Performance Evaluation Of Firefly Optimization
For Intrusion Detection System
RITU BALA, Dr. RITU NAGPAL
Abstract: An intrusion detection system (IDS) is a hardware device or software application that monitors networks for malicious activity or policy violations. Any malicious activity or violation is usually reported to an administrator or collected centrally by a security information and event management system, which combines outputs from numerous sources and uses alarm filtering methods to distinguish malicious activity from false alarms. An IDS is known for its main components: sensors, a console and a detection engine. The sensor senses the system traffic and generates events; the console handles those events and manages the sensors; and the detection engine records the events logged by the sensors in a database and applies rules to produce alerts from the received security events. In this paper we explain the intrusion detection system and its importance, and discuss several surveys that are relevant to it. The intrusion detection system is explained in detail, and its types, namely the Network Intrusion Detection System, the Host-based Intrusion Detection System and the Hybrid intrusion detection system, are discussed. An IDS is software or hardware that automates the process of examining events. The MATLAB simulator has been used for the implementation. We propose using the firefly algorithm together with convolution neural networks; both are discussed in this paper and results are shown. The Firefly optimization approach is used to optimize the features. The main aim of the paper is to reduce irrelevant features by selecting and optimizing the best features for accuracy. The Firefly optimization method optimizes the features, and classifiers are subsequently used to detect intrusions in the system.
Keywords: IDS, FA, NIDS, CNN, NSL, KD
————————————————————
1 INTRODUCTION
An intrusion detection system consists of hardware and software elements that work together to identify unexpected events that may indicate an attack that will occur, is occurring, or has occurred. This system is popular in every area because it guards against various threats. Some products warn in advance that an attack might happen, some warn when they notice an attack in progress, and some warn when they notice the consequences of an attack. An IDS involves three components. The first is a sensor that senses the system traffic and generates events. The second, the console, handles those events and manages the sensors. Lastly, the detection engine records the events logged by the sensors in a database and applies rules to produce alerts from the received security events [1]. There are several ways to classify an IDS, depending on the type and location of the sensors and the method used by the engine to produce alerts. In many simple IDS deployments all three components are combined in a single device or application.
1.1 Types of Intrusion Detection System
Network Intrusion Detection System. It identifies intrusions by inspecting network traffic and monitors many hosts. Network intrusion detection systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap. Snort is one example of a NIDS.
Fig. 1. Network based IDS
Host-based Intrusion Detection System. It consists of an agent on a host that identifies intrusions by examining system calls, application logs, file-system modifications (binaries, password files, capability databases) and other host events and state.
Fig. 2. Host based IDS
Fig. 3. Hybrid IDS
Network-based intrusion detection systems have played a vital part in network security because of the extensive use of computer systems. Another factor was the development of valuable resources and the fast growth of defenders [1, 2]. Such a system regularly checks network behaviour by examining the data and statistical features of network traffic. Generally, network security specialists need to complete two main phases to implement a NIDS. The first is to use a machine learning method to distinguish normal and intrusive events; the objective is to raise the detection speed and reduce the false alarm rate. The goal of the second phase is to evaluate these methods on real-world data. However, gathering such test data is a key challenge in intrusion detection research, because network traffic, host records and events are scarce. Furthermore, collecting data from a real environment might raise privacy and security concerns [3, 4].
Many authors have surveyed intrusion detection systems, and some of this work is discussed below.
Ravale, Ujwala et al. [1] proposed a hybrid method that uses the K-Means clustering algorithm and the RBF kernel function of a Support Vector Machine as a classification component. The key purpose of the proposed method is to reduce the number of attributes associated with every data point when applied to the KDDCUP'99 data set.
Yang Li et al. [10] introduced a new lightweight intrusion detection model that first selects several significant attributes by means of Information Gain and Chi-Square. The results presented for the four categories of the KDD dataset (DOS, Probe, R2L and U2R) still preserved accuracy.
Panda et al. [11] proposed K-Means and Fuzzy C-Means, which were very useful in detecting anomalous network intrusions. These methods were also observed to be very efficient: they are cost effective, fast and do their work thoroughly and correctly. The author used a supervised learning method, Naive Bayes, which splits the dataset into normal instances and probable attacks.
Komviriyavut et al. [12] presented a method based on the decision tree algorithm and Ripper rules. The author used 13 features of the dataset. The detection rate was 98% with a reasonable detection speed. This technique was very effective and popular and presented intrusion detection as a big benchmark.
Kamran Shafi et al. [3, 4] presented a fast method to create a fully labelled network intrusion detection dataset, named the Seal dataset, that is suitable for supervised and unsupervised machine learning. The 33 types in the Seal dataset are load based, detect intrusive actions and are able to warn of viruses and spyware.
Tran et al. [13] proposed a combined block-based neural network accelerated with a high-frequency FPGA circuit in order to implement a real-world intrusion detection method. The most interesting outcome is the high speed of the method, which makes it appropriate for handling large-scale datasets from real-world environments.
The Internet is pushing organizations into an era of open and critical infrastructures. This openness brings its share of weaknesses and difficulties, such as financial losses, damage to reputation, maintaining availability of services, protecting personal and customer data and many more, pushing both enterprises and service providers to take steps to guard their valuable data from intruders, hackers and insiders. An intrusion detection system has now become an essential requirement for successful content networking. It delivers two main benefits: visibility and control. Some products warn in advance that an attack might happen, some warn when they notice an attack in progress, and some warn when they notice the consequences of an attack. This paper presents a wrapper-type method based on the Firefly Algorithm and CNN, proven to give the best result. The main aim of the paper is to reduce irrelevant features by selecting and optimizing the best features for accuracy. The Firefly optimization method optimizes the features. Subsequently, classifiers are used to detect intrusions in the system.
2 ALGORITHM USED
The algorithms used in the proposed approach are given below:
2.1 Firefly Algorithm (FA)
Fireflies are small insects with hard wings that give off light at night, produced by luminescent chemicals in their abdominal organs [5]. FA takes its inspiration from the natural behaviour of these fireflies in the dark: light emission, mutual attraction between insects and light absorption. Xin-She Yang proposed this algorithm in 2007. It rests on the rules discussed below.
• Fireflies are unisex, that is, they will attract others regardless of sex.
• The greater the brightness, the greater the attraction. A firefly with lesser brightness will move toward the firefly that has more light. The brightest of all will move randomly.
The firefly algorithm has been used in the intrusion detection system because it is an optimization technique and it fulfils all the needs of the IDS. The steps of the algorithm are given below:
Objective function: $f(x)$, $x = (x_1, x_2, \ldots, x_d)$
Generate an initial population of fireflies $x_i$ $(i = 1, 2, \ldots, n)$
Formulate light intensity $I$ so that it is associated with $f(x)$
In this system firefly optimization is essential because during any malicious activity the network's consumption in terms of overhead and energy dissipation rises, which degrades the performance of the network. The optimization also increases link stability among the nodes, with less overhead consumed in routing the transmitted packets from the user to the application servers for resource allocation. This in turn increases the lifetime of the network, so that it survives further rounds to deliver packets successfully, and increases network stability among neighbouring nodes.
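The steps above, carried through as an added Python example (not the authors' MATLAB implementation): a firefly search over feature masks in which light intensity is the validation accuracy of a wrapped classifier. The nearest-centroid classifier stands in for the paper's CNN, and the six-feature data set, the function names and the parameter values (n, iters, beta0, gamma, alpha) are assumptions constructed for illustration.

```python
import math
import random

def make_data(rng, n=120, d=6):
    # Constructed sample (not KDD99): label 1 = attack; features 0-1 carry signal, rest is noise.
    return [([rng.gauss(2.0 * (i % 2), 1.0) if k < 2 else rng.gauss(0.0, 3.0)
              for k in range(d)], i % 2) for i in range(n)]

def accuracy(mask, train, val):
    # Wrapper fitness: nearest-centroid accuracy on the selected features only.
    idx = [k for k, keep in enumerate(mask) if keep]
    if not idx:
        return 0.0
    cent = {}
    for c in (0, 1):
        pts = [x for x, y in train if y == c]
        cent[c] = [sum(p[k] for p in pts) / len(pts) for k in idx]
    def predict(x):
        return min((0, 1), key=lambda c: sum((x[k] - m) ** 2 for k, m in zip(idx, cent[c])))
    return sum(predict(x) == y for x, y in val) / len(val)

def firefly_select(train, val, d, n=8, iters=15, beta0=1.0, gamma=1.0, alpha=0.2, seed=1):
    rng = random.Random(seed)
    mask = lambda x: [v > 0.5 for v in x]            # position -> selected-feature mask
    f = lambda x: accuracy(mask(x), train, val)      # objective function f(x)
    X = [[rng.random() for _ in range(d)] for _ in range(n)]   # initial population x_i
    I = [f(x) for x in X]                            # light intensity I tied to f(x)
    best_fit = max(I)
    best_x = X[I.index(best_fit)][:]
    history = [best_fit]
    for _ in range(iters):
        for i in range(n):
            for j in range(n):
                if I[j] > I[i]:                      # dimmer firefly i moves toward brighter j
                    r2 = sum((p - q) ** 2 for p, q in zip(X[i], X[j]))
                    beta = beta0 * math.exp(-gamma * r2)   # attraction fades with distance
                    X[i] = [min(1.0, max(0.0, p + beta * (q - p) + alpha * (rng.random() - 0.5)))
                            for p, q in zip(X[i], X[j])]
                    I[i] = f(X[i])
                    if I[i] > best_fit:
                        best_fit, best_x = I[i], X[i][:]
        history.append(best_fit)                     # best-so-far accuracy per iteration
    return mask(best_x), best_fit, history

def split(seed=7):
    rows = make_data(random.Random(seed))
    return rows[:80], rows[80:]                      # train / validation

def run_demo(seed=7):
    train, val = split(seed)
    selected, fit, history = firefly_select(train, val, d=6)
    return selected, fit, history, accuracy([True] * 6, train, val)
```

`run_demo()` returns the selected mask, its validation accuracy, the best-so-far accuracy after each iteration and the all-features baseline for comparison.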
2.2 KDD99 Dataset
KDD99. It is the most commonly used dataset for assessing anomaly detection techniques. It contains about 4,900,000 single connection vectors, each of which contains 41 features and is labelled as either an attack or normal, which indicates the attacks observed. It is important to note that the test data is not from the same probability distribution as the training data, and it also covers specific attack types. The datasets contain a total of 24 training attack types. The simulated attacks fall into the following four categories:
DOS. Numerous kinds of attacks are involved, e.g. SYN flood.
R2L. Unauthorized access from a remote machine, e.g. password guessing.
U2R. Unauthorized access to local superuser privileges, e.g. various "buffer overflow" attacks.
Probing. Surveillance and probing, e.g. port scanning.
2.3 Convolution Neural Network
Neural networks are typically organized in layers. Layers are made up of a number of interconnected 'nodes' which contain an 'activation function'. Patterns are presented to the network through the 'input layer', which connects to various 'hidden layers' where the actual processing is done through a system of weighted 'connections'. The hidden layers then link to an 'output layer' where the answer is output as:
Fig. 4. CN Network in the form of deep layers
Although there are many different kinds of learning rules used by neural networks, this demonstration is concerned only with one: the delta rule. The delta rule is often utilized by the most common class of NNs. With the delta rule, as with other types of neural network, 'learning' is a supervised process that occurs with each cycle or 'epoch' (i.e. each time the network is presented with a new input pattern) through a forward activation flow of outputs, and the backwards error propagation of weight adjustments. More simply, when a neural network is initially presented with a pattern it makes a random 'guess' as to what it might be. It then sees how far its answer was from the actual one and makes an appropriate adjustment to its connection weights.
3 RESULTS
Intrusion detection is one of the main problems in computer networks and networking scenarios. Intrusions must be reduced to have effective communication that is attack free and has a low error probability. The system must also deliver packets efficiently, with low packet loss, low energy consumption and a high packet delivery rate.
Fig. 5. Network Creation
Fig. 6. Communication Scenario
In Fig. 6 above, packet sending takes place as the user communicates with the access points and the web server. Access points are the medium that forwards the wireless signal to machines and are used for routing to connect to the wireless network. In Fig. 6 we can see packets being transferred from one user to the centralized unit, which feeds the user request to the application, which sends it to the target locations. Fig. 6 also shows the effect of an attack in which botnets are affected and the medium is affected. Shown in red, if the bandwidth of the allocated access point exceeds a certain limit, the whole routing is affected, which increases the network delay and time consumption and degrades the lifespan of the network.
Fig. 7. Network Training Process
Fig. 8. CNN Layers
Fig. 8 shows the layers of the CNN, which are built during the training process; the whole process is carried out over a number of iterations. The main objective of those layers is to minimize the loss function and also to evaluate the malicious activities of the intrusions. If the error probability increases, the intrusion process is taking place, which is detected by the training process through the generation of the CNN layers.
Fig. 9. Training Performance using CNN
Fig. 9 shows the training performance using CNN. It shows that the CNN efficiently reduces network broadcasting errors, measured as mean square error, which increases the lifetime of the network and detects the malicious intrusion process.
Fig. 10. Performance evaluation using CNN
Fig. 10 shows the performance evaluation of the proposed approach, in which the system performs efficiently and achieves high values for the parameters that must be high for good intrusion detection. The precision must be high, and the recall must also be high, for a high detection rate and low computation time.
Table 2. Performance Evaluation
Parameters    Firefly + CNN
Detection accuracy 0.7418
Precision 0.916
Recall 0.56
Computation Time 101.65 ms
detection accuracy, precision, recall and computation time. The graph in Fig. 11 below shows the detection accuracy and precision of Firefly + CNN, which are 0.7418 and 0.916 respectively.
Fig. 11. Detection accuracy and precision
The graph in Fig. 12 below shows the recall and computation time of Firefly + CNN, which are 0.56 and 101.65 respectively.
Fig. 12. Recall and computation time
CONCLUSION
In this paper we have described the different types of IDS and proposed using the firefly algorithm together with convolution neural networks. Both are discussed in this paper and results have been shown with the help of graphs. The Firefly optimization approach has been used to optimize the features. The main aim of the paper is to reduce irrelevant features by selecting and optimizing the best features for accuracy. The Firefly optimization method optimizes the features. Subsequently, classifiers are used to detect intrusions in the system. The behaviour of the proposed model is analyzed on the basis of detection accuracy, precision, recall and computation time.
REFERENCES
[1] Padiya, P. “Feature selection based hybrid anomaly intrusion detection system using K means and RBF kernel function”, 45 , 428-435 (2015).
[2] Thaksen, J, and Chandra, P. “A Novel approach to deep packet inspection for intrusion detection” Procedia Computer Science. Vol 45, pp. 506-513, (2015).
[3] Sharma, S.K. “Analysis of KDD dataset attributes-class wise for intrusion detection” Procedia Computer Science, vol 57, pp.842-851, (2015).
[4] Nilkanth, S. and Bichkar, R.S. “Genetic algorithm with variable length chromosomes for network intrusion detection” in International Journal of Automation and Computing, pp.337-342, (2015).
[5] Karkouch, A., et al. “Data quality in internet of things: A state-of-the-art survey” in Journal of Network and Computer Applications, vol 73, pp.57-81, (2015).
[6] Guo, C.et al. “A distance sum-based hybrid method for intrusion detection” in Applied intelligence, vol 40, pp.178-188, (2014).
[7] Hosseini,S.M et al. “A new intrusion detection approach using PSO based multiple criteria linear programming”, Procedia Computer Science, vol 55 , pp.231-237, (2015).
[8] Tamer F., Wail S.E. and Hatem M. A. “A hybrid approach for efficient anomaly detection using metaheuristic methods” in Journal of advanced research, vol 64, pp. 609-619 (2014).
[9] Lee, W., Stolfo, S. Mok, K. “A Data Mining Framework for Building Intrusion Detection Models”, in Proceedings of the 1999 IEEE Symposium on Security and Privacy, pp. 120-132, (1999).
[10] Lee, W. Stolfo, S. “A framework for constructing features and models for intrusion detection systems”, in ACM Transactions on Information and System Security, vol. 3, no. 4, pp.227-261, (2000).
[11] Shafi, K., Abbass, H.A., and Zhu, W. “A Methodology to Evaluate Supervised Learning Algorithms For Intrusion Detection”, in School of ITEE, (2009).
[12] Kamran,S. Hussein, A. Abbass,”Evaluation of an Adaptive Genetic-Based Signature Extraction System for Network Intrusion Detection”, in Journal of Pattern Analysis and Applications, 0044-011-0255-5,2010.
[13] Lippmann R. P. and M. A. Zissman “DARPAlAFRL off-line intrusion detection evaluation. KDD Cup 1999 data (Computer network intrusion detection)”, 23-27,(2003).
[14] Sabhnani M. “Why machine learning algorithms fail in misuse detection on KDD intrusion detection data set” , in Intelligent Data Analysis, vol 8(4), pp.403-415, (2004).