Patent application
US20070300301A1 Instrusion Detection Method and System, Related Network and Computer Program Product Therefor (legal status: in force)
Intrusion detection method and system, related network and computer program product therefor

Abstract:
Intrusions in a system under surveillance are detected by matching the events occurring during operation of the system against a knowledge base including information on events which occurred during a learning phase. The detection technique includes the steps of: recording, during the learning phase, temporal data related to the events during the learning phase; identifying, as a function of the temporal data recorded, a dynamic part of the knowledge base; discovering patterns that cover the dynamic part of the knowledge base; and using, during the analysis phase, a regular expression match at least with respect to the dynamic part of the knowledge base.