Systems and methods for identifying a computer security threat based on communication via a computer network. A method includes receiving a definition of acceptable network communication characteristics for communication protocols; receiving a set of security events for the communication, each security event including network communication characteristics for the communication; for each security event: a) identifying a communication protocol associated with the event; b) detecting deviations of network communication characteristics of the event from the acceptable network communication characteristics for the identified communication protocol; and c) generating a record of each deviation identifying a communication characteristic for which the deviation is detected, so as to generate a set of one or more records of deviation for the set of security events; and storing the set of records of deviation as a security threat identifier for identifying subsequent security threats by comparing with the set of records.