A building block for awareness in technical systems: Online novelty detection and reaction with an application in intrusion detection

In this article we propose a new building block to realize awareness in technical systems, a two-stage algorithm for online novelty detection and reaction in a probabilistic framework. It uses a combination of parametric as well as nonparametric density modeling techniques. First, observed samples are categorized as potentially novel. Then, clusters of potentially novel samples are identified and finally probabilistic models of the observed environment are extended by adding new model components that describe the novel process. To demonstrate the applicability of the proposed algorithm in self-adapting technical systems, we investigate a case study in the field of intrusion detection, where new kinds of attacks have to be identified by an intrusion detection system. That is, the algorithm is used in this article to realize environment-awareness, but it could in principal be taken for self- or context-awareness mechanisms, too.