A Comparative Study of Real-Valued Negative Selection to Statistical Anomaly Detection Techniques

Stibor, Thomas; Timmis, Jon; Eckert, Claudia

doi:10.1007/11536444_20

Cited by 110 publications

(89 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…As pointed out in (Stibor et al, 2005), the NSA (no matter binary string version or real-valued version) have numerous problems: firstly they cannot avoid the curse of dimensionality, and not applicable to data with high dimensionality; secondly, the detector generation can result holes within the shape-space, so it is difficult to cover just non-self, and it either generates the population of detectors covering both non-self and unseen self (over-fit) or only covering partial non-self (under-fit); thirdly, the NSA still take extensive time period to generate the adequately complete set of detectors. Therefore, negative selection is insufficient and not suitable for anomaly detection.…”

Section: The Nsa Based Approachesmentioning

confidence: 79%

“…Initially AIS were based on simple models of the human immune system. As noted by Stibor et al (2005), "first generation algorithms", including negative selection and clonal selection do not produce the same high quality performance as the human immune system. These algorithms, negative selection in particular, are prone to problems with scaling and the generation of excessive false alarms when used to solve problems such as network based intrusion detection.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Dendritic Cell Algorithm for Intrusion Detection

Greensmith

Aickelin

2012

Biologically Inspired Networking and Sensing

View full text Add to dashboard Cite

As one of the solutions to intrusion detection problems, Artificial Immune Systems (AIS) have shown their advantages. Unlike genetic algorithms, there is no one archetypal AIS, instead there are four major paradigms. Among them, the Dendritic Cell Algorithm (DCA) has produced promising results in various applications. The aim of this chapter is to demonstrate the potential for the DCA as a suitable candidate for intrusion detection problems. We review some of the commonly used AIS paradigms for intrusion detection problems and demonstrate the advantages of one particular algorithm, the DCA. In order to clearly describe the algorithm, the background to its development and a formal definition are given. In addition, improvements to the original DCA are presented and their implications are discussed, including previous work done on an online analysis component with segmentation and ongoing work on automated data preprocessing. Based on preliminary results, both improvements appear to be promising for online anomaly-based intrusion detection. IntroductionArtificial Immune Systems (AIS) (de Castro and Timmis, 2003) are computer systems inspired by both theoretical immunology and observed immune functions, principles and models, which are applied to real world problems. The human immune system, from which AIS draw inspiration, is evolved to protect the host from a wealth of invading microorganisms. AIS are developed to provide the similar defensive properties within a computing context. Initially AIS were based on simple models of the human immune system. As noted by Stibor et al. (2005), "first generation algorithms", including negative selection and clonal selection do not produce the same high quality performance as the human immune system. These algorithms, negative selection in particular, are prone to problems with scaling and the generation of excessive false alarms when used to solve problems such as network based intrusion detection. Recent AIS use more rigourous and up-to-date immunology and are developed in collaboration with modellers and immunologists. The resulting algorithms are believed to encapsulate the desirable properties of immune systems including robustness, error tolerance, and self-organisation (de Castro and Timmis, 2003).One such "second generation" AIS is the Dendritic Cell Algorithm (DCA) , inspired by the function of the dendritic cells (DCs) of the innate immune system. It incorporates the principles of a key novel theory in immunology, termed the "danger theory" (Matzinger, 2002). This theory suggests that DCs are responsible for the initial detection of invading microorganisms, in addition to the induction of various immune responses against such invaders. An abstract model of natural DC behaviour is used as the foundation of the developed algorithm. The DCA has been successfully applied to numerous computer security related, more specific, 2 intrusion detection problems, including port scan detection , botnet detection (Al-Hammadi et al., 2008) and a classifier for robot secur...

show abstract

Section: The Nsa Based Approachesmentioning

confidence: 79%

Section: Introductionmentioning

confidence: 99%

The Dendritic Cell Algorithm for Intrusion Detection

Greensmith

Aickelin

2012

Biologically Inspired Networking and Sensing

View full text Add to dashboard Cite

show abstract

“…By applying statical inference test we determine if an unseen instance is normal or abnormal. Normal instances occur in high probability regions of the statistical model while anomalies occur in a low probability regions of the stochastic model [18,52]. Spectral anomaly detection techniques try to find a lower dimensional subspace in which normal instances and anomalies appear significantly different.…”

Section: Current Anomaly Detection Techniquesmentioning

confidence: 99%

A Family of Joint Sparse PCA Algorithms for Anomaly Localization in Network Data Streams

Jiang

Fei

Huan

2013

IEEE Trans. Knowl. Data Eng.

View full text Add to dashboard Cite

Determining anomalies in data streams that are collected and transformed from various types of networks has recently attracted significant research interest.Principal Component Analysis (PCA) is arguably the most widely applied unsupervised anomaly detection technique for networked data streams due to its simplicity and efficiency. However, none of existing PCA based approaches addresses the problem of identifying the sources that contribute most to the observed anomaly, or anomaly localization. In this paper, we first proposed a novel joint sparse PCA method to perform anomaly detection and localization for network data streams. Our key observation is that we can detect anomalies and localize anomalous sources by identifying a low dimensional abnormal subspace that captures the abnormal behavior of data. To better capture the sources of anomalies, we incorporated the structure of the network stream data in our anomaly localization framework. Also, an extended version of PCA, multidimensional KLE, was introduced to stabilize the localization performance. We performed comprehensive experimental studies on four real-world data sets from different application domains and compared our proposed techniques with several state-of-the-arts. Our experimental studies demonstrate the utility of the proposed methods.

show abstract

“…As the base for the change detection, the fitness distribution F(t), is real-valued it seems straightforward to use a real-valued shape space S =[0, 1] m here, where m is its dimension. Dimensionality of the shape space is an important parameter influencing computational effort and performance of the detection scheme (42). The dimensionality of the fitness distribution F(t) equals the number of individuals in the population µ.…”

Section: The Immunological Change Detectormentioning

confidence: 99%

Artificial Immune Systems, Dynamic Fitness Landscapes, and the Change Detection Problem

Richter¹

2012

Bio-Inspired Computational Algorithms and Their Applications

View full text Add to dashboard Cite

A Comparative Study of Real-Valued Negative Selection to Statistical Anomaly Detection Techniques

Cited by 110 publications

References 7 publications

The Dendritic Cell Algorithm for Intrusion Detection

The Dendritic Cell Algorithm for Intrusion Detection

A Family of Joint Sparse PCA Algorithms for Anomaly Localization in Network Data Streams

Artificial Immune Systems, Dynamic Fitness Landscapes, and the Change Detection Problem

Contact Info

Product

Resources

About