{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:52:40Z","timestamp":1750308760522,"version":"3.41.0"},"reference-count":39,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2009,11,1]],"date-time":"2009-11-01T00:00:00Z","timestamp":1257033600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Auton. Adapt. Syst."],"published-print":{"date-parts":[[2009,11]]},"abstract":"<jats:p>Anomaly-based intrusion detection is about the discrimination of malicious and legitimate behaviors on the basis of the characterization of system normality in terms of particular observable subjects. As the system normality is constructed solely from an observed sample of normally occurring patterns, anomaly detectors always suffer excessive false alerts. Adaptability is therefore a desirable feature that enables an anomaly detector to alleviate, if not eliminate, such annoyance. To achieve that, we either design self-learning anomaly detectors to capture the drifts of system normality or develop postprocessing mechanisms to deal with the outputs. As the former methodology is usually scenario- and application-specific, in this article, we focus on the latter one. In particular, our design starts from three key observations: (1) most of anomaly detectors are threshold based and parametric, that is, configurable by a set of parameters; (2) anomaly detectors differ in operational environment and operational capability in terms of detection coverage and blind spots; (3) an intrusive anomaly may leave traces across multiple system layers, incurring different observable events of interest. Firstly, we present a statistical framework to formally characterize and analyze the basic behaviors of anomaly detectors by examining the properties of their operational environments. The framework then serves as a theoretical basis for developing an adaptive middleware, which is called M-AID, to optimally integrate a number of observation-specific parameterizable anomaly detectors. Specifically, M-AID treats these fine-grained anomaly detectors as a whole and casts their collective behaviors in a framework which is formulated as a Multiagent Partially Observable Markov Decision Process (MPO-MDP). The generic anomaly detection models of M-AID are thus automatically inferred via a reinforcement learning algorithm which dynamically adjusts the behaviors of anomaly detectors in accordance with a reward signal that is defined and quantified by a suit of evaluation metrics. Fundamentally, the distributed and autonomous architecture enables M-AID to be scalable, dependable, and adaptable, and the reward signal allows security administrators to specify cost factors and take into account the operational context for taking rational response. Finally, a host-based prototype of M-AID is developed, along with comprehensive experimental evaluation and comparative studies.<\/jats:p>","DOI":"10.1145\/1636665.1636670","type":"journal-article","created":{"date-parts":[[2009,11,30]],"date-time":"2009-11-30T14:56:36Z","timestamp":1259592996000},"page":"1-35","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["M-AID"],"prefix":"10.1145","volume":"4","author":[{"given":"Zonghua","family":"Zhang","sequence":"first","affiliation":[{"name":"NICT, Tokyo, Japan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hong","family":"Shen","sequence":"additional","affiliation":[{"name":"The University of Adelaide, SA, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2009,11,30]]},"reference":[{"volume-title":"A survey of approximate methods for solving partially observable markov decision processes. National ICT Australia rep","author":"Aberdeen D.","key":"e_1_2_1_1_1"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/357830.357849"},{"key":"e_1_2_1_3_1","unstructured":"Barlett P. L. and Baxter J. 1999. Hebbian synaptic modifications in spiking neurons that learn. Tech. rep. Australia National University Canberra Australia.  Barlett P. L. and Baxter J. 1999. Hebbian synaptic modifications in spiking neurons that learn. Tech. rep. Australia National University Canberra Australia."},{"key":"e_1_2_1_4_1","unstructured":"Baxter J. and Barlett P. L. 1999. Direct gradient-based reinforcement learning: I. Gradiment estimation algorithms. Tech. rep. Australia National University Canberra Australia.  Baxter J. and Barlett P. L. 1999. Direct gradient-based reinforcement learning: I. Gradiment estimation algorithms. Tech. rep. Australia National University Canberra Australia."},{"key":"e_1_2_1_5_1","unstructured":"Baxter J. Weaver L. and Barlett P. L. 1999. Direct gradient-based reinforcement learning: II. Gradiment descent algorithms and experiments. Tech. rep. Australia National University Canberra Australia.  Baxter J. Weaver L. and Barlett P. L. 1999. Direct gradient-based reinforcement learning: II. Gradiment descent algorithms and experiments. Tech. rep. Australia National University Canberra Australia."},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.2"},{"key":"e_1_2_1_7_1","unstructured":"Cheung S. Crawford R. Dilger M. Frank J. and Hoagland J. 1999. The design of GrIDS: a graph-based intrusion detection system. Tech. rep. CSE-99-2 University of California at Davis Computer Science Department.  