TY - JOUR

T1 - A Formal Framework for Positive and Negative Detection Schemes

AU - Esponda, Fernando

AU - Forrest, Stephanie

AU - Helman, Paul

N1 - Funding Information:
Manuscript received July 18, 2002; revised March 24, 2003. This work was supported by the National Science Foundation under Grants ANIR-9986555 and DBI-0309147, the Office of Naval Research under Grant N00014-99-1-0417, the Defense Advanced Projects Agency under Grant AGR F30602-00-2-0584, the Intel Corporation, the Santa Fe Institute, and the Consejo Nacional de Ciencia y Tecnología (México) under Grant 116691/131686. This paper was recommended by Asoociate Editor D. Cook.

PY - 2004/2

Y1 - 2004/2

N2 - In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.

AB - In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.

KW - Anamoly detection

KW - Artificial immune systems

KW - Intrusion detection

KW - Negative detection

UR - http://www.scopus.com/inward/record.url?scp=0742324903&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0742324903&partnerID=8YFLogxK

U2 - 10.1109/TSMCB.2003.817026

DO - 10.1109/TSMCB.2003.817026

M3 - Article

C2 - 15369078

AN - SCOPUS:0742324903

VL - 34

SP - 357

EP - 373

JO - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

JF - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

SN - 1083-4419

IS - 1

ER -