Academia.eduAcademia.edu

Outline

Title
Abstract
FAQs
Figures
Introduction
Experiments and Results
Data Set and Preprocessing
Results
BNS Results
Som Results
Results Comparison and Discussion (Mit-Darpa 98)
Results Comparison and Discussion (Mit-Darpa 99)
Experimental Settings
Results Comparison and Discussion
Data Set
Conclusions
References
All Topics
Computer Science
Machine Learning

Anomaly detection using real-valued negative selection

Profile image of Gurpreet SinghGurpreet Singh

2003, Genetic Programming and Evolvable …

https://doi.org/10.1023/A:1026195112518
visibility

description

26 pages

link

1 file

Abstract

This paper describes a real-valued representation for the negative selection algorithm and its applications to anomaly detection. In many anomaly detection applications, only positive (normal) samples are available for training purpose. However, conventional classification algorithms need samples for all classes (e.g. normal and abnormal) during the training phase. This approach uses only normal samples to generate abnormal samples, which are used as input to a classification algorithm. This hybrid approach is compared against an anomaly detection technique that uses self-organizing maps to cluster the normal data sets (samples). Experiments are performed with different data sets and some results are reported.

FAQs

sparkles

AI

What advantages does real-valued negative selection offer over binary representations?add

The research demonstrates that real-valued negative selection enables a more meaningful representation of data, facilitating better integration with machine learning algorithms. This was evidenced by improvements in anomaly detection accuracy in varying applications.

How does the hybrid neuro-immune system compare with traditional methods?add

The hybrid system (HNIS) achieved a detection rate of 98% on the MIT-Darpa 99 dataset, surpassing traditional binary negative selection methods. In contrast, positive detection algorithms also performed well, reinforcing the versatility of HNIS.

What were the key parameters for optimizing the real-valued negative selection algorithm?add

Parameters such as radius (r = 0.1) and adaptation rate (η = 1) were crucial for detector generation. These settings contributed to O(num iter • num ab • (num ab + |S|)) time complexity, establishing effective detector distribution in the non-self space.

What dataset complexities were addressed in the experiments?add

Experiments utilized complex datasets like the Mackey-Glass time series, exhibiting chaotic behavior, and the KDD Cup 99 dataset, featuring real network attacks, both presenting significant challenges for reliable anomaly detection. This diversity tested the robustness of the proposed methods across varying circumstances.

What was the performance outcome of the SOM compared to HNIS?add

Self-Organizing Maps (SOM) exhibited slightly better results in some scenarios, achieving a detection rate exceeding 93% with low false alarms. However, HNIS demonstrated comparable performance, especially when detecting non-self samples, validating its efficacy.

