System and method of anomaly detection with categorical attributes
US-2015235536-A1 · Aug 20, 2015 · US
US9449483B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9449483-B2 |
| Application number | US-201514682566-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 9, 2015 |
| Priority date | Mar 12, 2013 |
| Publication date | Sep 20, 2016 |
| Grant date | Sep 20, 2016 |
Official abstract text for this publication.
A method and apparatus are provided where the method includes detecting a plurality of events related to the activities of users within a security system, wherein the events are defined by a plurality of attributes, wherein at least one attribute is categorical, and wherein a data distance between events is a function of event attributes, evaluating the detected events using a density based anomaly detection method f(r), where r is a size of a neighborhood around a data point, comparing a value of the evaluated expression with a margin threshold value (msg(r)), and setting an alarm upon detecting that the value exceeds the threshold value.
Opening claim text (preview).
The invention claimed is:
1. A method comprising: an event processor detecting a plurality of events related to activities of users within a security system, wherein the plurality of events are defined by a plurality of attributes, wherein at least one of the plurality of attributes is categorical, and wherein a data distance between each of the plurality of events is a function of event attributes; an evaluation processor evaluating the detected plurality of events using a selected density based anomaly detection method responsive to a size of a neighborhood around a data point representing each of the plurality of events to establish distances between data values in a categorical portion of a data space; a comparison processor comparing a value of the established distances in the categorical portion of the data space with a selected margin threshold value; and an alarm processor setting an alarm upon detecting that the value exceeds the threshold value.
2. The method as in claim 1 wherein the function of the event attributes further comprises associating an access point identifier of each of the plurality of events to a predetermined one of a plurality of security zones within a secured area, wherein the distances between the data values are determined based on a spatial arrangement of the plurality of security zones, and wherein said distances are used to establish a notion of the neighborhood around the data point representing each of the plurality of events.
3. The method as in claim 1 wherein the function of the event attributes further comprises associating a user ID of each of the plurality of events to a predetermined one of a plurality of user roles within a secured area, wherein the distances between the data values are determined based on similarity of the associated plurality of user roles, and wherein said distances are used to establish a notion of the neighborhood around the data point representing each of the plurality of events.
4. The method as in claim 1 wherein the function of the event attributes further comprises associating a user ID of each of the plurality of events to a predetermined one of a plurality of security zones within a secured area, wherein the distances between the data values are determined based on differences between the associated plurality of security zones, and wherein said distances are used to establish a notion of the neighborhood around the data point representing each of the plurality of events.
5. The method as in claim 1 wherein the function of the event attributes further comprises continuous data values including at least one of a time of entry into a secured area, a frequency of entry into the secured area per time period, a duration of stay within the secured area after each entry into the secured area, a frequency of travel from one security zone to another security zone within the secured area, and a duration of non-entry into the secured area.
6. The method as in claim 5 further comprising constructing a continuous attribute distribution for each continuous data value associated with each categorical value of a user.
7. The method as in claim 6 further comprising defining a similarity measure using similarity measures including at least a selected divergence or mutual information defined for two distributions.
8. The method as in claim 7 further comprising inverting the similarity measure into a distance measurement and using the distance measurement to establish a notion of the neighborhood around the data point representing each of the plurality of events.
9. An apparatus comprising: an event processor that detects a plurality of events related to activities of users within a security system, wherein the plurality of events are defined by a plurality of attributes, wherein at least one of the plurality of attributes is categorical, and wherein a data distance between each of the plurality of events is a function of event attributes; an evaluation processor that evaluates the detected plurality of events using a density based anomaly detection method responsive to a size of a neighborhood around a data point representing each of the plurality of events to establish distances between data values in a categorical portion of a data space; a comparison processor that compares a value of the established distances in the categorical portion of the data space with a selected margin threshold value; and an alarm processor that sets an alarm upon detecting that the value exceeds the threshold value.
10. The apparatus as in claim 9 wherein the event processor and the function of the event attributes further comprise a processor that associates an access point identifier (ID) of each of the plurality of events to a predetermined one of a plurality of security zones within a secured area, wherein the distances between the data values are determined based on a spatial arrangement of the plurality of security zones, and wherein said distances are used to establish a notion of the neighborhood around the data point representing each of the plurality of events.
11. The apparatus as in claim 9 wherein the event processor and the function of the event attributes further comprise a processor that associates a user ID of each of the plurality of events to a predetermined one of a plurality of user roles within a secured area, wherein the distances between the data values are determined based on similarity of the associated plurality of user roles, and wherein said distances are used to establish a notion of the neighborhood around the data point representing each of the plurality of events.
12. The method as in claim 9 wherein the event processor and the function of the event attributes further comprise a processor that associates a user ID of each of the plurality of events to a predetermined one of a plurality of security zones within a secured area, wherein the distances between the data values are determined based on differences between the associated plurality of security zones, and wherein said distances are used to establish a notion of the neighborhood around the data point representing each of the plurality of events.
13. The apparatus as in claim 9 wherein the function of the event attributes further comprises continuous data values including at least one of a time of entry into a secured area, a frequency of entry into the secured area per time period, a duration of stay within the secured area after each entry into the secured area, a frequency of travel from one security zone to another security zone within the secured area, and a duration of non-entry into the secured area.
14. The apparatus as in claim 13 further comprising a processor that constructs a continuous attribute distribution for each continuous data value associated with each categorical value of a user.
15. The apparatus as in claim 14 further comprising a processor that defines a similarity measure using similarity measures including at least a selected divergence or mutual information defined for two distributions.
16. The apparatus as in claim 15 further comprising a processor that inverts the similarity measure into a distance measurement and uses the distance measurement to establish a notion of the neighborhood around the data point representing each of the plurality of events.
17. An apparatus comprising: a security system that detects security events within a secured area; an event processor that detects events related to activities of users within a security system, wherein the events are defined by a plurality of attributes, wherein at least one o
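An added example, not taken from the patent: a Python sketch of claims 5 to 8 feeding the density test of claim 1, where the distance between two user IDs comes from the divergence of their entry-hour distributions. The Jensen-Shannon divergence, the `1 - JSD` similarity, the weight `w`, the score (one minus the share of neighbours within `r`) and the values of `r` and `margin` are assumptions, since the page gives no formula for f(r) or msg(r); the badge events are constructed.

```python
import math
from collections import Counter, defaultdict

def hour_distributions(events):
    """Claim 6: an entry-hour distribution for each categorical value (user ID)."""
    counts = defaultdict(Counter)
    for user, hour in events:
        counts[user][hour % 24] += 1
    return {u: [c[h] / sum(c.values()) for h in range(24)] for u, c in counts.items()}

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits; bounded to [0, 1], defined for empty bins."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x):
        return sum(a * math.log2(a / b) for a, b in zip(x, m) if a > 0)
    return 0.5 * kl(p) + 0.5 * kl(q)

def user_distance(dists, u, v):
    """Claims 7-8: a similarity built from a divergence, inverted into a distance."""
    similarity = 1.0 - js_divergence(dists[u], dists[v])  # assumed form
    return 1.0 - similarity

def event_distance(dists, a, b, w):
    """Event distance as a function of both attributes; w weights the categorical part."""
    gap = abs(a[1] - b[1]) % 24
    hour_gap = min(gap, 24 - gap) / 12.0  # circular hour difference scaled to [0, 1]
    return w * user_distance(dists, a[0], b[0]) + (1 - w) * hour_gap

def outlier_score(dists, events, i, r, w):
    """Assumed density measure: 1 - share of other events within radius r of event i."""
    near = sum(1 for j, e in enumerate(events)
               if j != i and event_distance(dists, events[i], e, w) <= r)
    return 1.0 - near / (len(events) - 1)

def alarms(events, r=0.15, margin=0.9, w=0.5):
    """Events whose score exceeds the margin threshold."""
    dists = hour_distributions(events)
    return [e for i, e in enumerate(events)
            if outlier_score(dists, events, i, r, w) > margin]

# Constructed sample: two day-shift users, one night-shift user, and one
# night-shift badge used at a busy daytime hour.
EVENTS = ([("alice", h) for h in (8, 9) * 4] + [("bob", h) for h in (9, 8) * 4]
          + [("carol", h) for h in (22, 23) * 3] + [("carol", 9)])

if __name__ == "__main__":
    print("categorical distance used:", alarms(EVENTS))
    print("hour only (w=0):          ", alarms(EVENTS, w=0.0))
```

With `w=0` the categorical attribute is ignored and the daytime entry on the night-shift badge sits in the densest part of the data, so nothing is flagged; the distribution-derived distance between user IDs is what isolates it.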
Predictive alarm systems characterised by extrapolation or other computation using updated historic data · CPC title
Data fusion; cooperative systems, e.g. voting among different detectors · CPC title
Query processing · CPC title
Malicious software · CPC title
Electrical actuation · CPC title