A Formal Framework for Positive and Negative Detection Schemes

IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

Volumn 34, Issue 1, 2004, Pages 357-373

  Esponda, Fernando ^a   Forrest, Stephanie ^a   Helman, Paul ^a  

^a MSC01 1070   (United States)

Author keywords

Anamoly detection; Artificial immune systems; Intrusion detection; Negative detection

Indexed keywords

COMPUTATIONAL METHODS; DATABASE SYSTEMS; DETECTORS; GENETIC ALGORITHMS; IMMUNOLOGY; MATRIX ALGEBRA; PATTERN MATCHING; PROBLEM SOLVING; SET THEORY; STATISTICAL METHODS;

ANAMOLY DETECTION; ARTIFICIAL IMMUNE SYSTEMS; INTRUSION DETECTION; NEGATIVE DETECTION;

PATTERN RECOGNITION;

EID: 0742324903     PISSN: 10834419     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSMCB.2003.817026     Document Type: Article

References (69)

1. S. Forrest, A. S. Perelson, L. Allen, and C. R.Cheru R. Kuri, "Self-non-self discrimination in a computer," in Proc. IEEE Symp. Research Security Privacy, Los Alamitos, CA, 1994.
2. S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff, "A sense of self for Unix processes," in Proc. IEEE Symp. Computer Security Privacy, 1996.
3. P. D'haeseleer, S. Forrest, and P. Helman, "An immunological approach to change detection: algorithms, analysis and implications," in Proc. IEEE Symp. Computer Security Privacy, 1996.
4. D. Dasgupta and S. Forrest, "Novelty detection in time series data using ideas from immunology," in Proc. Int. Conf. Intelligent Systems, 1996.
5. S. Hofmeyr, A. Somayaji, and S. Forrest, "Intrusion detection using sequences of system calls," J. Comput. Security, vol. 6, pp. 151-180, 1998.
6. D. J. Smith, S. Forrest, D. H. Ackley, and A. S. Perelson, "Variable efficacy of repeated annual influenza vaccination," Proc. National Acad. Sciences (PNAS), vol. 96, pp. 14001-14006, 1999.
7. S. Hofmeyr and S. Forrest, "Immunity by design: an artificial immune system," in Proc. Genetic Evolutionary Computation Conf., San Francisco, CA, 1999, pp. 1289-1296.
8. _, "Architecture for an artificial immune system," Evol. Comput. J., vol. 8, no. 4, pp. 443-473, 2000.
9. A. Somayaji and S. Forrest, "Automated response using system-call delays," in Proc. Usenix Security Symp., 2000.
10. J. Balthrop, S. Forrest, and M. Glickman, "Revisting LISYS: parameters and normal behavior," in Proc. Congr. Evolutionary Computation, 2002.
11. J. Balthrop, F. Esponda, S. Forrest, and M. Glickman, "Coverage and generalization in an artificial immune system," in Proc. Genetic Evolutionary Computation Conf., 2002.
12. D. L. Chao and S. Forrest, "An aesthetic immune system (tentative title)," in Proc. Artificial Life VIII: The 8th Int. Conf. Simulation Synthesis Living Systems, May 2002.
13. P. D'haeseleer, "An immunological approach to change detection: theoretical results," in Proc. 9th IEEE Computer Security Foundations Workshop, 1996.
14. S. Hofmeyr, An Immunological Model of Distributed Detection and its Application to Computer Security. Albuquerque, NM: Univ. New Mexico Press, 1999.
15. P. D. Williams, K. P. Anchor, J. L. Bebo, G. H. Gunsch, and G. D. Lamont, "CDIS: Toward a computer immune system for detecting network intrusions," in Proc. Fourth Int. Symp., Recent Adv. Intrusion Detection, W. Lee, L. Me, and A. Wespi, Eds., Berlin, Germany, 2001, pp. 117-133.
16. J. Kim and P. J. Bentley, "An evaluation of negative selection in an artificial immune system for network intrusion detection," in Proc. Genetic Evolutionary Computation Conf., San Francisco, CA, 2001, pp. 1330-1337.
17. S. T. Wierzchon, "Generating optimal repertoire of antibody strings in an artificial immune system," in Intelligent Information Systems, M. A. Klopotek and M. Michalewicz, Eds. Heidelberg, Germany, New York: Physica-Verlag, 2000, pp. 119-133.
