### Abstract

In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.

Original language | English (US) |
---|---|

Pages (from-to) | 357-373 |

Number of pages | 17 |

Journal | IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics |

Volume | 34 |

Issue number | 1 |

DOIs | |

State | Published - Feb 1 2004 |

Externally published | Yes |

### Fingerprint

### Keywords

- Anamoly detection
- Artificial immune systems
- Intrusion detection
- Negative detection

### ASJC Scopus subject areas

- Control and Systems Engineering
- Software
- Information Systems
- Human-Computer Interaction
- Computer Science Applications
- Electrical and Electronic Engineering

### Cite this

*IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics*,

*34*(1), 357-373. https://doi.org/10.1109/TSMCB.2003.817026

**A Formal Framework for Positive and Negative Detection Schemes.** / Esponda, Fernando; Forrest, Stephanie; Helman, Paul.

Research output: Contribution to journal › Article

*IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics*, vol. 34, no. 1, pp. 357-373. https://doi.org/10.1109/TSMCB.2003.817026

}

TY - JOUR

T1 - A Formal Framework for Positive and Negative Detection Schemes

AU - Esponda, Fernando

AU - Forrest, Stephanie

AU - Helman, Paul

PY - 2004/2/1

Y1 - 2004/2/1

N2 - In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.

AB - In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.

KW - Anamoly detection

KW - Artificial immune systems

KW - Intrusion detection

KW - Negative detection

UR - http://www.scopus.com/inward/record.url?scp=0742324903&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0742324903&partnerID=8YFLogxK

U2 - 10.1109/TSMCB.2003.817026

DO - 10.1109/TSMCB.2003.817026

M3 - Article

C2 - 15369078

AN - SCOPUS:0742324903

VL - 34

SP - 357

EP - 373

JO - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

JF - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

SN - 1083-4419

IS - 1

ER -