A Formal Framework for Positive and Negative Detection Schemes

Abstract: Abstract-In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between posi… Show more

“…The r-chunks match rule, on which our paper focuses, was introduced in [3,12]. It is a simplification of the r-contiguous bits (rcb) match rule [13,28,29], which has been used in many artificial immune system projects.…”

“…The crossover closure was introduced in [12], where it was restricted to contiguous windows of attributes. Here, we remove this restriction and extend it to a set of features.…”

“…For example, many of the results we present apply both to positive detection and negative detection systems, and can be used to examine tradeoffs between these two detection schemes. In an earlier paper, we developed an extensive formal framework for analyzing positive and negative detection under various matching criteria [12]. Much of this paper is devoted to summarizing those earlier results, illuminating their importance for artificial immune systems and extending them to cover a more general set of conditions.…”

The Crossover Closure and Partial Match Detection

“…The r-chunks match rule, on which our paper focuses, was introduced in [3,12]. It is a simplification of the r-contiguous bits (rcb) match rule [13,28,29], which has been used in many artificial immune system projects.…”

“…The crossover closure was introduced in [12], where it was restricted to contiguous windows of attributes. Here, we remove this restriction and extend it to a set of features.…”

“…For example, many of the results we present apply both to positive detection and negative detection systems, and can be used to examine tradeoffs between these two detection schemes. In an earlier paper, we developed an extensive formal framework for analyzing positive and negative detection under various matching criteria [12]. Much of this paper is devoted to summarizing those earlier results, illuminating their importance for artificial immune systems and extending them to cover a more general set of conditions.…”

The Crossover Closure and Partial Match Detection

“…This paper focuses on the problem of efficient generation of detectors when a realvalued representation of the self/non-self space is used. Other important issues concerning the NS algorithm are discussed elsewhere (positive vs negative detection [6,9], representation and matching rules [10,12], applications [3]), and thus they are not considered in this paper.…”

“…This higher-level representation provides some advantages such as increased expressiveness, the possibility of extracting high-level knowledge from the generated detectors, and, in some cases, improved scalability [9,11]. However, this algorithm lacks the theoretical support of the binary negative selection algorithm [5,6]. The main difficulties due to the lack of theoretical support include:…”

A Randomized Real-Valued Negative Selection Algorithm

Tracking the complexity of interactions between risk incidents and engineering systems