A. Conceptual Framework of IDS

A conceptual model of the proposed framework is given in Figure 1. The framework comprises three tiers, i.e. feature selection, classifier modeling, and validation. The first tier refers to the process of carefully choosing a feature set as the most appropriate for the anomaly detection task at hand. This is done using a hybrid technique relying on three evolutionary search techniques, i.e. particle swarm optimization (PSO), ant colony optimization (ACO), and genetic algorithms (GA). The feature selection method is described in depth in Section III-B.

FIGURE 1.

A conceptual framework for an anomaly-based IDS.

Show All

In the second tier, a two-stage meta classifier for classification is designed. This tier is responsible for building classification model through the combination of two meta classifiers, i.e. rotation forest (RF) and bagging (BG). Since BG requires weak classifier, a conjunctive rule (CR) [53] classifier is chosen as base classifier. Following this, other meta combinations and a single classifier can be taken into consideration, e.g. bagging of CR (BG-CR), rotation forest of CR (RF-CR), and CR. These classifiers are further used as the basis of our classification analysis using statistical significance tests provided in Section IV-C. The two-stage meta classifier is described in depth in Section III-C.

Lastly, in the third layer, the proposed two-stage meta classifier is evaluated. This validation is performed using 10-fold cross validation ($10f cv$ ) [54]. We also consider a validation test using simple hold-out (train-test) approach applied on each provided test set for overall comparison with existing techniques. In addition, four performance measures that are frequently used in IDS research are taken into account. These are accuracy, false positive rate (FPR), sensitivity (also known as recall), and precision. The experimental results are presented in Section IV.

B. Tier 1: Hybrid Feature Selection

A feature selection technique can be seen as a procedure for selecting a precise, compact and accurate subset of features from a given feature set. In this work, we choose a correlation-based feature selection, which estimates the importance of features using entropy and information gain [55]. In particular, irrelevant, noisy, and redundant features have to be excluded from the dataset in this tier.

We consider an evolutionary approach to feature selection, using three distinct evolutionary search techniques: PSO [56], GA [57], and ACO [58]:

• Particle swarm optimization. In this technique, a feature set is represented by particles in a swarm. Several particles are placed in an hyperspace in which each particle possesses random location $x_{i}$ and velocity $v_{i}$ . Let $\omega$ be the inertia weight constant, with $c_{1}$ and $c_{2}$ be the cognitive and social learning constant, respectively. Let also $n_{1}$ and $n_{2}$ be random numbers, $p_{i}$ be the personal best location of particle $i$ , and $g$ be the global location among the particles. Then, the fundamental rules for updating the position and speed of each particle are:

  $$\begin{align*} x_{i}(t+1)=&x_{i}(t)+v_{i}(t+1)\tag{1}\\ v_{i}(t+1)=&\omega v_{i}(t)+c_{1}n_{1}(p_{i}-x_{i}(t))+c_{2}n_{2}(g-x_{i}(t)) \\\tag{2}\end{align*}$$ View Source\begin{align*} x_{i}(t+1)=&x_{i}(t)+v_{i}(t+1)\tag{1}\\ v_{i}(t+1)=&\omega v_{i}(t)+c_{1}n_{1}(p_{i}-x_{i}(t))+c_{2}n_{2}(g-x_{i}(t)) \\\tag{2}\end{align*}

• Genetic algorithm. In this technique, a set of features is represented by a chromosome. The existence of particular feature in a feature set is determined using binary value, either 1 (present) or 0 (missing). In addition, the Goldberg method is frequently taken into consideration to obtain the best feature set, while a $k$ -fold cv is used by subset evaluator to examine the input features. In the experiment, it is necessary to specify the parameters such as initial population, mutation, crossover probability, and $k$ .

• Ant colony optimization. In this techniques, adopting a graph representation, features are denoted by nodes and the selection of the best possible next feature is denoted by edges. The final feature subset is obtained through an ant search in the graph. The search stopping criterion is set to check a minimum number of visited nodes [59]. In addition, in order to evaluate which features are more informative among the currently chosen features, a probabilistic transition rule is utilized. Let $k$ be the number of ants, $J_{i}^{k}$ the set of ant $k$ ’s unvisited features, $\eta _{ij}$ the heuristic merit of picking feature $j$ when presently at feature $i$ , $\tau _{ij}(t)$ the amount of virtual pheromone on edge $(i,j)$ , then the likelihood of an ant at feature $i$ to be willing to travel to feature $j$ at time $t$ is:

  $$\begin{equation*} p_{ij}^{k}(t) = \frac {[\tau _{ij}(t)]^{\alpha }\cdot [\eta _{ij}]^{\beta }}{\sum _{l\in J_{i}^{k}}[\tau _{il}(t)]^{\alpha }\cdot [\eta _{il}]^{\beta }}\tag{3}\end{equation*}$$ View Source\begin{equation*} p_{ij}^{k}(t) = \frac {[\tau _{ij}(t)]^{\alpha }\cdot [\eta _{ij}]^{\beta }}{\sum _{l\in J_{i}^{k}}[\tau _{il}(t)]^{\alpha }\cdot [\eta _{il}]^{\beta }}\tag{3}\end{equation*}