Figures (12)
Figure 1. Illustrates an iteration of the real-valued negative selection algorithm. The input to the algorithm is a set of self samples represented by n-dimensional points (vectors). The algorithm tries to evolve a complement set of points (called antibodies or detectors) that cover the non-self space. This is accomplished by an iterative process that updates the position of the detector driven by two goals!:
Figure 1. Illustrates an iteration of the real-valued negative selection algorithm. The input to the algorithm is a set of self samples represented by n-dimensional points (vectors). The algorithm tries to evolve a complement set of points (called antibodies or detectors) that cover the non-self space. This is accomplished by an iterative process that updates the position of the detector driven by two goals!:
(feature vectors), which are used by the RNS algorithm [20] to generate abnormal samples. Subsequently, the normal and abnormal samples are used as input to a supervised algorithm that produces a classifier. This classifier corresponds to the anomaly detection function and is used during the testing phase to classify new samples as normal or abnormal. Figure 3. A hybrid immune system for anomaly detection that generates an anomaly characterization function from normal samples.
(feature vectors), which are used by the RNS algorithm [20] to generate abnormal samples. Subsequently, the normal and abnormal samples are used as input to a supervised algorithm that produces a classifier. This classifier corresponds to the anomaly detection function and is used during the testing phase to classify new samples as normal or abnormal. Figure 3. A hybrid immune system for anomaly detection that generates an anomaly characterization function from normal samples.
Figure 4. Mackey-Glass time series: (a) normal, using tT = 30, (b) with an anomaly, T = 17 from 300 to 400. The normal samples were produced from a time series with 500 elements generated using 7 = 30 and discarding the first 1000 samples to eliminate the initial value effect. The resulting time series is shown in Figure 4(a). The test data (Figure 4(b)) is generated as before using 7 = 30, but starting with different initial conditions. An abnormality is introduced between time 300 to 400 by changing the parameter 7 to 17. It is important to note that this experimental setting is different from the one used by Dasgupta and Forrest [9]. In that work, the anomalous time series is identical to the normal one, with the exception of the portion between 1000 and 1500. In our case, the two series are completely
Figure 4. Mackey-Glass time series: (a) normal, using tT = 30, (b) with an anomaly, T = 17 from 300 to 400. The normal samples were produced from a time series with 500 elements generated using 7 = 30 and discarding the first 1000 samples to eliminate the initial value effect. The resulting time series is shown in Figure 4(a). The test data (Figure 4(b)) is generated as before using 7 = 30, but starting with different initial conditions. An abnormality is introduced between time 300 to 400 by changing the parameter 7 to 17. It is important to note that this experimental setting is different from the one used by Dasgupta and Forrest [9]. In that work, the anomalous time series is identical to the normal one, with the exception of the portion between 1000 and 1500. In our case, the two series are completely
Figure 5. Output value produced by the anomaly function when applied to the Mackey-Glass testing set. (a) HNIS (12 hidden neurons); (b) BNS (r = 8, Gray coding); (C) SOM (6x6, Doo distance).
Figure 5. Output value produced by the anomaly function when applied to the Mackey-Glass testing set. (a) HNIS (12 hidden neurons); (b) BNS (r = 8, Gray coding); (C) SOM (6x6, Doo distance).
Figure 6. Output value, smoothed using Equation 8, produced by the anomaly func- tion when applied to the Mackey-Glass testing set. (a) HNIS (12 hidden neurons, s = 5); (b) BNS (r = 8, Gray coding, s = 10); (C) SOM (6x6, , Doo distance, s = 10).
