A method for partitioning a plurality of entities each associated with a plurality of ordered sequences of events received by a computer system, the method including: defining a minimal directed acyclic graph data structure representing the sequences of events to define a plurality of categories of behavior of the entities; defining a threshold degree of similarity as an xmu number, the xmu number having cardinality that is able to vary across a normalized range; defining a relation for each entity including a degree of association of the entity with each of the categories; defining a cluster of entities as a set of entities comprising a first entity; comparing a relation for the first entity with a relation for a second entity to define a xmu Jaccard similarity coefficient for the first and second entities; and responsive to the coefficient meeting the threshold degree of similarity, adding the second entity to the cluster.