An attack-norm separation approach for detecting cyber attacks

Nong Ye, Toni Farley, Deepak Lakshminarasimhan

Research output: Contribution to journalArticlepeer-review

8 Scopus citations


The two existing approaches to detecting cyber attacks on computers and networks, signature recognition and anomaly detection, have shortcomings related to the accuracy and efficiency of detection. This paper describes a new approach to cyber attack (intrusion) detection that aims to overcome these shortcomings through several innovations. We call our approach attack-norm separation. The attack-norm separation approach engages in the scientific discovery of data, features and characteristics for cyber signal (attack data) and noise (normal data). We use attack profiling and analytical discovery techniques to generalize the data, features and characteristics that exist in cyber attack and norm data. We also leverage well-established signal detection models in the physical space (e.g., radar signal detection), and verify them in the cyberspace. With this foundation of information, we build attack-norm separation models that incorporate both attack and norm characteristics. This enables us to take the least amount of relevant data necessary to achieve detection accuracy and efficiency. The attack-norm separation approach considers not only activity data, but also state and performance data along the cause-effect chains of cyber attacks on computers and networks. This enables us to achieve some detection adequacy lacking in existing intrusion detection systems.

Original languageEnglish (US)
Pages (from-to)163-177
Number of pages15
JournalInformation Systems Frontiers
Issue number3
StatePublished - Jul 2006


  • Computer and network security
  • Cyber attacks
  • Intrusion detection
  • Signal detection
  • Signal processing

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Information Systems
  • Computer Networks and Communications


Dive into the research topics of 'An attack-norm separation approach for detecting cyber attacks'. Together they form a unique fingerprint.

Cite this