Several experiments have been carried out by tuning the size of particle, the number of ants, and the population size of PSO, ACO, and GA, respectively. A feature set is then selected by considering the maximum classification accuracy of a REPT classifier [60]. REPT is chosen due to its simplicity and speed in generating decision trees. It reduces the size of decision trees by pruning segments of the tree that contribute only marginally to sample classification. The classification accuracy of REPT is evaluated using subsampling (Monte-Carlo cross validation) technique. Subsampling is very similar to classical bootstrap [61]. It draws a training set $D_{train}$ from $D$ , whilst the remaining part of the dataset $D_{test}$ is used for testing. The process is then repeated in a given number of iterations $k$ . In the experiment, we choose $k=40$ and sampling ratio 80/20.

C. Tier 2: A Two-Stage Meta Classifier

A meta classifier trains multiple individual classifiers, either in a parallel or serial manner. In order to construct a two-stage meta classifier, we employ two original ensembles, that is, rotation forest and bagging, which work as follows:

• Rotation forest. The goal of this meta classifier is to produce accurate and diverse classification algorithms. To create some feature subset projections, rotation forest uses principle component analysis (PCA). A number of independent feature subsets are trained using the same classification algorithm. Then, a full feature set for each classifier is collected, arranging the ensemble [35]. Let $F$ and $L$ be the feature set and number of subsets, respectively. The rotation forest splits randomly $F$ into $L$ subsets. PCA is then applied independently on each subset, and the new extracted features are collected by pooling all principle components. A dataset $D$ is transformed into a new feature space, from which a classifier $C_{i}$ is able to create a model. Independent split of the feature set yields the diversity of the extracted features.

• Bagging. In this meta classifier, several base individual classifiers are trained independently in parallel [36]. Let $D$ be the original training set, which has $n$ sample size. A number of $M$ bootstrap samples $D_{1}, D_{2},\ldots,D_{M}$ are randomly created from $D$ . Next, an individual classifier $C_{i}$ is trained on each bootstrap sample $D_{i}$ . Finally, majority voting is taken to predict the final output of the new test instances. The final prediction $C^{\ast }$ on a test instance, bagging feeds to its individual classifiers $C_{1}, C_{2},\ldots,C_{M}$ , collects all of the outputs, the votes of the label, and decides the winner label.

In this work, a new procedure for creating a two-stage meta classifier for an anomaly-based IDS is proposed. The proposed approach, unlike typical meta classifiers, which are frequently built from simple weak classifiers, considers two meta classifiers. Roughly speaking, it is a two-stage classification algorithm, where a meta classifier acts as a base model of another meta classifier. As illustrated in Figure 2, BG is chosen as a base model of RF, where another weak classifier, namely conjunctive rule (CR) [53] is chosen as a base model of BG. CR is prevalently recognized as an inductive learner, where the objective of rule induction is to generate a set of rules from the data [62].

FIGURE 2.

Proposed procedure of constructing a two-stage meta classifier.

Show All

In practice, several combinations of meta learners could be considered, since there exist a large number of meta learners in the literature. However, the combination that we propose is expected to maximize diversity, since RF and BG have different induction strategies, by taking into account the features (vertical induction) and samples (horizontal induction) of a training set, respectively. In the first stage, RF creates a feature set of $D$ into $L$ feature subsets. Subsequently, each feature subset is divided into $M$ sub-samples in the second stage classifier. Majority voting is utilized as an operator to aggregate the final class label prediction.

Let $T$ be the total number of classifiers. Then, given the two meta learners, it holds that $T=L\times M$ classifiers. Let us assume that $T$ classifiers $\{h_{1},\ldots,h_{T}\}$ are specified and our goal is to concatenate $h_{i}$ to predict the class label from a set of $l$ possible class label $\{c_{1},\ldots,c_{l}\}$ . Suppose also that, for a given sample $x$ , the final prediction of $h_{i}$ is prescribed as a $l$ -dimensional vector $(h_{i}^{1}(x),\ldots,h_{i}^{l}(x))^{T}$ , where $h_{i}^{j}(x)$ is the output of $h_{i}$ for the class label $c_{j}$ . Hence, $h_{i}^{j}(x)\in \{0,1\}$ holds value 1 if $h_{i}$ estimates $c_{j}$ as the class label, and 0 otherwise. Majority voting grants each classifier to vote one class label and the final class prediction $H(x)$ is chosen in accordance with the one that receives more than half of the votes, that is:

