Our Project

A Survey on Anomaly Ditection

by Akira Imada (December 2004)

All the topic of this page is, in short, designing an algorithm to detect patterns called 'non-self' (anomalcy) among patterns called 'self' (nomalcy). Those patterns are basically in a n dimensional Eucledean space.

Anomaly Detection in General --- Artificial Immune System (AIS) Approach

We explore, first of all, anomaly detection by AIS in this section of this page.

Title of this section includes "in General" while some of the papers bellow describe specifically "Network Intrusion." IMHO, however, the algorithms proposed are easily extended to more general case of "Anomaly Detection."

Detection of Binary Encoded Anomaly

Let's start with binary-pattern detection as anomaly, since one of my concerns is search for a-needle-in-a-haystack problem.
- [1] Ayara, M., J. Timmis, R. D. Lemos, L. N. D. Castro, and R. Duncan (2002) "Negative Selection: How to Generate Detectors." Proceedings of 1st International Conference on Artificial Immune Systems (ICARIS) pp. 89--98.
  
  After a short summary of "Exhaustive Detector Generating Algorithm" as a basis for comparison, the authors showed "Greedy Detector Generating Algorithm" in which matching rule "r-chunk" is exploit. The author wrote that a more detailed algorithm was described in:
  - [2] P. Helman and S. Forrest (1994) "An Efficient Algorithm for Generating Random Antibody Strings." Technical Report 94-07, University of New Mexico, Albuquerque, NM.
  But so far I have not succeded in getting it via ftp. Don't worry, however, I finally found a detaild description of "r-contiguous bits matching" in the paper
  - [3] P. D'haeseleer, S. Forrest, and P. Helman (1996) "An immunological approach to change detection: algorithms, analysis and implications." Proceedings of the 1996 IEEE Symposium on Computer Security and Privacy, pp. 110--119.
    
    See Section 2.2 "Linear time detector generating algorithm". Also above mentioned "Greedy Detector Generating Algorithm" is from Section 2.3.
  A simplest question of "how many strings can a single detector match with at least r contiguous bit positions?" is addressed in
  - [4] F. Esponda, S. Forrest (2002) "Detector coverage under the r-contiguous bits matching rule." University of New Mexico Technical Report TR-CS-2002-03.
The other analysis for detector of anomalies in binary space is found in
- [5] F. Esponda, S. Forrest, and P. Helman (2004) "A formal framework for positive and negative detection." IEEE Transactions on Systems, Man, and Cybernetics 34:1 pp. 357-373.

Clonal Selection
- [6] J. Kim and P. Bentley "An Artificial Immune Model for Network Intrusion Detection"
  
  Althought this paper specifically intends to propose a Network Intrusion Detection System, the algorithm could be easily extended to a general Anomaly Detection. Authors wrote:
Positive Selection

[7] Kwee-Bo Sim and Dong-Wook Lee (2003) "Modeling of Positive Selection for the Development of a Computer Immune System and a Self-Recognition Algorithm." International Journal of Control, Automation, and Systems Vol. 1, No. 4, pp. 453--458

Authors wrote:

"In immune systems, T cells are produced through both positive and negative selection. Positive selection is the process used to determine a MHC receptor that recognizes self-molecules. Negative selection is the process used to determine an antigen receptor that recognizes antigen, or the nonself cell. In this paper, we propose a novel self-recognition algorithm based on the positive selection of T cells. ...... We also compare the self-recognition algorithm based on positive selection with the anomaly-detection algorithm."
Negative Selection

What we should specially note in algorithms using negative selection is "only the negative (or normal) training data are needed" as Dasgupta et all wrote in

[8] Dasgupta, et al (1999) "An Anomaly Detection Algorithm Inspired by the Immune System." Dasgupta et al. (Eds), Artificial Immune System and Their Application

Dasgupta's group in Memphis US gave us an excellent series of systematic proposal every year of a detector to detect "non-self" in the continuous multi-dimensional Eucledian space. The following a couple of papers are by Dasgupta's group from newer to older ones.

[9] Z. Ji and D. Dasgupata (2004) "Augmented Negative Selection Algorithm with Variable-Coverage Detectors." Proceedings of the Congress on Evolutionary Computation

As authors denote, Negative selection in this series of papers are very simple in the sense that

"The idea of negative selection was from T cell development process in the thymus. If a T cell recognizes self cells, it is eliminated before deployment for immune functionality. In an analogous manner, the negative selection algorithm generates the detector set by eliminating any detector candidates that match self samples. It is thus used as an anomaly detection mechanism with the advantage that only the negative (normal) training data are needed.

