Distributed pattern discovery

What is claimed is: 1. A system for distributed pattern discovery comprising: a node comprising a processor and memory to: receive a plurality of local frequent pattern trees from a plurality of sub-nodes, wherein the respective local frequent pattern trees are each based on a plurality of transactions; merge the local frequent pattern trees into a global pattern tree for the sub-nodes; send the global pattern tree to the sub-nodes, wherein one of the local frequent pattern trees is associated with a count of times a potential pattern occurs in the transactions associated with the one local frequent pattern tree, wherein the one local frequent pattern tree includes a partial pattern associated with one of the transactions, wherein the count is below a threshold level, wherein a second one of the local frequent pattern trees includes a second count of times the potential pattern occurs in the transactions associated with the second one local frequent pattern tree, wherein the second one local frequent pattern tree includes a second partial pattern associated with the potential pattern, wherein the second count is below the threshold level, and wherein the global pattern tree is used to perform a security function. 2. The system of claim 1 , wherein the potential pattern is included in the global pattern tree as a frequent pattern if the count and second count combined is at least at the threshold level. 3. The system of claim 2 , further comprising: a first one of the sub-nodes including another processor and memory to: generate the one local frequent pattern tree; send the one local frequent pattern tree to the node; receive the global pattern tree; and use the one local frequent pattern tree and the global pattern tree to perform the security function. 4. The system of claim 3 , wherein the one transaction is one or more security events. 5. The system of claim 3 , wherein the one local frequent pattern tree is updated based on the global pattern tree. 6. The system of claim 2 , wherein the merge includes determining how the count and the second count should be combined based on duplication information stored in the one local frequent pattern tree and the second one local frequent pattern tree. 7. The system of claim 1 , wherein the security function includes at least one of: flagging a transaction, sandboxing an item, and sending an alert. 8. The system of claim 1 , wherein the local frequent pattern trees are based on at least one pattern discovery profile. 9. A non-transitory machine-readable storage medium for distributed pattern discovery storing instructions that, if executed by at least one processor of a device, cause the device to: generate a local frequent pattern tree of potential patterns for a plurality of transactions; send the local frequent pattern tree to a node of a hierarchical computing system, wherein the node is on a greater hierarchy than the device, wherein a count is associated with a first one of the potential patterns that is below a threshold level; receive a global pattern tree that is merged based on the local frequent pattern tree and other local pattern trees from a plurality of devices on a same hierarchy of the device, wherein the first one potential pattern is included in the global pattern tree if the count and a second count associated with the first one potential pattern associated with one of the other local pattern trees is greater than the threshold level; and use the local frequent pattern tree and the global pattern tree to perform a security function. 10. The non-transitory machine-readable storage medium of claim 9 , further comprising instructions that, if executed by the at least one processor, cause the device to: receive a pattern discovery profile from the node, wherein the node is a master node, wherein the local frequent pattern tree is generated based on the pattern discovery profile, and wherein the local frequent pattern tree includes a transaction annotation that identifies the respective transactions that contribute to the local frequent pattern tree. 11. The non-transitory machine-readable storage medium of claim 9 , wherein the security function includes at least one of: flagging a transaction, sandboxing an item, and sending an alert. 12. The non-transitory machine-readable storage medium of claim 9 , further comprising instructions that, if executed by the at least one processor, cause the device to: update the local frequent pattern tree based on the global pattern tree. 13. A method for distributed pattern discovery comprising: receiving, at a node, a plurality of local frequent pattern trees of potential patterns from a plurality of sub-nodes, wherein each of the respective local frequent pattern trees are based on a plurality of activities, wherein one of the local frequent pattern trees is associated with a count for a number of times one of the potential patterns has occurred in the activities; merging the local frequent pattern trees into a global pattern tree for the sub-nodes based, at least in part, on the count; sending the global pattern tree to the sub-nodes, wherein the count is below a threshold level, wherein a second one of the local frequent pattern trees is associated with a second count for a number of times the one potential pattern has occurred, wherein the second count is below the threshold level, and wherein the one potential pattern is included in the global pattern tree if the count and second count combined is at least at the threshold level; and using the global pattern tree to perform a security function. 14. The method of claim 13 , wherein the merging includes determining how the count and the second count should be combined based on duplication information stored in the one local frequent pattern tree and the second one local frequent pattern tree. 15. The method of claim 13 , wherein the security function includes at least one of: flagging a transaction, sandboxing an item, and sending an alert. 16. The method of claim 13 , wherein the local frequent pattern trees are based on at least one pattern discovery profile. 17. The method of claim 13 , further comprising: updating, at one of the sub-nodes, the one local frequent pattern tree based on the global pattern tree.