US 7,552,472 B2
Developing and assuring policy documents through a process of refinement and classification
Paul T. Baffes, Austin, Tex. (US); John Michael Garrison, Austin, Tex. (US); Michael Gilfix, Austin, Tex. (US); Allan Hsu, Centerville, Ohio (US); and Tyron Jerrod Stading, Austin, Tex. (US)
Assigned to International Business Machines Corporation, Armonk, N.Y. (US)
Filed on Dec. 19, 2002, as Appl. No. 10/324,502.
Prior Publication US 2004/0123145 A1, Jun. 24, 2004
Int. Cl. G06F 15/177 (2006.01)
U.S. Cl. 726—22  [726/1; 709/223; 709/224; 709/225] 28 Claims
1. A computer implemented method of providing enhanced monitoring and enforcement of usage policy and security for a data processing system network, said method comprising:
monitoring events occurring on said network;
storing data identifying said events as system event data;
analyzing said system event data with a set of initial policy constraints, wherein said analyzing step includes the steps of:
retrieving said system event data from a network session;
storing said system event data within a database, wherein said database is a text file of events of interest within the system;
extracting system event data from said database by parsing each line of said database for identifying information of events that are known and labeled within the initial policy constraints; and
labeling at least some system event data with a label that indicates when said at least some system event data complies or does not comply with said initial policy constraints; and
enabling a system administrator to override at least some of the labeling to produce a set of re-labeled events;
generating refined policy constraints by applying a theory refinement algorithm to the set of re-labeled events, the theory refinement algorithm configured to automatically modify the initial policy constraints to generate refined policy constraints that are consistent with the re-labeled events; and
continuing monitoring and enforcement of said usage policy and security of said network via said refined policy constraints.
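
The loop recited in claim 1 (parse a text file of events, label each event against the initial constraints, accept administrator overrides, revise the constraints to agree with the re-labeled events) can be sketched as follows. This is an added illustration, not code from the patent or from IBM: the log format, field names, rules and the `FIELDS` search order are constructed assumptions, and `refine` is a deliberately small stand-in for a theory refinement algorithm (it specializes rules that over-fire and adds the most general rule that covers a missed event).

```python
import re
from itertools import combinations

# Constructed sample "database": a text file of events, one per line.
EVENT_LOG = """\
09:01 user=alice action=ftp dst=internal
09:05 user=bob action=ftp dst=external
09:07 user=carol action=telnet dst=internal
09:12 user=backup action=ftp dst=external
09:20 user=dave action=p2p dst=external
"""
# Hypothetical initial constraints: an event matching any rule does not comply.
# A rule is a list of literals (field, value, must_equal).
INITIAL = [[("action", "ftp", True), ("dst", "external", True)],
           [("action", "telnet", True)]]
FIELDS = ("action", "dst", "user")  # assumed search bias: most general field first

def parse(log):
    """Parse each line of the text database into its key=value fields."""
    return [dict(re.findall(r"(\w+)=(\S+)", ln)) for ln in log.splitlines() if ln.strip()]

def fires(rule, ev):
    return all((ev.get(f) == v) == eq for f, v, eq in rule)

def label(policy, events):
    return ["violation" if any(fires(r, e) for r in policy) else "compliant" for e in events]

def refine(policy, events, relabeled):
    """Minimally revise the rules until they reproduce the administrator's labels."""
    policy = [list(r) for r in policy]  # leave the initial constraints untouched
    bad = [e for e, l in zip(events, relabeled) if l == "violation"]
    ok = [e for e, l in zip(events, relabeled) if l == "compliant"]
    for ev in ok:    # false positives: add an exception literal to each firing rule
        for rule in (r for r in policy if fires(r, ev)):
            f = next(f for f in FIELDS if f in ev and not any(fires(rule, b) and b.get(f) == ev[f] for b in bad))
            rule.append((f, ev[f], False))
    for ev in bad:   # false negatives: add the most general rule no compliant event matches
        if not any(fires(r, ev) for r in policy):
            new = next([(f, ev[f], True) for f in c]
                       for n in range(1, len(FIELDS) + 1) for c in combinations(FIELDS, n)
                       if not any(all(o.get(f) == ev[f] for f in c) for o in ok))
            policy.append(new)
    return policy

def run():
    events = parse(EVENT_LOG)
    labels = label(INITIAL, events)
    labels[3], labels[4] = "compliant", "violation"  # constructed administrator overrides
    return events, labels, refine(INITIAL, events, labels)
```

Here the administrator clears the `backup` account's external FTP transfer and flags the unlisted `p2p` event; the refined constraints gain a `user != backup` exception on the FTP rule and a new `action == p2p` rule, and re-labeling the log with them reproduces the administrator's labels.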