TY - JOUR
T1 - A Formal Framework for Positive and Negative Detection Schemes
AU - Esponda, Fernando
AU - Forrest, Stephanie
AU - Helman, Paul
N1 - Funding Information:
Manuscript received July 18, 2002; revised March 24, 2003. This work was supported by the National Science Foundation under Grants ANIR-9986555 and DBI-0309147, the Office of Naval Research under Grant N00014-99-1-0417, the Defense Advanced Projects Agency under Grant AGR F30602-00-2-0584, the Intel Corporation, the Santa Fe Institute, and the Consejo Nacional de Ciencia y Tecnología (México) under Grant 116691/131686. This paper was recommended by Associate Editor D. Cook.
PY - 2004/2
Y1 - 2004/2
N2 - In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.
AB - In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.
KW - Anomaly detection
KW - Artificial immune systems
KW - Intrusion detection
KW - Negative detection
UR - http://www.scopus.com/inward/record.url?scp=0742324903&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=0742324903&partnerID=8YFLogxK
U2 - 10.1109/TSMCB.2003.817026
DO - 10.1109/TSMCB.2003.817026
M3 - Article
C2 - 15369078
AN - SCOPUS:0742324903
SN - 1083-4419
VL - 34
SP - 357
EP - 373
JO - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
JF - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
IS - 1
ER -