Detecting behavioral patterns and anomalies using activity profiles

US9767302B2 · US · B2

Patent metadata
Publication number: US-9767302-B2
Application number: US-201213686734-A
Country: US
Kind code: B2
Filing date: Nov 27, 2012
Priority date: Dec 29, 2005
Publication date: Sep 19, 2017
Grant date: Sep 19, 2017

Abstract

Official abstract text for this publication.

Activity data is analyzed or evaluated to detect behavioral patterns and anomalies. When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task. This activity data may be collected in an information management system, which may be policy based. Notification may be by way of e-mail, report, pop-up message, or system message. Some tasks to perform upon detection may include implementing a policy in the information management system, disallowing a user from connecting to the system, and restricting a user from being allowed to perform certain actions. To detect a pattern, activity data may be compared to a previously defined or generated activity profile.

First claim

Opening claim text (preview).

The invention claimed is:

1. A system comprising: a plurality of devices coupled through a network to an information management system; an activity database; a first activity profile, collecting information usage data from the plurality of devices and storing in the activity database; a second activity profile, analyzing the information usage data in the activity database; a processing mode of operation, comparing the second activity profile with first activity profile to determine a set of differences, and analyzing the set of differences to determine whether at least one of a plurality of conditions has occurred, wherein the plurality of conditions comprise: a first condition occurs when X1 relative to Y1 is greater than a threshold value Z1, where X1 is based on the first activity profile and indicative of an amount of time a user spends in an application program, and Y1 is based on the second activity profile; a second condition occurs when X2 relative to Y2 is greater than a threshold value Z2, where X2 is based on the first activity profile and indicative of a number of users using an application program, and Y2 is based on the second activity profile; a third condition occurs when X3 relative to Y3 is greater than a threshold value Z3, where X3 is based on the first activity profile and indicative of a frequency of users using an application program, and Y3 is based on the second activity profile; and a fourth condition occurs when (X4−Y4) is greater than a threshold value Z4, where X4 is based on the first activity profile and indicative of a number of times a user has copied a portion of a document classified as being confidential, and Y4 is based on the second activity profile; and a notification mode of operation, comprising: when the first condition is detected, generating a first notification corresponding to the first condition being detected, when the second condition is detected, generating a second notification corresponding to the second condition being detected, when the third condition is detected, generating a third notification corresponding to the third condition being detected, and when the fourth condition is detected, generating a fourth notification corresponding to the third condition being detected.

2. The system of claim 1 wherein the plurality of conditions comprise: a fifth condition occurs when X5 relative to Y5 is greater than a threshold value Z5, where X5 is based on the first activity profile and indicative of an amount of information a user has copied, and Y5 is based on the second activity profile.

3. The system of claim 1 wherein the processing mode of operation comprises: extracting from the set of differences a second plurality of conditions, and determining if at least one of the second plurality of conditions correspond to the first plurality of conditions.

4. The system of claim 1 wherein Y1 can be specified by a system administrator.

5. The system of claim 1 wherein Z1 can be specified by a system administrator.

6. The system of claim 1 wherein Y1 is alterable by a system administrator.

7. The system of claim 1 wherein the information usage data includes data collected during evaluation of a rule at a device.

8. The system of claim 7 wherein the rule comprises an expression having a policy abstraction, and each policy abstraction has a corresponding definition statement stored separately from the rule.

9. The system of claim 7 wherein the information usage data from the plurality of devices corresponds to a user.

10. The system of claim 7 wherein the information usage data from the plurality of devices corresponds to at least two users.

11. The system of claim 7 wherein the information usage data comprises data associated with at least one of application program operation or document access.

12. The system of claim 1 wherein when the set of difference is zero, the condition will not have occurred.

13. The system of claim 1 wherein when the set of difference is zero, the notification mode is not invoked.

14. A method comprising: providing a plurality of devices coupled through a network to an information management system; providing an activity database; providing a first activity profile; collecting information usage data from the plurality of devices and storing in the activity database; analyzing the information usage data in the activity database to generate a second activity profile; comparing the second activity profile with first activity profile to determine a set of differences; analyzing the set of differences to determine whether at least one of a plurality of conditions has occurred, wherein the plurality of conditions comprise: a first condition occurs when X1 relative to Y1 is greater than a threshold value Z1, where X1 is based on the first activity profile and indicative of an amount of time a user spends in an application program, and Y1 is based on the second activity profile, a second condition occurs when X2 relative to Y2 is greater than a threshold value Z2, where X2 is based on the first activity profile and indicative of a number of users using an application program, and Y2 is based on the second activity profile, a third condition occurs when X3 relative to Y3 is greater than a threshold value Z3, where X3 is based on the first activity profile and indicative of a frequency of users using an application program, and Y3 is based on the second activity profile, and a fourth condition occurs when (X4−Y4) is greater than a threshold value Z4, where X4 is based on the first activity profile and indicative of an amount of information a user has copied, and Y4 is based on the second activity profile; when the first condition is detected, generating a first notification corresponding to the first condition being detected; when the second condition is detected, generating a second notification corresponding to the second condition being detected; when the third condition is detected, generating a third notification corresponding to the third condition being detected; and when the fourth condition is detected, generating a fourth notification corresponding to the third condition being detected.

15. The method of claim 14 wherein the plurality of conditions comprise: a fifth condition occurs when (X5−Y5) is greater than a threshold value Z5, where X5 is based on the first activity profile and indicative of a number of times a user has copied a portion of a document classified as being confidential, and Y5 is based on the second activity profile.

16. The method of claim 14 wherein the generating a notification of the condition occurs before evaluating at least one of the first condition, second condition, or third condition.

17. The method of claim 14 wherein the condition which is satisfied when the second activity profile indicates a user using instant messenger more than an amount of time specified in the first activity profile.

18. The method of claim 14 wherein first activity profile comprises data collected based on two or more users and the second activity profile comprises data collected based on one user.

19. The method of claim 14 wherein first activity profile comprises information derived from data collected based on two or more users and the second activity profile comprises information derived from data collected based on one user.

20. The method of claim 14 wherein the information usage data comprises an application program operation including at least one of the following: sending an e

Classifications

  • G06Q10/06 (Primary)

    Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling · CPC title

  • Rule management · CPC title

  • Physics · mapped topic

  • Office automation; Time management · CPC title

  • Data mining · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Nextlabs Inc
What technology area does this patent fall under?
Primary CPC classification G06Q10/06. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 19, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).