Then authors proposed two algorithms: one is to generate detectors of constant sized and the other variable sized sphers. (See my article "Hints for Implementations".

This paper is currently the latest vergion of them in this series, but the described algorithm is not easy to interpret, unfortunately. So I reccommend to read

[10] F. Gonzalez, D. Dasgupta (2003) "Anomaly Detection Using Real-Valued Negative Selection." Genetic Programming and Evolvable Machines, Vol. 4 No. 4, Kluwer Academic Press, pp 383-403.

This is not with the same concept as [9] but a continuous version of "Greedy Detector Generating Algorithm" originally proposed in [3] and employed also in [1] as mentioned above.

The other ones in the series by Dasgupt's group:

[11] F. Gonzalez, D. Dasgupta and L. F. Nino (2003) "A Randomized Real-Valued Negative Selection Algorithm." Proceedings of the 2nd International Conference on Artificial Immune Systems, pp. 261-272

This is one of the previous papers of [9] above, mentioning "the optimal number of detectors needed to cover the non-self space, and the maximization of the non-self coverage."

[12] Gonzalez, F., D. Dasgupta, J. Gomez (2003) "The Effect of Binary Matching Rules in Negative Selection." GECCO-03.

[13] D. Dasgupta and N. S. Majumdar (2002) "Anomaly detection in Multidimensional Data using Negative Selection algorithm." Proceedings of the Congress on Evolutionary Computation, Vol. 2, pp. 1039-1044.

Also negative selection by other groups.

[14] Ceong, H. T., et al, (2003) "Complementary Dual Detectors for Effective Classification." ICARIS-03, pp.242-248.

Copy right of this paper is protected by Springer and not accessible for free charge.

[15] J. Kim and P. Bentley (2001) "An evaluation of negative selection in an artificial immune system for network intrusion detection." Proceedings Genetic Evolutionary Computation Conference pp. 1330--1337.

Immuno-fuzzy Approach

[16] J. Gomez, F. Gonzalez, and D. Dasgupta (2003) "An Immuno-Fuzzy Approach to Anomaly Detection" proceedings of the 12th IEEE International Conference on Fuzzy Systems, Vol. 2, pp. 1219-1224.

Again by the Gomez, Gonzalez and Dasgupt group but a different approach.

Fuzzy Rules not based on Immune System but Evolved by Genetic Algorithm

[17] J. Gomez and D. Dasgupta (2001) "Evolving Fuzzy Classifiers for Intrusion Detection" Proc. of IEEE Workshop on Information Assurance.

Authors wrote:

"proposes a technique to generate good fuzzy classifiers using genetic algorithms that can detect anomalies ... The main idea is to evolve two rules, one for the normal class and other for the abnormal class ..."

And their algorithm is in

[18] J. Gomez, O. Nasraoui, D. Dasgupta, and F. Gonzalez (2002) "Complete Expression Trees for Evolving Fuzzy Classifier Systems with Genetic Algorithms and Application to Network Intrusion Detection." Proceedings of the IEEE, North American Fuzzy Information Processing Society Conference on Fuzzy Learning. pp. 469- 474.

Also the detailed algorithm seems to be in

[19] J. Gomez and D. Dasgupta (2002) "Using Competitive Operators and a Local Selection Scheme in Genetic Search." Proceedings (Late-Breaking) of the Genetic and Evolutionary Computation Conference, pp. 193-200.

But I have not succeeded in getting the paper via Internet and it has not been possible to contact the first author (Gomes) in Columbia.

Messy-GA Approach

[20] F. HOFFMANN Soft Computing Techniques for the Design of Mobile Robot Be- haviours"

[21] F. Hofmann and G. Pfister (1995) "A New Learning Method for the Design of Hierarchical Fuzzy Controllers Using Messy Genetic Algorithms"

[22] M. M. Chowdhury and Yun Li "Messy Genetic Algorithm Based New Learning Method for Structurally Optimised Neurofuzzy Controllers"

This is not a paper describing anomaly detection, but good article for a messy-GA implementation.

Yet Another Intrusion Detection --- Data Mining Approach

[23] W. Lee and S. Stolfo (1998) "Data mining approaches for intrusion detection" Proceedings of the 7th USENIX security symposium pp. 79--94.