Figure 6. Output value, smoothed using Equation 8, produced by the anomaly func- tion when applied to the Mackey-Glass testing set. (a) HNIS (12 hidden neurons, s = 5); (b) BNS (r = 8, Gray coding, s = 10); (C) SOM (6x6, , Doo distance, s = 10).
Figure 7. ROC curves for the BNS algorithm applied to the Mackey-Glass test data set. 5.1.3.2. SOM results As it was discussed in section 4, three different distance measures were proposed to calculate the anomaly detection function defined in Equation 2. Figure 8(a) shows the ROC curves corresponding to these distance measures. D,, Minkowsky distance (Equation 6) shows a slight advantage over other distance measures. Figure 8(b) shows ROC curves for different topologies of the SOM network. A higher number of neurons produces a most accurate clas- sification; however, the difference between the curves is not big; this suggests that a further increase in the network complexity may not improve the accuracy.
Figure 7. ROC curves for the BNS algorithm applied to the Mackey-Glass test data set. 5.1.3.2. SOM results As it was discussed in section 4, three different distance measures were proposed to calculate the anomaly detection function defined in Equation 2. Figure 8(a) shows the ROC curves corresponding to these distance measures. D,, Minkowsky distance (Equation 6) shows a slight advantage over other distance measures. Figure 8(b) shows ROC curves for different topologies of the SOM network. A higher number of neurons produces a most accurate clas- sification; however, the difference between the curves is not big; this suggests that a further increase in the network complexity may not improve the accuracy.
Figure 8. ROC curves for SOM anomaly detection applied to Mackey-Glass test data set. (a) different distance measures using 6x6 topology; (b) different topologies using D. distance.
Figure 8. ROC curves for SOM anomaly detection applied to Mackey-Glass test data set. (a) different distance measures using 6x6 topology; (b) different topologies using D. distance.
Figure 9. ROC curves for HNIS anomaly detection applied to Mackey-Glass test data set for different MLP topologies: 6, 12, and 16 hidden neurons.
Figure 9. ROC curves for HNIS anomaly detection applied to Mackey-Glass test data set for different MLP topologies: 6, 12, and 16 hidden neurons.
Figure 10. Best ROC curves produced by each method for the Mackey-Glass test data set.
Figure 10. Best ROC curves produced by each method for the Mackey-Glass test data set.
Figure 11. Best ROC curves produced by HNIS and SOM methods for the MIT-Darpa 98 test data set.
Figure 11. Best ROC curves produced by HNIS and SOM methods for the MIT-Darpa 98 test data set.
Figure 12. Best ROC curves produced by each method for Darpa 99 test data set. This data set correspond to a breast cancer data set created at the University of Wisconsin Hospitals [36]. This particular data set was obtained from the University of Irvine Machine Learning repository*. Each data record is conformed by ten numerical attributes and the abel (benign or malign). The data is composed by 699 records, but 16 of them have missing values. (we did not use these records.) The data was normalized to fit the interval [0,1] , and we partitioned it in two sets, training and testing. The training set contains 271 benign records. The testing set is composed of 412 mixed benign and malign records.
Figure 12. Best ROC curves produced by each method for Darpa 99 test data set. This data set correspond to a breast cancer data set created at the University of Wisconsin Hospitals [36]. This particular data set was obtained from the University of Irvine Machine Learning repository*. Each data record is conformed by ten numerical attributes and the abel (benign or malign). The data is composed by 699 records, but 16 of them have missing values. (we did not use these records.) The data was normalized to fit the interval [0,1] , and we partitioned it in two sets, training and testing. The training set contains 271 benign records. The testing set is composed of 412 mixed benign and malign records.
Figure 18. Best ROC curves produced by each method for Wisconsin breast cance test data set.
Figure 18. Best ROC curves produced by each method for Wisconsin breast cance test data set.