View Source\begin{equation*} H(x)=\! \begin{cases} c_{j} &\quad if \displaystyle \sum \limits _{i=1}^{T} h_{i}^{j}(x)>\displaystyle \frac {1}{2}\sum \limits _{k=1}^{l}\sum \limits _{i=1}^{T} h_{i}^{k}(x)\\ rejection&\quad \text {otherwise} \end{cases}\tag{4}\end{equation*}

A. Intrusion Detection Datasets

We consider the following publicly available intrusion detection datasets that are widely adopted in previous works:

• NSL-KDD [10]. It is an improved version of the KDD Cup 99 dataset, which does not have redundant samples, thus preventing classifiers to have a biased result. It comprises 42 features and a class label attribute. We consider 20% of dataset, so-called KDDTrain+, in the model training. KDDTrain+ consists of 25,192 samples, with 13,499 anomalous and 11,743 normal samples. In addition, we take into account two separated test sets, i.e., KDDTest+ (22,544 samples) and KDDTest-21 (11,850 samples), which are provided specifically for performance benchmark analysis.

• UNSW-NB15 [11]. This dataset, unlike NSL-KDD, is an original version of an intrusion detection dataset that has appeared more recently. The full training set (UNSW-NB$15_{train}$ ) is composed by 42 features, with 37,000 samples in the normal class and 45,332 samples in the anomaly class. A specialized testing set (UNSW-NB$15_{test}$ ) is also used in the experiment. UNSW-NB$15_{test}$ has 175,341 samples.

All experiments discussed in the remainder of this paper were run on a Linux machine with 32G RAM memory and Intel Xeon Processor. The classifiers are implemented using the $RWeka$ library [63].

B. Results of Feature Selection

Experiments to determine the best configuration for feature selection are carried out by changing the value of the parameter $n$ , representing the number of particles, population size, and ants in PSO, GA, and ACO, respectively, all other conditions being the same. Parameters setting for PSO are set as follows: $c_{1}$ , $c_{2}$ , number of generations, mutation type and mutation probability is set to 2, 2, 30, bit-flip, and 0.01, respectively. In GA, the initial population, maximum number of generations, mutation, crossover probability, $k$ , and random seed number are set to 30, 30, 0.01, 0.9, 10 and 1, respectively. In ACO, the local pheromone update ($\alpha$ ) and the relative importance of pheromone versus heuristic ($\beta$ ) are set to 0.8 and 1, respectively.

The results of REPT on NSL-KDD dataset for each search technique is presented in Figure 3. It is obvious that PSO with $n=2$ indicates the best classification result with an accuracy of 99.557±0.134%. This case generates a set of 37 features (see Figure 4), namely: protocol_type, service, flag, src_bytes, dst_bytes, land, wrong_fragment, urgent, hot, num_failed_logins, logged_in, num_compromised, root_shell, su_attempted, num_file_creations, num_shells, num_outbound_cmds, is_host_login, is_guest_login, count, srv_count, serror_rate, srv_serror_rate, rerror_rate, srv_ rerror_rate, same_srv_rate, srv_diff_host_rate, dst_host_ count, dst_host_same_srv_rate, dst_host_diff_srv_rate, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_serror_rate, dst_host_srv_serror_rate, dst_host_ rerror_rate, and dst_host_srv_rerror_rate.

FIGURE 3.

Classification accuracy of REPT for each search technique on NSL-KDD.

Show All

FIGURE 4.

Number of selected features on NSL-KDD.

Show All

The results for the UNSW-NB15 dataset are visualized in Figure 5 and 6. PSO with $n=5$ achieves the best classification accuracy of 97.055±0.125%, resulting in the following feature set (19 features): service, state, sbytes, dbytes, sttl, dttl, sinpkt, swin, dtcpb, tcprtt, ackdat, dmean, response_body_len, ct_state_ttl, ct_srt_dport_ltm, ct_dst_sport_ltm, ct_dst_src_ltm, ct_srv_dst, and is_sm_ ips_ports.

FIGURE 5.

Classification accuracy of REPT for each search technique on UNSW-NB15.

Show All

FIGURE 6.

Number of selected features on UNSW-NB15.

Show All

The two selected feature sets discussed above are used in the next section for evaluating the performance of the two-stage classification model in the second tier of our framework.

C. Intrusion Detection Classification Analysis

This section evaluates the performance of the proposed two-stage classifier against other classifiers, namely bagging of CR (BG-CR), rotation forest of CR (RF-CR), and CR. For each classifier, we present the average accuracy using 10-fold cross-validation, i.e. $10f cv$ . We also report the results of performance comparisons using statistical tests.

