Tutorial M1 – Intrusion Detection and Assessment through Mining and Learning Data Characteristics of Cyber Attacks and Normal Use Activities

Dr. Nong Ye, Arizona State University

Monday, December 8th, Full Day

Intrusion detection and assessment through signature recognition, anomaly detection, attack-norm separation, and event correlation all require the learning of data characteristics of cyber attacks and normal use activities to enable the detection and correlation of cyber attack events. Data mining techniques are desirable to handle large amounts of computer and network data that are collected under attack and normal use conditions of computers and networks to learn data characteristics of cyber attacks and normal use activities.

This tutorial will cover the conventional and new applications of data mining and analysis techniques to mining and learning data characteristics of cyber attacks and normal use activities in mean shift, density distribution change, autocorrelation change, wavelet signal change, and classification models. These data characteristics have been shown to be useful in detecting many cyber attacks. Examples of such data characteristics associated with a variety of cyber attacks, such as rootkits, hardware and software keyloggers, buffer overflow, denial of service, ARP poison, and vulnerability scan, will be illustrated. This tutorial will also demonstrate how such attack and normal use data characteristics can be used to support the two conventional approaches of intrusion detection and assessment (signature recognition and anomaly detection) and a new approach, called attack-norm separation. All of the covered data mining techniques allow the incremental learning and update of attack and normal use data characteristics when new computer and network data are collected under new attack and normal use conditions.


Outline

  1. Overview of intrusion detection and assessment approaches and their requirements for data characteristics of cyber attacks and normal use activities
  2. Computer and network data collected under attack and normal use conditions
  3. Density distribution and parameter estimation to discover the mean shift and distribution change characteristics
  4. Autocorrelation and time series analysis to discover the autocorrelation change characteristic
  5. Wavelet analysis to discover the data characteristic in time-frequency domain
  6. Classification models to discover target data patterns
  7. Use of data characteristics to support signature recognition, anomaly detection and attack-norm separation
  8. Mining and learning data characteristics for other applications


Prerequisites

General knowledge of cyber attacks, intrusion detection systems, as well as computer and network security

About the Instructor

Dr. Nong Ye is a full professor at Arizona State University (ASU). She received her Ph.D. degree in Industrial Engineering from Purdue University, and her M.S. and B.S. degrees in Computer Science. Dr. Ye has taught numerous courses on cyber security and data mining at ASU, and has extensive research experience in intrusion detection and data mining. She has published 132 journal and conference papers as well as three books. Dr. Ye holds a patent for a method and algorithm for classifying data for intrusion detection and other data mining applications, and is the recipient of $9.2M in external research grants, awards and contracts. More information is available at enpub.fulton.asu.edu/ye.