes bounds for attributes of activities of the entity indicating valid behavior and the upper bound is compared to a corresponding bound of the profile; and detecting, via the processor, abnormal activity on the processing device based on the comparison of the upper bound to the corresponding bound of the profile. 2. The method of claim 1 , wherein the processing device is a database system. 3. The method of claim 2 , wherein the upper bound is determined based on a root of a weighted combination of exponential values of the prior upper bound and a current weighted mean of the time series data that are derived from applying the exponent, wherein the root corresponds to the exponent. 4. The method of claim 2 , further comprising: inverting, via the processor, the time series data to produce inverted data; determining, via the processor, the upper bound of the inverted data; and inverting, via the processor, the upper bound of the inverted data to produce a lower bound of the time series data. 5. The method of claim 2 , further comprising: dividing, via the processor, the time series data into sub-streams each corresponding to additional characteristics of the corresponding attribute; determining, via the processor, the upper bound for the sub-streams; and updating, via the processor, the profile of the entity with the upper bound of the sub-streams to refine the valid behavior for the entity. 6. The method of claim 2 , wherein receiving the time series data further comprises: receiving, via the processor, an event stream indicating occurrence of events on the processing device; and converting, via the processor, the event stream to the time series data representing an activity load on the processing device. 7. A system for detecting abnormal activity on a processing device comprising: at least one processor configured to: receive time series data including information pertaining to a corresponding attribute of monitored activity on the processing device; determine an upper bound of the time series data based on a weighted combination of a prior upper bound and a current value derived from the time series data, wherein greater weight is provided to greater values in the time series data based on an exponent applied to the prior upper bound and the current value and an effect of older values in the time series data decays over time based on a smoothing factor applied to exponential values of the prior upper bound and the current value that are derived from applying the exponent; apply the upper bound to a profile of an entity associated with the monitored activity, wherein the profile includes bounds for attributes of activities of the entity indicating valid behavior and the upper bound is compared to a corresponding bound of the profile; and detect abnormal activity on the processing device based on the comparison of the upper bound to the corresponding bound of the profile. 8. The system of claim 7 , wherein the processing device is a database system. 9. The system of claim 8 , wherein the upper bound is determined based on a root of a weighted combination of exponential values of the prior upper bound and a current weighted mean of the time series data that are derived from applying the exponent, wherein the root corresponds to the exponent. 10. The system of claim 8 , wherein the at least one processor is further configured to: invert the time series data to produce inverted data; determine the upper bound of the inverted data; and invert the upper bound of the inverted data to produce a lower bound of the time series data. 11. The system of claim 8 , wherein the at least one processor is further configured to: divide the time series data into sub-streams each corresponding to additional characteristics of the corresponding attribute; determine the upper bound for the sub-streams; and update the profile of the entity with the upper bound of the sub-streams to refine the valid behavior for the entity. 12. The system of claim 8 , wherein receiving the time series data further comprises: receiving an event stream indicating occurrence of events on the processing device; and converting the event stream to the time series data representing an activity load on the processing device. 13. A computer program product for detecting abnormal activity on a processing device, the computer program product comprising one or more computer readable storage media having program instructions collectively stored on the one or more computer readable storage media, the program instructions executable by a processor to cause the processor to: receive time series data including information pertaining to a corresponding attribute of monitored activity on the processing device; determine an upper bound of the time series data based on a weighted combination of a prior upper bound and a current value derived from the time series data, wherein greater weight is provided to greater values in the time series data based on an exponent applied to the prior upper bound and the current value and an effect of older values in the time series data decays over time based on a smoothing factor applied to exponential values of the prior upper bound and the current value that are derived from applying the exponent; apply the upper bound to a profile of an entity associated with the monitored activity, wherein the profile includes bounds for attributes of activities of the entity indicating valid behavior and the upper bound is compared to a corresponding bound of the profile; and detect abnormal activity on the processing device based on the comparison of the upper bound to the corresponding bound of the profile. 14. The computer program product of claim 13 , wherein the processing device is a database system. 15. The computer program product of claim 14 , wherein the upper bound is determined based on a root of a weighted combination of exponential values of the prior upper bound and a current weighted mean of the time series data that are derived from applying the exponent, wherein the root corresponds to the exponent. 16. The computer program product of claim 14 , wherein the program instructions further cause the processor to: invert the time series data to produce inverted data; determine the upper bound of the inverted data; and invert the upper bound of the inverted data to produce a lower bound of the time series data. 17. The computer program product of claim 14 , wherein the program instructions further cause the processor to: divide the time series data into sub-streams each corresponding to additional characteristics of the correspond