A Comparative Study of Negative Selection Based Anomaly Detection in Sequence Data

  • Johannes Textor
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7597)

Abstract

The negative selection algorithm is one of the oldest immune-inspired classification algorithms and was originally intended for anomaly detection tasks in computer security. After initial enthusiasm, performance problems with the algorithm lead many researchers to conclude that negative selection is not a competitive anomaly detection technique. However, in recent years, theoretical work has lead to substantially more efficient negative selection algorithms. Here, we report the results of the first evaluation of negative selection with r-chunk and r-contiguous detectors that employs these novel algorithms. On a collection of 14 datasets from real-world sources, we compare negative selection with r-chunk and r-contiguous detectors against techniques based on kernels, finite state automata, and n-gram frequencies, and find that negative selection performs competitively, yielding a slightly better average performance than all other techniques investigated. Because this study represents, to our knowledge, the most comprehensive one of string-based negative selection to date, the widely held view that negative selection is not a competitive anomaly detection technique may be inaccurate.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 202–212. IEEE Computer Society Press (1994)Google Scholar
  2. 2.
    Forrest, S., Hofmeyr, S.A., Somayaji, A.: Computer immunology. Communications of the ACM 40, 88–96 (1997)CrossRefGoogle Scholar
  3. 3.
    Kim, J., Bentley, P.J.: An evaluation of negative selection in an artificial immune system for network intrusion detection. In: Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), pp. 1330–1337. Morgan Kaufmann (2001)Google Scholar
  4. 4.
    D’haeseleer, P., Forrest, S., Helman, P.: An immunological approach to change detection: Algorithms, analysis, and implications. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 110–119. IEEE Computer Society (1996)Google Scholar
  5. 5.
    Timmis, J., Hone, A., Stibor, T., Clark, E.: Theoretical advances in artificial immune systems. Theoretical Computer Science 403, 11–32 (2008)MathSciNetMATHCrossRefGoogle Scholar
  6. 6.
    Hofmeyr, S.A., Forrest, S., Somayaji, A.: Intrusion detection using sequences of system calls. Journal of Computer Security 6, 151–180 (1998)Google Scholar
  7. 7.
    Balthrop, J., Esponda, F., Forrest, S., Glickman, M.R.: Coverage and generalization in an artificial immune system. In: Proceedings of the 2002 Genetic and Evolutionary Computation Conference (GECCO 2002), pp. 1045–1050 (2002)Google Scholar
  8. 8.
    Stibor, T.: On the Appropriateness of Negative Selection for Anomaly Detection and Network Intrusion Detection. PhD thesis, Technische Universität Darmstadt (2006)Google Scholar
  9. 9.
    Stibor, T.: An Empirical Study of Self/Non-self Discrimination in Binary Data with a Kernel Estimator. In: Bentley, P.J., Lee, D., Jung, S. (eds.) ICARIS 2008. LNCS, vol. 5132, pp. 352–363. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Elberfeld, M., Textor, J.: Efficient Algorithms for String-Based Negative Selection. In: Andrews, P.S., Timmis, J., Owens, N.D.L., Aickelin, U., Hart, E., Hone, A., Tyrrell, A.M. (eds.) ICARIS 2009. LNCS, vol. 5666, pp. 109–121. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Elberfeld, M., Textor, J.: Negative selection algorithms on strings with efficient training and linear-time classification. Theoretical Computer Science 412, 534–542 (2011)MathSciNetMATHCrossRefGoogle Scholar
  12. 12.
    Stibor, T., Timmis, J., Eckert, C.: The link between r-contiguous detectors and k-CNF satisfiability. In: Proceedings of the Congress on Evolutionary Computation (CEC), pp. 491–498. IEEE Press (2006)Google Scholar
  13. 13.
    Chandola, V., Mithal, V., Kumar, V.: A comparative evaluation of anomaly detection techniques for sequence data. In: Proceedings of the 2008 Eighth IEEE International Conference on Data Mining (ICDM 2008), pp. 743–748 (2008)Google Scholar
  14. 14.
    Moya, M.M., Hush, D.R.: Network constraints and multi-objective optimization for one-class classification. Neural Networks 9(3), 463–474 (1996)CrossRefGoogle Scholar
  15. 15.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: A survey. ACM Computing Surveys 41(3), 1–58 (2009)CrossRefGoogle Scholar
  16. 16.
    Chapelle, O., Schölkopf, B., Zien, A. (eds.): Semi-Supervised Learning. Adaptive Computation and Machine Learning series. The MIT Press (2006)Google Scholar
  17. 17.
    Liśkiewicz, M., Textor, J.: Negative selection algorithms without generating detectors. In: Proceedings of Genetic and Evolutionary Computation Conference (GECCO 2010), pp. 1047–1054. ACM (2010)Google Scholar
  18. 18.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting intrusions using system calls: Alternative data models. In: IEEE Symposium on Security and Privacy, pp. 133–145. IEEE Computer Society (1999)Google Scholar
  19. 19.
    Michael, C.C., Ghosh, A.: Two state-based approaches to program-based anomaly detection. In: Proceedings of the 16th Annual Computer Security Applications Conference, p. 21 (2000)Google Scholar
  20. 20.
    Jain, A.K., Dubes, R.C.: Algorithms for Clustering Data. Prentice Hall (1988)Google Scholar
  21. 21.
    Melville, H.: Moby-Dick, or, The Whale. Hendricks House, New York (1952)Google Scholar
  22. 22.
    Bateman, A., Birney, E., Durbin, R., Eddy, S.R., Howe, K.L., Sonnhammer, E.L.: The PFAM protein families database. Nucleic Acids Research 28, 263–266 (2000)CrossRefGoogle Scholar
  23. 23.
    Forrest, S., Hofmeyr, S.A., Somayaji, A., Longstaff, T.A.: A sense of self for unix processes. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 120–128. IEEE Computer Society, Washington, DC (1996)Google Scholar
  24. 24.
    Lippmann, R.P., et al.: Evaluating intrusion detection systems – the 1998 DARPA offline intrusion detection evaluation. In: DARPA Information Survivability Conference and Exposition (DISCEX) 2000, vol. 2, pp. 12–26. IEEE Computer Society Press (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Johannes Textor
    • 1
  1. 1.Theoretical Biology & BioinformaticsUniversiteit UtrechtUtrechtThe Netherlands

Personalised recommendations