CISPA Machine Learning in Cybersecurity tutorials

📘 Course Information

Course website: Course website

Course edition: Winter term 2025/2026 (Oct 13 – Feb 06)

Recordings: Will follow

Instructor: Christoph R. Landolt

—

⚙️ How to Run the Notebooks

The website hosts HTML-exported versions of the notebooks for convenient reading on any device. However, we encourage you to run them yourself to gain hands-on experience. You can do this in three main ways:

🖥️ Run Locally (CPU)

All notebooks are available in this GitHub repository. You can also find them here: 👉 GitHub repository

• Designed to run on standard laptops (no GPU required).

☁️ Google Colab

Prefer to use a hosted environment or want GPU support? Use [Google Colab](https://colab.research.google.com/notebooks/intro.ipynb#recent=true).

• Each notebook includes a “Run in Colab” badge on the documentation website.

• Enable GPU support via: Runtime → Change runtime type → GPU.

—

🧭 Tutorial Lessons

The Exercise Schedule (below) lists the practical/tutorial sessions associated with the course tutorials. The sessions will take place in CISPA Lecture Hall, Stuhlsatzenhaus 5.

Change of Location for the Second Tutorial – Now in CISPA Lecture Hall, Stuhlsatzenhaus 5

Date	Time	Topic
29.10.2025	16:15-17:45	Tutorial: ML Basics / Setup
05.11.2025	16:15-17:45	Q&A: ML Basics
12.11.2025	16:15-17:45	Introduction Ex1: Train ML IDS
03.12.2025	16:15-17:45	Ex1 Review: Train ML IDS
10.12.2025	16:15-17:45	Introduction Ex2: Evade ML IDS
07.01.2026	16:15-17:45	Ex2 Review: Evade ML IDS
14.01.2026	16:15-17:45	Introduction Ex3: AI for CTF
04.02.2026	16:15-17:45	Ex3 Review: AI for CTF

📬 Submit your questions [here](https://forms.gle/enzD3i6yjbAFJaya6) — review sessions will be organized based on your questions and feedback.

—

💬 Feedback, Questions, or Contributions

This is the first edition of the Machine Learning in Cybersecurity tutorials. We appreciate all feedback — whether it’s a typo, a bug, or a suggestion for improvement.

If you discover a mistake or issue in a notebook, please [open a GitHub issue](../../issues) so we can track and resolve it publicly.

You can also reach out directly via email (christoph dot landolt at cispa dot de), or speak to us during a exercise session.

If you find the tutorials helpful, please cite this course as:

@misc{landolt2025_mlcysec,
  title        = {CISPA Machine Learning in Cybersecurity},
  author       = {Christoph R. Landolt and Mario Fritz},
  year         = {2025},
  howpublished = {\url{https://christophlandolt.com/mlcysec_notebooks/}},
}

Tutorial 1: Getting started:

• Getting started 1: Working with Jupyter and Python
  • Tutorial Objectives
  • Where to run these tutorials
  • Set up a local Environment
  • Jupyter and Colab Notebooks
  • This is a level 2 heading
  • Python
  • Matplotlib
  • Optional: JAX as NumPy on GPU
  • Exercise 1: Linear Regression Exercise: Normal Equation with NumPy (or JAX)
  • Solution - Exercise 1
  • Conclusion
• Getting Started 2: How to Load and Visualize Data for Cyber Threat Intelligence Analysis
  • Tutorial Objectives
  • Notebook Setup and Visualization Configuration
  • Load the Data
  • Data Cleaning and Preparation
  • Exercises
  • Solution - Exercise 1: Distribution of Operation Types
  • Solution - Exercise 2: Top 10 Affiliations
  • Solution - Exercise 3: APT 28 Cyber Attacks Over Time
  • Conclusion
• Getting Started 3: Classic Machine Learning for Cybersecurity
  • Tutorial Objectives
  • Data Preprocessing
  • Unsupervised Learning with the KDDCUP99 Dataset
  • Supervised Learning with the KDDCUP99 Dataset
  • Exercises
  • Solution - Exercise 1: Train Decision Tree Classifier
  • Solution - Exercise 2: Visualize the Decision Tree
  • Solution - Exercise 3: Feature Importance
  • Solution - Exercise 4: Parameter Optimization for SVM
  • Conclusion
• Getting Started 4: Deep Learning for Cybersecurity
  • Tutorial Objectives
  • Getting Started with PyTorch
  • Anomaly Detection using a Neural Network with the KDDCUP99 Dataset
  • Unsupervised Dimensionality Reduction with Autoencoders on KDD Cup 99
  • Exercises
  • Solution - Exercise 1: Simple Classifier Network
  • Conclusion

Tutorial 2: Intrusion Detection:

• Tutorial 2.1: Intrusion Detection System
  • Tutorial Objectives
  • What is an Intrusion Detection System?
  • Anomaly Detection: Handling Rare and Diverse Attacks
  • ML-Based Anomaly Detection
  • Isolation Forest
  • Robust Covariance
  • One-Class SVM
  • Exercises – Anomaly Detection with KDDCUP99
  • Solution - Exercise 1: Compare Decision Boundaries Between Anomaly Detection Algorithms
  • Solution - Exercise 2: Runtime Complexity
  • Solution - Exercise 3: Implement Local Outlier Factor (LOF)
  • Conclusion
• Tutorial 2.2: Deep Learning based IDS
  • Tutorial Objectives
  • Neural Network-Based Anomaly Detection in Cybersecurity
  • Variational Autoencoder (VAE)
  • Exercises
  • Solution - Exercise 1: Nonstationarity in Cybersecurity Data
  • Solution - Exercise 2: Practical Hyperparameter Tuning and Impact
  • Conclusion
• Tutorial 2.3: Analyzing Application-Layer Protocols
  • Tutorial Objectives
  • Dataset Composition and Anomalies
  • Data Structure and Features
  • Structure of an HTTP Request
  • Data Loading and Integration
  • Classic ML Pipeline: Data Preparation, Feature Engineering and Isolation Forest
  • Deep Learning Pipeline: Natural Language Processing (NLP) Feature Engineering with BERT
  • Exercises
  • Solution - Exercise 1: Enhancing Classic ML with NLP Features (TF-IDF)
  • Conclusion

Tutorial 3: Evading ML-IDS:

• Tutorial 3.1: Getting started with GANs
  • Tutorial Objectives
  • Game Theory and Generative Adversarial Networks (GANs)
  • 2. Implementation of a Simple Vanilla GAN in PyTorch
  • Advanced GAN Training: Multi-Agent Diverse GAN (MAD-GAN) Setup
  • Exercises
  • Further Reading: Evaluating GAN Performance
  • Conclusion
• Tutorial 3.2: Evading ML-based IDS using GANs
  • Tutorial Objectives
  • ML-Based IDS and Their Limitations
  • Implementation: Evading an IDS with GANs
  • Conclusion