Related papers

Comments on real-valued negative selection vs. real-valued positive selection and one-class SVM
Jon Timmis

2007

Real-valued negative selection (RVNS) is an immune-inspired technique for anomaly detec- tion problems. It has been claimed that this technique is a competitive approach, comparable to statistical anomaly detection approaches such as one-class Sup- port Vector Machine. Moreover, it has been claimed that the complementary approach to RVNS, termed real-valued positive selection, is not a realistic solu- tion. We investigate

View PDFchevron_right
Unsupervised Classification Based Negative Selection Algorithm
Mohamed-Khireddine Kholladi

In the last decade, artificial life has been considered as a promising area for rising challenges to unresolved computational problems. Inspired by natural phenomena, its study focuses on the exploration of complex systems. Neuronal networks, genetic algorithms and more recently artificial immune systems are examples. Artificial Immune Systems (AIS) are one type of intelligent algorithms inspired by the principles and processes of the human immune system. Emulating the discrimination mechanism of the natural system, negative selection algorithm of AIS has been successfully applied on change and anomaly detection. This paper describes initial investigations in applying negative selection algorithm on pixel classification by maintaining a population of detectors that remove undesired patterns. Its purpose is to find several detectors which do not match to self in the population. We make use of an Euclidian space with an Euclidian performance measure on color images. The experimental s...

View PDFchevron_right
An enhanced Hybrid Anomaly-based Detection Approach
Mohiy M. Hadhoud

2014

During the last decade, Intrusion Detection Systems (IDSs) have played an important role in defending critical computer systems and networks from cyber-attacks. Anomaly detection techniques have received a particularly great amount of attention because they offer intrinsic ability to detect unknown attacks. In this paper, we propose an enhanced hybrid anomaly detection approach based on negative selection algorithm and metaheuristics. The enhancements include tuning some of its parameters value automatically without predefining them. NSL-KDD dataset; which is a modified version of the widely used KDDCUP99 dataset; is used for performance evaluation. KDDCUP99 dataset is criticized by its inability to reflected recent network traffic behaviour. So, a real time experiment was performed to capture and construct a recent dataset to ensure the performance of the proposed enhancements. Performance evaluation shows that the proposed approach outperforms other competitors of machine learning algorithms on both datasets.

