Abstract:
Two conventional cyber attack detection approaches, signature recognition and anomaly detection, have drawbacks that limit detection accuracy. Each of them relies on a model of only one side, either the norm data or the attack data, whereas actual attacks mostly occur while norm activities are also running in the background, so the observed data is a mixture of the two and detection accuracy drops. A newly proposed attack-norm separation approach, rooted in the signal-noise separation method of the physical world, has been developed to overcome the problems of the conventional approaches. The new approach requires both an attack data model and a norm data model, each defined from the data characteristics of the corresponding activities. The norm model is used to cancel the noise (norm data) in the observed mixture of attack and norm activities, and the attack model is used to identify the attack as the signal. Since the attack-norm separation approach relies on a scientific understanding of the data characteristics of attack and norm activities to define the attack and norm data models, this dissertation presents the discovery of those characteristics based on three data features: mean, autocorrelation and probability distribution. Detection models are developed for each combination of attack and norm activities by applying Cuscore statistics to attack and norm models defined on the mean, autocorrelation and probability distribution features, respectively. Specifically, activity, state and performance data are collected during attack and norm activities through the Windows Performance Objects monitoring utility. For variables with a significant mean shift under the attack condition, as identified by the Mann-Whitney U test, attack and norm models based on the mean feature are developed and used for attack detection.
For data variables whose degree of autocorrelation changes under attack, the best-fitting autoregressive integrated moving average (ARIMA) time series models are developed as the attack and norm data models used in the detection model. For data variables whose probability distribution changes, empirical cumulative distribution functions are used to generate data from the norm and attack models for building the detection model. The detection models developed under the attack-norm separation approach on the mean, autocorrelation and probability distribution features show better performance, in both detection accuracy and earliness, than signature-recognition-based artificial neural networks (ANNs). They also outperform exponentially weighted moving average (EWMA) control charts, which fall under the conventional anomaly detection approach.
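The following is an added illustration of the mean-feature pipeline described in the abstract, written for this page; it is not code from the dissertation. It assumes a Gaussian norm background that keeps running during the attack, uses the Mann-Whitney U test in its normal approximation (average ranks for ties, no tie or continuity correction) to select variables with a significant mean shift, and builds the mean-based attack and norm models from a training run. The cuscore is written in the form the Box-Ramirez cuscore takes for a step change in mean, a cumulative sum of norm-model residuals against a reference value of half the shift, with a restart at zero that is an implementation choice here. The threshold (six standard deviations), the EWMA parameters (lambda 0.2, L 3) and all sample data are constructed assumptions, not values from the dissertation.

```python
"""Attack-norm separation on the mean feature, as an added illustration:
Mann-Whitney U picks the variables whose mean shifts under attack, a cuscore
cancels the norm model and accumulates evidence for the attack model, and an
EWMA chart is run on the same stream as the anomaly-detection baseline.
All data here is constructed; nothing is taken from the dissertation."""
import math
import random
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence


def mann_whitney_z(a: Sequence[float], b: Sequence[float]) -> float:
    """Normal-approximation z score of the Mann-Whitney U statistic of sample a
    versus sample b (ties get average ranks; no tie or continuity correction).
    |z| > 1.96 indicates a significant location shift at the 5% level."""
    pooled = sorted([(v, 0) for v in a] + [(v, 1) for v in b])
    rank_sum_a = 0.0
    i = 0
    while i < len(pooled):
        j = i
        while j < len(pooled) and pooled[j][0] == pooled[i][0]:
            j += 1                         # pooled[i:j] is one block of ties
        avg_rank = (i + 1 + j) / 2.0       # average of ranks i+1 .. j
        rank_sum_a += avg_rank * sum(1 for k in range(i, j) if pooled[k][1] == 0)
        i = j
    n_a, n_b = len(a), len(b)
    u_a = rank_sum_a - n_a * (n_a + 1) / 2.0
    mu_u = n_a * n_b / 2.0
    sd_u = math.sqrt(n_a * n_b * (n_a + n_b + 1) / 12.0)
    return (u_a - mu_u) / sd_u


def cuscore_first_alarm(x: Sequence[float], mu_norm: float, mu_attack: float,
                        h: float) -> Optional[int]:
    """Cuscore detector for a step change in mean from the norm model mu_norm to
    the attack model mu_attack.  Norm cancellation: residual e_t = x_t - mu_norm.
    Attack signal: delta = mu_attack - mu_norm.  For a Gaussian mean shift the
    Box-Ramirez cuscore is the cumulative sum of sign(delta) * (e_t - delta/2),
    i.e. a CUSUM with reference value delta/2.  The restart at zero (Page's
    form) is an implementation choice here, not something the abstract states.
    Returns the 0-based index of the first observation whose score reaches h."""
    delta = mu_attack - mu_norm
    sgn = 1.0 if delta >= 0 else -1.0
    q = 0.0
    for t, xt in enumerate(x):
        q = max(0.0, q + sgn * ((xt - mu_norm) - delta / 2.0))
        if q >= h:
            return t
    return None


def ewma_first_alarm(x: Sequence[float], mu_norm: float, sigma: float,
                     lam: float = 0.2, L: float = 3.0) -> Optional[int]:
    """Two-sided EWMA control chart (anomaly-detection baseline: norm model only)
    with the asymptotic limits mu_norm +/- L*sigma*sqrt(lam/(2-lam))."""
    limit = L * sigma * math.sqrt(lam / (2.0 - lam))
    z = mu_norm
    for t, xt in enumerate(x):
        z = lam * xt + (1.0 - lam) * z
        if abs(z - mu_norm) > limit:
            return t
    return None


N_NORM, N_ATTACK = 200, 100   # constructed run lengths: norm first, then attack


def make_stream(rng: random.Random, shift: float) -> List[float]:
    """Constructed monitoring variable: N(0,1) norm background that keeps running
    during the attack, plus a mean shift once the attack starts at N_NORM."""
    return [rng.gauss(0.0, 1.0) + (shift if t >= N_NORM else 0.0)
            for t in range(N_NORM + N_ATTACK)]


def run_experiment(seed: int = 7) -> Dict[str, dict]:
    """Train mean models on one norm/attack run per variable, then detect on a
    fresh stream.  'shifted' gains +2.0 under attack; 'unchanged' does not."""
    rng = random.Random(seed)
    results: Dict[str, dict] = {}
    for name, shift in (("shifted", 2.0), ("unchanged", 0.0)):
        train = make_stream(rng, shift)
        norm_seg, attack_seg = train[:N_NORM], train[N_NORM:]
        z = mann_whitney_z(norm_seg, attack_seg)
        results[name] = {"mw_z": z, "selected": abs(z) > 1.96}
        if not results[name]["selected"]:
            continue                       # no mean model for this variable
        mu_norm, mu_attack = mean(norm_seg), mean(attack_seg)
        sigma = pstdev(norm_seg)
        test = make_stream(rng, shift)    # fresh stream, same structure
        results[name].update(
            mu_norm=mu_norm, mu_attack=mu_attack,
            cuscore_alarm=cuscore_first_alarm(test, mu_norm, mu_attack, h=6.0 * sigma),
            ewma_alarm=ewma_first_alarm(test, mu_norm, sigma))
    return results


if __name__ == "__main__":
    for name, r in run_experiment().items():
        print(name, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in r.items()})
```

Running the script prints, per variable, the Mann-Whitney z score, whether a mean model was built, and the index of the first alarm from each detector; subtracting 200 gives the detection delay, and a negative value means the detector fired during the norm period (a false alarm). The contrast the abstract draws is visible in the two functions: the EWMA chart sees only the norm model and its limits, while the cuscore uses both models, cancelling mu_norm and scoring each residual against the expected attack signal.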