The process to identify and detect the instances of network attacks by comparing the current computer activity against the expected attack path used by an intruder.