One of the goals of terrorist organizations is to attack critical infrastructures such as power plants and telecommunication companies. Since many critical infrastructures employ various Information and Communication Technologies (ICTs), such an attack may be carried out by using dedicated Electronic Threats (eThreats) such as worms, viruses, Trojans, and spyware. The goal of the attack is to interrupt the normal operation of the critical infrastructure in order to cause economic damage and social chaos. Current state-of-the-art technologies, such as antivirus and intrusion detection systems, are aimed at coping with known eThreats that were encountered before. However, terrorists may write dedicated eThreats that will not be identified by the existing tools. Thus, there is a need to develop generic technologies to identify eThreats based on their behavior, especially over time, and not only based on their unique signature. In many cases, identifying that the computer is infected may be sufficient to stop the attack. In this article, we propose a new approach for early detection of the presence of unknown eThreats, based on their behavior within the target computer. First, an agent extracts various time-stamped data, such as the number of active processes at each time point, from the target computer. Then, by using the Knowledge-Based Temporal Abstraction (KBTA) method, we integrate the continuously measured data (e.g., the number of running processes) and events (e.g., installation) with a security-domain temporal-abstraction knowledge base (i.e., a security ontology specialized for abstraction of meaningful patterns from time-oriented security data), to create higher-level time-oriented concepts and patterns, also known as temporal abstractions.
Detected temporal abstractions and the data they are derived from can be explored by visual means, and assist security experts in detecting suspicious patterns compatible with a set of predefined classes of temporal patterns, each defined by a set of time and value constraints, previously specified by a security expert. The temporal abstractions can also be automatically monitored to detect new patterns that match the behavior of known classes of eThreat.
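
The pipeline described above, reduced to one measured parameter and one event, as an added example that is not code from the article or from any KBTA implementation. The state names, thresholds, gap limit, pattern constraints and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed samples: (seconds since start, number of active processes).
SAMPLES = [(0, 41), (10, 42), (20, 40), (30, 58), (40, 73),
           (50, 75), (60, 74), (70, 76), (80, 43), (90, 42)]

# Hypothetical knowledge-base entry: value ranges mapped to qualitative states.
STATE_RANGES = [("NORMAL", 0, 50), ("ELEVATED", 50, 70), ("HIGH", 70, float("inf"))]
MAX_GAP = 15  # assumed: equal-state samples further apart than this are not joined


@dataclass
class Interval:
    state: str
    start: int
    end: int


def classify(value):
    """Map a raw measurement to its qualitative state."""
    for name, low, high in STATE_RANGES:
        if low <= value < high:
            return name
    raise ValueError(f"no state defined for value {value}")


def abstract_states(samples):
    """Merge time-stamped points into maximal intervals of one state."""
    intervals = []
    for t, value in sorted(samples):
        state = classify(value)
        last = intervals[-1] if intervals else None
        if last and last.state == state and t - last.end <= MAX_GAP:
            last.end = t  # same state, small gap: extend the interval
        else:
            intervals.append(Interval(state, t, t))
    return intervals


def match_pattern(intervals, event_time, state="HIGH", within=60, min_duration=20):
    """Value constraint: interval state. Time constraints: the interval starts
    no more than `within` seconds after the event and lasts `min_duration`."""
    return [iv for iv in intervals
            if iv.state == state
            and 0 <= iv.start - event_time <= within
            and iv.end - iv.start >= min_duration]


if __name__ == "__main__":
    found = abstract_states(SAMPLES)
    print(found)
    print(match_pattern(found, event_time=25))  # constructed installation event
```
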