18. _, "Discriminative power of the receptors activated by k-contiguous bits rule," J. Comput. Sci. Technol., vol. 1, no. 3, pp. 1-13, 2000.
19. _, "Deriving concise description of nonself patterns in an artificial immune system," in New Learning Paradigm in Soft Computing, S. T. Wierzchon, L. C. Jain, and J. Kacprzyk, Eds. Heidelberg, Germany, New York: Physica-Verlag, 2001, pp. 438-458.
20. W. Lee and S. Stolfo, "Data mining approaches for intrusion detection," in Proc. 7th USENIX Security Symp., 1998.
21. "An agent based architecture for a computer virus immune system," in Proc. GECCO Workshop Artificial Immune Syst., D. Dasgupta, Ed., 2000.
22. G. B. Lamont, R. E. Marmelstein, and D. A. Van Veldhuizen, "A distributed architecture for a self-adaptive computer virus immune system, " in New Ideas in Optimization. London, U.K.: MCGraw-Hill, 1999, Advanced Topics in Computer Science Series, pp. 167-183.
23. M. Burgess, H. Haugerud, and S. Straumsnes, Measuring System Normality I: Scales and Characteristics, 2000.
24. C. Marceau, "Characterizing the behavior of a program using multiple-length N-grams," in Proc. New Security Paradigms Workshop, Cork, Ireland, 2000.
25. M. J. Kearns and U. V. Vazirani, An Introduction to Computational Learning Theory. Cambridge, MA: MIT Press, 1994.
26. J. C. Schlimmer, Concept Acquisition Through Representational Adjustment. Irvine, CA: Univ. California Press, 1987.
27. D. Angulin, "Learning regular sets from queries and counterexamples," Inform. Comput., vol. 75, pp. 87-106, 1987.
28. T. Lane, Machine Learning Techniques for the Computer Security Domain of Anomaly Detection. West Lafayette, IN: Purdue Univ. Press, Aug 2000.
29. Lincoln Laboratories. (1999) DARPA Intrusion Detection Evaluation. [Online]http://www.ll.mit.edu/IST/ideval/index.html
30. D. W. Bradley and A. M. Tyrrell, "The architecture for a hardware immune system," in The Third NASA/DoD Workshop on Evolvable Hardware, D. Keymeulen, A. Stoica, J. Lohn, and R. S. Zebulum, Eds. Long Beach, CA: IEEE Computer Society Press, July 12-14, 2001, pp. 193-200.
31. _, "A hardware immune system for benchmark state machine error detection," in Proc. Congr. Evolutionary Computation, Honolulu, HI, May 2002.
32. _, "Immunotronics: Novel finite state machine architectures with built in Self test using Self-Nonself differentiation," IEEE Trans. Evol. Comput., vol. 6, pp. 227-238, June 2002.
33. D. Dasgupta and F. Gonzalez, "An immunity-based technique to characterize intrusions in computer networks," IEEE Trans. Evol. Comput., vol. 6, June 2002.
34. S. Sathyanath and F. Sahin, "Artificial immune systems approach to a real time color image classification problem," in Proc. IEEE Int. Conf. Syst., Man, Cybern., 2001.
35. D. Q. Naiman, "Statistical anomaly detection via HTTPD data analysis," Comput. Statist. Data Anal., to be published.
36. K. Tan and R. Maxion, ""Why 6?" Defining the operational limits of slide, and anomaly-based intrusion detector," in Proc. IEEE Symp. Security Privacy. Oakland, CA: IEEE Press, 2002.
37. J. W. Kappler, N. Roehm, and P. Marrack, "T-cell tolerance by clonal elimination in the thymus," Cell, vol. 49, pp. 273-280, Apr. 24, 1987.
38. J. K. Percus, O. Percus, and A. S. Perelson, "Predicting the size of the antibody combining region from consideration of efficient self/nonself discrimination," in Proc. Nat. Acad. Sci., vol. 90, 1993, pp. 1691-1695.
39. _, "Probability of self-nonself discrimination," in Theoretical and Experimental Insights into Immunology, A. S. Perelson and G. Weisbuch, Eds. New York: Springer-Verlag, 1992.
40. P. F. Brown, V. J. Delia Pietra, P. V. de Souza, J. C. Lai, and R. L. Mercer, "Class-based n-gram models of natural language," in Proc. IBM Natural Language ITL, Paris, France, 1990.
