
A formal framework for positive and negative detection schemes

In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of nor...

Bibliographic Details
Published in: IEEE transactions on cybernetics 2004-02, Vol.34 (1), p.357-373
Main Authors: Esponda, F., Forrest, S., Helman, P.
Format: Article
Language: English
container_end_page 373
container_issue 1
container_start_page 357
container_title IEEE transactions on cybernetics
container_volume 34
creator Esponda, F.
Forrest, S.
Helman, P.
description In anomaly detection, the normal behavior of a process is characterized by a model, and deviations from the model are called anomalies. In behavior-based approaches to anomaly detection, the model of normal behavior is constructed from an observed sample of normally occurring patterns. Models of normal behavior can represent either the set of allowed patterns (positive detection) or the set of anomalous patterns (negative detection). A formal framework is given for analyzing the tradeoffs between positive and negative detection schemes in terms of the number of detectors needed to maximize coverage. For realistically sized problems, the universe of possible patterns is too large to represent exactly (in either the positive or negative scheme). Partial matching rules generalize the set of allowable (or unallowable) patterns, and the choice of matching rule affects the tradeoff between positive and negative detection. A new match rule is introduced, called r-chunks, and the generalizations induced by different partial matching rules are characterized in terms of the crossover closure. Permutations of the representation can be used to achieve more precise discrimination between normal and anomalous patterns. Quantitative results are given for the recognition ability of contiguous-bits matching together with permutations.
doi_str_mv 10.1109/TSMCB.2003.817026
format article
identifier ISSN: 1083-4419
ispartof IEEE transactions on cybernetics, 2004-02, Vol.34 (1), p.357-373
issn 1083-4419
2168-2267
1941-0492
2168-2275
language eng
recordid cdi_pubmed_primary_15369078
source IEEE Xplore (Online service)
subjects Artificial immune systems
Biological systems
Computer science
Detectors
Distributed processing
Intrusion detection
Iron
Object detection
Pattern matching
Random variables
Studies
title A formal framework for positive and negative detection schemes