Results 1 - 10 of 23
Anomaly Detection: A Survey, 2007
Cited by 69 (1 self)
Anomaly detection is an important problem that has been researched within diverse research areas and application domains. Many anomaly detection techniques have been specifically developed for certain application domains, while others are more generic. This survey tries to provide a structured and comprehensive overview of the research on anomaly detection. We have grouped existing techniques into different categories based on the underlying approach adopted by each technique. For each category we have identified key assumptions, which are used by the techniques to differentiate between normal and anomalous behavior. When applying a given technique to a particular domain, these assumptions can be used as guidelines to assess the effectiveness of the technique in that domain. For each category, we provide a basic anomaly detection technique, and then show how the different existing techniques in that category are variants of the basic technique. This template provides an easier and succinct understanding of the techniques belonging to each category. Further, for each category, we identify the advantages and disadvantages of the techniques in that category. We also provide a discussion on the computational complexity of the techniques since it is an important issue in real application domains. We hope that this survey will provide a better understanding of the different directions in which research has been done on this topic, and how techniques developed in one area can be applied in domains for which they were not intended to begin with.
Immune System Approaches to Intrusion Detection - A Review
- In Proc. of the 3rd International Conference on Artificial Immune Systems, LNCS 3239, 2004
Cited by 42 (16 self)
The use of artificial immune systems in intrusion detection is an appealing concept for two reasons. Firstly, the human immune system provides the human body with a high level of protection from invading pathogens, in a robust, self-organised and distributed manner. Secondly, current techniques used in computer security are not able to cope with the dynamic and increasingly complex nature of computer systems and their security. It is hoped that biologically inspired approaches in this area, including the use of immune-based systems, will be able to meet this challenge. Here we collate the algorithms used, the development of the systems and the outcome of their implementation. It provides an introduction and review of the key developments within this field, in addition to making suggestions for future research.
A classification framework for anomaly detection
- J. Machine Learning Research, 2005
Cited by 34 (5 self)
One way to describe anomalies is by saying that anomalies are not concentrated. This leads to the problem of finding level sets for the data generating density. We interpret this learning problem as a binary classification problem and compare the corresponding classification risk with the standard performance measure for the density level problem. In particular it turns out that the empirical classification risk can serve as an empirical performance measure for the anomaly detection problem. This allows us to compare different anomaly detection algorithms empirically, i.e. with the help of a test set. Based on the above interpretation we then propose a support vector machine (SVM) for anomaly detection. Finally, we establish universal consistency for this SVM and report some experiments which compare our SVM to other commonly used methods including the standard one-class SVM.
Real-Valued Negative Selection Algorithm with Variable-Sized Detectors
- In LNCS 3102, Proceedings of GECCO, 2004
Cited by 24 (1 self)
A new scheme of detector generation and matching mechanism for negative selection algorithm is introduced featuring detectors with variable properties. While detectors can be variable in different ways using this concept, the paper describes an algorithm when the variable parameter is the size of the detectors in real-valued space. The algorithm is tested using synthetic and real-world datasets, including time series data that are transformed into multi-dimensional data during the preprocessing phase. Preliminary results demonstrate that the new approach enhances the negative selection algorithm in efficiency and reliability without significant increase in complexity.
Unsupervised Anomaly Detection in Network Intrusion Detection Using Clusters
- In Proc. 28th Australasian CS Conf., volume 38 of CRPITV, 2005
Cited by 15 (0 self)
Most current network intrusion detection systems employ signature-based methods or data mining-based methods which rely on labelled training data. This training data is typically expensive to produce. Moreover, these methods have difficulty in detecting new types of attack. Using unsupervised anomaly detection techniques, however, the system can be trained with unlabelled data and is capable of detecting previously "unseen" attacks. In this paper, we present a new density-based and grid-based clustering algorithm that is suitable for unsupervised anomaly detection. We evaluated our methods using the 1999 KDD Cup data set. Our evaluation shows that the accuracy of our approach is close to that of existing techniques reported in the literature, and has several advantages in terms of computational complexity.
Immune System Approaches to Intrusion Detection - A Review
- Natural Computing, 2007
Cited by 8 (1 self)
The use of artificial immune systems in intrusion detection is an appealing concept for two reasons. Firstly, the human immune system provides the human body with a high level of protection from invading pathogens, in a robust, self-organised and distributed manner. Secondly, current techniques used in computer security are not able to cope with the dynamic and increasingly complex nature of computer systems and their security. It is hoped that biologically inspired approaches in this area, including the use of immune-based systems, will be able to meet this challenge. Here we review the algorithms used, the development of the systems and the outcome of their implementation. We provide an introduction and analysis of the key developments within this field, in addition to making suggestions for future research.
Applicability issues of the real-valued negative selection algorithms
- In: Proceedings of Genetic and Evolutionary Computation Conference (GECCO), ACM Press, 2006
Cited by 6 (0 self)
The paper examines various applicability issues of the negative selection algorithms (NSA). Recently, concerns were raised on the use of NSAs, especially those using real-valued representation. In this paper, we argued that many reported issues are either due to improper usage of the method or general difficulties which are not specific to negative selection algorithms. On the contrary, the experiments with synthetic data and well-known real-world data show that NSAs have great flexibility to balance between efficiency and robustness, and to accommodate domain-oriented elements in the method, e.g. various distance measures. It is to be noted that all methods are not suitable for all datasets and data representation plays a major role.
Further Exploration of the Dendritic Cell Algorithm: Antigen Multiplier and Time Windows
- Proc. of the 7th International Conference on Artificial Immune Systems (ICARIS), 2008
Cited by 4 (4 self)
As an immune-inspired algorithm, the Dendritic Cell Algorithm (DCA) produces promising performance in the field of anomaly detection. This paper presents the application of the DCA to a standard data set, the KDD 99 data set. The results of different implementation versions of the DCA, including antigen multiplier and moving time windows, are reported. The real-valued Negative Selection Algorithm (NSA) using constant-sized detectors and the C4.5 decision tree algorithm are used to conduct a baseline comparison. The results suggest that the DCA is applicable to the KDD 99 data set, and the antigen multiplier and moving time windows have the same effect on the DCA for this particular data set. The real-valued NSA with constant-sized detectors is not applicable to the data set, and the C4.5 decision tree algorithm provides a benchmark of the classification performance for this data set.
Towards a biologically-inspired architecture for self-regulatory and evolvable network applications
- In Advances in Biologically Inspired Information Systems: Models, Methods, and Tools, 2007
Cited by 4 (3 self)
The BEYOND architecture applies biological principles and mechanisms to design network applications that autonomously adapt to dynamic environmental changes in the network. In BEYOND, each network application consists of distributed software agents, analogous to a bee colony (application) consisting of multiple bees (agents). Each agent provides a particular functionality of a network application, and implements biological behaviors such as energy exchange, migration, reproduction and replication. This paper describes two key components in BEYOND: (1) a self-regulatory and evolutionary adaptation mechanism for agents, called iNet, and (2) an agent development environment, called BEYONDwork. iNet is designed after the mechanisms behind how the immune system detects antigens (e.g., viruses) and produces antibodies to eliminate them. It models a set of environment conditions (e.g., network traffic) as an antigen and an agent behavior (e.g., migration) as an antibody. iNet allows each agent to autonomously sense its surrounding environment conditions (i.e., antigens) and adaptively invoke a behavior (i.e., antibody) suitable for the conditions. In iNet, a configuration of antibodies is encoded as a gene. Agents evolve their antibodies so that they can adapt to unexpected environmental changes. iNet also allows each agent to detect its own deficiencies in detecting antigen invasions (i.e., environmental changes) and regulate its policy for antigen detection. Simulation results show that agents adapt to changing network environments by self-regulating their antigen detection and evolving their antibodies through generations. BEYONDwork provides visual and textual languages to design agents in an intuitive manner.
An evolutionary algorithm to generate hyper-ellipsoid detectors for negative selection
- GECCO 2005: Proceedings of the 2005 conference on Genetic and evolutionary computation, 2005
Cited by 4 (2 self)
This paper introduces hyper-ellipsoids as an improvement to hyper-spheres as intrusion detectors in a negative selection problem within an artificial immune system. Since hyper-spheres are a specialization of hyper-ellipsoids, hyper-ellipsoids retain the benefits of hyper-spheres. However, hyper-ellipsoids are much more flexible, mostly in that they can be stretched and reoriented. The viability of using hyper-ellipsoids is established using several pedagogical problems. We conjecture that fewer hyper-ellipsoids than hyper-spheres are needed to achieve similar coverage of nonself space in a negative selection problem. Experimentation validates this conjecture. In pedagogical benchmark problems, the number of hyper-ellipsoids needed to achieve good results is significantly (~50%) smaller than the associated number of hyper-spheres.