41. D. E. Denning, "An intrusion-detection model," IEEE Trans. Softw. Eng., vol. SE-2, p. 222, Feb. 1987.
42. H. Teng, K. Chen, and S. Lu, "Adaptive real-time anomaly detection using inductively generated sequential patterns," in Proc. IEEE Symp. Research Computer Security Privacy, Los Alamitos, CA, 1990.
43. H. S. Javitz and A. Valdes, "The SRI IDES statistical anomaly detector," in Proc. IEEE Symp. Research in Security and Privacy, 1991, pp. 316-326.
44. H. S. Javitz, A. Valdes, T. F. Lunt, A. Tamaru, M. Tyson, and J. Lowrance, Next Generation Intrusion Detection Expert System (NIDES). Menlo Park, CA: SRI Int., 1993.
45. P. Helman, G. Liepins, and W. Richards, "Foundations of intrusion detection," in Proc. Fifth Computer Security Foundations Workshop, Franconia, NH, 1992, pp. 114-120.
46. M. Roesch. SNORT. [Online]http://www.snort.org/
47. M. Damashek, "Gauging similarity with n-grams: Language-independent categorization of text," Science, vol. 267, pp. 843-848, 1995.
48. A. Arning, R. Agrawal, and P. Raghavan, "A linear method for deviation detection in large databases," in Proc. 2nd Knowledge Discovery Data Mining, 1996, pp. 164-169.
49. V. Barnett and T. Lewis, Outliers in Statistical Data. New York: Wiley, 1994.
50. E. Eskin, "Anomaly detection over noisy data using learned probability distributions," in Proc. 17th Int. Conf. Machine Learning, San Francisco, CA, 2000, pp. 255-262.
51. D. H. Fisher, "Knowledge acquisition via incremental conceptual clustering," Machine Learning, vol. 2, no. 2, pp. 139-172, 1987.
52. D. Freedman, R. Psani, and R. Purves, Statistics. New York: W. W. Norton, 1978.
53. H. Garcia-Molina, J. Ullman, and J. Widom, Database Systems: The Complete Book. Englewood Cliffs, NJ: Prentice-Hall, 2001.
54. S. J. Hanson and M. Bauer, "Conceptual clustering, categorization, and polymorphy," Machine Learning, vol. 3, no. 4, pp. 343-372, 1989.
55. P. Helman and G. Liepins, "Statistical foundations of audit trail analysis for the detection of computer misuse," IEEE Trans. Softw. Eng., vol. 19, pp. 886-901, Sept. 1993.
56. P. Helman and J. Bhangoo, "A statistically based system for prioritizing information exploration under uncertainty," IEEE Trans. Syst., Man, Cybern., vol. 27, pp. 449-466, July 1997.
57. P. Helman and R. Gore, "Prioritizing information for the discovery of phenomena," J. Intell. Inform, Syst., vol. 11, no. 2, pp. 99-138, Sept/Oct. 1998.
58. D. Hoaglin, F. Mosteller, and J. Tukey, Understanding Robust and Exploratory Data Analysis, New York: Wiley, 1983.
59. A. Jain and R. Dubes, Algorithms for Clustering Data. Englewood Cliffs, NJ: Prentice-Hall, 1988.
60. L. Kaufman and P. Rousseeuw, Finding Groups in Data. New York: Wiley, 1990.
61. E. Knorr and R. Ng, "A unified approach for mining: Properties and computation," in Proc. 3rd Knowledge Discovery Data Mining, 1997, pp. 219-222.
62. _, "Algorithms for mining distance based outliers in large databases," in Proc. 24th VLDB, 1998, pp. 392-403.
63. D. Maier, The Theory of Relational Databases. New York: Computer Science Press, 1983.
64. R. Ng and J. Han, "Efficient and effective clustering methods for spacial datamining," in Proc. 20th VLDB, 1994, pp. 144-155.
65. G. Salton and M. J. McGill, Introduction to Modern Retrieval. New York: McGraw-Hill, 1983.
66. J. T. Tou and R. C. Gonzalez, Pattern Recognition Principles. Reading, MA: Addison Wesley, 1974.
67. D. Gusfield, Algorithms on Strings, Trees, and Sequences: Computer Science and Computational Biology. Cambridge, U.K.: Cambridge Univ. Press, 1997.
68. B. Scholköpf and A. Smola, Learning with Kernels. Cambridge, MA: MIT Press, 2002.
69. C.Carla Marceau. Characterizing the behavior of a program using multiple-length n-grams. presented at Proc. New Security Paradigm Workshop. [Online]ftp://ftp.oracorp.com/documents/MultiLengthStrings.pdf