Cheung S. Crawford R. Dilger M. Frank J. and Hoagland J. 1999. The design of GrIDS: a graph-based intrusion detection system. Tech. rep. CSE-99-2 University of California at Davis Computer Science Department."},{"key":"e_1_2_1_8_1","unstructured":"DARPA. 1999. Darpa intrusion detection data sets. http:\/\/www.II.mit.edu\/mission\/communications\/ist\/corpora\/ideval\/data\/index.html  DARPA. 1999. Darpa intrusion detection data sets. http:\/\/www.II.mit.edu\/mission\/communications\/ist\/corpora\/ideval\/data\/index.html"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1186778.1186782"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 62--75","author":"Feng H. H.","key":"e_1_2_1_10_1"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 120--128","author":"Forrest S.","key":"e_1_2_1_11_1"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-8655(03)00004-7"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1128817.1128834"},{"volume-title":"Proceedings of the 16th USENIX Security Symposium. USENIX, 167--182","author":"Gu G.","key":"e_1_2_1_14_1"},{"volume-title":"-B","year":"2003","author":"Han S.-J.","key":"e_1_2_1_15_1"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/32.241771"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/1380584.1380585"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.5555\/945365.964286"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1176995"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2004.824833"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.5555\/597917.597919"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 130--143","author":"Lee W.","key":"e_1_2_1_22_1"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(02)00514-X"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/382912.382923"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/996943.996947"},{"volume-title":"Proceedings of the 20th National Information Systems Security Conference. NISSC, 353--365","author":"Porras P. A.","key":"e_1_2_1_26_1"},{"volume-title":"Proceedings of the Summer USENIX Conference. USENIX Association, 227--233","author":"Snapp S. R.","key":"e_1_2_1_27_1"},{"key":"e_1_2_1_28_1","unstructured":"Solomonoff R. J. 2003. Three kinds of probabilistic induction: Universal distributions and convergence theorems. http:\/\/comjnl.oxfordjournals.org\/cgi\/content\/abstract\/bxml20vl  Solomonoff R. J. 2003. Three kinds of probabilistic induction: Universal distributions and convergence theorems. http:\/\/comjnl.oxfordjournals.org\/cgi\/content\/abstract\/bxml20vl"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. 188--201","author":"Tan K. M. C.","key":"e_1_2_1_29_1"},{"volume-title":"Proceedings of the 18th International Conference on Machine Learning. Morgan Kaufmann, 553--560","author":"Tao N.","key":"e_1_2_1_30_1"},{"volume-title":"Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection. Springer, 54--68","author":"Valdes A.","key":"e_1_2_1_31_1"},{"key":"e_1_2_1_32_1","doi-asserted-by":"crossref","unstructured":"Vasilakos A. V. Parashar M. Karnouskos S. and Pedrycz W. 2009. Autonomic Communication. Springer.   Vasilakos A. V. Parashar M. Karnouskos S. and Pedrycz W. 2009. Autonomic Communication. Springer.","DOI":"10.1007\/978-0-387-09753-4"},{"volume-title":"Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 1343--145","author":"Warrender C.","key":"e_1_2_1_33_1"},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/65.484228"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/3468.935043"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0031-3203(02)00026-2"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2008.07.011"},{"volume-title":"Proceedings of the 2nd International Conference on Communications and Networking. IEEE, 317--321","author":"Zhang Z.","key":"e_1_2_1_38_1"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2005.30"}],"container-title":["ACM Transactions on Autonomous and Adaptive Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1636665.1636670","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1636665.1636670","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T20:22:27Z","timestamp":1750278147000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1636665.1636670"}},"subtitle":["An adaptive middleware built upon anomaly detectors for intrusion detection and rational response"],"short-title":[],"issued":{"date-parts":[[2009,11]]},"references-count":39,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2009,11]]}},"alternative-id":["10.1145\/1636665.1636670"],"URL":"https:\/\/doi.org\/10.1145\/1636665.1636670","relation":{},"ISSN":["1556-4665","1556-4703"],"issn-type":[{"type":"print","value":"1556-4665"},{"type":"electronic","value":"1556-4703"}],"subject":[],"published":{"date-parts":[[2009,11]]},"assertion":[{"value":"2007-12-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2009-01-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2009-11-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}