The raw data for a plurality of numerical reports (distributions or histograms) concerning malware infection in a computer network are stored in a data source. The data source is queried to produce any number of reports. Each report's content comes from a distribution of data within a time interval, and a baseline distribution is formed for comparison by the corresponding historical data. The shape change for the distributions is determined by using Kullback-Leibler divergence. The change of volume (i.e., total sample count) for the distributions is determined using the L1 norm ratio. A cutoff threshold is determined for the K-L divergence and the volume ratio threshold is determined for the count change. A measure value for each report is determined by multiplying the shape change by the volume change (modified by raising it to a particular power). The reports are ranked based upon their measure values. A report is determined to be important if its shape change is greater than the cutoff threshold, if it's volume change is greater than the count ratio threshold, or if the measure value is greater than a measure threshold. The invention can be applied to all kinds of reports suitable for a distribution or histogram, and also provides one approach to detect anomalous behaviors.