View PDFchevron_right
Revisiting Negative Selection Algorithms
sun shine

This paper reviews the progress of negative selection algorithms, an anomaly/change detection approach in Artificial Immune Systems (AIS). Following its initial model, we try to identify the fundamental characteristics of this family of algorithms and summarize their diversities. There exist various elements in this method, including data representation, coverage estimate, affinity measure, and matching rules, which are discussed for different variations. The various negative selection algorithms are categorized by different criteria as well. The relationship and possible combinations with other AIS or other machine learning methods are discussed. Prospective development and applicability of negative selection algorithms and their influence on related areas are then speculated based on the discussion.

View PDFchevron_right
Discriminating and visualizing anomalies using negative selection and self-organizing maps
Diego Rojas

Proceedings of the …, 2005

An immune inspired model that can detect anomalies, even when trained only with normal samples, and can learn from encounters with new anomalies is presented. The model combines a negative selection algorithm and a self-organizing map (SOM) in an immune inspired architecture. The proposed system is able to produce a visual representation of the self/non-self feature space, thanks to the topological 2-dimensional map produced by the SOM. Some experiments were performed on classification data; the ...

View PDFchevron_right

References (38)

  1. Ayara, M., J. Timmis, L. de Lemos, R. de Castro, and R. Duncan: 2002, 'Neg- ative selection: How to generate detectors'. In: J. Timmis and P. J. Bentley (eds.): Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS). Canterbury, UK, pp. 89-98.
  2. Balthrop, J., F. Esponda, S. Forrest, and M. Glickman: 2002a, 'Coverage And Generalization In An Artificial Immune System'. In: W. B. Langdon, E. Cantú- Paz, K. Mathias, R. Roy, D. Davis, R. Poli, K. Balakrishnan, V. Honavar, G. GPEM2003resubm.tex; 8/04/2004; 10:47; p.22
  3. Rudolph, J. Wegener, L. Bull, M. A. Potter, A. C. Schultz, J. F. Miller, E. Burke, and N. Jonoska (eds.): Proceedings of the Genetic and Evolutionary Computation Conference (GECCO). San Francisco, CA, pp. 3-10.
  4. Balthrop, J., S. Forrest, and M. R. Glickman: 2002b, 'Revisting LISYS: Pa- rameters and Normal Behavior'. In: D. B. Fogel, M. A. El-Sharkawi, X. Yao, G. Greenwood, H. Iba, P. Marrow, and M. Shackleton (eds.): Proceedings of the 2002 Congress on Evolutionary Computation CEC2002. USA, pp. 1045-1050.
  5. Bradley, D. and A. Tyrrell: 2002, 'Immunotronics: Novel Finite-State-Machine Architectures with Built-In Self-Test Using Self-Nonself Differentiation'. IEEE Transactions on Evolutionary Computation 6(3), 227-238.
  6. Caudell, T. and D. Newman: 1993, 'An adaptive resonance architecture to define normality and detect novelties in time series and databases'. In: IEEE World Congress on Neural Networks. Portland, OR, pp. 166-176.
  7. Coello Coello, C. A. and N. Cruz Cortés: 2002, 'An Approach to Solve Multi- objective Optimization Problems Based on an Artificial Immune System'. In: J. Timmis and P. J. Bentley (eds.): First International Conference on Artificial Immune Systems (ICARIS). Canterbury,UK, pp. 212-221.
  8. Dagupta, D. and F. González: 2002, 'An Immunity-Based Technique to Charac- terize Intrusions in Computer Networks'. IEEE Transactions on Evolutionary Computation 6(3), 281-291.
  9. Dasgupta, D.: 1999, Artificial immune systems and their applications. New York: Springer-Verlag.
  10. Dasgupta, D. and S. Forrest: 1996, 'Novelty detection in time series data using ideas from immunology'. In: J. F. C. Harris (ed.): Proceedings of the 5th International Conference on Intelligent Systems. Cary, NC, pp. 82-87.
  11. Dasgupta, D. and S. Forrest: 1999, 'An anomaly detection algorithm inspired by the immune system'. In: D. Dasgupta (ed.): Artificial immune systems and their applications,. New York: Springer-Verlag, pp. 262-277.
  12. Dasgupta, D. and N. S. Majumdar: 2002, 'Anomaly Detection in Multidimen- sional Data using Negative Selection Algorithm'. In: D. B. Fogel, M. A. El-Sharkawi, X. Yao, G. Greenwood, H. Iba, P. Marrow, and M. Shackle- ton (eds.): Proceedings of the 2002 Congress on Evolutionary Computation (CEC2002). USA, pp. 1039-1044.
  13. de Castro, L. N. and J. Timmis: 2002, Artificial Immune Systems: A New Computational Approach. London, UK: Springer-Verlag.
  14. Denning, D. E.: 1987, 'An intrusion-detection model'. IEEE Transactions on Software Engineering 13(2), 222-232.
  15. D'haeseleer, P., S. Forrest, and P. Helman: 1996, 'An immunological approach to change detection: algorithms, analysis and implications'. In: J. McHugh and G. Dinolt (eds.): Proceedings of the 1996 IEEE Symposium on Computer Security and Privacy. USA, pp. 110-119.
