A Comparative Study of Real-Valued Negative Selection to Statistical Anomaly Detection Techniques

  • Thomas Stibor
  • Jonathan Timmis
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3627)


The (randomized) real-valued negative selection algorithm is an anomaly detection approach, inspired by the negative selection immune system principle. The algorithm was proposed to overcome scaling problems inherent in the hamming shape-space negative selection algorithm. In this paper, we investigate termination behavior of the real-valued negative selection algorithm with variable-sized detectors on an artificial data set. We then undertake an analysis and comparison of the classification performance on the high-dimensional KDD data set of the real-valued negative selection, a real-valued positive selection and statistical anomaly detection techniques. Results reveal that in terms of detection rate, real-valued negative selection with variable-sized detectors is not competitive to statistical anomaly detection techniques on the KDD data set. In addition, we suggest that the termination guarantee of the real-valued negative selection with variable-sized detectors is very sensitive to several parameters.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Forrest, S., Perelson, A.S., Allen, L., Cherukuri, R.: Self-nonself discrimination in a computer. In: Proceedings of the 1994 IEEE Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos (1994)Google Scholar
  2. 2.
    D’haeseleer, P.: An immunological approach to change detection: Theoretical results. In: Proc. 9th IEEE Computer Security Foundations Workshop, pp. 18–26 (1996)Google Scholar
  3. 3.
    Hofmeyr, S.A., Forrest, S., D’haeseleer, P.: An immunological approach to distributed network intrusion detection. In: First International Workshop on the Recent Advances in Intrusion Detection (1998)Google Scholar
  4. 4.
    González, F., Dasgupta, D., Kozma, R.: Combining negative selection and classification techniques for anomaly detection. In: Congress on Evolutionary Computation, May 2002, pp. 705–710. IEEE, Los Alamitos (2002)Google Scholar
  5. 5.
    González, F., Dasgupta, D., Niño, L.F.: A randomized real-valued negative selection algorithm. In: Timmis, J., Bentley, P.J., Hart, E. (eds.) ICARIS 2003. LNCS, vol. 2787, pp. 261–272. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Ji, Z., Dasgupta, D.: Real-valued negative selection algorithm with variable-sized detectors. In: Deb, K., et al. (eds.) GECCO 2004. LNCS, vol. 3102, pp. 287–298. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  7. 7.
    Marsland, S.: Novelty detection in learning systems. Neural Computing Surveys 3 (2003)Google Scholar
  8. 8.
    Schölkopf, B., Platt, J.C., Shawe-Taylor, S.T., Smola, A.J., Williamson, W.: Estimating the support of a high-dimensional distribution. Technical Report MSR-TR-99-87, Microsoft Research, MSR (1999)Google Scholar
  9. 9.
    Müller, K.R., Mika, S., Rätsch, G., Tsuda, K., Schölkopf, B.: An introduction to kernel-based learning algorithms. Transactions on Neural Networks 12, 181–201 (2001)CrossRefGoogle Scholar
  10. 10.
    Ebner, M., Breunig, H.-G., Albert, J.: On the use of negative selection in an artificial immune system. In: GECCO 2002: Proceedings of the Genetic and Evolutionary Computation Conference, New York, pp. 957–964. Morgan Kaufmann Publishers, San Francisco (2002)Google Scholar
  11. 11.
    Stibor, T., Mohr, P., Timmis, J., Eckert, C.: Is negative selection appropriate for anomaly detection? In: Genetic and Evolutionary Computation – GECCO, to appear (2005)Google Scholar
  12. 12.
    Duda, R., Hart, P.E., Stork, D.G.: Pattern Classification, 2nd edn. Wiley Interscience, Hoboken (2001)zbMATHGoogle Scholar
  13. 13.
    Bishop, C.M.: Novelty detection and neural network validation. IEE Proceedings: Vision, Image and Signal Processing 141, 217–222 (1994)CrossRefGoogle Scholar
  14. 14.
    Silverman, B.W.: Density Estimation for Statistics and Data Analysis. Chapman and Hall, Boca Raton (1986)zbMATHGoogle Scholar
  15. 15.
    Yeung, D.-Y., Chow, C.: Parzen-window network intrusion detectors. In: Proc. of the Sixteenth International Conference on Pattern Recognition, pp. 385–388 (2002)Google Scholar
  16. 16.
    Chang, C.C., Lin, C.J.: LIBSVM: a Library for Support Vector Machines ( ) (2004),
  17. 17.
    Hettich, S., Bay, S.D.: KDD Cup 1999 Data (1999),
  18. 18.
    Fawcett, T.: ROC graphs: Notes and practical considerations for data mining researchers. Technical Report HPL-2003-4, Hewlett Packard Laboratories (2003)Google Scholar
  19. 19.
    Stibor, T., Timmis, J., Eckert, C.: On the appropriateness of negative selection defined over hamming shape-space as a network intrusion detection system. In: Proceedings of the 2005 IEEE Congress on Evolutionary Computation, Edinburgh, UK, 2-5 September. IEEE Computer Society Press, Los Alamitos (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Thomas Stibor
    • 1
  • Jonathan Timmis
    • 2
  • Claudia Eckert
    • 1
  1. 1.Department of Computer ScienceDarmstadt University of Technology 
  2. 2.Departments of Electronics and Computer ScienceUniversity of YorkHeslington, York

Personalised recommendations