Computer activity profiling and suspicious behavior
I just read the post "Can Computers Detect Suspicious Behavior?" on Techdirt and it got me thinking. Companies put a lot of money and effort into making and deploying anti-virus and intrusion detection products. Why not make something that profiles what a user normally does on a computer, and have it flag things that are out of the norm? Anti-virus programs are only as good as their definition files, and intrusion detection packages (like Snort) are only as good as their rules files. These programs only catch what they know about, but the "bad guys" are making up nasty software to take over your computer all of the time (just watch http://www.incidents.org/ for a week or two and see).
Is there some research out there already to detect suspicious network or process activity? Are there any products like that? Of course, the period of time where the system "learns" what type of behavior is acceptable would have to be done on "clean" systems that were not already infected. That would be hard to do in today's environment.