  16. Fan, W., W. Lee, M. Miller, S. Stolfo, and P. Chan: 2001, 'Using artificial anomalies to detect unknown and known network intrusions'. In: N. Cer- cone, T. Y. Lin, and X. Wu (eds.): Proceedings of the 1st IEEE International conference on Data Mining. USA, pp. 123-130.
  17. Forrest, S., A. Perelson, L. Allen, and R. Cherukuri: 1994, 'Self-nonself dis- crimination in a computer'. In: Proceedings IEEE Symposium on Research in Security and Privacy. Los Alamitos, CA, pp. 202-212.
  18. Fox, K., R. Henning, J. Reed, and R. Simonian: 1990, 'A neural network approach towards intrusion detection'. In: Proc. 13th NIST-NCSC national computer security conference. Washington, DC, pp. 125-134. GPEM2003resubm.tex; 8/04/2004; 10:47; p.23
  19. González, F. and D. Dasgupta: 2002, 'An imunogenetic technique to detect anomalies in network traffic'. In: W. B. Langdon, E. Cantú-Paz, K. Mathias, R. Roy, D. Davis, R. Poli, K. Balakrishnan, V. Honavar, G. Rudolph, J. Wegener, L. Bull, M. A. Potter, A. C. Schultz, J. F. Miller, E. Burke, and N. Jonoska (eds.): Proceedings of the Genetic and Evolutionary Computation Conference (GECCO). San Francisco, CA, pp. 1081-1088.
  20. Gonzalez, F., D. Dasgupta, and J. Gomez: 2003, 'The Effect of Binary matching Rules in Negative Selection'. In: Proceedings of the Genetic and Evolutionary Computation Conference (GECCO).
  21. González, F., D. Dasgupta, and R. Kozma: 2002, 'Combining negative selection and classification techniques for anomaly detection'. In: D. B. Fogel, M. A. El- Sharkawi, X. Yao, G. Greenwood, H. Iba, P. Marrow, and M. Shackleton (eds.): Proceedings of the 2002 Congress on Evolutionary Computation CEC2002. USA, pp. 705-710.
  22. Harmer, P., G. Williams, P.D.and Gnusch, and G. Lamont: 2002, 'An Artifi- cial Immune System Architecture for Computer Security Applications'. IEEE Transactions on Evolutionary Computation 6(3), 252-280.
  23. Haykin, S.: 1994, Neural networks : a comprehensive foundation. New York: Macmillan.
  24. Hofmeyr, S. and S. Forrest: 2000, 'Architecture for an Artificial Immune System'. Evolutionary Computation 8(4), 443-473.
  25. Hsu, W., L. Auvil, W. Pottenger, D. Tcheng, and M. Welge: 1999, 'Self- organizing systems for knowledge discovery in databases'. In: In proceedings of the international joint conference on neural networks IJCNN-99. USA.
  26. Keogh, E., S. Lonardi, and B. Chiu: 2002, 'Finding surprising patterns in a time series database in linear time and space'. In: O. R. Zaïane, R. Goebel, D. Hand, D. Keim, and R. Ng (eds.): Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '02). USA, pp. 550-556.
  27. Kephart, J. O.: 1994, 'A Biologically Inspired Immune System for Computers'. In: R. A. Brooks and P. Maes (eds.): Proceedings of the 4th International Work- shop on the Synthesis and Simulation of Living Systems Artif icialLif eIV . Cambridge, MA, USA, pp. 130-139.
  28. Kim, J. and P. Bentley: 2001, 'An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection'. In: L. Spector, E. D. Goodman, A. Wu, W. B. Langdon, H.-M. Voigt, M. Gen, S. Sen, M. Dorigo, S. Pezeshk, M. H. Garzon, and E. Burke (eds.): Proceedings of the Genetic and Evolutionary Computation Conference (GECCO). San Francisco, CA, pp. 1330-1337.
  29. Kohonen, T.: 1995, Self-Organizing Maps, Vol. 30 of Springer Series in In- formation Sciences. Berlin, Heidelberg: Springer. (Second Extended Edition 1997).
  30. Lane, T.: 2000, 'Machine learning techniques for the computer security'. Ph.D. thesis, Purdue University.
  31. Lee, W. and S. Stolfo: 1998, 'Data mining approaches for intrusion detection'. In: Proceedings of the 7th USENIX security symposium. Berkeley, CA, pp. 79- 94.
  32. Mackey, M. and L. Glass: 1977, 'Oscillation and chaos in physiological control systems'. Science 197, 287-289.
  33. MIT: 1999, '1999 Darpa intrusion detection evaluation'. MIT Lincoln Labs.
  34. Murphy, P. and D. Aha: 1992, 'UCI Repository of machine learning databases'. GPEM2003resubm.tex; 8/04/2004; 10:47; p.24
  35. Portnoy, L., E. Eskin, and S. Stolfo: 2001, 'Intrusion detection with unlabeled data using clustering'. In: Proceedings of ACM CCS Workshop on Data Mining Applied to Security. USA.
  36. Provost, F., T. Fawcett, and R. Kohavi: 1998, 'The case against accuracy esti- mation for comparing induction algorithms'. In: J. Shavlik (ed.): Proceedings of 15th International Conference on Machine Learning. San Francisco, CA, pp. 445-453.
  37. Wolberg, W. H. and O. Mangasarian: 1990, 'Multisurface method of pattern separation for medical diagnosis applied to breast cytology'. Proceedings of the National Academy of Sciences, U.S.A. 87, 9193-9196.
  38. Yoshikiyo, T.: 2001, 'Fault detection by mining association rules from house- keeping data'. In: proceedings of international symposium on artificial intelli- gence, robotics and automation in space (i-sairas 2001). Montreal, Canada. GPEM2003resubm.tex; 8/04/2004; 10:47; p.25

