\subsection{Negative Selection Approach}

Dasgupta \& Gonzalez (2002-A) => tec-02.pdf proposed two methods: (1) a positive characterization (PC) method, based on nearest-neighbor classification; and (2) a negative characterization (NC) method, based on the negative selection of AIS. As the title of the paper indicates, the authors' concern was detecting network intrusion, and the experiments accordingly use real intrusion data from the Lincoln Laboratory of the Massachusetts Institute of Technology, the so-called DARPA Intrusion Detection Evaluation (DARPA, 1999). The authors represented the data as $n$-dimensional real vectors $(x_1, x_2, \cdots, x_n)$ with $x_i \in [0, 1]$ for all $i$.

Our interest here is in the NC method. It is based on the idea of Forrest and co-workers (1994) to discriminate self from non-self patterns by a negative selection algorithm. While in the proposal by Forrest et al. both the self and non-self patterns are binary strings, in this paper the patterns are strings of continuous variables. The detectors of non-self are hyper-rectangles in the $n$-dimensional space $[0, 1]^n$. To be more specific, the $j$-th detector implements a rule
\[
\text{IF } x_1 \in [a_1^j, b_1^j] \text{ AND } x_2 \in [a_2^j, b_2^j] \text{ AND } \cdots \text{ AND } x_n \in [a_n^j, b_n^j] \text{ THEN } {\bf x} \text{ is non-self.}
\]
A so-called Sequential Niching GA is used to evolve rules to cover the non-self space. A rule is considered good if it covers no positive (self) samples and its volume is large; these two criteria constitute the fitness value of each detector.

Gonzalez and Dasgupta (2002) proposed essentially the same concept as above, with two differences. First, in Dasgupta \& Gonzalez (2002) the decision between self and non-self is crisp, whereas in Gonzalez \& Dasgupta fuzzy logic is used: the discrimination is by a membership function, i.e., the degree to which ${\bf x}$ is likely to be non-self. Second, the GA is a so-called Deterministic Crowding GA. In any case, the algorithm is basically as follows.
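The rule representation and the two fitness criteria described above (large volume, no coverage of self samples) can be sketched as follows. This is a minimal illustration, not the authors' implementation: the Sequential Niching GA is replaced by naive generate-and-censor random search, and the penalty weight is an assumed parameter.

```python
import random

def matches(rule, x):
    """A detector rule fires when every coordinate of x lies in the
    rule's interval [a_i, b_i] for that dimension."""
    return all(a <= xi <= b for (a, b), xi in zip(rule, x))

def volume(rule):
    """Volume of the hyper-rectangle; a proxy for non-self coverage."""
    v = 1.0
    for a, b in rule:
        v *= b - a
    return v

def fitness(rule, self_points, penalty=10.0):
    """A rule is good if its volume is large and it covers no self
    samples; 'penalty' is an assumed weight, not from the paper."""
    covered = sum(matches(rule, x) for x in self_points)
    return volume(rule) - penalty * covered / max(len(self_points), 1)

def random_valid_rules(self_points, n_dims, n_rules, max_side=0.3, seed=0):
    """Generate-and-censor stand-in for the GA: keep random
    hyper-rectangles in [0, 1]^n that match no self sample."""
    rng = random.Random(seed)
    rules = []
    while len(rules) < n_rules:
        rule = []
        for _ in range(n_dims):
            a = rng.uniform(0.0, 1.0 - max_side)
            rule.append((a, a + rng.uniform(0.0, max_side)))
        if not any(matches(rule, s) for s in self_points):
            rules.append(rule)
    return rules
```

At classification time, ${\bf x}$ is labeled non-self if any rule in the evolved set matches it.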
......

\section{AIS}

Though the two papers introduced in the previous subsection referred to negative selection, which is a concept of AIS, the evolution is carried out by a GA, not by an AIS; the other difference is hyper-spheres instead of hyper-rectangles.

[I] <> [7][8]

[7] D. Dasgupta and F. Gonzalez (2002) ---> tec02.pdf "An Immunity-Based Technique to Characterize Intrusions in Computer Networks," IEEE Transactions on Evolutionary Computation, Vol. 6, pp. 1081--1088 (???).

[8] F. Gonzalez and D. Dasgupta (2002) "An immunogenetic technique to detect anomalies in network traffic," Proceedings of the Genetic and Evolutionary Computation Conference, pp. 1081--1088 (???), Morgan Kaufmann, 9--13 July 2002.

The negative-selection algorithm employed in these two papers can be summarized as follows ([14]):

1. Define self as a collection $S$ of elements in a feature space $U$, a collection that needs to be monitored.

2. Generate a set $R$ of detectors, each of which fails to match any string in $S$.

"The elements of self/non-self space are represented by n-dimensional real vectors." "The detectors correspond to hyper-rectangles and have a high level representation as rules." "The detectors are evolved using a genetic algorithm that maximizes the covering of the non-self space while minimizing the matching of self points."

----- paraphrase by me -----

We now assume a set $S$ --- a collection of $p$ points in $n$-dimensional Euclidean space --- each of which should be recognized as {\it self}. Then we have $R$ --- a set of {\it detectors}. The phenotype of a detector is a set of $k$ rules:
---
R-1: IF ... THEN non-self
......
R-$k$: IF ... THEN non-self
---
where $(x_1, \cdots, x_n)$ is a feature vector with each $x_i \in [0, 1]$, and the condition part of rule $i$ is $x_1 \in [a_1^i, b_1^i]$ AND $x_2 \in [a_2^i, b_2^i]$ AND $\cdots$ AND $x_n \in [a_n^i, b_n^i]$.

==========================================================

[II] J. Gomez, F. Gonzalez, and D.
Dasgupta (2003) "An Immuno-Fuzzy Approach to Anomaly Detection," Proceedings of the 12th IEEE International Conference on Fuzzy Systems, Vol. 2, pp. 1219--1224. The authors propose "a new technique for generating a set of fuzzy rules that can characterize the non-self space (abnormal) using only self (normal) samples."

========

[III] Z. Ji and D. Dasgupta (2004) "Augmented Negative Selection Algorithm with Variable-Coverage Detectors," Proceedings of the Congress on Evolutionary Computation.

=======

[Datasets for test]

"To demonstrate the basic behavior of V-detector algorithm, synthesized datasets are used." --- which is what I am most interested in. "Then, the benchmark Fisher's Iris data and more real-world datasets are used to further examine its performance and compare with other methods."

The synthesized datasets are, to be more specific, as follows: "The training set is 100 randomly picked points in the self region and the test data are 1000 randomly distributed points over the entire square."

The authors wrote: "[The] smaller self radius would result[] in high detection rate but high false alarm too, so it is suitable for the scenario when detecting all or most abnormals is very important. On the other hand, larger self radius would result in low detection rate [and] low false alarm, thus suitable when we need to try the best to avoid false alarm."

[References]

[DARPA, 1999] Available online at http://www.ll.mit.edu/IST/ideval/index.html

[Forrest, S., A. Perelson, L. Allen, and R. Cherukuri, 1994] "Self-nonself discrimination in a computer," Proc. IEEE Symp. Research in Security and Privacy, pp. 202--212.
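The self-radius tradeoff quoted above can be illustrated with a minimal sketch in the spirit of the V-detector idea: each detector is a hypersphere whose radius is set by the distance from its center to the nearest self point minus the self radius, so detectors have variable coverage, and a smaller self radius yields larger detectors (higher detection rate, but more false alarms near self). Function and parameter names here are mine, not Ji and Dasgupta's.

```python
import math
import random

def v_detectors(self_points, self_radius, n_detectors=20, dim=2, seed=1):
    """Sketch of variable-coverage detector generation: pick a random
    center in [0, 1]^dim, give it the largest radius that keeps it
    clear of every self hypersphere, and discard centers that fall
    inside the self region."""
    rng = random.Random(seed)
    detectors = []
    while len(detectors) < n_detectors:
        c = tuple(rng.random() for _ in range(dim))
        d_min = min(math.dist(c, s) for s in self_points)
        r = d_min - self_radius  # variable radius, per detector
        if r > 0:                # center inside self region -> discard
            detectors.append((c, r))
    return detectors

def detects(detectors, x):
    """x is flagged as non-self if it falls inside any detector."""
    return any(math.dist(c, x) <= r for c, r in detectors)
```

By construction every detector sphere is disjoint from the self hyperspheres, so self samples are never flagged; shrinking `self_radius` inflates every detector, which is the high-detection / high-false-alarm end of the tradeoff.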