Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Unusual or Suspicious Traffic


The "unusual" alerts (Unusual Traffic, UnusualIPTraffic, UnusualProtocol, UnusualICMPTraffic, UnusualTCPTraffic, UnusualUDPTraffic), in my environment, are almost always inferred alerts. Inferred alerts are generated by rules in response to some condition configured in that rule. For example, if you look at the Default Rules container, you will see rules such as "TCPTrafficAudit Missing SYN Bit with possible Inference". If enabled, that rule will write an UnusualTCPTraffic alert to the database each time the configured Correlations and Correlation time parameters are true. Other rules behave the same way, so there isn't one definition of what an UnusualTCPTraffic alert is. It depends on the InferenceRule that originated it. There is a field labeled "InferenceRule" in each inferred alert that should help you trace it back.

"Suspicious" alerts (of which "Unusual" are a subcategory) are a much broader category. Many of the definitions can be found in the alert types section of the user guide. Sometimes they're vague, but there may be enough information for you to get an idea of what the underlying logic is.
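To make the mechanism in the reply above concrete, here is an added example (not SolarWinds code and not the poster's) that models how an inference rule turns a stream of raw events into an inferred alert carrying an InferenceRule field. The rule name and the alert type come from the post; the event format, the "missing SYN" matcher, the threshold of 3 matches in a 60-second correlation window and the sample packets are all constructed assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


class MissingSynMatcher:
    """Flags a TCP packet as 'missing SYN' when its flow was never opened by a SYN.

    Assumed matcher logic, not SEM's: a flow is (src, dst, dport); the first
    packet on a flow should carry SYN, anything else on an unopened flow matches.
    """

    def __init__(self):
        self.opened = set()

    def __call__(self, ev):
        flow = (ev["src"], ev["dst"], ev["dport"])
        if "SYN" in ev["flags"]:
            self.opened.add(flow)
            return False
        return flow not in self.opened


@dataclass
class InferenceRule:
    name: str                      # becomes the InferenceRule field of the alert
    alert_type: str                # e.g. UnusualTCPTraffic
    correlations: int              # how many matching events are needed ...
    correlation_time: int          # ... within this many seconds
    matcher: Callable[[dict], bool] = field(default_factory=MissingSynMatcher)


def run_inference(events, rules):
    """Replay events in time order and emit one inferred alert per rule
    whenever `correlations` matches fall inside `correlation_time` seconds."""
    alerts = []
    windows = {r.name: deque() for r in rules}
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            if not rule.matcher(ev):
                continue
            window = windows[rule.name]
            window.append(ev["time"])
            # Drop matches that have aged out of the correlation window.
            horizon = timedelta(seconds=rule.correlation_time)
            while window and ev["time"] - window[0] > horizon:
                window.popleft()
            if len(window) >= rule.correlations:
                alerts.append({
                    "AlertType": rule.alert_type,
                    "InferenceRule": rule.name,   # the field to trace the alert back
                    "DetectionTime": ev["time"],
                    "SourceMachine": ev["src"],
                    "DestinationMachine": ev["dst"],
                    "MatchCount": len(window),
                })
                window.clear()               # start a fresh correlation window
    return alerts


def build_rules():
    """Fresh rule set per run so the stateful matcher starts empty."""
    return [InferenceRule(
        name="TCPTrafficAudit Missing SYN Bit with possible Inference",
        alert_type="UnusualTCPTraffic",
        correlations=3,
        correlation_time=60,
    )]


def demo():
    """Constructed sample packets (not real SEM data)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    pkt = lambda s, src, dport, flags: {
        "time": t0 + timedelta(seconds=s), "src": src,
        "dst": "10.0.0.20", "dport": dport, "flags": flags}
    events = [
        pkt(0, "10.0.0.5", 443, ["SYN"]),          # normal handshake start
        pkt(1, "10.0.0.5", 443, ["ACK"]),          # established flow, no match
        pkt(2, "10.0.0.9", 22, ["ACK"]),           # no SYN seen for this flow
        pkt(3, "10.0.0.9", 23, ["ACK"]),
        pkt(4, "10.0.0.9", 25, ["ACK"]),           # third match in 60 s -> alert
        pkt(200, "10.0.0.9", 80, ["ACK"]),         # new window, only two matches
        pkt(201, "10.0.0.9", 8080, ["ACK"]),
    ]
    return run_inference(events, build_rules())


if __name__ == "__main__":
    for a in demo():
        print(a)
```

The point of the model is the last field: two rules with different correlation settings can both write UnusualTCPTraffic alerts, and only InferenceRule tells you which one fired and therefore what the alert actually means.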

