Our Project

A Survey on Anomaly Ditection

by Akira Imada (December 2004)

All the topic of this page is, in short, designing an algorithm to detect patterns called 'non-self' (anomalcy) among patterns called 'self' (nomalcy). Those patterns are basically in a n dimensional Eucledean space.

Anomaly Detection in General --- Artificial Immune System (AIS) Approach

We explore, first of all, anomaly detection by AIS in this section of this page.

Title of this section includes "in General" while some of the papers bellow describe specifically "Network Intrusion." IMHO, however, the algorithms proposed are easily extended to more general case of "Anomaly Detection."

Detection of Binary Encoded Anomaly

Let's start with binary-pattern detection as anomaly, since one of my concerns is search for a-needle-in-a-haystack problem.
- [6] F. Esponda, S. Forrest, and P. Helman (2004) "A formal framework for positive and negative detection." IEEE Transactions on Systems, Man, and Cybernetics 34:1 pp. 357-373.
  
  A matching rule "r-chunk" is proposed
- [15] Ayara, M., J. Timmis, R. D. Lemos, L. N. D. Castro, and R. Duncan (2002) "Negative Selection: How to Generate Detectors." Proceedings of 1st International Conference on Artificial Immune Systems (ICARIS) pp. 89--98.

Clonal Selection
- An Artificial Immune Model for Network Intrusion Detection J. Kim and P. Bentley
  
  Althought this paper specifically intends to propose a Network Intrusion Detection System, the algorithm could be easily extended to a general Anomaly Detection. Authors wrote:
Positive Selection

[31] Kwee-Bo Sim and Dong-Wook Lee (2003) "Modeling of Positive Selection for the Development of a Computer Immune System and a Self-Recognition Algorithm." International Journal of Control, Automation, and Systems Vol. 1, No. 4, pp. 453--458

Authors wrote:

"In immune systems, T cells are produced through both positive and negative selection. Positive selection is the process used to determine a MHC receptor that recognizes self-molecules. Negative selection is the process used to determine an antigen receptor that recognizes antigen, or the nonself cell. In this paper, we propose a novel self-recognition algorithm based on the positive selection of T cells. ...... We also compare the self-recognition algorithm based on positive selection with the anomaly-detection algorithm."
Negative Selection

[4] Gonzalez, F., D. Dasgupta, J. Gomez, The Effect of Binary Matching Rules in Negative Selection, GECCO-03, 2003

[6] Esponda, F., S. Forrest, P. Helman, A Formal Framework for Positive and Negative Detection Scheme, IEEE Transaction on Systems, Man, and Cybernetics, 2003

[11] Ceong, H. T., et al, Complementary Dual Detectors for Effective Classification, ICARIS-03, 2003

[13] Kim, J., et al, An evaluation of negative selection in an artificial immune system for network intrusion detection, in Proceedings Genetic Evolutionary Computation Conference, San Francisco, 2001

[15] Ayara, M., J. Timmis, R. de Lemos, L. de Castro, and R. Duncan, Negative Selection: How to Generate Detectors, 1st ICARIS, 2002

What we should specially note in algorithms using negative selection is only the negative (or normal) training data are needed as Dasgupta et all wrote in

Dasgupta, et al (1899) "An Anomaly Detection Algorithm Inspired by the Immune System." (Dasgupta et al. Eds), Artificial Immune System and Their Application

Dasgupta's group in Memphis US gave us an excellent series of systematic proposal every year of a detector to detect "non-self" in the continuous multi-dimensional Eucledian space. The following a couple of papers are by Dasgupta's group from newer to older ones.

Z. Ji and D. Dasgupata (2004) "Augmented Negative Selection Algorithm with Variable-Coverage Detectors." Proceedings of the Congress on Evolutionary Computation

As authors denote, Negative selection in this series of papers are very simple in the sense that

"The inspiration of negative selection, or negative detection, came from the T cell development process in the thymus. If a T cell recognizes self cells, it is eliminated before deployment for immune functionality. In an analogous manner, the negative selection algorithm generates the detector set by eliminating any detector candidates that match self samples. It is thus used as an anomaly detection mechanism with the advantage that only the negative (or 'normal') training data are needed.

Then authors proposed two algorithms: one is to generate detectors of constant sized and the other variable sized sperers. (See my article "Hints for Implementations".

F. Gonzalez, D. Dasgupta and L.F. Nino (2003) "A Randomized Real-Valued Negative Selection Algorithm. Proceedings of the 2nd International Conference on Artificial Immune Systems,

Immuno-fuzzy Approach

J. Gomez, F. Gonzalez, and D. Dasgupta (2003) "An Immuno-Fuzzy Approach to Anomaly Detection" proceedings of the 12th IEEE International Conference on Fuzzy Systems, Vol. 2, pp. 1219-1224.

Fuzzy Rules not based on Immune System but Evolved by Genetic Algorithm

J. Gomez and D. Dasgupta "Evolving Fuzzy Classifiers for Intrusion Detection"

Authors wrote:
"proposes a technique to generate good fuzzy classifiers using genetic algorithms that can detect anomalies ... The main idea is to evolve two rules, one for the normal class and other for the abnormal class ..."
And their algorithm is in

J. Gomez, O. Nasraoui, D. Dasgupta, and F. Gonzalez (2002) "Complete Expression Trees for Evolving Fuzzy Classifier Systems with Genetic Algorithms and Application to Network Intrusion Detection." Proceedings of the IEEE, North American Fuzzy Information Processing Society Conference on Fuzzy Learning.

Also the detailed algorithm seems to be in

J. Gomez and D. Dasgupta (2002) "Using Competitive Operators and a Local Selection Scheme in Genetic Search." Proceedings (Late-Breaking) of the Genetic and Evolutionary Computation Conference, pp. 193-200.

Using-Competitive-Operators-and-a-Local-Selection-Scheme-in-Genetic-Search." But I have not succeeded in getting the paper via Internet.

Messy-GA Approach

F. HOFFMANN Soft Computing Techniques for the Design of Mobile Robot Be- haviours"

F. Hofmann and G. Pfister (1995) "A New Learning Method for the Design of Hierarchical Fuzzy Controllers Using Messy Genetic Algorithms"

M. M. Chowdhury and Yun Li "Messy Genetic Algorithm Based New Learning Method for Structurally Optimised Neurofuzzy Controllers"

This is not a paper describing anomaly detection, but good article for a messy-GA implementation.

Yet Another Intrusion Detection --- Data Mining Approach

W. Lee and S. Stolfo (1998) "Data mining approaches for intrusion detection" Proceedings of the 7th USENIX security symposium (San Antonio, TX).

Anomaly Detection in Particular --- Network Intrusion Detection --- Proposals in a more Concrete Way

A Survey on Anomaly Ditection

Anomaly Detection in General --- Artificial Immune System (AIS) Approach

Immuno-fuzzy Approach

Fuzzy Rules not based on Immune System but Evolved by Genetic Algorithm

Messy-GA Approach

Yet Another Intrusion Detection --- Data Mining Approach

Anomaly Detection in Particular --- Network Intrusion Detection --- Proposals in a more Concrete Way