Related papers

A comparative study of real-valued negative selection to statistical anomaly detection techniques
Jon Timmis

2005

The (randomized) real-valued negative selection algorithm is an anomaly detection approach, inspired by the negative selection immune system principle. The algorithm was proposed to overcome scaling problems inherent in the hamming shape-space negative selection algorithm. In this paper, we investigate termination behavior of the realvalued negative selection algorithm with variable-sized detectors on an artificial data set. We then undertake an analysis and comparison of the classification performance on the high-dimensional KDD data set of the real-valued negative selection, a real-valued positive selection and statistical anomaly detection techniques. Results reveal that in terms of detection rate, real-valued negative selection with variable-sized detectors is not competitive to statistical anomaly detection techniques on the KDD data set. In addition, we suggest that the termination guarantee of the real-valued negative selection with variable-sized detectors is very sensitive to several parameters. 7 Received Operating Characteristic 8 generates detectors randomly

View PDFchevron_right
Is negative selection appropriate for anomaly detection?
Gurpreet Singh

Proceedings of the 2005 …, 2005

Negative selection algorithms for hamming and real-valued shape-spaces are reviewed. Problems are identified with the use of these shape-spaces, and the negative selection algorithm in general, when applied to anomaly detection. A straightforward self detector classification principle is proposed and its classification performance is compared to a real-valued negative selection algorithm and to a one-class support vector machine. Earlier work suggests that realvalue negative selection requires a single class to learn from. The investigations presented in this paper reveal, however, that when applied to anomaly detection, the real-valued negative selection and self detector classification techniques require positive and negative examples to achieve a high classification accuracy. Whereas, one-class SVMs only require examples from a single class.

View PDFchevron_right
Hybrid Negative Selection Approach for Anomaly Detection
Slawomir Wierzchon

Lecture Notes in Computer Science, 2012

This paper describes b-v model which is enhanced version of the negative selection algorithm (NSA). In contrast to formerly presented approaches, binary and real-valued detectors are incorporated. The reason behind developing this hybrid is willingness to overcome the scalability problems, which are a key problem, when only one type of detectors is used. Although high-dimensional datasets are a great challenge for NSA, however, equally important are quality of generated detectors and duration of learning as well as classification stages. Thus, also there are discussed various versions of b-v model to increase its efficiency. Versatility of proposed approach was intensively tested by using popular testbeds concerning domains like computer's security (intruders and spam detection), recognition of handwritten words, etc.

View PDFchevron_right
A Cooperative Negative Selection Algorithm for Anomaly Detection
Bhupendra Verma

International Journal of Computer Applications, 2014

Artificial Immune System (AIS) is a convoluted and complex arrangement derived from biological immune system (BIS). It possesses the abilities of self-adapting, self-learning and selfconfiguration. It has the basic function to distinguish self and non-self. Negative Selection Algorithm (NSA) over the years has shown to be competent for anomaly detection problems. In the past decade internet has popularized and proliferated into our lives immensely. Internet attack cases are increasing with different and new attack methods. This paper presents a Cooperative Negative Selection Algorithm (CNSA) for Anomaly Detection by integrating a novel detector selection strategy and voting between them to effectively identify anomaly. New introduced mechanisms in CNSA enable it to cover more self region correctly and efficiently. It also reduces computational complexities. Experimental results show high anomaly detection rate with less false positive alarm and low overhead in most of the cases.

View PDFchevron_right
NSNAD: negative selection-based network anomaly detection approach with relevant feature subset
Mohamed Guerroumi

Neural Computing and Applications, 2019

Intrusion detection systems are one of the security tools widely deployed in network architectures in order to monitor, detect and eventually respond to any suspicious activity in the network. However, the constantly growing complexity of networks and the virulence of new attacks require more adaptive approaches for optimal responses. In this work, we propose a semi-supervised approach for network anomaly detection inspired from the biological negative selection process. Based on a reduced dataset with a filter/ranking feature selection technique, our algorithm, namely negative selection for network anomaly detection (NSNAD), generates a set of detectors and uses them to classify events as anomaly. Otherwise, they are matched against an Artificial Human Leukocyte Antigen in order to be classified as normal. The accuracy and the computational time of NSNAD are tested under three intrusion detection datasets: NSL-KDD, Kyoto2006? and UNSW-NB15. We compare the performance of NSNAD against a fully supervised algorithm (Naïve Bayes), an unsupervised clustering algorithm (K-means) and a semi-supervised algorithm (One-class SVM) with respect to multiple accuracy metrics. We also compare the time incurred by each algorithm in training and classification stages.

