User in group behavior signature monitor

The invention claimed is: 1. A method for monitoring user behavior of a user of a computing system for abnormalities compared to baseline users of the computing system by reference to a database storing information about previously classified activities of a plurality of baseline users, the method comprising: monitoring an activity of the user of the computing system using a behavior signature monitor, wherein the behavior signature monitor is a software module under program control of a microprocessor and wherein the activity comprises one of the previously classified activities; calculating, with the behavior signature monitor, a user behavioral signature for the activity as a new behavior vector of values representing event data from the monitored activity; calculating a group behavioral signature of the plurality of baseline users for the activity, wherein the group behavioral signature of the plurality of baseline users is a previous behavior vector of values representing event data from a previously classified activity corresponding to the monitored activity; calculating a degree of variance (DoV) by mathematical vector multiplication of the user behavioral signature of the user and the group behavioral signature of the plurality of baseline users, wherein the DoV is a distance between the new behavior vector and the previous behavior vector; comparing the calculated DoV to a predetermined variance threshold to determine whether the user behavioral signature of the monitored user is similar or is different from the group behavioral signature of the plurality of baseline users; determining that the user belongs in a group with the plurality of baseline users associated with the group behavioral signature when the calculated DoV is less than or equal the predetermined variance threshold; determining that the user does not belong in the group with the plurality of baseline users associated with the group behavioral signature when the calculated DoV is greater than the predetermined variance threshold; and sending an indication to a destination in the computing system about the determination when the user does not belong to the group with the plurality of baseline users. 2. The method of claim 1 , wherein the monitored activity comprises actions of applications related to the monitored user applications running on behalf of the user, when the user is logged in and logged off, or a resource of the computing system accessed by the user. 3. The method of claim 1 , wherein the monitored activity comprises a beginning, an end, a frequency, or a duration of an event related to the monitored user. 4. The method of claim 1 , wherein the monitored activity comprises observing authentication events related to the monitored user. 5. The method of claim 1 , wherein the monitored activity comprises the user's access to the user's computer, a mobile device of the user, or hardware devices related to the monitored user. 6. The method of claim 1 , wherein the monitored activity comprises activity in a web browser related to the monitored user. 7. The method of claim 1 , wherein the monitored activity comprises network traffic of the user, including one or more of Internet Protocol addresses, port numbers, protocol types, volumes of data sent and received, and types of information sent and received. 8. The method of claim 1 , further comprising performing an analysis of a behavior vector of the user using one or more pre-programmed heuristic rules, statistical analysis, a neural network, or support vector machines. 9. The method of claim 1 , further comprising performing an analysis of a behavior vector of the user to identify a security incident. 10. The method of claim 1 , further comprising performing an action or communicating predetermined information about an identified abnormality of the user based on a behavior vector of the user to at least one destination in the computing system. 11. A system of monitoring user behavior in a computing system for abnormalities compared to a group's behavior in the computing system, the system comprising: a database storing information about previously classified activities of a plurality of baseline users of the computing system; a microprocessor coupled to a memory storing instructions, the microprocessor being configured to: monitor an activity of a user; calculate a user behavioral signature of the monitored user for the monitored activity as a new behavior vector of values representing event data from the monitored activity; calculate a degree of variance (DoV) of the monitored activity from a behavior signature of the previously classified activities, wherein the behavior signature of the previously classified activities is a previous behavior vector of values representing events data related to a previously classified activity corresponding to the monitored activity, and the DoV is a distance between the new behavior vector and the previous behavior vector calculated by mathematical vector multiplication; compare the calculated DoV to a predetermined variance threshold; determine that the user belongs in a group with the plurality of baseline users associated with the behavior signature of the previously classified activities when the calculated DoV is less than or equal the predetermined variance threshold; determine that the user does not belong in the group with the plurality of baseline users associated with the behavior signature of the previously classified activities when the calculated DoV is greater than the predetermined variance threshold; and send an indication to a destination in the computing system about the determination when the user does not belong to the group with the plurality of baseline users. 12. The system of claim 11 , wherein the monitored activity comprises actions of applications related to the monitored user applications running on behalf of the user, when the user is logged in and logged off, or a resource of the computing system accessed by the user. 13. The system of claim 11 , wherein the monitored activity comprises a beginning, an end, a frequency, or a duration of events related to the monitored user. 14. The system of claim 11 , wherein the monitored activity comprises authentication events related to the monitored user. 15. The system of claim 11 , wherein the monitored activity comprises the user's access to the user's computer, a mobile device of the user, or hardware devices related to the monitored user. 16. The system of claim 11 , wherein the monitored activity comprises activity in a web browser related to the monitored user. 17. The system of claim 11 , wherein the monitored activity comprises network traffic of the user, including one or more of Internet Protocol addresses, port numbers, protocol types, types of peripheral devices, volumes of data sent and received, and types of information sent and received. 18. The system of claim 11 , wherein the microprocessor is further configured to perform an analysis of a behavior vector of the user using one or more of predetermined heuristic rules, statistical analysis, a neural network, or support vector machines. 19. The system of claim 11 , wherein the microprocessor is further configured to perform an analysis of a behavior vector of the user to identify a security incident. 20. The system of claim 11 , wherein the microprocessor is further configured to perform an action or communicate information about an identified abnormality of the user based on a behavior vector of the user