"A ""complex attack"" is a sequence of temporally and spatially separated actions each of which may be detected or prevented by various Intrusion Detection Systems (IDS); however as a whole they constitute a powerful attack that cannot be detected by IDS paradigm. Examples include ""insider"" and ""stealth"" attacks. The main reason for IDS paradigm to fall short of detecting and modeling complex attacks is that adversarial actions may not violate any IDS rules explicitly. Thus, new methods are required to efficiently recognize complex attacks within message streams coming from various sources such as IDS, sniffers and system logs. Such stream data may be generated by several physically separated data sources (with varying rates and volumes) that together they may produce one logical data set. Thus, it may be necessary to monitor and analyze (correlated) data flows from multiple locations in a distributed fashion to obtain more accurate statistical and structural information. The raw data carried in these streams offer many valuable information ranging from alerts for early responses to discovery of hidden groups in adversarial actions. However, processing and analysis of data streams to identify complex attacks remain as a challenge. This project develops (1) efficient distributed algorithms to sample, and analyze complex information from continuous low of data streams, (2) new models for detection of complex attacks based on such analysis in order to produce rapid responses o events such as emerging disasters, epidemic outbreaks, or terrorist attacks."