context information received during the antigen collection process. Different combinations of input signals result in two different antigen contexts: an “unlicensed mature antigen” context implied that antigen data was collected under normal conditions, whereas a “mature antigen” context signified potentially anomalous data.
In this algorithm, antigen was used only for the labeling and tracking of data and hence was represented as a string of either integers or characters. Signals were represented as real-valued numbers that are proportional to values derived from the context information of the dataset in use. For example, a danger signal may be an increase in the CPU usage of a computer. The value for the CPU load can be normalized within a range and converted into its real-valued signal concentration value.
$$C_{[\mathrm{csm},\,\mathrm{LmatDCs},\,\mathrm{ULmatDCs}]} = \frac{(W_P C_P) + (W_S C_S) + (W_D C_D)}{W_P + W_S + W_D} \cdot \frac{1 + IC}{2} \qquad (7.1)$$
In Equation 7.1, the signal values are combined using a weighted function, where $C_x$ is the input concentration and $W_x$ is the weight. Input signals are categorized either as PAMPs (P), safe signals (S), danger signals (D), or inflammatory cytokines (IC), and are represented as a concentration of signals. They are transformed to output concentrations of costimulatory molecules (csm), ULmatDCs cytokines, and LmatDCs cytokines.
To detect port scan attacks, three different signals—PAMPs, danger, and safe—are used, where PAMPs indicate the number of “unreachable destination” errors. When the port scan process scans multiple Internet Protocol (IP) addresses indiscriminately, the number of these errors increases. Danger signals are indicative of the number of outbound network packets per second. An increase in network traffic could imply anomalous behavior. The safe signals are the inverse rate of change of network packets per second. This is based on the assumption that if the rate of sending network packets is highly variable, the machine is behaving suspiciously (Figure 7.8 shows the pseudocode for this DC approach).
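The following Python sketch applies Equation 7.1 to the three port-scan signals described above. It is an added example, not the book's Figure 7.8 pseudocode. The weights, normalisation ceilings, sample measurements, the reading of "inverse rate of change" as one minus the normalised change, the absolute values in the denominator, and the rule that the larger cumulative LmatDCs or ULmatDCs output decides the context are all assumptions made for illustration.

```python
# Added illustration: weights, caps and sample data are assumptions, not the book's values.
WEIGHTS = {                       # (W_P, W_S, W_D) per output concentration
    "csm":      (2.0, 2.0, 1.0),
    "ULmatDCs": (0.0, 3.0, 0.0),
    "LmatDCs":  (2.0, -3.0, 1.0),  # safe signals suppress the mature output
}
ERR_CAP, PPS_CAP, DELTA_CAP = 100.0, 1000.0, 500.0  # assumed normalisation ceilings


def normalise(value, cap):
    """Clamp a raw measurement into a 0..1 signal concentration."""
    return min(max(value / cap, 0.0), 1.0)


def combine(c_p, c_s, c_d, weights, ic=0.0):
    """Equation 7.1 for one output: weighted sum scaled by (1 + IC) / 2."""
    w_p, w_s, w_d = weights
    # abs() is an assumption so a negative safe weight cannot zero the denominator;
    # with non-negative weights it is the plain sum of the weights.
    denom = abs(w_p) + abs(w_s) + abs(w_d)
    return (w_p * c_p + w_s * c_s + w_d * c_d) / denom * (1.0 + ic) / 2.0


def classify(antigen, samples, ic=0.0):
    """Accumulate outputs over per-second (errors, packets) samples and label the antigen."""
    totals = dict.fromkeys(WEIGHTS, 0.0)
    for (_, prev_pps), (errors, pps) in zip(samples, samples[1:]):
        c_p = normalise(errors, ERR_CAP)   # PAMP: unreachable-destination errors
        c_d = normalise(pps, PPS_CAP)      # danger: outbound packets per second
        c_s = 1.0 - normalise(abs(pps - prev_pps), DELTA_CAP)  # safe: steady send rate
        for name, weights in WEIGHTS.items():
            totals[name] += combine(c_p, c_s, c_d, weights, ic)
    # Assumed decision rule: the larger cumulative cytokine output sets the context.
    mature = totals["LmatDCs"] > totals["ULmatDCs"]
    return antigen, ("mature antigen" if mature else "unlicensed mature antigen"), totals


# Constructed samples: (unreachable-destination errors/s, outbound packets/s)
IDLE = [(0, 40), (0, 42), (1, 41), (0, 39)]
SCAN = [(5, 60), (80, 900), (120, 300), (150, 1100)]

if __name__ == "__main__":
    for antigen, samples in (("pid-1001", IDLE), ("pid-2002", SCAN)):
        print(classify(antigen, samples)[:2])
```

The antigen label (here a constructed process identifier) is carried through unchanged, matching its role as a tag for tracking data rather than an input to the signal calculation.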
7.3 Applications in Fraud Detection
An immune-based system called JISYS was applied to fraud detection (Hunt and Cooke, 1995; Hunt and Fellows, 1996; Hunt et al., 1999). This system forms a network of B cell objects where each B cell represents a loan application. Advances were made in the follow-on work by Hunt et al. (1999), where results for fraud detection were presented. Work presented by Neal et al. (1998) discusses an immune-inspired supervised learning system called “Immunos-81.” Two standard machine-learning datasets were used to test the system's recognition capabilities. They use software abstractions of T cells, B cells, antibodies, and their interactions. Artificial T cells control the creation of B cell populations (clones), which compete for recognition of “unknowns.” The B cell clone with “simple highest avidity” (SHA) or “relative highest avidity” (RHA) is considered to have successfully classified the unknown.