A network intrusion detection system (IDS) aims to maintain computer network security by detecting several forms of attacks and unauthorized uses of applications that often cannot be detected by firewalls. The feature selection approach plays an important role in constructing an effective network IDS. Various bio-inspired metaheuristic algorithms are used to reduce the features so that network traffic can be classified as abnormal or normal in a shorter time and with more accuracy. Therefore, this paper proposes a hybrid model for network IDS based on the hybridization of bio-inspired metaheuristic algorithms to detect the generic attack. The proposed model has two objectives. The first is to reduce the number of selected features for network IDS. This objective was met through the hybridization of bio-inspired metaheuristic algorithms with each other in a hybrid model. The algorithms used in this paper are particle swarm optimization (PSO), multi-verse optimizer (MVO), grey wolf optimizer (GWO), moth-flame optimization (MFO), whale optimization algorithm (WOA), firefly algorithm (FFA), and bat algorithm (BAT). The second objective is to detect the generic attack using machine learning classifiers. This objective was met by employing the support vector machine (SVM), C4.5 (J48) decision tree, and random forest (RF) classifiers. The UNSW-NB15 dataset was used for assessing the effectiveness of the proposed hybrid model. The UNSW-NB15 dataset has nine attack types. The generic attack is the highest among them. Therefore, the proposed model aims to identify generic attacks. My data showed that J48 is the best classifier compared to SVM and RF for the time needed to build the model.
In terms of feature reduction for the classification, my data show that the MFO-WOA and FFA-GWO models reduce the features to 15 features with accuracy, sensitivity and F-measure close to those of all features, whereas the MVO-BAT model reduces the features to 24 features with the same accuracy, sensitivity and F-measure as all features for all classifiers.
Computer network operations have been developing rapidly due to an increase in the number of computers and mobile devices. In light of that, the number of network attacks has been growing as well. According to “
On the other hand, anomaly-based detection aims to identify the normal behaviour of the network and produces a warning every time a deviation occurs, using a predefined threshold. Anomaly detection is defined as a two-class classifier that classifies each sample as normal or abnormal. Current IDSs suffer from several efficiency-related problems, such as low rates of detection accuracy and high rates of false detection [
Feature selection contributes to reducing the dimensionality of the data by removing duplicate and unnecessary features from the dataset. In addition, it deletes the least essential features from the dataset to improve the classification accuracy. Feature selection approaches play a significant role in building an optimized IDS with fewer features. A feature selection model can be filter-based, wrapper-based or embedded. In this paper, the wrapper-based approach is used.
Bio-inspired metaheuristic algorithms are algorithms based on certain physical and biological standards. They are classified into two types, population-based and single-solution-based algorithms [
In the present paper, a hybrid model based on the PSO, MVO, GWO, MFO, WOA, FFA, and BAT algorithms is proposed for network IDS to reduce the number of selected features. The main objective of this study is to enhance network IDS performance by reducing the number of selected features, so as to obtain high detection accuracy for large-scale datasets while consuming less time. The effectiveness of the proposed model is tested using the well-known machine learning classifiers SVM, J48 and RF.
The new contributions of the paper include:
The present study offers a proposed hybrid model for network IDS through the hybridization of every pair of the PSO, MVO, GWO, MFO, WOA, FFA, and BAT algorithms, to reduce the number of selected features and improve NIDS performance. The present study evaluates the reduced dataset of the proposed hybrid model using the SVM, J48, and RF machine learning classifiers.
The paper is organized as follows: Section 2 provides a review of the relevant literature on anomaly detection using bio-inspired metaheuristic algorithms. Section 3 presents a discussion of the proposed model. Section 4 provides information about the performance evaluation metrics. Section 5 presents several experimental results for the proposed model. Section 6 offers a conclusion.
During recent years, feature selection models for network IDS have been receiving much attention from researchers. Researchers have proposed many models to improve network IDS performance using different approaches such as filter, wrapper, data processing, optimization, machine learning techniques, and bio-inspired metaheuristic algorithms. Bio-inspired metaheuristic algorithms are used to improve network IDS performance due to their ability to find the most effective solutions within the minimum time. Each bio-inspired metaheuristic algorithm has its drawbacks and advantages. Through hybridization, each algorithm can take advantage of the strengths and address the weaknesses of other algorithms. Many recent studies suggest that hybridization improves the performance of bio-inspired metaheuristic algorithms. This section explains some of these recent studies.
Kim et al. [
Ghanem et al. [
Eesa et al. [
Asahi-Shahri et al. [
Guo et al. [
Al-Yaseena et al. [
Hajisalem et al. [
Li et al. [
Hosseini et al. [
Khraisat et al. [
Mohmmadzadeh et al. [
This model aims to increase the performance efficiency of the network IDS by hybridizing the following metaheuristic algorithms: PSO, MVO, GWO, MFO, WOA, FFA, and BAT.
The UNSW-NB15 dataset [
Feature no | Feature name | Feature no | Feature name | Feature no | Feature name | Feature no | Feature name |
---|---|---|---|---|---|---|---|
1 | id | 12 | dttl | 23 | dtcpb | 34 | ct_dst_ltm |
2 | dur | 13 | sload | 24 | dwin | 35 | ct_src_dport_ltm |
3 | proto | 14 | dload | 25 | tcprtt | 36 | ct_dst_sport_ltm |
4 | service | 15 | sloss | 26 | synack | 37 | ct_dst_src_ltm |
5 | state | 16 | dloss | 27 | ackdat | 38 | is_ftp_login |
6 | spkts | 17 | sinpkt | 28 | smean | 39 | ct_ftp_cmd |
7 | dpkts | 18 | dinpkt | 29 | dmean | 40 | ct_flw_http_mthd |
8 | sbytes | 19 | sjit | 30 | trans_depth | 41 | ct_src_ltm |
9 | dbytes | 20 | djit | 31 | response_body_len | 42 | ct_srv_dst |
10 | rate | 21 | swin | 32 | ct_srv_src | 43 | is_sm_ips_ports |
11 | sttl | 22 | stcpb | 33 | ct_state_ttl | 44 | attack_cat |
45 | label | | | | | | |
The UNSW-NB15 dataset has to go through the following pre-processing steps before it can be used with the EvoloPy-FS optimization framework [
1. Label removal: each feature in the original UNSW-NB15 dataset has a label. This label must be removed to adapt the dataset to the EvoloPy-FS context.
2. Removal of features: the original UNSW-NB15 dataset has 45 features, 2 of which are class labels, i.e. attack_cat and label. attack_cat is not considered a feature, so it must be deleted.
3. Label encoding: within the dataset, state, protocol and service type have string values, and these values must be encoded as numerical values.
4. Binarisation of data: the numerical data in the dataset poses challenges for the classifier in the training process, so it is very important to standardize the values in each feature. Therefore, the minimum value in each feature should be 0 and the maximum value should be 1. This makes the group more homogeneous and maintains the contrast between the values of every feature.
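The four pre-processing steps above, as an added Python example that is not code from the paper or from EvoloPy-FS. It runs on constructed rows with a subset of the UNSW-NB15 columns; learning the codes and min/max on the training rows only, and clipping test values into [0, 1], are assumptions the paper does not describe.

```python
import csv
import io

# Constructed rows in the UNSW-NB15 CSV layout, cut down to a few of the
# 45 columns; the values are made up for illustration.
TRAIN_CSV = """id,dur,proto,service,state,sbytes,sttl,attack_cat,label
1,0.12,tcp,http,FIN,258,252,Normal,0
2,0.00,udp,dns,INT,114,254,Generic,1
3,0.65,tcp,ftp,FIN,1628,62,Normal,0
4,0.00,udp,dns,INT,114,254,Generic,1
"""
TEST_CSV = """id,dur,proto,service,state,sbytes,sttl,attack_cat,label
5,1.30,sctp,http,FIN,871,62,Normal,0
"""

CATEGORICAL = ("proto", "service", "state")  # string-valued features
DROPPED = ("attack_cat",)                    # class column that is not a feature
TARGET = "label"


def read_rows(csv_text):
    """DictReader consumes the header line, so no column names reach the output."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fit(rows):
    """Learn category codes and per-feature min/max from the training rows only."""
    params = {}
    for name in rows[0]:
        if name in DROPPED or name == TARGET:
            continue
        codes = None
        if name in CATEGORICAL:
            codes = {v: i for i, v in enumerate(sorted({r[name] for r in rows}))}
            nums = [float(i) for i in codes.values()]
        else:
            nums = [float(r[name]) for r in rows]
        params[name] = (codes, min(nums), max(nums))
    return params


def transform(rows, params):
    """Return header-less records: features scaled to [0, 1], then the class."""
    out = []
    for r in rows:
        rec = []
        for name, (codes, lo, hi) in params.items():
            if codes is not None:
                # Assumption: a category unseen in training gets the next free
                # code; after clipping it shares 1.0 with the highest known code.
                v = float(codes.get(r[name], len(codes)))
            else:
                v = float(r[name])
            scaled = 0.0 if hi == lo else (v - lo) / (hi - lo)
            rec.append(min(1.0, max(0.0, scaled)))  # clip values outside the fit range
        rec.append(int(r[TARGET]))
        out.append(rec)
    return out
```

Fitting on the training rows and reusing the same parameters for the test rows keeps test-set statistics out of the scaling.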
Selecting the features was done based on the following Bio-inspired metaheuristic algorithms:
PSO was created by Eberhart et al. [
D refers to the search space dimensionality. Particles move to search for the optimal solutions within the search space. Each particle has a velocity, which is identified as follows
Each particle has its own position and velocity, and both are updated as the particle moves. The best initial position of the particle is reported as the personal best, pbest. The best position of the population is called gbest. PSO looks for optimal solutions based on gbest and pbest. It looks for them by updating the velocity and position of each particle with the equations below:
MVO is a new metaheuristic algorithm that was developed by Mirjalili et al. [
MVO has two parameters for updating the solution: the wormhole existence probability (WEP) and the travelling distance rate (TDR). They determine how much and how often the solutions change during the process of optimization. WEP is calculated based on the equation below:
Where the minimum is b, the maximum is a, the current iteration is t, and the maximum number of allowed iterations is T. TDR is calculated based on the equation below:
where the exploitation accuracy is p. Finally, the position of the solutions is modified after calculating WEP and TDR.
GWO was developed based on the social hierarchy and the hunting approach of grey wolves. It was proposed by Mirjalili et al. [
The GWO mathematical model has three parts: encircling, hunting and attacking behaviour. The encircling behaviour is represented in the equation below:
whereas:
The hunting behaviour is defined in the equation below
The attacking behaviour is represented in the equation below
MFO was proposed by Mirjalili [
Whereas:
FFA was created by Yang et al. [ All the fireflies are regarded as unisex. The brightness of the fireflies is proportionate to their attractiveness. A firefly’s brightness is determined and influenced by the environment of the objective functions.
The movement of a firefly i that is attracted to firefly j is represented in the equation below:
Where:
(rand −0.5) is a random number within the range [−0.5, 0.5],
Whereas:
xi refers to the position of firefly i, and xj refers to the position of firefly j.
WOA was created by Mirjalili [
Where:
The exploitation phase: this phase is also called the attacking bubble-net. It works with two approaches: shrinking encircling and spiral updating position. Both shrinking encircling and spiral updating position are applied to the whale's movement in the direction of its prey.
BAT was proposed by Yang [ All the bats use echolocation to predict the distance. They know in some magical manner the difference between food/prey and background barriers. A bat's loudness varies in several aspects. It differs from a large positive
A virtual bat updates its velocity and position using the following equations:
where:
β is a random number within the range [0, 1],
The proposed model selects important features as follows:
1. Binarize data [−1, 1].
2. Define a set of binary individuals. An individual and the population are represented by [1-D, 2-D] arrays.
3. Generate the reduced dataset, where 1s indicate selected features and 0s indicate features that are not selected.
4. Use the KNN classifier to evaluate the suitable solution and produce the fitness value of the reduced dataset.
5. Finally, repeat these steps until the maximum number of iterations is reached.
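One way to score binary individuals as the steps above describe, as an added example that is not the paper's or EvoloPy-FS's code. The data is constructed, and the fitness weighting (alpha = 0.99 on the KNN error plus 0.01 on the fraction of features kept) and the hold-out split are assumptions, since the paper does not state them.

```python
import random


def reduce_dataset(X, mask):
    """Keep only the columns whose bit in the binary individual is 1."""
    keep = [j for j, bit in enumerate(mask) if bit == 1]
    return [[row[j] for j in keep] for row in X]


def knn_error(train_X, train_y, val_X, val_y, k=5):
    """Error rate of a plain k-nearest-neighbour vote (squared Euclidean distance)."""
    wrong = 0
    for x, y in zip(val_X, val_y):
        dists = sorted(
            (sum((a - b) ** 2 for a, b in zip(x, t)), label)
            for t, label in zip(train_X, train_y)
        )
        votes = sum(label for _, label in dists[:k])
        pred = 1 if votes * 2 > k else 0
        wrong += pred != y
    return wrong / len(val_y)


def fitness(mask, train, val, alpha=0.99, k=5):
    """Lower is better. Assumed weighting: alpha * error + (1 - alpha) * share kept."""
    if not any(mask):
        return 1.0  # an individual that selects nothing cannot classify
    (tX, ty), (vX, vy) = train, val
    err = knn_error(reduce_dataset(tX, mask), ty, reduce_dataset(vX, mask), vy, k)
    return alpha * err + (1 - alpha) * sum(mask) / len(mask)


def make_split(n, rng):
    """Constructed data: columns 0-1 separate the classes, columns 2-5 are noise."""
    X, y = [], []
    for i in range(n):
        label = i % 2
        base = 0.8 if label else 0.0
        X.append([base + rng.uniform(0, 0.2) for _ in range(2)]
                 + [rng.random() for _ in range(4)])
        y.append(label)
    return X, y


def evaluate_population(population, train, val):
    """Score a 2-D population (one 1-D individual per row); return scores and best index."""
    scores = [fitness(ind, train, val) for ind in population]
    best = min(range(len(scores)), key=scores.__getitem__)
    return scores, best


rng = random.Random(15)
TRAIN, VAL = make_split(40, rng), make_split(20, rng)
POPULATION = [
    [1, 1, 1, 1, 1, 1],  # all features
    [1, 1, 0, 0, 0, 0],  # only the two informative features
    [0, 0, 1, 1, 1, 1],  # only the noise features
    [0, 0, 0, 0, 0, 0],  # nothing selected
]
```

In the paper's pipeline the optimizer would produce a new population each iteration and call an evaluation like `evaluate_population` again until the iteration limit is reached.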
A1 | A2 | Hybrid model | A1 | A2 | Hybrid model | A1 | A2 | Hybrid model |
---|---|---|---|---|---|---|---|---|
PSO | MVO | PSO-MVO | WOA | PSO | WOA-PSO | MFO | PSO | MFO-PSO |
PSO | GWO | PSO-GWO | WOA | MVO | WOA-MVO | MFO | MVO | MFO-MVO |
PSO | MFO | PSO-MFO | WOA | GWO | WOA-GWO | MFO | GWO | MFO-GWO |
PSO | WOA | PSO-WOA | WOA | MFO | WOA-MFO | MFO | WOA | MFO-WOA |
PSO | FFA | PSO-FFA | WOA | FFA | WOA-FFA | MFO | FFA | MFO-FFA |
PSO | BAT | PSO-BAT | WOA | BAT | WOA-BAT | MFO | BAT | MFO-BAT |
MVO | PSO | MVO-PSO | FFA | PSO | FFA-PSO | | | |
MVO | GWO | MVO-GWO | FFA | MVO | FFA-MVO | | | |
MVO | MFO | MVO-MFO | FFA | GWO | FFA-GWO | | | |
MVO | WOA | MVO-WOA | FFA | MFO | FFA-MFO | | | |
MVO | FFA | MVO-FFA | FFA | WOA | FFA-WOA | | | |
MVO | BAT | MVO-BAT | FFA | BAT | FFA-BAT | | | |
GWO | PSO | GWO-PSO | BAT | PSO | BAT-PSO | | | |
GWO | MVO | GWO-MVO | BAT | MVO | BAT-MVO | | | |
GWO | MFO | GWO-MFO | BAT | GWO | BAT-GWO | | | |
GWO | WOA | GWO-WOA | BAT | MFO | BAT-MFO | | | |
GWO | FFA | GWO-FFA | BAT | WOA | BAT-WOA | | | |
GWO | BAT | GWO-BAT | BAT | FFA | BAT-FFA | | | |
A classifier is employed for classifying the incoming data as abnormal or normal. The present study sheds light on the J48, SVM and RF classifiers. These classifiers were selected because they are the most famous classifiers used in the literature for network IDS [
SVM is a binary classifier. In SVM, the data is divided into two classes through the use of statistical methods, fixed rules and quadratic equations. The binary classification of the data is carried out by employing a separating hyperplane that maximizes the margin based on the kernel functions, and the extracted data are stored in the vector, leading to the best solution for the problem. Because it uses the structural risk minimization method, the SVM has a strong generalization capability. Several previous [
The J48 algorithm is a tree classifier that was proposed by Quinlan [
1. Select as root the attribute that has the highest gain value.
2. Build a branch for each value.
3. Repeat the procedure for each branch until all the cases in a branch have the same class.
Several researchers explored the influence of employing the J48 algorithm for enhancing the accuracy level of IDS [
The RF classifier was proposed by L. Breiman [
For assessing the performance efficiency of the proposed model, the following metrics were used: true-positive (TP), true-negative (TN), false-positive (FP) and false-negative (FN) rates [
 | Predicted Normal | Predicted Attack |
---|---|---|
Actual Normal | (TP) | (FN) |
Actual Attack | (FP) | (TN) |
The metrics are calculated as below:
The experiment was carried out using the open-source Anaconda Python distribution.
Optimizers | Datasets | Attack | Number of runs | Population size | Iterations |
---|---|---|---|---|---|
Combination of PSO, MVO, GWO, MFO, WOA, FFA, and BAT (see | UNSW-NB15 | Generic | 30 | 20 | 20 |
Hybrid model | Features number | Selected features |
---|---|---|
PSO-GWO | 19 | F2, F3, F8, F9, F12, F13, F14, F15, F17, F18, F21, F23, F25, F26, F27, F33, F35, F36, F42 |
PSO-MFO | 14 | F3, F4, F13, F15, F16, F18, F19, F20, F21, F25, F26, F27, F30, F32 |
PSO-WOA | 18 | F3, F4, F12, F15, F16, F18, F19, F20, F21, F22, F23, F25, F26, F27, F30, F33, F35, F38 |
PSO-FFA | 20 | F2, F3, F4, F9, F15, F16, F17, F18, F19, F20, F21, F22, F26, F27, F30, F32, F35, F36, F38, F42 |
PSO-BAT | 19 | F2, F4, F8, F12, F13, F14, F15, F19, F20, F21, F22, F23, F25, F26, F30, F32, F33, F36, F42 |
MVO-PSO | 15 | F5, F6, F7, F9, F10, F15, F19, F21, F22, F24, F28, F29, F36, F37, F40 |
MVO-GWO | 15 | F2, F3, F5, F6, F7, F9, F10, F11, F16, F19, F22, F35, F36, F37, F41 |
MVO-MFO | 16 | F2, F4, F6, F7, F11, F15, F16, F17, F18, F19, F21, F29, F32, F37, F39, F43 |
MVO-FFA | 19 | F2, F3, F4, F5, F6, F7, F8, F16, F18, F19, F21, F24, F28, F29, F33, F35, F36, F39, F40 |
MVO-BAT | 24 | F2, F3, F4, F5, F6, F9, F10, F11, F15, F16, F17, F19, F21, F22, F24, F29, F32, F33, F35, F36, F37, F40, F41, F43 |
GWO-PSO | 17 | F2, F3, F7, F9, F11, F12, F15, F18, F19, F21, F23, F26, F33, F35, F36, F37, F41 |
GWO-WOA | 17 | F2, F4, F9, F12, F18, F19, F20, F21, F23, F26, F28, F32, F33, F36, F39, F42, F43 |
GWO-FFA | 15 | F3, F4, F7, F11, F15, F18, F19, F23, F26, F31, F32, F33, F36, F37, F41 |
GWO-BAT | 17 | F3, F7, F9, F11, F15, F18, F21, F23, F27, F28, F31, F32, F35, F36, F39, F42, F43 |
MFO-GWO | 13 | F3, F5, F9, F17, F18, F19, F20, F23, F26, F32, F35, F37, F41 |
MFO-WOA | 15 | F1, F4, F5, F11, F15, F17, F18, F20, F24, F26, F28, F32, F37, F39, F41 |
MFO-FFA | 14 | F3, F4, F8, F11, F15, F18, F19, F24, F26, F28, F32, F35, F38, F41 |
MFO-BAT | 19 | F3, F5, F8, F9, F11, F17, F18, F19, F20, F23, F24, F26, F28, F32, F35, F37, F38, F39, F41 |
WOA-PSO | 12 | F4, F8, F15, F17, F23, F30, F32, F33, F36, F40, F42, F43 |
WOA-MVO | 13 | F4, F5, F19, F21, F22, F23, F24, F25, F32, F33, F40, F42, F43 |
WOA-MFO | 15 | F2, F4, F8, F11, F17, F21, F23, F24, F25, F30, F32, F33, F34, F42, F43 |
WOA-FFA | 11 | F4, F5, F15, F22, F23, F24, F25, F33, F34, F42, F43 |
WOA-BAT | 19 | F2, F4, F5, F8, F11, F15, F17, F19, F21, F22, F23, F25, F30, F32, F33, F34, F36, F42, F43 |
FFA-PSO | 13 | F1, F4, F7, F10, F12, F15, F18, F27, F29, F33, F37, F41, F43 |
FFA-GWO | 15 | F1, F2, F3, F4, F7, F10, F12, F14, F15, F19, F22, F31, F33, F39, F42 |
FFA-MFO | 15 | F1, F3, F4, F8, F14, F15, F18, F22, F31, F33, F35, F39, F41, F42, F43 |
FFA-WOA | 18 | F2, F8, F10, F12, F14, F15, F18, F19, F22, F27, F29, F31, F33, F35, F37, F39, F41, F42 |
FFA-BAT | 19 | F1, F2, F4, F7, F8, F12, F13, F14, F15, F18, F22, F27, F31, F33, F35, F37, F39, F42, F43 |
BAT-PSO | 22 | F1, F2, F5, F7, F10, F11, F12, F13, F16, F17, F21, F22, F23, F25, F26, F27, F30, F33, F35, F36, F39, F42 |
BAT-MVO | 22 | F2, F5, F7, F10, F12, F13, F16, F17, F20, F21, F22, F23, F25, F26, F28, F31, F33, F34, F36, F38, F39, F42 |
BAT-MFO | 23 | F3, F5, F7, F9, F10, F11, F12, F13, F17, F21, F23, F25, F26, F28, F29, F30, F33, F34, F36, F38, F39, F42, F43 |
BAT-WOA | 19 | F3, F5, F7, F9, F11, F12, F13, F16, F17, F28, F29, F30, F32, F33, F34, F35, F37, F42, F43 |
BAT-FFA | 22 | F1, F2, F3, F5, F9, F10, F11, F13, F16, F17, F20, F22, F25, F26, F27, F28, F32, F34, F36, F38, F42, F43 |
The hybrid model in
J48 | SVM | RF | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
All Features | 92.80 | 90.60 | 94.34 | 2.35 | 92.79 | 90.57 | 94.33 | 193.53 | 92.80 | 90.60 | 94.34 | 26.26 |
PSO-MVO | 92.67 | 90.38 | 94.23 | 92.67 | 90.38 | 94.23 | 182.7 | 92.67 | 90.38 | 94.23 | ||
PSO-GWO | 92.59 | 90.39 | 94.17 | 0.99 | 92.47 | 90.15 | 94.07 | 92.59 | 90.39 | 94.17 | 16.1 | |
PSO-MFO | 91.68 | 88.91 | 93.4 | 0.76 | 91.67 | 88.89 | 93.39 | 251.88 | 91.68 | 88.91 | 93.40 | 19.18 |
PSO-WOA | 91.52 | 88.72 | 93.27 | 0.60 | 90.90 | 87.73 | 92.74 | 182.61 | 91.52 | 88.72 | 93.27 | 16.92 |
PSO-FFA | 92.60 | 90.39 | 94.18 | 0.93 | 92.49 | 90.16 | 94.08 | 311.36 | 92.60 | 90.39 | 94.18 | 20.00 |
0.69 | 109.93 | 15.2 | ||||||||||
MVO-PSO | 92.59 | 90.39 | 94.17 | 0.6 | 92.48 | 90.16 | 94.07 | 176.28 | 92.59 | 90.39 | 94.17 | |
MVO-GWO | 90.65 | 87.41 | 92.52 | 0.65 | 90.65 | 87.41 | 92.52 | 135.82 | 90.65 | 87.41 | 92.52 | 13.61 |
MVO-MFO | 92.64 | 90.42 | 94.21 | 0.72 | 92.56 | 90.24 | 94.14 | 125.38 | 92.64 | 90.42 | 94.21 | 14.08 |
MVO-WOA | 92.77 | 90.56 | 94.32 | 0.75 | 92.75 | 90.55 | 94.31 | 95.27 | 92.76 | 90.57 | 94.31 | 13.99 |
MVO-FFA | 92.76 | 90.57 | 94.31 | 0.98 | 92.75 | 90.55 | 94.31 | 92.76 | 90.57 | 94.31 | 12.39 | |
116.58 | 16.00 | |||||||||||
0.67 | 86.06 | 14.68 | ||||||||||
GWO-MVO | 92.49 | 90.16 | 94.08 | 92.49 | 90.16 | 94.08 | 110.68 | 92.49 | 90.16 | 94.08 | 14.52 | |
GWO-MFO | 92.63 | 90.41 | 94.2 | 0.64 | 92.54 | 90.23 | 94.13 | 144.79 | 92.63 | 90.41 | 94.25 | |
1.28 | 14.12 | |||||||||||
GWO-FFA | 0.61 | 92.76 | 90.56 | 94.31 | 90.34 | 13.41 | ||||||
GWO-BAT | 0.97 | 92.55 | 90.24 | 94.13 | 139.65 | 92.55 | 90.24 | 94.13 | 17.02 | |||
MFO-PSO | 86.78 | 81.58 | 89.10 | 0.60 | 86.64 | 81.32 | 88.97 | 68.12 | 86.78 | 81.58 | 89.10 | |
MFO-MVO | 90.90 | 87.73 | 92.74 | 90.84 | 87.63 | 92.68 | 90.90 | 87.73 | 92.74 | 7.88 | ||
MFO-GWO | 89.62 | 85.90 | 91.64 | 0.89 | 89.61 | 85.88 | 91.63 | 86.06 | 89.62 | 85.90 | 91.64 | 8.78 |
0.74 | 71.73 | 9.50 | ||||||||||
MFO-FFA | 90.21 | 90.12 | 90.41 | 1.26 | 92.53 | 90.21 | 94.11 | 69.14 | 92.54 | 90.22 | 94.12 | 11.36 |
MFO-BAT | 90.61 | 87.38 | 92.50 | 1.24 | 90.61 | 87.37 | 92.49 | 92.92 | 90.61 | 87.37 | 92.49 | 11.22 |
WOA-PSO | 92.72 | 90.42 | 94.27 | 92.71 | 90.41 | 94.26 | 92.71 | 90.44 | 94.26 | |||
WOA-MVO | 92.75 | 90.56 | 94.30 | 0.55 | 92.71 | 90.47 | 94.26 | 66.89 | 92.74 | 90.55 | 94.29 | 11.24 |
WOA-GWO | 84.37 | 77.8 | 86.83 | 0.51 | 84.37 | 77.80 | 86.83 | 29.56 | 84.38 | 77.81 | 86.84 | 12.02 |
WOA-MFO | 92.75 | 90.46 | 94.29 | 0.55 | 90.46 | 94.29 | 36.76 | 92.74 | 90.45 | 94.29 | 11.06 | |
WOA-FFA | 92.72 | 90.42 | 94.27 | 0.95 | 92.71 | 90.41 | 94.26 | 16.67 | 92.72 | 90.42 | 94.27 | 8.93 |
1.45 | 92.73 | 71.38 | 11.01 | |||||||||
FFA-PSO | 92.72 | 90.41 | 94.27 | 0.83 | 92.71 | 90.41 | 94.26 | 41.77 | 92.70 | 90.42 | 94.26 | |
FFA-MVO | 88.15 | 83.52 | 90.32 | 88.15 | 83.52 | 90.32 | 88.15 | 83.52 | 90.32 | 8.29 | ||
FFA-MFO | 92.72 | 90.42 | 90.42 | 0.60 | 92.71 | 90.41 | 94.26 | 68.82 | 92.72 | 90.42 | 94.27 | 12.39 |
FFA-WOA | 92.75 | 94.30 | 0.65 | 92.73 | 94.28 | 99.47 | 92.75 | 94.30 | 12.75 | |||
FFA-BAT | 92.73 | 90.47 | 94.28 | 1.07 | 92.72 | 90.46 | 94.28 | 85.03 | 92.74 | 90.47 | 94.28 | 8.74 |
0.88 | 96.3 | 14.01 | ||||||||||
BAT-MVO | 92.67 | 90.38 | 94.23 | 1.92 | 92.67 | 90.38 | 94.23 | 442.01 | 92.67 | 90.38 | 94.23 | 14.34 |
BAT-GWO | 92.56 | 90.24 | 94.14 | 0.83 | 92.56 | 90.24 | 94.14 | 86.17 | 92.56 | 90.24 | 94.14 | |
BAT-MFO | 92.73 | 94.28 | 1.03 | 92.73 | 94.28 | 99.79 | 92.73 | 90.45 | 94.28 | 13.26 | ||
BAT-WOA | 89.74 | 86.00 | 91.74 | 89.74 | 86.00 | 91.74 | 89.74 | 86.00 | 91.74 | 11.03 | ||
BAT-FFA | 89.62 | 85.80 | 91.63 | 1.25 | 89.62 | 85.80 | 91.63 | 116.89 | 89.62 | 85.80 | 91.63 | 20.13 |
*Accu = Accuracy; Sens = Sensitivity; F-M = F-measure; Ts = Time in seconds to build the detection model.
Based on obtained results from
My data suggest that the proposed hybrid models improve network IDS by reducing the features and the time required to build a detection model. In addition, my results show the dominance of J48 over SVM and RF in terms of the required time. Concerning feature reduction and classification, the results show that the MFO-WOA and FFA-GWO models reduce the features to 15 features with accuracy, sensitivity and F-measure close to those of all features, whereas the MVO-BAT model reduces the features to 24 features with the same accuracy, sensitivity and F-measure as all features for all classifiers.
Using metaheuristic algorithms can help to find optimal feature sets. Hybridization of metaheuristic algorithms can reduce the number of features and improve the accuracy of the classification process in less time. Therefore, in this study, a hybrid model based on metaheuristic algorithms was developed to reduce the selected features for network IDS. The PSO, MVO, GWO, MFO, WOA, FFA and BAT algorithms were used in this study. The proposed hybrid model was evaluated using the UNSW-NB15 dataset and the J48, SVM and RF classifiers. The experiment was conducted in two phases. The first phase aims to choose features using the metaheuristic algorithms, and the second phase evaluates the proposed hybrid models based on the J48, SVM and RF classifiers. The results of the first phase showed that the proposed hybrid models reduce the number of features. The results of the second phase show the dominance of J48 over SVM and RF in terms of the time required to build the model. The MFO-WOA and FFA-GWO models reduce the features to 15 features with a good classification rate. Finally, the MVO-BAT model reduces the features to 24 features with the same results as all features. The proposed hybrid model is capable of detecting the generic attack more effectively.