In order to compare multiple classifiers, a common procedure is as follows [64]. First, omnibus tests, e.g. Friedman rank [65] and Iman-Davenport [66] are applied to determine the ranking of classifiers and to identify if at least one of the classifiers has performance difference among the competitors, respectively. More specifically, the goal of Iman-Davenport is to test whether all the classification algorithms perform equally, or, on the contrary, some of them hold a significant difference. Second, if such significant difference is found, then a pair-wise test, e.g., Friedman post-hoc with the corresponding $p$ -value correction is used for multiple comparisons. Regarding post-hoc tests, the alternative of multiple comparisons normally rely on three possible options, i.e., pair-wise comparisons, comparison with control, and all pair-wise comparisons. In this paper, comparison with control is chosen, in which the proposed classifier is considered as a control classifier. In order to be marked as significant, the tests must be lower than a specified threshold $p$ -value (0.05 in our case). Table 1 shows the average accuracy (along with the relative standard deviations) and Friedman average rank, as well as the result of the Iman-Davenport test obtained by different classifiers. Note that a lower ranking corresponds to a better classification performance.

TABLE 1 Results of Average Accuracy (%) With Standard Deviations, Friedman Average Rank, and Iman-Davenport Test in Terms of 10-Fold Cross Validation

The proposed classifier emerges as the clear best performer. The proposed classifier is, in fact, associated with the lowest (e.g. best) mean rank. The $p$ -value = 0.03407 < 0.05 means that the null hypothesis, which indicates statistical equivalence among all algorithms, can be rejected. In addition, as the null hypothesis is rejected, it is necessary to carry out a post-hoc procedure using Friedman post-hoc test [67] to identify the pairs that indicate statistical differences between the four classification algorithms. As we have mentioned previously, the proposed approach is chosen as a control classifier as it holds smaller mean rank. The Friedman post-hoc results are shown in Table 2. It clearly shows how proposed classifier outperforms other classifiers. Also, from Table 2, it can be argued that the performance difference between the proposed classifier and the remaining classifiers, i.e. BG-CR, RF-CR, and CR is significant ($p$ -value = 0.081), not too significant ($p$ -value = 0.439), and highly significant ($p$ -value = 0.033), respectively.

TABLE 2 Results of the Pairwise Comparison Using Friedman Post-Hoc Test, Where the Proposed Approach is Chosen as a Control Classifier

To extend this benchmark, we have compared the proposed two-stage classifier with the performance achieved by previous studies that use the datasets KDDTrain+ for training and KDDTest+ and KDDTest-21 for testing. We also include the result obtained by [10], where the NSL-KDD dataset has been firstly proposed. These results are shown in Table 3 and Table 4. Based on the experimental validation on KDDTest+, the highest detection accuracy is achieved by the proposed approach, which outperforms the most recent anomaly-based IDS techniques, i.e. SVM [21], bagging (J48) [25], and two-tier classifier [49]. Besides having superior detection accuracy, the proposed approach also outperforms significantly other approaches in terms of sensitivity and precision. Even though our proposed classifier does not perform best in terms of FPR metric, it is still comparable as being able to outperform GAR-Forest [34]. Moreover, according to a validation test applied on KDDTest-21, the proposed approach clearly outperforms classifiers available in the current literature, regardless of the evaluation metrics (see Table 4).

TABLE 3 Performance Benchmark With Some of the Existing Approaches on KDDTest+

TABLE 4 Performance Benchmark With Some of the Existing Approaches on KDDTest-21

Table 5 shows the results regarding the UNSW-NB$15_{test}$ dataset. Here, other existing approaches, i.e., [17], [20], [51], which have used the same datasets are considered. The proposed classifier yields performance accuracy of 91.27%, which is substantially higher than other classifiers. However, in terms of FPR, there exists a slight difference of 2.51% between our approach and a most recent technique, (DT-GALR). Surprisingly, our proposed approach has performed better by 6.74% than two-stage classifier [51], in terms of accuracy and FPR.

TABLE 5 Performance Benchmark With Some of the Existing Approaches on UNSW-NB $15_{test}$

The comparison analysis shown in Table 3–​5 show that the proposed approach is very competitive as an effective approach for the anomaly-based intrusion detection task. In addition to the performance analysis, the statistical significance tests prove that the better performance of the proposed classifier is statistically significant when compared to state of the art techniques. Note that statistical tests are usually not provided by the other approaches in the literature that we have considered in this paper.

Finally, Figure 7 shows the execution time of the proposed classifier. The training time is calculated based on the computation time required for classification modeling. It is worth mentioning that the proposed model whose considerable reduced the training time when the optimal number features, obtained as the output of tier 1, is considered. For practical implementation, the time performance is acceptable, since the classification has to be trained only once and can then be used as an off-line anomaly detection tool in the network.

FIGURE 7.

Training time taken by the proposed model (reduced set) and original full feature set.

Show All