According to CIAP-CT/HISTO, Clementine's enhanced data mining capabilities are essential to conducting effective analysis. The program does not require any code or syntax. Each visual field contains various nodes, or icons, that allow users to grab data and then aggregate it, for instance by the day of the week or by volume of transactions. Each node represents a step in the data mining process; linked together, the nodes create a profile of a potential threat. "It's crucial that users are able to build a set of characteristics that surround a particular type of event," says Bill Haffey, technical director, public sector at SPSS. An example would be a domain expert at CIAP-CT/HISTO viewing how many times a single user unsuccessfully attempted to access a specific IP address over a specific period of time. Based on results from the data, he or she could determine if the behavior should be considered unusual and dealt with as a possible threat.
The key to analyzing possible threats, according to CIAP-CT/HISTO, is the volume of data users have to work with. The more data that's available, the better the results will be in pinpointing unusual behaviors.
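The failed-access count and day-of-week aggregation described above can be sketched in a few lines of Python. This is an added example, not Clementine output or CIAP-CT/HISTO's own logic; the event fields, the 10-minute window and the threshold of 5 are assumptions, and the log records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# Constructed sample events: (timestamp, user, destination IP, outcome).
EVENTS = (
    [(f"2024-03-04 02:1{m}:00", "bob", "10.0.9.9", "DENY") for m in range(6)]
    + [("2024-03-04 02:30:00", "bob", "10.0.9.9", "ALLOW"),
       ("2024-03-04 09:00:00", "alice", "10.0.5.20", "DENY"),
       ("2024-03-04 13:00:00", "alice", "10.0.5.20", "DENY"),
       ("2024-03-05 09:00:00", "alice", "10.0.5.20", "DENY")]
)

def parse(events):
    """Convert timestamps and return the events in chronological order."""
    return sorted((datetime.strptime(ts, FMT), user, ip, outcome)
                  for ts, user, ip, outcome in events)

def failed_access_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {(user, ip): peak} for every pair whose failed attempts inside
    one sliding window reach the threshold (both values are assumptions)."""
    recent = defaultdict(deque)   # (user, ip) -> failure times still in window
    peaks = {}
    for ts, user, ip, outcome in parse(events):
        if outcome != "DENY":
            continue
        q = recent[(user, ip)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(user, ip)] = max(peaks.get((user, ip), 0), len(q))
    return peaks

def failures_by_weekday(events):
    """Aggregate failed attempts by day of the week."""
    counts = defaultdict(int)
    for ts, _user, _ip, outcome in parse(events):
        if outcome == "DENY":
            counts[DAYS[ts.weekday()]] += 1
    return dict(counts)

if __name__ == "__main__":
    print(failed_access_bursts(EVENTS))
    print(failures_by_weekday(EVENTS))
```

The pairs it returns are candidates for an analyst to review, not verdicts: alice's three failures spread over two days stay below the threshold, while bob's burst in a single window is surfaced.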