A formal framework for positive and negative detection schemes
In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of nor...
Published in: | IEEE transactions on cybernetics 2004-02, Vol.34 (1), p.357-373 |
---|---|
Main Authors: | Esponda, F., Forrest, S., Helman, P. |
Format: | Article |
Language: | English |
cited_by | cdi_FETCH-LOGICAL-c418t-cbacb97921fc410e49131a4cba9e3067485978801caab0d20c915a0104c817d23 |
---|---|
cites | cdi_FETCH-LOGICAL-c418t-cbacb97921fc410e49131a4cba9e3067485978801caab0d20c915a0104c817d23 |
container_end_page | 373 |
container_issue | 1 |
container_start_page | 357 |
container_title | IEEE transactions on cybernetics |
container_volume | 34 |
creator | Esponda, F. ; Forrest, S. ; Helman, P. |
description | In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations. |
doi_str_mv | 10.1109/TSMCB.2003.817026 |
format | article |
fulltext | fulltext |
identifier | ISSN: 1083-4419 |
ispartof | IEEE transactions on cybernetics, 2004-02, Vol.34 (1), p.357-373 |
issn | 1083-4419 2168-2267 1941-0492 2168-2275 |
language | eng |
recordid | cdi_pubmed_primary_15369078 |
source | IEEE Xplore (Online service) |
subjects | Artificial immune systems ; Biological systems ; Computer science ; Detectors ; Distributed processing ; Intrusion detection ; Iron ; Object detection ; Pattern matching ; Random variables ; Studies |
title | A formal framework for positive and negative detection schemes |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-25T18%3A09%3A37IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_pubme&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20formal%20framework%20for%20positive%20and%20negative%20detection%20schemes&rft.jtitle=IEEE%20transactions%20on%20cybernetics&rft.au=Esponda,%20F.&rft.date=2004-02&rft.volume=34&rft.issue=1&rft.spage=357&rft.epage=373&rft.pages=357-373&rft.issn=1083-4419&rft.eissn=1941-0492&rft.coden=ITSCFI&rft_id=info:doi/10.1109/TSMCB.2003.817026&rft_dat=%3Cproquest_pubme%3E28881493%3C/proquest_pubme%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c418t-cbacb97921fc410e49131a4cba9e3067485978801caab0d20c915a0104c817d23%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=884056546&rft_id=info:pmid/15369078&rft_ieee_id=1262509&rfr_iscdi=true |