Jonatan Gómez

The effect of binary matching rules in negative selection

Negative selection algorithm is one of the most widely used techniques in the field of artificial immune systems. It is primarily used to detect changes in data/behavior patterns by generating detectors in the complementary space (from given normal samples). The negative selection algorithm generally uses binary matching rules to generate detectors. The purpose of the paper is to show that the low-level representation of binary matching rules is unable to capture the structure of some problem spaces. The paper compares some of the binary matching rules reported in the literature and study how they behave in a simple two-dimensional real-valued space. In particular, we study the detection accuracy and the areas covered by sets of detectors generated using the negative selection algorithm.

An immuno-fuzzy approach to anomaly detection

This paper presents a new technique for generating a set of fuzzy rules that can characterize the non-self space (abnormal) using only self (normal) samples. Because, fuzzy logic can provide a better characterization of the boundary between normal and abnormal, it can increase the accuracy in solving the anomaly detection problem. Experiments with synthetic and real data sets are performed in order to show the applicability of the proposed approach and also to compare with other works reported in the literature.

CIDS: An agent-based intrusion detection system

The paper describes security agent architecture, called CIDS, which is useful as an administrative tool for intrusion detection. Specifically, it is an agent-based monitoring and detection system, which is developed to detect malfunctions, faults, abnormalities, misuse, deviations, intrusions, and provide recommendations (in the form of common intrusion detection language). The CIDS can simultaneously monitor networked-computer activities at multiple levels (user to packet level) in order to find correlation among the deviated values (from the normal or defined policy) to determine specific security violations. The current version of CIDS (CIDS 1.4) is tested with different simulated attacks in an isolated network, and some of those results are reported here.

Self Adaptation of Operator Rates in Evolutionary Algorithms

This work introduces a new evolutionary algorithm that ad- apts the operator probabilities (rates) while evolves the solution of the problem. Each individual encodes its genetic rates. In every generation, each individual is modified by only one operator that is selected accor- ding to the encoded rates. Such rates are updated according to the per- formance achieved by the offspring (compared to its parent) and a ran- dom learning rate. The proposed approach is augmented with a simple transposition operator and tested on a number of benchmark functions.

Anomaly detection based on unsupervised niche clustering with application to network intrusion detection

We present a new approach to anomaly detection based on unsupervised niche clustering (UNC). The UNC is a genetic niching technique for clustering that can handle noise, and is able to determine the number of clusters automatically. The UNC uses the normal samples for generating a profile of the normal space (clusters). Each cluster can later be characterized by a fuzzy membership function that follows a Gaussian shape defined by the evolved cluster centers and radii. The set of memberships are aggregated using a max-or fuzzy operator in order to determine the normalcy level of a data sample. Experiments on synthetic and real data sets, including a network intrusion detection data set, are performed and some results are analyzed and reported.

Duality, conjugacy and adjointness of approximation operators in covering-based rough sets

Many different proposals exist for the definition of lower and upper approximation operators in covering-based rough sets. In this paper, we establish relationships between the most commonly used operators, using especially concepts of duality, conjugacy and adjointness (also referred to as Galois connection). We highlight the importance of the adjointness condition as a way to provide a meaningful link, aside from duality, between a pair of approximation operators. Moreover, we show that a pair of a lower and an upper approximation operator can be dual and adjoint at the same time if and only if the upper approximation is self-conjugate, and we relate this result to a similar characterization obtained for the generalized rough set model based on a binary relation.

Partial order relation for approximation operators in covering based rough sets

Covering based rough sets are a generalization of classical rough sets, in which the traditional partition of the universe induced by an equivalence relation is replaced by a covering. Many definitions have been proposed for the lower and upper approximations within this setting. In this paper, we recall the most important ones and organize them into sixteen dual pairs. Then, to provide more insight into their structure, we investigate order relationships that hold among the approximation operators. In particular, we study a point-wise partial order for lower (resp., upper) approximation operators, that can be used to compare their respective approximation fineness. We establish the Hasse diagram for the partial order, showing the relationship between any pair of lower (resp., upper) operators, and identifying its minimal and maximal elements.

Neighborhood operators for covering-based rough sets

Covering-based rough sets are important generalizations of the classical rough sets of Pawlak. A common way to shape lower and upper approximations within this framework is by means of a neighborhood operator. In this article, we study 24 such neighborhood operators that can be derived from a single covering. We verify equalities between them, reducing the original collection to 13 different neighborhood operators. For the latter, we establish a partial order, showing which operators yield smaller or greater neighborhoods than others.Six of the considered neighborhood operators result in new covering-based rough set approximation operators. We study how these new approximation operators relate to existing ones in terms of partial order relations, i.e., whether the generated approximations are in general greater, smaller or incomparable. Finally, we discuss the connection between the covering-based approximation operators and relation-based approximation operators, another prominent generalization of Pawlaks rough sets.

An evolutionary approach to generate fuzzy anomaly (attack) signatures

We describe the generation of fuzzy signatures to detect some cyber attacks. This approach is an enhancement to our previous work, which was based on the principle of negative selection for generating anomaly detectors using genetic algorithms. The present work includes a different genetic representation scheme for evolving efficient fuzzy detectors. To determine the performance of the proposed approach, which is named Evolving Fuzzy Rule Detectors (EFR), experiments were conducted with three different data sets. One data set contains wireless data, generated using network simulator (NS2) while the other two data sets are publicly available (from Lincoln Lab). Results exhibited that the proposed approach outperformed the previous techniques.

Using adaptive operators in genetic search

In this paper, we provided an extension of our previous work on adaptive genetic algorithm [1]. Each individual encodes the probability (rate) of its genetic operators. In every generation, each individual is modified by only one operator. This operator is selected according to its encoded rates. The rates are updated according to the performance achieved by the offspring (compared to its parents) and a random learning rate. The proposed approach is augmented with a simple transposition operator and tested on a number of benchmark functions.