View PDFchevron_right

Related topics

  • Technology
  • Anomaly Detection
  • Self Organized Map
  • Negative Selection Algorithm

    • Cited by

    An interdisciplinary perspective on artificial immune systems
    Jon Timmis

    Evolutionary Intelligence, 2008

    ... Artificial Immune Systems (AIS) is a diverse area of research that attempts to bridge the divide between immunology and engineering and ... such as mathematical and computational modelling of immunology, abstraction from those models into algorithm (and system) design and ...

    View PDFchevron_right
    An Introduction to Artificial Immune Systems
    Mark Read

    Handbook of Natural Computing, 2012

    The field of artificial immune systems (AIS) can be thought of comprising two threads of research: the employment of mathematical and computational techniques in the modelling of immunology, and the incorporation of immune system inspired mechanisms and metaphors in the development of engineering solutions. The former permits the integration of immunological data and sub-models into a coherent whole, which may be of value to immunologists in the facilitation of immunological understanding, hypothesis testing, and the direction of future research. The latter attempts harness the perceived properties of the immune system in the solving of engineering problems. This chapter concentrates on the latter: the development and application of immune inspiration to engineering solutions.

    View PDFchevron_right
    Immunity-Based Aircraft Fault Detection System
    Misty Davies

    AIAA 1st Intelligent Systems Technical Conference, 2004

    In the study reported in this paper, we have developed and applied an Artificial Immune System (AIS) algorithm for aircraft fault detection, as an extension to a previous work on intelligent flight control (IFC). Though the prior studies had established the benefits of IFC, one area of weakness that needed to be strengthened was the control dead band induced by commanding a failed surface. Since the IFC approach uses fault accommodation with no detection, the dead band, although it reduces over time due to learning, is present and causes degradation in handling qualities. If the failure can be identified, this dead band can be further minimized to ensure rapid fault accommodation and better handling qualities. The paper describes the application of an immunity-based approach that can detect a broad spectrum of known and unforeseen failures. The approach incorporates the knowledge of the normal operational behavior of the aircraft from sensory data, and probabilistically generates a set of pattern detectors that can detect any abnormalities (including faults) in the behavior pattern indicating unsafe in-flight operation. We developed a tool called MILD (Multi-level Immune Learning Detection) based on a real-valued negative selection algorithm that can generate a small number of specialized detectors (as signatures of known failure conditions) and a larger set of generalized detectors for unknown (or possible) fault conditions. Once the fault is detected and identified, an adaptive control system would use this detection information to stabilize the aircraft by utilizing available resources (control surfaces). We experimented with data sets collected under normal and various simulated failure conditions using a piloted motion-base simulation facility. The reported results are from a collection of test cases that reflect the performance of the proposed immunity-based fault detection algorithm.

    View PDFchevron_right
    NSNAD: negative selection-based network anomaly detection approach with relevant feature subset
    Mohamed Guerroumi

    Neural Computing and Applications, 2019

    Intrusion detection systems are one of the security tools widely deployed in network architectures in order to monitor, detect and eventually respond to any suspicious activity in the network. However, the constantly growing complexity of networks and the virulence of new attacks require more adaptive approaches for optimal responses. In this work, we propose a semi-supervised approach for network anomaly detection inspired from the biological negative selection process. Based on a reduced dataset with a filter/ranking feature selection technique, our algorithm, namely negative selection for network anomaly detection (NSNAD), generates a set of detectors and uses them to classify events as anomaly. Otherwise, they are matched against an Artificial Human Leukocyte Antigen in order to be classified as normal. The accuracy and the computational time of NSNAD are tested under three intrusion detection datasets: NSL-KDD, Kyoto2006? and UNSW-NB15. We compare the performance of NSNAD against a fully supervised algorithm (Naïve Bayes), an unsupervised clustering algorithm (K-means) and a semi-supervised algorithm (One-class SVM) with respect to multiple accuracy metrics. We also compare the time incurred by each algorithm in training and classification stages.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved