
Abstract and Applied Analysis

Volume 2013 (2013), Article ID 268639, 15 pages

http://dx.doi.org/10.1155/2013/268639

## A Real-Valued Negative Selection Algorithm Based on Grid for Anomaly Detection

College of Computer Science, Sichuan University, Chengdu 610065, China

Received 15 March 2013; Accepted 13 May 2013

Academic Editor: Fuding Xie

Copyright © 2013 Ruirui Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

The negative selection algorithm is one of the main algorithms of artificial immune systems. However, candidate detectors randomly generated by traditional negative selection algorithms need to conduct self-tolerance with all selves in the training set in order to eliminate the immunological reaction. The matching process is the main time cost, which results in low generation efficiencies of detectors and application limitations of immune algorithms. A novel algorithm is proposed, named GB-RNSA. The algorithm analyzes distributions of the self set in real space and regards the *n*-dimensional [0, 1] space as the biggest grid. Then the biggest grid is divided into a finite number of subgrids, and selves are placed in the corresponding subgrids at the same time. The randomly generated candidate detector only needs to match selves that are in the grid where the detector is and in its neighbor grids, instead of all selves, which reduces the time cost of distance calculations. Before the candidate detector is added to the mature detector set, certain methods are adopted to reduce duplicate coverage between detectors, so that fewer detectors cover as much of the nonself space as possible. Theoretical analysis and experimental results demonstrate that GB-RNSA lowers the number of detectors, time complexity, and false alarm rate.

#### 1. Introduction

In the past decade, artificial immune systems have attracted great attention as a new method for solving complex computational problems. At present, there are four main areas in the studies of artificial immune systems [1]: the negative selection algorithm (NSA) [2], the artificial immune network (AINE) [3], the clonal selection algorithm (CLONALG) [4], the danger theory [5], and dendritic cell algorithms [6]. By simulating the immune tolerance in the T-cell maturation process of biological systems, NSA removes self-reactive candidate detectors to effectively recognize nonself antigens, and has been successfully applied to pattern recognition, anomaly detection, machine learning, fault diagnosis, and so forth [7, 8].

The negative selection algorithm is proposed by Forrest et al. [7]. This algorithm adopts strings or binary strings to encode the antigens (samples) and antibodies (detectors) and r-continuous-bit matching method to compute affinities between antigens and detectors, which is denoted SNSA [7]. The work in [9, 10] pointed out that the generation efficiency of detectors in SNSA is low. Candidate detectors become mature through negative selection. Given that is the training set size, is the matching probability between random antigen and antibody, and is the failure rate; then the number of candidate detectors , which is exponential to , and the time complexity of SNSA, is .

Because many problems in practical applications are easy to be defined and studied in the real space, a real-valued negative selection algorithm (RNSA) is put forward in [11]. The algorithm adopts *n*-dimensional vectors in real space to encode antigens and antibodies and Minkowski distance to calculate affinities. A real-valued negative selection algorithm with variable-sized detector (V-Detector) is proposed in [12, 13], resulting in better results. The algorithm dynamically determines the radius of a detector to generate mature ones, by computing the nearest distance between the center of the candidate detector and self-antigens. This algorithm also proposes a method for calculating detectors’ coverage rate based on the probability. In the work of [14], genetic-based negative selection algorithm is put forward, and in the work of [15], clonal optimization-based negative selection algorithm is put forward. Detectors of these two algorithms need to be processed by optimization algorithms, to gain greater coverage of nonself space. Superellipsoid detectors are introduced in [16] in the negative selection algorithm and superrectangular detectors in [17], to achieve the same coverage rate with less detectors compared with sphere ones. A self detector classification method is proposed in [18]. In this method, selves are viewed as self detectors with initial radius and the radius of selves is dynamically determined by the ROC analysis in the training stage, to increase the detection rate. A negative selection algorithm based on the hierarchical clustering of self set is put forward in [19]. This algorithm carries out the hierarchical clustering preprocess of self set to improve the generation efficiency of detectors.

Because of the low generation efficiency of mature detectors, the time cost of negative selection algorithms seriously limits their practical applications [18, 19]. A real-valued negative selection algorithm based on grid is proposed in this paper, denoted GB-RNSA. The algorithm analyzes distributions of the self set in the shape space and introduces the grid mechanism, in order to reduce the time cost of distance calculations and the duplication coverage between detectors. The remainder of this paper is organized as follows. The basic definitions of real-valued negative selection algorithms which are also the background of this paper are described in Section 2. The basic idea, implementation strategies, and analyses of GB-RNSA are described in Section 3. The effectiveness of GB-RNSA is verified using synthetic datasets and University of California Irvine (UCI) datasets in Section 4. Finally, the conclusion is given in the last section.

#### 2. Basic Definitions of RNSA

The SNS (self/nonself) theory states that the body relies on antibodies (T cells and B cells) to recognize self antigens and nonself antigens, in order to exclude foreigners and maintain the balance and stability of the body [2, 8]. Inspired by this theory, antibodies are defined as detectors to identify nonself antigens in the artificial immune system, and their quality determines the accuracy and effectiveness of the detection system. However, randomly generated candidate detectors may identify self antigens and raise the immune self-reaction. According to the immune tolerance mechanism and mature process of immune cells in the biological immune system, Forrest put forward the negative selection algorithm to remove detectors which can recognize selves [7]. The algorithm discussed in this paper is based on real value. The basic concepts of RNSA are as follows.

*Definition 1 (antigens). * are the total samples in the space of the problem. is an antigen in the set. is the data dimension, is the normalized value of the th attribute of sample which represents the position in the real space, and is the radius of which represents the variability threshold of .

*Definition 2 (self set). * represents all the normal samples in the antigen set.

*Definition 3 (nonself set). * represents all the abnormal samples in the antigen set. *Self*/*Nonself* have different meanings in various fields. For network intrusion detections, *Nonself* represents network attacks, and *Self* represents normal network access; for virus detections, *Nonself* represents virus codes, and *Self* represents legitimate codes.

*Definition 4 (training set). * is a subset of *Self* and is the priori detection knowledge. is the size of the training set.

*Definition 5 (set of detectors). *. is a detector in the set. is the th attribute of detector , is the radius of the detector, and is the size of the detector set.

*Definition 6 (matching rule). *, and is the Euclidean distance between antigen and detector . In the detectors’ generation process, if , the detector arises the immune self-reaction and cannot become a mature detector. In the detectors’ testing process, if , the detector recognizes the antigen as a nonself.

*Definition 7 (detection rate).* *DR* means the proportion of non-self samples which are correctly identified by detectors in the total non-self samples and is represented by (2). *TP* is short for true positive, which means the number of nonselves which are correctly identified by detectors. *FN* is short for false negative, which means the number of non-selves which are wrongly identified:

*Definition 8 (false alarm rate).* *FAR* means the proportion of self samples which are wrongly identified as non-selves in the total self samples and is represented by (3). *FP* is short for false positive, which means the number of selves which are wrongly identified by detectors, and *TN* is short for true negative, which means the number of selves which are correctly identified:

In general, the generation process of detectors which is the basic idea of RNSA is shown in Algorithm 1.

In the RNSA algorithm, each randomly generated candidate detector must be compared with every element of the training set. With the increase of the number of selves , the execution time grows exponentially, while the probability of coverage overlaps between detectors also rises, resulting in a large number of invalid detectors and low efficiency. These problems greatly limit the practical applications of negative selection algorithms.

#### 3. Implementations of GB-RNSA

This section describes the implementation strategies of the proposed algorithm. The basic idea of the algorithm is described in Section 3.1. Sections 3.2, 3.3 and 3.4 are the detailed descriptions of the algorithm. The grid generation method is introduced in Section 3.2. Coverage calculation method of the non-self space is introduced in Section 3.3. And the filter method of candidate detectors is introduced in Section 3.4. Performance analysis of the algorithm is given in Section 3.5. Time complexity analysis of the algorithm is given in Section 3.6.

##### 3.1. Basic Idea of the Algorithm

A real-valued negative selection algorithm based on grid GB-RNSA is proposed in this paper. The algorithm adopts variable-sized detectors and expected coverage of non-self space for detectors as the termination condition for detectors’ generation. The algorithm analyzes distributions of the self set in the real space and regards space as the biggest grid. Then, through divisions step-by-step until reaching the minimum diameter of the grid and adopting -tree to store grids, a finite number of subgrids are obtained, meanwhile self antigens are filled in corresponding sub grids. The randomly generated candidate detector only needs to match with selves who are in the grid where the detector is and in its neighbor grids instead of all selves, which reduces the time cost of distance calculations. When adding it into the mature detector set, the candidate detector will be matched with detectors within the grid where the detector is and neighbor grids, to judge whether the detector is in existing detectors’ coverage area or its covered space totally contains other detector. This filter operation decreases the redundant coverage between detectors and achieves that fewer detectors cover the non-self space as much as possible. The main idea of GB-RNSA is as shown in Algorithm 2.

Iris dataset is one of the classic machine learning data sets published by the University of California Irvine [20], which are widely used in the fields of pattern recognition, data mining, anomaly detection, and so forth. We choose data records of category “setosa” in the dataset Iris as self antigens, choose “sepalL” and “sepalW” as antigen properties of first dimension and second dimension, and choose top 25 records of self antigens as the training set. Here, we use only two features of records, for that two-dimensional map is intuitive to illustrate the ideas, which does not affect comparison results. Figure 1 illustrates the ideas of GB-RNSA and the classical negative selection algorithms RNSA and V-Detector. RNSA generates detectors with fixed radius. V-Detector generates variable-sized detectors by dynamically determining the radius of detectors, through computing the nearest distance between the center of the candidate detector and self antigens. Detectors generated by the two algorithms need to conduct tolerance with all self antigens, which will lead to redundant coverage of non-self space between mature detectors with the increase of coverage rate. GB-RNSA first analyzes distributions of the self set in the space, and forms grids. Then, the randomly generated candidate detector only needs to perform tolerance with selves within the grid where the detector is and neighbor grids. Certain strategies are conducted for detectors which have passed tolerance, to avoid the duplication coverage and make sure that new detectors cover uncovered non-self space.

##### 3.2. Grid Generation Method

In the process of grid generation, a top-down method is selected. First, the algorithm regards the -dimensional space as the biggest grid. If there are selves in this grid, divide each dimension into two parts and get sub grids. Then, continue to judge and divide each sub grid, until a grid does not contain any selves or the diameter of the grid reaches the minimum. Eventually, the grid structure of the space is obtained, and then the algorithm searches each grid to get neighbors in the structure. This process is shown in Algorithms 3 and 4.

*Definition 9 (minimum diameter of grids). *, where is the self radius and is the smallest radius of detectors. Suppose that the diameter of a grid is less than , then divide this grid; the diameter of sub grids is less than . If there are selves in the sub grid, it is probably impossible to generate detectors in the sub grid. So, set the minimum diameter of grids .

*Definition 10 (neighbor grids). *If two grids are adjacent at least in one dimension, these two grids are neighbors, which are called the basic neighbor grids. If selves of the neighbor grid are empty, add the basic neighbor grid of it in the same direction as the attached neighbor grid. The neighbors of a grid include the basic neighbor grids and the attached ones.

The filling process of neighbor grids is shown in Algorithm 5.

Figure 2 describes the dividing process of grids. The self training set is also selected from records of category “setosa” of the Iris data set. Select “sepalL” and “sepalW” as antigen properties of first dimension and second dimension. As shown in Figure 2, the two-dimensional space is divided into four sub grids in the first division, and then continue to divide sub grids whose selves are not empty, until the subs cannot be divided.

Figure 3 is a schematic drawing of neighbor grids, and grids with slashes are the neighbors of grid which positions in the up-left of the space.
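The top-down division, the filling of selves into subgrids and the neighbour lookup of this section, as an added Python example (it is not the paper's Algorithms 3 to 5, which this page does not reproduce). The candidate's radius is computed V-Detector style from the selves in its own grid and its basic and attached neighbours only. The value of `MIN_DIAM`, the self radius, the sample points, the halving stop rule and the reading of "adjacent" as cells whose boundaries touch are assumptions of the example.

```python
import math
from itertools import product

class Grid:
    """One cell of the 2^n-tree: lower corner `lo`, side length `size`."""
    def __init__(self, lo, size, selves):
        self.lo, self.size, self.selves = lo, size, selves
        self.children = {}              # corner bits -> sub grid

    def hi(self, d):
        return self.lo[d] + self.size

def corner_of(point, lo, half):
    """Per dimension: 0 if the point is in the lower half, 1 if in the upper."""
    return tuple(int(p >= l + half) for p, l in zip(point, lo))

def build(grid, min_diam):
    """Top-down division. A cell is left whole when it holds no selves or when
    halving it would go below the minimum diameter (assumed stop rule)."""
    half = grid.size / 2
    if not grid.selves or half < min_diam:
        return grid
    for corner in product((0, 1), repeat=len(grid.lo)):
        lo = tuple(l + c * half for l, c in zip(grid.lo, corner))
        inside = [s for s in grid.selves if corner_of(s, grid.lo, half) == corner]
        grid.children[corner] = build(Grid(lo, half, inside), min_diam)
    return grid

def leaves(grid):
    """All undivided cells below `grid`."""
    if not grid.children:
        yield grid
    for child in grid.children.values():
        yield from leaves(child)

def find_grid(root, point):
    """Descend to the leaf containing `point` (one step per tree level)."""
    g = root
    while g.children:
        g = g.children[corner_of(point, g.lo, g.size / 2)]
    return g

def touches(a, b):
    """Closed boxes share a face, edge or corner (assumed meaning of adjacent)."""
    return all(a.lo[d] <= b.hi(d) and b.lo[d] <= a.hi(d) for d in range(len(a.lo)))

def neighbours(root, g):
    """Basic neighbours of g, plus attached ones behind each empty neighbour."""
    cells = [c for c in leaves(root) if c is not g]
    found = [c for c in cells if touches(g, c)]
    for b in list(found):               # snapshot: basic neighbours only
        if b.selves:
            continue
        # Direction from g to b in each dimension: +1, -1 or 0 (overlapping).
        step = [(b.lo[d] >= g.hi(d)) - (b.hi(d) <= g.lo[d]) for d in range(len(g.lo))]
        for c in cells:
            beyond = all(s == 0 or (c.lo[d] >= b.hi(d) if s > 0 else c.hi(d) <= b.lo[d])
                         for d, s in enumerate(step))
            if beyond and touches(b, c) and c not in found:
                found.append(c)
    return found

def local_radius(root, point, r_self):
    """Radius of a candidate detector centred at `point`, from local selves only.
    Returns (radius, selves compared); radius is None when no self is nearby.
    A radius <= 0 means the candidate lies in a self region and fails tolerance."""
    g = find_grid(root, point)
    local = g.selves + [s for nb in neighbours(root, g) for s in nb.selves]
    if not local:
        return None, 0
    return min(math.dist(point, s) for s in local) - r_self, len(local)

# Constructed sample data: a dense self cluster plus two outlying selves.
SELVES = [(0.20 + 0.02 * i, 0.22 + 0.02 * j) for i in range(5) for j in range(5)]
SELVES += [(0.80, 0.70), (0.82, 0.74)]
R_SELF = 0.02      # assumed self radius
MIN_DIAM = 0.1     # assumed value; the page's formula for it is not reproduced

if __name__ == "__main__":
    root = build(Grid((0.0, 0.0), 1.0, list(SELVES)), MIN_DIAM)
    radius, compared = local_radius(root, (0.40, 0.40), R_SELF)
    print(f"{len(list(leaves(root)))} leaf grids; radius {radius:.4f} "
          f"from {compared} of {len(SELVES)} selves")
```

For the sample point the local search returns the same radius as a comparison against every self, while touching only part of the self set.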

##### 3.3. Coverage Calculation Method of the Nonself Space

The non-self space coverage is equal to the ratio of the volume covered by detectors and the total volume of nonself space [12], as is shown in the following:

Because there is redundant coverage between detectors, it is impossible to calculate (4) directly. In this paper, the probability estimation method is adopted to compute the detector coverage . For detector set , the probability of sampling in the non-self space covered by detectors obeys the binomial distribution [13]. The probability of sampling times obeys the binomial distribution .

Theorem 11. *When the number of non-self specimens of continuous sampling , if , the non-self space coverage of detectors reaches . is percentile point of standard normal distribution, is the number of non-self specimens of continuous sampling covered by detectors, and is the smallest positive integer which is greater than and .*

*Proof.* Random variable . Set . We consider two cases.

(1) If the number of non-self specimens of continuous sampling , known from De Moivre-Laplace theorem, when and . That is, . Do assumptions that : the non-self space coverage of detectors ≤ ; : the non-self space coverage of detectors > . Given significance level , . Then, the rejection region . So, when , belongs to the rejection region, reject , and accept . That is, the non-self space coverage of detectors > .

(2) If the number of non-self specimens of continuous sampling , is not too large, approximately obeys the Poisson distribution with equaling . Then . When , the non-self space coverage of detectors > . Proved.

From Theorem 11, in the process of detector generation, only the number of non-self specimens of continuous sampling and the number of non-self specimens covered by detectors need to be recorded. After sampling in the non-self space, determine whether the non-self specimen is covered by detectors of . If not, generate a candidate detector with the position vector of this non-self specimen, and then add it into the candidate detector set . If so, compute whether is larger than . If it is larger than , the non-self space coverage reaches the expected coverage , and the sampling process stops. If not, increase . When is up to , put candidate detectors of into the detector set to change the non-self space coverage, and then set , to restart a new round of sampling. With the continuous addition of candidate detectors, the size of the detector set is growing, and the non-self space coverage gradually increases.

##### 3.4. Filter Method of Candidate Detectors

When the number of sampling times in the non-self space reaches , detectors of candidate detector set will be added into the detector set . At this time, not all candidate detectors will join , and the filtering operation will be performed for these detectors. The filtering operation consists of two parts.

The first part is to reduce the redundant coverage between candidate detectors. First, sort detectors in the candidate detector set in a descending order by the detector radius, and then judge whether the candidate detectors in the back of the sequence have been covered by the front ones. If so, this sampling of the non-self space is invalid, and the candidate detector generated from the position vector of this sampling should be deleted. There is no complete coverage between candidate detectors which have survived the first filtering operation.

The second part is to decrease the redundant coverage between mature detectors and candidate ones. The candidate detector will be matched with detectors within the grid where the detector is and neighbor grids when adding it into the detector set , to judge whether it totally covers some mature detector. If so, the mature detector is redundant and should be removed. The filtering operations ensure that every mature detector will cover the uncovered non-self space.

The filtering process of candidate detectors is shown in Algorithm 6.
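The sampling loop of Section 3.3 together with the two-part filter of Section 3.4, as an added Python example rather than the paper's Algorithm 6. It assumes a one-sided z-test on a fixed round of `n0` non-self samples (the page's own statistic is not reproduced), a brute-force distance to all selves in place of the grid lookup, and constructed self points and parameter values.

```python
import math
import random

def covered(point, detectors):
    """True if `point` lies inside any (centre, radius) detector."""
    return any(math.dist(point, c) <= r for c, r in detectors)

def filter_candidates(candidates, detectors):
    """Filtering step of Section 3.4, applied in place to `detectors`."""
    # Part 1: largest radius first; drop a candidate whose centre already
    # lies inside a larger surviving candidate (that sample was redundant).
    kept = []
    for centre, radius in sorted(candidates, key=lambda d: d[1], reverse=True):
        if not covered(centre, kept):
            kept.append((centre, radius))
    # Part 2: a mature detector lying entirely inside a new one is redundant.
    for centre, radius in kept:
        detectors[:] = [(c, r) for c, r in detectors
                        if math.dist(centre, c) + r > radius]
        detectors.append((centre, radius))
    return detectors

def z_statistic(x, n0, p):
    """One-sided z-score for x covered samples in a round of n0, testing
    H0: coverage <= p (normal approximation; assumed form of the test)."""
    return (x - n0 * p) / math.sqrt(n0 * p * (1 - p))

def sample_nonself(selves, r_self, rng, dim):
    """Draw uniform points in [0, 1]^dim until one falls outside every self."""
    while True:
        point = tuple(rng.random() for _ in range(dim))
        if all(math.dist(point, s) > r_self for s in selves):
            return point

def generate(selves, r_self, p, z_alpha, n0, rng, dim=2):
    """Grow the detector set until the coverage test accepts coverage > p."""
    detectors, candidates = [], []
    n = x = 0                    # samples this round / samples already covered
    while True:
        point = sample_nonself(selves, r_self, rng, dim)
        n += 1
        if covered(point, detectors):
            x += 1
            if z_statistic(x, n0, p) > z_alpha:
                return detectors
        else:
            # Uncovered non-self sample: it becomes a candidate detector whose
            # radius reaches the nearest self region (brute force here).
            radius = min(math.dist(point, s) for s in selves) - r_self
            candidates.append((point, radius))
        if n == n0:              # round complete: filter, promote, restart
            filter_candidates(candidates, detectors)
            candidates, n, x = [], 0, 0

def estimate_coverage(detectors, selves, r_self, rng, trials=2000, dim=2):
    """Fraction of fresh non-self samples that some detector covers."""
    hits = sum(covered(sample_nonself(selves, r_self, rng, dim), detectors)
               for _ in range(trials))
    return hits / trials

# Constructed sample data and assumed parameter values.
SELVES = [(0.20 + 0.02 * i, 0.22 + 0.02 * j) for i in range(5) for j in range(5)]
R_SELF = 0.02
P_EXPECTED = 0.9      # expected coverage
Z_ALPHA = 1.645       # one-sided 5% point of the standard normal
N0 = 51               # smallest n with n*p > 5 and n*(1-p) > 5 (rule of thumb)

if __name__ == "__main__":
    dets = generate(SELVES, R_SELF, P_EXPECTED, Z_ALPHA, N0, random.Random(7))
    cov = estimate_coverage(dets, SELVES, R_SELF, random.Random(8))
    print(f"{len(dets)} mature detectors, estimated coverage {cov:.3f}")
```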

##### 3.5. Performance Analysis

This section analyzes the performance of the algorithm from the probability theory. Assuming that the number of all the samples in the problem space is , the number of antigens in the self set is , the number of antigens in the training set is , and the number of detectors is . The matching probability between a detector and an antigen is , which is associated with the specific matching rule [7, 9]. is defined as the probability of occurrence of event [21].

Theorem 12. *The probability of matching an undescribed self antigen for a detector which is passed self-tolerance is .*

*Proof.* From the proposition, a given detector passing the self-tolerance indicates that this detector does not match any antigen in the self training set. Let event be “the given detector does not match any antigen in the self set,” event “the given detector matches at least one antigen which is not described,” then . In the event , the number of times for a detector matching antigens in the self set meets the binomial distribution, . Therefore, . In the event , the number of times for a detector matching undescribed self antigens meets the binomial distribution, . Then, .

So, . Proved.

Theorem 13. *The probability of correct identification for a non-self antigen is , and the probability of erroneous identification for a non-self antigen is . The probability of correct identification for a self antigen is , and the probability of erroneous identification for a self antigen is .*

*Proof. *Let event be “the given non-self antigen matches at least one detector in the detectors set.” In the event , the number of times for a non-self antigen matching detectors meets the binomial distribution, . Therefore, , and .

Let event be “the given self antigen does not match any detector in the detectors set.” In the event , the number of times for a self antigen matching detectors meets the binomial distribution, . Therefore, , and . Proved.

is substantially constant for specific matching rules [7, 9]. Assuming that and , then Figure 4 shows variations of , , , and under the effects of and . As can be seen from the figure, when the number of selves in the training set and the number of detectors are larger, the probability of correct identification for an arbitrary given non-self antigen is greater, the probability of erroneous identification is small, and variation tendencies of and are not large while and change. Thus, when the coverage of non-self space for the detector set is certain, the detection rates of different algorithms are relatively close. When and are larger, the probability of correct identification for an arbitrary given self antigen is greater, the probability of erroneous identification is small, and variation tendencies of and are large while and change. So, when the coverage of non-self space for the detector set is certain, the false alarm rate of GB-RNSA is smaller for that the algorithm significantly reduces the number of detectors.

##### 3.6. Time Complexity Analysis

Theorem 14. *The time complexity of detector generation process in GB-RNSA is , where is the size of the training set, is the size of the detector set, and is the average self-reactive rate of detectors.*

*Proof. *For GB-RNSA, the main time cost of generating a new mature detector includes the time spending of calling *FindGrid* to find the grid, the time spending of self-tolerance for candidate detectors, and the time spending of call *Filter* to screen detectors.

Known from Section 3.2, the depth of -tree is . So, for a new detector, the time complexity of finding the grid where the detector is . is the space dimension, is the radius of selves, and is the smallest radius of detectors. So, is relatively constant.

Calculating the radius of the new detector needs to compute the nearest distance with selves in the grid where the detector is and neighbors. The time complexity is , where is the number of selves in and neighbors.

The time complexity of calculating whether the new detector is covered by existing detectors is , where is the number of detectors in and neighbors.

The time complexity of calling *Filter* to screen detectors includes the time spending of sorting the candidate detectors and judging whether redundant coverage exists; that is, .

Suppose is the number of candidate detectors to generate the detector set , then the time complexity of sampling is . And , so, the time complexity of generating the detector set is as follows:

So, the time complexity of detector generation process in GB-RNSA is . Proved.

SNSA, RNSA, and V-Detector are the main detector generation algorithms and are widely used in the fields of artificial immune-based pattern recognition, anomaly detection, immune optimization, and so forth. Table 1 shows the comparisons of these negative selection algorithms and GB-RNSA. As seen from Table 1, the time complexity of traditional algorithms is exponential to the size of selves . When the number of self elements increases, the time cost will rapidly increase. GB-RNSA eliminates the exponential impact and reduces the influence of growth of selves’ scale on the time cost. So, GB-RNSA lowers the time complexity of the original algorithm and improves the efficiency of detector generation.

#### 4. Experimental Results and Analysis

This section validates the effectiveness of GB-RNSA through experiments. Two types of data sets are selected for the experiments which are commonly used in the study of real-valued negative selection algorithms, including 2D synthetic datasets [22] and UCI datasets [20]. 2D synthetic datasets are authoritative in the performance test of real-valued negative selection algorithms [13, 19, 22], which is provided by Professor Dasgupta’s research team of Memphis University. UCI datasets are classic machine learning data sets, which are widely used in the tests of detectors’ performance and generation efficiencies [11, 18, 19, 23]. In the experiments, two traditional real-valued negative selection algorithms RNSA and V-Detector are chosen to compare with.

The number of mature detectors *DN*, the detection rate *DR*, the false alarm rate *FAR*, and the time cost of detectors generations *DT* are adopted to measure the effectiveness of the algorithms in the experiments. Because the traditional algorithm RNSA uses the preset number of detectors as the termination condition, this paper modified RNSA and uses the expected coverage of non-self space as the termination condition, in order to ensure that the three algorithms are under the same experimental conditions to make valid comparisons.

##### 4.1. 2D Synthetic Datasets

These datasets consist of several different subdatasets. We choose Ring, Stripe, and Pentagram subdatasets to test the performance of detectors generation of GB-RNSA. Figure 5 shows the distributions of these three datasets in two-dimensional real space.

The size of self sets of the three datasets is . The training set is composed of data points randomly selected from the self set, and the test data is randomly selected from the two-dimensional space. The experiments were repeated 20 times and the average values were adopted. Experimental results are shown in Tables 2 and 3, where values within parenthesis are variances. Table 2 lists comparisons of detection rates and false alarm rates of GB-RNSA in the three datasets under the same expected coverage of 90%, the same training set , and different self radiuses. As can be seen, the algorithm has higher detection rate and false alarm rate under smaller self radius, while the algorithm has lower detection rate and false alarm rate under greater self radius. Table 3 lists comparisons of detection rates and false alarm rates of GB-RNSA in the three datasets under the same expected coverage of 90%, the same self radius and different sizes of training set. The detection rate increases gradually and the false alarm rate decreases gradually while the size of the training set grows.

##### 4.2. UCI Datasets

Three standard UCI data sets including Iris, Haberman’s Survival and Abalone, are chosen to do the experiments, and experimental parameters are shown in Table 4. For the three data sets, self set and non-self set are chosen randomly, and records of training set and test set are chosen randomly as well. The experiments were repeated 20 times and the average values were adopted.

###### 4.2.1. Comparisons of the Number of Detectors

Figures 6, 7, and 8 show the number of mature detectors of RNSA, V-Detector, and GB-RNSA on the three data sets. Seen from the figures, with the increase of the expected coverage, the number of detectors which are needed to meet the coverage requirements for the three algorithms correspondingly increases. But the efficiency of GB-RNSA is significantly better than those of RNSA and V-Detector. For the data set of Iris, to achieve the expected coverage 99%, RNSA needs 13527 mature detectors, V-Detector needs 1432, and GB-RNSA needs 1166 which decreases about 91.4% and 18.6%, respectively. For the larger data set of Abalone, to achieve the expected coverage 99%, RNSA needs 11500 mature detectors, V-Detector needs 620, and GB-RNSA needs 235 which decreases about 98% and 62.1%, respectively. Thus, under the same expected coverage, different data dimensions, and different training sets, the number of mature detectors generated by GB-RNSA is significantly reduced compared with RNSA and V-Detector.

###### 4.2.2. Comparisons of the Cost of Detectors’ Generations

Figures 9, 10, and 11 show the time costs of detectors’ generation of RNSA, V-Detector, and GB-RNSA on the three data sets. As seen from the figures, with the increase of the expected coverage, the time cost of RNSA and V-Detector is in a sharp increase, while that of GB-RNSA is in a slow growth. For the data set of Iris, to achieve the expected coverage of 90%, the time cost of RNSA is 350.187 seconds, that of V-Detector is 0.347 seconds, and that of GB-RNSA is 0.1 seconds which decreases about 99.97% and 71.2%, respectively; when the expected coverage is 99%, the time cost of RNSA is 1259.047 seconds, that of V-Detector is 40.775 seconds, and that of GB-RNSA is 3.659 seconds which decreases about 99.7% and 91.0%, respectively. For the other two datasets, experimental results are similar. Thus, compared with RNSA and V-Detector, the effectiveness of detectors’ generation of GB-RNSA is promoted.

###### 4.2.3. Comparisons of Detection Rates and False Alarm Rates

Figures 12, 13, and 14 show the detection rates and false alarm rates of RNSA, V-Detector, and GB-RNSA on the three data sets. As seen from the figures, when the expected coverage is larger than 90%, the detection rates of the three algorithms are similar, and that of RNSA is slightly lower, while the false alarm rate of GB-RNSA is obviously lower than those of RNSA and V-Detector. For the data set of Haberman’s Survival, when the expected coverage is 99%, the false alarm rate of RNSA is 55.2%, that of V-Detector is 30.1%, and that of GB-RNSA is 20.1% which decreases about 63.6% and 33.2%, respectively. For the data set of Abalone, when the expected coverage is 99%, the false alarm rate of RNSA is 25.1%, that of V-Detector is 20.5%, and that of GB-RNSA is 12.6% which decreases about 49.8% and 38.5%, respectively. Thus, under the same expected coverage, the false alarm rate of GB-RNSA is significantly lower compared with RNSA and V-Detector.

The ROC curve is a graphical method for the classification model using true positive rate and false positive rate. In NSAs, true positive rate is the detection rate and false positive rate is the false alarm rate. Figure 15 shows the ROC curves of RNSA, V-Detector, and GB-RNSA on the three data sets. A good classification model should be as close as possible to the upper-left corner of the graphic. As seen from Figure 15, GB-RNSA is better than RNSA and V-Detector.

#### 5. Conclusion

Too many detectors and high time complexity are the major problems of existing negative selection algorithms, which limit the practical applications of NSAs. There is also a problem of redundant coverage of non-self space for detectors in NSAs. A real-valued negative selection algorithm based on grid for anomaly detection GB-RNSA is proposed in this paper. The algorithm analyzes distributions of the self set in the real space and divides the space into grids by certain methods. The randomly generated candidate detector only needs to match selves who are in the grid where the detector is and in its neighbor grids. And before the candidate detector is added into the mature detector set, certain methods are adopted to reduce the duplication coverage. Theory analysis and experimental results demonstrate that GB-RNSA has better time efficiency and detector quality compared with classical negative selection algorithms and is an effective artificial immune algorithm to generate detectors for anomaly detection.

#### Acknowledgments

This work has been supported by the National Natural Science Foundation of China under Grant no. 61173159, the National Natural Science Foundation of China under Grant no. 60873246, and the Cultivation Fund of the Key Scientific and Technical Innovation Project, Ministry of Education of China, under Grant no. 708075.
