Abstract
A model that can detect anomalies, even when trained only with normal samples, and can learn from encounters with new anomalies is proposed. The model combines a negative selection algorithm and a self-organizing map (SOM) in an immune-inspired architecture. One of the main advantages of the proposed system is that it is able to produce a visual representation of the self/non-self feature space, thanks to the topological two-dimensional map produced by the SOM. Experimental results with anomaly and classification data are presented and discussed.
Abbreviations
- ADR: average detection rates
- AFAR: average false alarm rates
- AIS: artificial immune systems
- LVQ: learning vector quantization
- NIS: natural immune system
- NS: negative selection
- PCA: principal component analysis
- RRNS: randomized real-valued negative selection
- SOM: self-organizing map
- UA: unknown anomaly
Cite this article
González, F., Galeano, J., Rojas, D. et al. A neuro-immune model for discriminating and visualizing anomalies. Nat Comput 5, 285–304 (2006). https://doi.org/10.1007/s11047-006-9003-y
DOI: https://doi.org/10.1007/s11047-006-9003-y