Open access peer-reviewed chapter

Anomaly Detection through Adaptive DASO Optimization Techniques

Written By

Surendra Bhosale, Achala Deshmukh, Bhushan Deore and Parag Bhosale

Submitted: 10 June 2023 Reviewed: 04 July 2023 Published: 04 August 2023

DOI: 10.5772/intechopen.112421

From the Edited Volume

Anomaly Detection - Recent Advances, AI and ML Perspectives and Applications

Edited by Venkata Krishna Parimala

Abstract

Intrusion detection systems (IDS) detect and prevent network attacks. Due to the complicated network environment, the ID system merges a high number of samples into a small number of normal samples, resulting in inadequate samples to identify and train and a maximum false detection rate. External malicious attacks damage conventional IDS, which affects network activity. Adaptive Dolphin Atom Search Optimization overcomes this. Thus, the work aims to create an adaptive optimization-based network intrusion detection system that modifies the classifier for accurate prediction. The model selects features and detects intrusions. In the feature selection module, mutual information selects the features for further processing. Deep RNNs detect intrusions. The novel Adaptive Dolphin Atom Search Optimization technique trains the deep RNN. Adaptive DASO combines the DASO algorithm with adaptive concepts. DASO is the integration of dolphin echolocation (DE) with atom search optimization (ASO). Thus, the intrusions are detected using the adaptive DASO-based deep RNN. The developed adaptive DASO approach attains better detection performance based on several parameters such as specificity, accuracy, and sensitivity.

Keywords

  • intrusion detection system (IDS)
  • recurrent neural network (RNN)
  • machine learning
  • anomaly detection
  • optimization algorithm

1. Introduction

Anomaly detection is the mechanism for studying abnormal behavior in data, events, or experimental observations. The role of AI is very important across a wide area of applications, including statistical analysis, video surveillance, computer vision, medical image analysis, neuroscience studies, financial fraud detection, law enforcement, and cyber security.

Data analytics based on different novel ML algorithms opens a new field of research into complex data processing solutions that can handle huge data sets. Today, statisticians, programmers, engineers from multiple disciplines, and medical professionals are brought onto a common platform to reach concrete and fast solutions.

Anomaly detection involves real-time monitoring, dynamic data processing, and finding the outliers in a dataset, that is, the data points that do not conform to the normal behavior of the dataset. Cybercrimes are increasing day by day, the shortcomings of security protocols and algorithms are being exposed, and internet-based businesses worldwide are affected [1].

Anomaly detection can be either supervised or unsupervised, depending on whether the dataset contains labeled or unlabeled data points. An anomaly detection system first trains a machine learning algorithm on a dataset to learn the patterns of normal behavior; it can then identify the data points that deviate significantly from that normal behavior.

The role of AI in anomaly detection is, therefore, crucial; new avenues of research in the field of data analytics become possible, and the demand for accurate and efficient anomaly detection algorithms will increase substantially [2].

Anomaly identification is important for cleaning up data, making sure it is secure, and building strong AI systems. This talk will discuss recent work in our group on (a) benchmarking existing algorithms, (b) building a theoretical understanding of how they work, (c) explaining anomaly “alarms” to a data analyst, and (d) re-ranking potential anomalies in response to analyst feedback. The talk will then discuss two applications: (a) identifying and diagnosing sensor failures in weather networks and (b) open category detection in supervised learning.

Anomaly detection is the process of finding events or trends that do not fit with what would normally happen. This is important for tasks such as predictive maintenance, but it can be hard to do just through inspection. Anomaly detection methods that use machine learning and deep learning (AI) can find things in time series or image data that would be hard to find any other way. Find out how and why to use anomaly detection methods to find strange things in sensor data from hardware.

2. Major research issues and areas in anomaly detection

In spite of the several types of research carried out on anomaly detection, network security still encounters several challenges, some of which are as follows [3]: the system developed for anomaly detection in disabled many security features and automatic backup settings, erases stored data, and opens associations to get commands from a remote PC.

The multivariate statistical intrusion detection schemes in have difficulties in estimating distributions for high-dimensional data. The problems rely on the fact that it does not identify undesirable behavior, and thus the FAR can be high. The problems in include the reliance on a well-defined security policy, which may be absent, and its inability to detect intrusions that have not yet been made to be known to the IDS [4]. Some of the common challenges encountered by the network IDS are listed below:

  • There are many types of intrusions; the detection techniques available cannot accurately detect these varying attacks.

  • Intrusion detection is very challenging as most of the data are encrypted in the network; it is difficult to detect the attacks from an encrypted traffic.

  • Dedicated hardware components are required for network intrusion detection, and these components are very expensive.

  • Some IDS support only the recognition of network attacks, and other system attacks are not detected.

  • Several intrusion detection mechanisms adopted find it difficult to detect the intrusions from the high-speed network.

  • Insider attack is the most serious problem encountered by several IDS.

  • It is very difficult to approximate when and what actions are going to occur in a system.

3. Recent novel contributions in anomaly detection area

The following are the broad areas in which research work has been done in the last decade, developed based on “auto encoder-based techniques,” “novel machine learning-based techniques,” and “hybrid techniques in IDS.” There are four broad areas, namely auto encoder-based techniques, supervised and unsupervised machine learning algorithms, hybrid techniques in IDS, and deep learning-based approaches.

3.1 Auto encoder-based techniques

The auto encoder learning-based techniques utilized in intrusion detection system are demonstrated in this section.

Shone et al. [1] introduced a novel deep learning model for enabling NIDS operation within modern networks. This method was developed by grouping both shallow and deep learning, and it had the ability to correctly analyze a broad array of network traffic. Principally, the influence of the nonsymmetric deep auto encoder (NDAE) and the accuracy and speed of the random forest algorithm were combined. Further, this method was evaluated practically and attained promising outcomes. This method provided elevated levels of precision, recall, and accuracy and required less time for training.

Mighan et al. [5] established a novel scalable IDS based on deep learning. The paper focused mainly on network-based IDS. This method used Apache Spark, one of the best processing tools for big data, for quick identification of malicious traffic. Furthermore, this system utilized a stack auto encoder (SAE) network followed by an SVM classifier. The SAE was used for underlying feature extraction. This methodology had four stages, namely the data preprocessing stage, decision-making stage, latent feature extraction stage, and attack classification stage. The data preprocessing stage was responsible for preprocessing the data to make it ready for feature extraction.

Andresini et al. [6] established an auto encoder-based deep metric learning for network intrusion detection and the invented intrusion detection strategy evaluates the flow-based characteristics of the data of network traffic. The model of intrusion detection was learned by influencing a deep metric learning approach, which initially united the triplet networks, as well as auto encoders. Two distinct auto encoders were trained in the training stage on historical normal network flows, as well as attacks correspondingly. After that, a triplet network was trained for learning the inserting of the network flows’ feature vector demonstration.

3.2 Novel machine learning-based techniques

The novel machine learning-based techniques utilized in intrusion detection are demonstrated in this section.

Kaja et al. [7] discovered a new two-stage intelligent IDS for the detection and protection of systems from such malicious attacks. Four preprocessing steps were performed in this method. Initially, the variance of values of feature was calculated for calculating the increase between features present in the dataset. The correlated features are estimated and eliminated in the second step of preprocessing in order to avoid overfitting. The third step utilized least square regression error (LSQE) to maximize the reduction of dimensionality and to minimize similarities of feature. At last, for analyzing relationships of feature, the maximal information compression index (MICI) was utilized.

Jin et al. [8] implemented a Bayes system based on light gradient boosting machine (light GBM) and parallel intrusion detection mechanism. The developed IDS was called as Swift IDS, which had the ability of both investigation of enormous data of traffic in speedy networks well-timed along with maintenance of reasonable performance of detection. The abovementioned goals were achieved by Swift IDS through two approaches. Light GBM was adopted in one approach as the algorithm of detecting intrusion for the management of enormous traffic data.

Sarker et al. [9] presented a machine learning-based security model, namely the intrusion detection tree (IntruDTree). In this approach, the ranking of security features was first considered in accordance with their significance in modeling. Afterward, a comprehensive tree-based model of intrusion detection was constructed on the basis of the chosen significant features. After completing the construction of the entire tree by integrating the security data, the test data was utilized to authenticate the model.

Injadat et al. [10] developed a multistage optimized machine-learning framework for network intrusion detection. The effect of oversampling methods on the training model size of the models was studied initially and the least reasonable training size for successful intrusion identification was determined. This article suggests a multi stage enhanced machine learning-based NIDS structure, which decreases computational difficulty while keeping up with its performance of recognition. The stage of data preprocessing includes the process of normalization of data utilizing the Z-score strategy in addition to minority class oversampling by the usage of synthetic minority oversampling technique (SMOTE) algorithm.

Bertoli et al. [11] illustrated an end-to-end framework for machine learning-based NIDS. The AB-TRAP architecture was described in this paper, which enabled the application of updated network traffic and considered the operational concerns for enabling full deployment of the solution. AB-TRAP was a framework with five steps, comprising the creation of the attack dataset, implementation of the models, the bonafide dataset, training of machine learning models, and the evaluation of the performance of the recognized model following deployment.

3.3 Hybrid techniques in IDS

The hybrid learning-based techniques exploited in intrusion detection are demonstrated in this section.

Jiang et al. [12] established a network intrusion detection algorithm combined hybrid sampling with deep hierarchical network for the improvement of detection accuracy. Two parts were included in the hybrid sampling. At first, for the elimination of noise samples in the mainstream class, the one side selection (OSS) algorithm was utilized. Next, the SMOTE was employed for creating the minority class samples in order to lighten the imbalance of samples of minority class. Therefore, for the classification, the imbalanced data was converted into balanced data. Deep hierarchical network was constructed for the difficulty of data features, which train the CNN in addition to bi-directional long short-term memory (Bi-LSTM) when learning the temporal and spatial feature of network traffic data.

Cavusoglu [13] implemented a new hybrid approach for intrusion detection using machine learning methods. The developed IDS used a mixture of various feature selection, as well as machine learning-based methods for offering high performance intrusion discovery in several types of attacks. The first step of this technique was data preprocessing, then the dataset’s size was decreased by utilizing various feature selection algorithms. For feature selection, two novel methods were introduced. By the determination of suitable machine learning algorithms according to type of attack, the layered architecture was generated. This approach had low false positive rates and high accuracy in every form of attacks.

3.4 Deep learning-based approaches

The techniques on the basis of deep learning utilized in recognition of intrusion are demonstrated in this division. This section is again classified into three as follows:

3.4.1 CNN-based techniques

The CNN learning-based methods employed in intrusion detection are demonstrated in this division.

Tang et al. [14] developed a deep learning method for network intrusion detection in software-defined networking (SDN). In the established framework, the module of NIDS was established in the controller. The entire open flow switches were monitored by the SDN controller and called all network information when required; hence, the benefit of this global network was taken by the NIDS module for the detection of intrusion. After a fixed time window, a request message was sent to the entire open flow switches from the controller for requesting the network information.

Wu et al. [15] introduced an original intrusion detection model for a huge network using CNN. So as to involuntarily choose traffic features from raw dataset the CNN was utilized and the cost function weight coefficient of each category was set on the basis of its numbers for solving the problem of unprovoked dataset. Standard datasets were utilized by this approach for assessing the performance of the developed CNN model. The raw format of traffic vector was altered into image format in order to condense the cost for calculation. This method reduced the false alarm rate and improved the calculation cost and accuracy.

3.4.2 DNN-based method

The DNN learning-based methods exploited in intrusion detection are demonstrated in this division.

Vinayakumar et al. [16] presented a deep-learning approach for an intelligent IDS. This method utilized a deep learning network (DNN) for designing an effective and flexible IDS for detecting and classifying unexpected and unknown cyber-attacks. The abstract and high-dimensional feature representation of the IDS information is learned by passing it through several hidden layers. Moreover, this approach took up a multilayer perceptron (MLP) model, a form of feed-forward neural (FFN) network consisting of three or more layers, with one input layer, one or more hidden layers, and one output layer, wherein every layer had many units or neurons in mathematical notation.

Gao et al. [17] explored an adaptive ensemble machine learning model for intrusion detection in which the advantages of every algorithm for various form of data detection was integrated, and optimal results are achieved through ensemble learning. The benefit of ensemble learning was merging the guesses of various fundamental estimators to enhance the robustness and generalize ability over a distinct estimator. A few widespread algorithms are utilized in this approach such as DNN, decision tree, and random forest to train this model. Also, the adaptive voting and multi-tree algorithm are developed in order to enhance the consequence of intrusion detection. It was found from the comparison with various existing methods; this method was superior to many former research outcomes and had good application prospects.

3.4.3 Other techniques

The other deep learning-based techniques utilized in intrusion detection are demonstrated in this section.

Otoum et al. [18] developed deep learning-based intrusion detection in the supervising of critical infrastructures through sensor networks. The main intention of this research is to examine the prospective of deep learning as a substitute for IDS based on robust machine learning. A restricted Boltzmann-based Clustered IDS (RBC-IDS) model was presented for a deep learning solution for detecting intrusion in critical network applications based on wireless sensor network.

Yang et al. [19] introduced a joined wireless network intrusion detection model in view of deep learning. The deep belief network (DBN) was involved in this approach as the layer of feature extraction and support vector machine (SVM) characterization layer. DBN layer, the error backpropagation algorithm, and the contrast divergence algorithm were utilized to decrease aspects of information and extort features. It assisted SVM for enhancing the capability to categorize high-dimensional information. Contrasted with the preceding forward proliferation, this approach changed the credence of the multi-restricted Boltzmann machine (RBM) with the back-propagation algorithm. The recognition model was prepared and laid out with the SVM to keep on enhancing the interruption. The classification performance of DBN was efficiently progressed by this approach. Thus, the precision rate, recall rate, and accuracy rate of this approach were superior to other methods.

Wu and Guo [20] introduced a hierarchical deep neural network for network intrusion detection, namely LuNet, which was made up of numerous levels of merged recurrent convolution sub-nets. The input data at every level was learned by RNN and CNN nets. The granularity of learning became increasingly detailed as learning progressed from the first level to the last level. In this way, the synergy of RNN and CNN was efficiently utilized for both temporal and spatial feature extraction. By means of an in-depth examination and discussion of the arrangement of LuNet, high learning efficiency was attained by this method.

Khan et al. [21] presented a novel two-stage deep learning (TSDL) model, in view of a stacked auto-encoder with a soft-max classifier, for effective network intrusion identification. Two decision stages are involved in this model. This model varies from preceding models as it comprised two stages of feature representation. Feature representation was learned by the primary stage for characterizing typical and unusual network traffic with a possibility score value.

Sohi et al. [22] presented a recurrent neural network-based IDS, namely RNNIDS to catch complex designs in attacks and generate like ones. Initially, by the application of a new method, the generation of mutants of a malware was demonstrated, and this was the first step of this approach. This approach depends on the truth that an unknown pattern could be learned and extorted by a RNN. On the basis of this truth, new and unseen sequences were generated.

Zeng et al. [23] invented a deep learning-based network encrypted traffic classification and intrusion detection framework for detecting intrusions. The developed architecture was named as Deep-Full-Range (DFR), and it had three deep-learning algorithms such as CNN, LSTM, and SAE. The CNN was used for learning features of the raw traffic from spatial range. The features were learned from the time-related aspect by the use of LSTM. The SAE was taken for extracting features from coding characteristics.

4. Proposed adaptive dolphin atom search optimization-based DRNN for network intrusion detection system

The main challenge in network security is the development of efficient and robust NIDS. Despite the significant developments in NIDS technology, the majority of solutions still function with less capable signature-dependent techniques as opposed to anomaly detection approaches. The situation has reached a point where reliance on such techniques leads to unsuccessful and inaccurate analysis. These challenges motivate the creation of a widely accepted anomaly detection (AD) technique capable of overcoming the limitations caused by the ongoing changes happening in modern networks. NIDS is composed of data gathering, attribute extraction, attribute selection, IDS, and report generation. Every component in IDS has its own impacts and functions, which are not noticed. Three major limitations exist in IDS, and the contribution of this ID system is related to these limitations. The first challenge is the enormous quantity of network information; this issue can be handled by developing a technique that evaluates the data in an efficient manner. The second challenge is the granularity and depth of observation required for boosting efficiency. The third limitation is the number of distinct protocols and the enormous quantity of data communicated through traditional networks, which introduce high levels of intricacy and complexity. This increases the difficulty of evaluating the exact scope of potential implementation or zero-day attacks [24].

Machine learning (ML) techniques are enormously adapted for recognizing distinct categories of attacks, and ML technique assists the system supervisor acquire the respective measures for preserving intrusions. Nevertheless, majority of conventional ML techniques be owned by superficial learning, which cannot successfully evaluate the issue of enormous intrusion information [25]. These limitations arise in the features of real system in application background. The invention of multi-classification process diminished accuracy with effective development of dataset. Additionally, superficial learning is inappropriate to knowledge-based analysis and broadcasting necessities of elevated dimensional learning accompanied with enormous data. In contrast, deep learners have ability for extracting better illustration from review data for generating better learning schemes. Consequently, IDS has familiarized rapid improvement after diminishing into moderately slow period [26]. Though, majority of traditional ML techniques related to superficial learning and regularly emphasize selection and feature engineering [27]. The innovations of deep learning (DL) techniques employ a rapid improvement in the recent period, which gives an improvement for detecting the new IDS. Recurrent neural network (RNN) plays a significant function in enhancement of DL techniques in the domain of language processing, translation, image depiction, human behavior identification, and semantic realization [6]. Since, DL approaches contain potential for identifying better illustrations from the information for creating much better schemes and inspired by RNN [28].

The main aim of the research is the detection of intrusions that exist in the network using a DASO-based deep RNN. Initially, the input image is fed into feature selection using mutual information, in which the relevant features are selected. Then, the selected features are forwarded to the ID module, in which the process is done by the deep RNN. The deep RNN is trained using the adaptive DASO algorithm for predicting whether it is an intruder or not.

Proposed model: The main contribution of the research is the development of an adaptive DASO-based deep RNN for intruder detection. The Adaptive DASO is utilized to train the DRNN for predicting whether the network is intruder or not.

4.1 Developed adaptive DASO-based DRNN for NIDS

NIDS is an efficient method for protecting computer networks from malicious threats and attacks. Different ID methods are adopted to predict the behavior of malicious activities, but accurate detection of the intrusions that exist in the network system remains a major challenge. To deal with this challenge, an effective optimization method, named adaptive DASO-based DRNN, is developed for identifying intrusion behavior in the network. The developed optimization scheme completes the ID approach in two stages: feature selection and ID. Initially, input data is gathered from the ID dataset and forwarded to the feature selection step, where the relevant features are selected using mutual information. Once the suitable features are selected, the intrusions are detected using the DRNN, where the weights of the classifier are trained using the developed Adaptive DASO algorithm for predicting the malicious behavior. The Adaptive DASO algorithm is designed by including an adaptive concept with the integration of DE and ASO. Figure 1 shows the schematic illustration of the developed model.

Figure 1.

Schematic illustration of developed model for ID.

4.2 Get the input data

Let us choose the database as $F$ with $x$ number of network intrusion data $D$, which is depicted as,

$$F = \{D_1, D_2, \ldots, D_p, \ldots, D_x\} \tag{1}$$

where $D$ depicts the intrusion data, $F$ indicates the database, and $D_p$ demonstrates the intrusion data situated at the $p$th index. From the intrusion dataset, the intrusion data of the input network $D_p$ is considered and is passed to the feature selection module for performing the ID process.

4.3 Selection of features through mutual information

The input data $D_p$ is gathered from the database and is fed to the feature selection stage, where the important features are extracted to reduce the dimensionality of the data. Here, the feature selection module is modeled using the theory of mutual information [29], which is employed to overcome the curse of dimensionality in the prediction of malicious systems. The motive of feature selection is to extract the relevant features suitable for identifying the behavior of intrusions. Mutual information establishes the relation between the class label and the features, which are sampled simultaneously for predicting the relevant features. According to information theory [30], the mutual information between two variables is zero if and only if the two variables are statistically independent. The mutual information between the features $S$ and the class label $T$ is evaluated from their joint distribution as,

$$L(S;T) = \sum_{s \in S}\sum_{t \in T} L(s,t)\,\log\frac{L(s,t)}{L(s)\,L(t)} \tag{2}$$

$L(S)$ and $L(T)$ depict the marginal distributions of $S$ and $T$ formed through the marginalization approach. Here, $S$ shows the features, and $T$ shows the class labels. Finally, the features chosen by the mutual information theory are represented as $S$ and expressed by,

$$S = \{S_1, S_2, \ldots, S_m, \ldots, S_n\} \tag{3}$$

Here, $S_n$ indicates the total count of features, and $S_m$ depicts the $m$th feature. The output attained from the mutual information theory can be either normal or abnormal behavior, which is considered based on a threshold value for choosing the features [31]. The relevant features selected using mutual information are denoted as $S$ with the dimension of $1 \times n$. Furthermore, the features chosen by feature selection are fed to the input of the deep RNN for performing the ID process.
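The selection step of Eqs. (2) and (3) can be made concrete with a short added example (not code from the chapter). It estimates $L(S;T)$ from empirical frequencies and keeps the features whose score reaches a threshold; the feature names, the records, and the 0.1-bit threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed, already-discretised connection records (not from a real dataset).
# Feature names are hypothetical; the last field of each record is the class label T.
FEATURES = ["vlan", "flag", "service", "src_bytes_bin"]
RECORDS = [
    ("a", "SF", "http",   "low",  "normal"),
    ("a", "SF", "http",   "low",  "normal"),
    ("b", "SF", "dns",    "low",  "normal"),
    ("b", "SF", "http",   "high", "normal"),
    ("a", "S0", "telnet", "low",  "attack"),
    ("a", "S0", "telnet", "low",  "attack"),
    ("b", "S0", "http",   "high", "attack"),
    ("b", "S0", "telnet", "high", "attack"),
]


def mutual_information(values, labels):
    """Eq. (2) in bits, using empirical joint and marginal frequencies.

    Continuous features must be binned first; unseen (s, t) pairs contribute
    nothing because the sum only runs over observed pairs.
    """
    n = len(values)
    if n == 0:
        return 0.0
    joint = Counter(zip(values, labels))
    p_s = Counter(values)
    p_t = Counter(labels)
    score = 0.0
    for (s, t), count in joint.items():
        p_st = count / n
        score += p_st * math.log2(p_st / ((p_s[s] / n) * (p_t[t] / n)))
    return score


def select_features(records, names, threshold):
    """Score every feature column against the label and keep those >= threshold."""
    labels = [r[-1] for r in records]
    scores = {
        name: mutual_information([r[i] for r in records], labels)
        for i, name in enumerate(names)
    }
    selected = [name for name in names if scores[name] >= threshold]
    return scores, selected


if __name__ == "__main__":
    scores, selected = select_features(RECORDS, FEATURES, threshold=0.1)
    for name, value in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name:14s} {value:.4f} bits")
    print("selected:", selected)
```

In this sample `flag` determines the label completely and scores the full 1 bit of label entropy, while `vlan` is independent of the label and scores 0, which is the "zero if and only if independent" property stated above.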

4.4 ID using developed adaptive model

NIDS is performed using developed adaptive model. The developed Adaptive DASO is constructed by combining DE and ASO with adaptive concept. The deep RNN classifier takes feature S as input obtained from feature selection module and initiates intrusion detection process with the hidden layers of neural network. Furthermore, the developed Adaptive DASO is employed for training the weights of classifier for achieving optimal performance [32].

4.4.1 Structure of DRNN

Deep RNN uses the information from the feature selection tool to do its work. It has three levels, including the input layer, the hidden layer, and the output layer. In neural network design, the input layer is at the top and the output layer is at the bottom. The hidden layer is in the middle. The output pattern of the last layer is fed into the first layer of the next layer, and so on. The repeating link is only made between levels that are hidden. Deep RNN classifier is better because it takes less time to learn the data. The system design of deep RNN is depicted in Figure 2.

Figure 2.

System design of deep RNN classifier.

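The organization of the DRNN classifier is formed by taking the input vector of the $i$th layer at the $j$th time as $S^{(i,j)} = \{S_1^{(i,j)}, S_2^{(i,j)}, S_3^{(i,j)}, \ldots, S_h^{(i,j)}, \ldots, S_n^{(i,j)}\}$ and the output vector of the $i$th layer at the $j$th time as $R^{(i,j)} = \{R_1^{(i,j)}, R_2^{(i,j)}, R_3^{(i,j)}, \ldots, R_h^{(i,j)}, \ldots, R_n^{(i,j)}\}$, respectively. $h$ represents an arbitrary unit number of the $i$th layer, and $n$ specifies the total count of units of the $i$th layer. Moreover, the arbitrary unit number and total number of units of the $(i-1)$th layer are indicated as $i$ and $j$, respectively. The elements of the input vector are expressed as,

$$S_h^{(i,j)} = \sum_{z=1}^{q} r_{hz}^{(i)}\, R_z^{(i-1,j)} + \sum_{h'}^{n} u_{hh'}^{(i)}\, R_{h'}^{(i,j-1)} \tag{4}$$

where $r_{hz}^{(i)}$ and $u_{hh'}^{(i)}$ are the elements of $G^{(i)}$ and $g^{(i)}$. An arbitrary unit number of the $i$th layer is represented as $h'$. The elements of the output vector of the $i$th layer are expressed as,

$$R_h^{(i,j)} = \chi^{(i)}\left(S_h^{(i,j)}\right) \tag{5}$$

where $\chi^{(i)}$ depicts the activation function. After evaluating the output vector, the expression becomes

$$R^{(i,j)} = \chi^{(i)}\left(G^{(i)} R^{(i-1,j)} + g^{(i)} R^{(i,j-1)}\right) \tag{6}$$

Here, $R^{(i,j)}$ indicates the output of the classifier.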
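The recurrence of Eqs. (4) to (6) is shown below as an added example (not the chapter's code). Each layer $i$ holds a pair $(G^{(i)}, g^{(i)})$; the zero initial state, the tanh activation, the sigmoid read-out in `intrusion_score`, and all weight values are constructed assumptions.

```python
import math


def matvec(matrix, vector):
    """Plain matrix-vector product on nested lists."""
    return [sum(w * x for w, x in zip(row, vector)) for row in matrix]


def deep_rnn_forward(sequence, layers, act=math.tanh):
    """Run Eq. (6) over a sequence of feature vectors.

    layers[i] = (G, g): G weights the output of the layer below at the same
    time step, R^(i-1,j); g weights this layer's own previous output, R^(i,j-1).
    Returns the top-layer output for every time step j.
    """
    state = [[0.0] * len(G) for G, _ in layers]   # assumed R^(i,0) = 0
    outputs = []
    for features in sequence:                     # time index j
        below = features                          # input layer: selected features S
        for i, (G, g) in enumerate(layers):
            # Eq. (4): feed-forward term plus recurrent term
            s = [a + b for a, b in zip(matvec(G, below), matvec(g, state[i]))]
            state[i] = [act(v) for v in s]        # Eq. (5)
            below = state[i]
        outputs.append(below)
    return outputs


def intrusion_score(sequence, layers):
    """Squash the last top-layer unit into (0, 1). Assumed read-out, not from the page."""
    top = deep_rnn_forward(sequence, layers)[-1][0]
    return 1.0 / (1.0 + math.exp(-top))


# Constructed weights: 3 selected features -> 2 hidden units -> 1 output unit.
DEMO_LAYERS = [
    ([[0.8, -0.4, 0.1], [0.2, 0.9, -0.5]], [[0.3, 0.0], [0.0, 0.3]]),
    ([[1.2, -0.7]], [[0.5]]),
]
# Constructed sequence of three feature vectors for one connection window.
DEMO_SEQUENCE = [[1.0, 0.0, 0.5], [0.9, 0.1, 0.4], [0.0, 1.0, 1.0]]

if __name__ == "__main__":
    for j, out in enumerate(deep_rnn_forward(DEMO_SEQUENCE, DEMO_LAYERS), start=1):
        print(f"j={j} top-layer output {out[0]:+.4f}")
    print("score:", round(intrusion_score(DEMO_SEQUENCE, DEMO_LAYERS), 4))
```

Because the recurrent link stays inside each hidden layer, the output at step $j$ depends on all earlier feature vectors of the window, not only on the current one.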

4.4.2 Training process of Deep RNN using adaptive DASO algorithm

The DRNN classifier is trained using developed Adaptive DASO. The developed Adaptive DASO is formed by including adaptive concept with the integration of DE and ASO. The ASO method is developed using the attraction and repulsion behavior of atoms. Every atom interacts with other atoms using attraction behavior and repulses the premature and over-concentrated atoms using repulsion properties. On the other hand, the DE method is introduced for enhancing the security of detection using the behavior of dolphins. DE method investigates the large space of candidate solutions, and it is performed till the global solution is achieved. The mixture of DE and ASO scheme, called as DASO technique, that offers best solution to solve optimization issues; however, this method consumes more computational time. Hence, in this research adaptive concept is included with DASO method for obtaining less computational time.

Solution encoding: The developed optimization is employed to estimate the optimal solution and reduced the error rate for NIDS-based on fitness measure. However, the implementation steps engaged in the developed adaptive model are summarized as below:

4.4.2.1 Population initialization

Let υ be the number of atoms and the position of the $d$th atom is depicted as,

$$I_d = \left[I_d^1, \ldots, I_d^a\right]; \quad d = 1, \ldots, l \tag{7}$$

where $I_d^a$ denotes the $a$th position component of the $d$th atom.

4.4.2.2 Fitness function

The fitness function is evaluated by estimating the variation between the predicted output and the classifier output, and the lowest error value is selected as the best solution, which is expressed as,

$$\sigma_d = \frac{1}{\mu}\sum_{s=1}^{\mu}\left[\varepsilon_s - R_s^{(i,j)}\right] \tag{8}$$

where $\sigma_d$ indicates the fitness value of the $d$th atom, $R_s^{(i,j)}$ depicts the classifier output, and $\varepsilon_s$ denotes the predicted output.

4.4.2.3 Mass computation

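Atom mass is estimated using the fitness function, and the mass of the $d$th atom at the $f$th iteration is specified as,

$$M_d(f) = \frac{e_d(f)}{\sum_{d=1}^{l} e_d(f)} \tag{9}$$

where $M_d(f)$ indicates the mass, and the term $e_d(f)$ is expressed as,

$$e_d(f) = e^{-\frac{\sigma_d - \sigma_{best}}{\sigma_{worst} - \sigma_{best}}} \tag{10}$$

where the terms $\sigma_{best}$ and $\sigma_{worst}$ specify the best and worst values, and the expressions are depicted as,

$$\sigma_{best} = \min_{d = 1, \ldots, l} \sigma_d \tag{11}$$

$$\sigma_{worst} = \max_{d = 1, \ldots, l} \sigma_d \tag{12}$$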

4.4.2.4 Evaluate neighbor

The exploration of initial iteration is enhanced by selecting the N neighbors, which is based on the fitness value of interactions between atoms. The expression for N is depicted as,

$$N^f = l - (l - 2)\sqrt{\frac{f}{d}} \tag{13}$$

4.4.2.5 Calculate the total force and constraint force

The sum of all components acting on the dth atom from the neighboring atoms is the total force, which is given by,

$$Q_{da}^f = \sum_{s \in N_{best}} rand_s \, Q_{dsa}^f \tag{14}$$

where $Q_{da}^f$ indicates the force, and the term $rand_s$ specifies a random number that varies from 0 to 1. Every atom in the population space behaves as the best atom, and the constraint force of the dth atom is expressed as,

$$\lambda_{da}^f = H^f\left(I_{best,a}^f - I_{da}^f\right) \tag{15}$$

where $H^f$ indicates the Lagrangian multiplier.

4.4.2.6 Estimate the acceleration

The acceleration of dth atom at fth time is calculated as,

$$A_{da}^f = \frac{Q_{da}^f}{M_{da}^f} + \frac{\lambda_{da}^f}{M_{da}^f} \tag{16}$$

where, $Q_{da}^f$ is the total force, $\lambda_{da}^f$ is the constraint force, $M_{da}^f$ indicates the mass, and $A_{da}^f$ indicates acceleration of dth atom at fth time.

4.4.2.7 Renew the velocity

The velocity of dth atom at f+1 iteration is expressed as,

$$V_{da}^{f+1} = rand_{da} V_{da}^f + A_{da}^f \tag{17}$$

where, $rand_{da}$ indicates the random number, and $A_{da}^f$ specifies the acceleration.

4.4.2.8 Update the atom location

The final updated equation of DASO algorithm is given as follows.

Idf+1=ω2dMdfω2dMdfZe20fαIdf+randdVdfψ1f1α3e20fαsNbestrands2×cdsf13cds7MdfIsfTdfIdfIsf2Ze20fαIdf+Wdf+ω1dJdω1dIdfω2dMdfE18

where, $M_d^f$ specifies the mass of dth atom, $V_d^f$ is the velocity, $Z$ indicates the multiplier weight, $\psi$ specifies the depth weight, $\alpha$ shows the maximum iteration, $W_d$ signifies the search space dimension, $J_d$ depicts the personal best solution, and $\omega_{1d}$ and $\omega_{2d}$ are the random number that lies between 0 to 1.

In Eq. (18), the term $\psi$ is made adaptive for better intrusion detection performance. The expression for $\psi$ is given by,

$$\psi = \psi_{max} - f\,\frac{\psi_{max} - \psi_{min}}{\alpha} \tag{19}$$

where $\psi$ signifies the depth weight, which is made adaptive, $\psi_{max}$ and $\psi_{min}$ depict the predefined maximum and minimum values of $\psi$, and $\alpha$ signifies the highest iteration. Algorithm 1 states the pseudocode of the developed adaptive model.

4.4.2.9 Re-compute the fitness

Fitness value is predicted using objective function, which is mentioned in Eq. (8), where the fitness with optimal value is selected as optimal solution.

4.4.2.10 Termination

The abovementioned iteration is repeated until the stopping criteria are reached. The pseudocode of developed adaptive DASO-based deep RNN techniques is specified in Algorithm 1.

Algorithm 1. Pseudocode of the developed adaptive model.

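| Sl. no | Pseudocode of the developed adaptive model |
|---|---|
| Input: | $I_d$ |
| Output: | $I_{da}^{f+1}$ |
| 1 | Initiate the set of atoms $I$ and the velocity $V$ |
| 2 | While termination criteria are not satisfied |
| 3 | Do |
| 4 | Evaluate $\sigma$ |
| 5 | if $\sigma_d < \sigma_{best}$ then |
| 6 | $\sigma_{best} = \sigma_d$ |
| 7 | $I_{best} = I_d$ |
| 8 | End if |
| 9 | Calculate $M_d^f$ |
| 10 | Determine $N$ neighbors |
| 11 | Compute $Q_{da}^f$ and $\lambda_{da}^f$ |
| 12 | Calculate $A_{da}^f$ |
| 13 | Update $V_{da}^{f+1}$ |
| 14 | Location update of atom $I_{da}^{f+1}$ using Eq. (18) |
| 15 | Introduce adaptive concept in place of $\psi = \psi_{max} - f\,\frac{\psi_{max} - \psi_{min}}{\alpha}$ |
| 16 | End for |
| 17 | End while |
| 18 | Return $I_{best}$ |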

Including the adaptive concept with ASO and DE provides an enhanced optimal result, and the computation time is also reduced. The performance of intrusion detection is also enhanced by including the adaptive concept within the hybrid optimization algorithm.
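The loop of Algorithm 1, written out as a small Python sketch that trains the weights of a single logistic unit (a stand-in for the deep RNN) on six constructed samples; this is an added example, not the authors' implementation. Assumptions: the position step is the plain ASO update (position plus velocity) rather than Eq. (18), the pairwise term uses the raw distance clipped to [1.1, 1.24], Eq. (13) divides by the maximum iteration, the error of Eq. (8) is taken as an absolute value, and all hyperparameter values are illustrative.

```python
import math
import random

# Constructed samples: (feature_1, feature_2, bias) and label, 1 = intrusion.
SAMPLES = [((0.9, 0.8, 1.0), 1), ((0.8, 0.7, 1.0), 1), ((0.7, 0.9, 1.0), 1),
           ((0.1, 0.2, 1.0), 0), ((0.2, 0.1, 1.0), 0), ((0.3, 0.2, 1.0), 0)]

def fitness(weights, samples=SAMPLES):
    """Eq. (8): mean gap between label and output (absolute value assumed)."""
    total = 0.0
    for x, label in samples:
        z = sum(w * v for w, v in zip(weights, x))
        total += abs(label - 1.0 / (1.0 + math.exp(-z)))  # logistic stand-in
    return total / len(samples)

def masses(fits):
    """Eqs. (9)-(12): lower error gives a larger normalized mass."""
    best, worst = min(fits), max(fits)
    span = (worst - best) or 1.0  # guard: all atoms equally fit
    e = [math.exp(-(s - best) / span) for s in fits]
    return [v / sum(e) for v in e]

def neighbor_count(f, l, alpha):
    """Eq. (13), ASO form; the max iteration alpha is assumed as divisor."""
    return max(2, int(l - (l - 2) * math.sqrt(f / alpha)))

def adaptive_psi(f, alpha, psi_max, psi_min):
    """Eq. (19): depth weight falls linearly from psi_max to psi_min."""
    return psi_max - f * (psi_max - psi_min) / alpha

def train(l=8, dim=3, alpha=40, psi_max=1.0, psi_min=0.1, Z=0.2, seed=7):
    rng = random.Random(seed)
    I = [[rng.uniform(-1, 1) for _ in range(dim)] for _ in range(l)]
    V = [[0.0] * dim for _ in range(l)]
    best, best_fit, history = None, float("inf"), []
    for f in range(1, alpha + 1):
        fits = [fitness(p) for p in I]
        for d in range(l):  # Algorithm 1, steps 5-8
            if fits[d] < best_fit:
                best_fit, best = fits[d], I[d][:]
        history.append(best_fit)
        M = masses(fits)
        near = sorted(range(l), key=fits.__getitem__)[:neighbor_count(f, l, alpha)]
        decay = math.exp(-20 * f / alpha)
        depth = adaptive_psi(f, alpha, psi_max, psi_min) * (1 - (f - 1) / alpha) ** 3 * decay
        new_I = []
        for d in range(l):
            row = []
            for a in range(dim):
                Q = 0.0  # total force from the N best neighbors, Eq. (14)
                for s in near:
                    dist = math.dist(I[d], I[s]) or 1.0  # s == d adds zero
                    c = min(max(dist, 1.1), 1.24)  # assumed ASO clipping range
                    Q -= depth * rng.random() * (2 * c**13 - c**7) * (I[s][a] - I[d][a]) / dist
                lam = Z * decay * (best[a] - I[d][a])  # constraint force, Eq. (15)
                V[d][a] = rng.random() * V[d][a] + (Q + lam) / M[d]  # Eqs. (16)-(17)
                row.append(max(-5.0, min(5.0, I[d][a] + V[d][a])))  # plain ASO step
            new_I.append(row)
        I = new_I
    return best, best_fit, history
```

`train()` returns the best weight vector, its error, and the best-so-far error after each iteration, which makes the effect of the decaying depth weight on convergence easy to inspect.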


5. Results and discussion

The results of the developed adaptive model are briefly discussed in this section in terms of sensitivity, accuracy, and specificity.

5.1 Experimental setup and dataset description

The developed adaptive model is executed in the Python tool using the NSL-KDD dataset [33] and the BoT-IoT dataset [34]. Dataset-1 includes multiple information for solving the optimization troubles such that this information is reasonable. Dataset-2 comprises source files in different formats, such as CSV files, argus files, and pcap files. These files are partitioned based on the kind of attack.

5.2 Evaluation parameters

The performance parameters utilized for the analysis of intrusion detection in the proposed adaptive model are sensitivity, accuracy, and specificity.

5.2.1 Sensitivity

The sensitivity is the proportion of true positive (TP) to the sum of TP and false negative (FN). The sensitivity is expressed as,

$$\text{Sensitivity} = \frac{P_T}{N_F + P_T} \tag{20}$$

5.2.2 Accuracy

The accuracy is the degree of proximity between predicted and original value. The accuracy is expressed as,

$$\text{Accuracy} = \frac{N_T + P_T}{P_F + N_F + P_T + N_T} \tag{21}$$

5.2.3 Specificity

The specificity is the proportion of true negative (TN) to the sum of false positive (FP) and true negative (TN). The specificity is expressed as,

$$\text{Specificity} = \frac{N_T}{N_T + P_F} \tag{22}$$

where $P_T$, $P_F$, $N_T$ and $N_F$ represent the true positive, false positive, true negative, and false negative, respectively.

5.3 Comparative methods

The performance of the developed method is analyzed by comparing it with other state-of-the-art techniques, namely DBN [1], CNN [13], and DSAE [14].

5.4 Comparative analysis

This section presents the comparative analysis of the developed adaptive DASO-based DRNN using dataset-1 and dataset-2.

5.4.1 Analysis using dataset-1

Figure 3a shows the accuracy analysis with varying training data. For 60% of training data, the accuracy of the developed adaptive model is 0.8856, while the accuracy of the existing methods, such as DBN, DSAE, CNN, and DASO-based DRNN, is 0.8290, 0.8224, 0.8056, and 0.860317, respectively. The performance of the adaptive DASO-based deep RNN improved by 6.39354%, 7.1329%, 9.0376%, and 2.8613% when compared to state-of-the-art methods such as DBN, DSAE, CNN, and DASO-based deep RNN, respectively.

Figure 3. Comparative analysis using dataset-1, (a) accuracy, (b) sensitivity, and (c) specificity.

Figure 3b shows the sensitivity analysis with varying training data. The developed adaptive model has a sensitivity of 0.9849 when the training data is 70%. With existing methods, such as DBN, DSAE, CNN, and DASO-based deep RNN, the sensitivity values are 0.9362, 0.9230, 0.89, and 0.9779, respectively. The performance of the adaptive DASO-based deep RNN improved by 4.94251%, 6.2823%, 9.64145%, and 0.7154% when compared to state-of-the-art methods such as DBN, DSAE, CNN, and DASO-based deep RNN, respectively.

Figure 3c shows the specificity analysis with varying training data. With 80% of the training data, the developed adaptive DASO-based deep RNN gets a specificity value of 0.9754. Existing methods such as DBN, DSAE, CNN, and DASO-based deep RNN get specificities of 0.7394, 0.8969, 0.9174, and 0.9611, respectively. The performance of the developed adaptive DASO-based deep RNN was found to be better than state-of-the-art methods such as DBN, DSAE, CNN, and DASO-based deep RNN by 24.193%, 8.0476%, 5.9513%, and 1.4712%, respectively.

5.4.2 Analysis using dataset-2

Figure 4a shows the accuracy analysis with varying training data. For 60% of the training data, the accuracy of the adaptive model is 0.9767, while the accuracy of DBN, DSAE, CNN, and DASO-based DRNN is 0.9305, 0.9329, 0.9388, and 0.956087, respectively. When comparing the developed adaptive model to state-of-the-art methods such as DBN, DSAE, CNN, and DASO-based deep RNN, the performance improvement is 4.7341%, 4.4860%, 3.8829%, and 2.1169%, respectively.

Figure 4. Comparative analysis of dataset-2, (a) accuracy, (b) sensitivity, and (c) specificity.

Figure 4b shows the sensitivity analysis with varying training data. For 70% of training data, the developed adaptive DASO-based deep RNN gets a sensitivity value of 0.9894, while existing methods such as DBN, DSAE, CNN, and DASO-based deep RNN get sensitivity values of 0.9560, 0.9238, 0.9280, and 0.9821, respectively. When comparing the developed adaptive DASO-based deep RNN with the most advanced methods, such as DBN, DSAE, CNN, and DASO-based deep RNN, the performance improvement is 3.3776%, 6.6318%, 6.2063%, and 0.7416%, respectively.

Figure 4c shows the specificity analysis with varying training data. When the training data is 80%, the developed adaptive model has a specificity of 0.8513. On the other hand, existing methods like DBN, DSAE, CNN, and DASO-based deep RNN have specificities of 0.7370, 0.8178, 0.8041, and 0.8255, respectively. When comparing the developed adaptive DASO-based deep RNN with the most advanced methods, like DBN, DSAE, CNN, and DASO-based deep RNN, the performance improvement was found to be 13.4295%, 3.9380%, 5.539%, and 3.02870%, respectively.

5.5 Comparative discussion

Table 1 shows the comparative discussion of the developed adaptive model. Using dataset-1, the accuracy of the existing DBN, DSAE, CNN, and DASO-based deep RNN is 0.8479, 0.8245, 0.8094, and 0.9180, respectively, while the accuracy of the proposed adaptive model is 0.93679, which is better. With dataset-1, the DBN, DSAE, CNN, and DASO-based deep RNN got sensitivities of 0.9364, 0.9281, 0.89, and 0.9788, respectively, but the proposed adaptive model did better, with a sensitivity of 0.9851. With dataset-2, the accuracy of the existing DBN, DSAE, CNN, and DASO-based DRNN is 0.9512, 0.9735, 0.9552, and 0.9822, respectively, while the accuracy of the proposed adaptive model is 0.9854. With dataset-2, the specificity of the existing DBN, DSAE, CNN, and DASO-based deep RNN is 0.7370, 0.8178, 0.8041, and 0.82557, respectively, while the specificity of the proposed adaptive model is 0.8513.

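| Dataset | Metrics/methods | DBN | DSAE | CNN | DASO-based deep RNN | Proposed adaptive model |
|---|---|---|---|---|---|---|
| dataset-1 | Accuracy | 0.847976 | 0.824557 | 0.809486 | 0.918039 | 0.936790 |
| dataset-1 | Sensitivity | 0.936468 | 0.928132 | 0.890000 | 0.978848 | 0.985166 |
| dataset-1 | Specificity | 0.739464 | 0.896963 | 0.917412 | 0.961113 | 0.975465 |
| dataset-2 | Accuracy | 0.951206 | 0.973579 | 0.955279 | 0.982288 | 0.985469 |
| dataset-2 | Sensitivity | 0.961222 | 0.963585 | 0.935414 | 0.983639 | 0.990000 |
| dataset-2 | Specificity | 0.737022 | 0.817828 | 0.804192 | 0.825570 | 0.851355 |

Table 1. Comparative discussion.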


6. Conclusion

In this paper, a novel network ID mechanism named adaptive DASO-based deep RNN is developed to predict abnormal behavior in the network. First, the data are obtained from the database and sent to the feature selection module, which uses mutual information to select the relevant features. The features are selected based on a threshold value. Once the features are selected, they are forwarded to the IDS for predicting malicious behavior in the network. The malicious activity is detected by the developed DRNN, which is trained using the Adaptive DASO algorithm. The Adaptive DASO model is designed by integrating the adaptive concept, DE, and ASO. Although the combined DE and ASO algorithm provides better results, this method consumes high computational time. Thus, the adaptive concept is introduced into DASO to reduce the computational time. The algorithm predicts whether the behavior of the network is normal or abnormal. The weights are accurately measured by the developed Adaptive DASO algorithm through the fitness function. In addition, the developed Adaptive DASO achieved optimal performance on the evaluation metrics accuracy, sensitivity, and specificity, with values of 0.9854, 0.99, and 0.8513, using dataset-1. In the future, the detection capacity of the IDS can be enhanced by using other optimization techniques.

References

1. Shone N, Ngoc TN, Phai VD, Shi Q. A deep learning approach to network intrusion detection. IEEE Transactions on Emerging Topics in Computational Intelligence. 2018;2(1):41-50
2. Yin C, Zhu Y, Fei J, He X. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access. 2017;5:21954-21961
3. Azad C, Jha VK. Fuzzy min–max neural network and particle swarm optimization based intrusion detection system. Microsystem Technologies. 2017;23(4):907-918
4. Sohi SM, Seifert JP, Ganji F. RNNIDS: Enhancing network intrusion detection systems through deep learning. Computers and Security. 2020;2020:102151
5. Mighan SN, Kahani M. A novel scalable intrusion detection system based on deep learning. International Journal of Information Security. 2021;20(3):387-403
6. Andresini G, Appice A, Malerba D. Autoencoder-based deep metric learning for network intrusion detection. Information Sciences. 2021;569:706-727
7. Kaja N, Shaout A, Ma D. An intelligent intrusion detection system. Applied Intelligence. 2019;49(9):3235-3247
8. Jin D, Lu Y, Qin J, Cheng Z, Mao Z. SwiftIDS: Real-time intrusion detection system based on LightGBM and parallel intrusion detection mechanism. Computers & Security. 2020;97:101984
9. Sarker IH, Abushark YB, Alsolami F, Khan AI. Intrudtree: A machine learning based cyber security intrusion detection model. Symmetry. 2020;12(5):754
10. Injadat M, Moubayed A, Nassif AB, Shami A. Multi-stage optimized machine learning framework for network intrusion detection. IEEE Transactions on Network and Service Management. 2020;18(2):1803-1816
11. Bertoli GDC, Júnior LAP, Saotome O, Dos Santos AL, Verri FAN, Marcondes CAC, et al. An end-to-end framework for machine learning-based network intrusion detection system. IEEE Access. 2021;9:106790-106805
12. Jiang K, Wang W, Wang A, Wu H. Network intrusion detection combined hybrid sampling with deep hierarchical network. IEEE Access. 2020;8:32464-32476
13. Çavuşoğlu Ü. A new hybrid approach for intrusion detection using machine learning methods. Applied Intelligence. 2019;49(7):2735-2761
14. Tang TA, Mhamdi L, McLernon D, Zaidi SAR, Ghogho M. Deep learning approach for network intrusion detection in software defined networking. In: Proceedings of 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM). Fez, Morocco: IEEE; 2016. pp. 258-263
15. Wu K, Chen Z, Li W. A novel intrusion detection model for a massive network using convolutional neural networks. IEEE Access. 2018;6:50850-50859
16. Vinayakumar R, Alazab M, Soman KP, Poornachandran P, Al-Nemrat A, Venkatraman S. Deep learning approach for intelligent intrusion detection system. IEEE Access. 2019;7:41525-41550
17. Gao X, Shan C, Hu C, Niu Z, Liu Z. An adaptive ensemble machine learning model for intrusion detection. IEEE Access. 2019;7:82512-82521
18. Otoum S, Kantarci B, Mouftah HT. On the feasibility of deep learning in sensor network intrusion detection. IEEE Networking Letters. 2019;1(2):68-71
19. Yang H, Qin G, Ye L. Combined wireless network intrusion detection model based on deep learning. IEEE Access. 2019;7:82624-82632
20. Wu P, Guo H. LuNET: A deep neural network for network intrusion detection. In: Proceedings of 2019 IEEE Symposium Series on Computational Intelligence (SSCI). Xiamen, China: IEEE; 2019. pp. 617-624
21. Khan FA, Gumaei A, Derhab A, Hussain A. A novel two-stage deep learning model for efficient network intrusion detection. IEEE Access. 2019;7:30373-30385
22. Sohi SM, Seifert JP, Ganji F. RNNIDS: Enhancing network intrusion detection systems through deep learning. Computers & Security. 2021;102:102151
23. Zeng Y, Gu H, Wei W, Guo Y. Deep-full-range: A deep learning based network encrypted traffic classification and intrusion detection framework. IEEE Access. 2019;7:45182-45190
24. Jouad M, Diouani S, Houmani H, Zaki A. Security challenges in intrusion detection. In: Proceedings of International Conference on Cloud Technologies and Applications (CloudTech). Marrakech, Morocco. 2015. pp. 1-11
25. Borkar GM, Mahajan AR. A secure and trust based on-demand multipath routing scheme for self-organized mobile ad-hoc networks. Wireless Networks. 2017;23(8):2455-2472
26. Zhao W, Wang L, Zhang Z. A novel atom search optimization for dispersion coefficient estimation in groundwater. Future Generation Computer Systems. 2019;91:601-610
27. Inoue M, Inoue S, Nishida T. Deep recurrent neural network for mobile human activity recognition with high throughput. Artificial Life and Robotics. 2018;23(2):173-185
28. Erik G. Entropy and Mutual Information. Amherst; 2013
29. Wu K, Chen Z, Li W. A novel intrusion detection model for a massive network using convolutional neural networks. IEEE Access. 2018;2018:1-1
30. Khan FA, Gumaei A, Derhab A, Hussain A. TSDL: A two stage deep learning model for efficient network intrusion detection. IEEE Access. 2019:1-1
31. Dong B, Wang X. Comparison deep learning method to traditional methods using for network intrusion detection. In: Proceedings of 8th IEEE International Conference on Communication Software and Networks (ICCSN). Beijing, China. 2016. pp. 581-585
32. Sangeetha S, Ramya R, Dharani MK, Sathya P. Signature based semantic intrusion detection system on cloud. Information Systems Design and Intelligent Applications. 2015;2015:657-666
33. NSL-KDD Dataset. Available from: https://www.unb.ca/cic/datasets/nsl.html [Accessed: August 2022]
34. BoT-IoT Dataset. Available from: https://research.unsw.edu.au/projects/BoT-IoT-dataset [Accessed: August 2022]
