Abstract
An Intrusion Detection System (IDS) is an important part of ensuring network security. When the system faces network attacks, it can identify the source of threats in a timely and accurate manner and adjust strategies to prevent hackers from intruding. An efficient IDS can identify external threats well, but traditional IDS has poor performance and low recognition accuracy. To improve the detection rate and accuracy of IDS, this paper proposes a novel ACGA-BPNN method based on adaptive clonal genetic algorithm (ACGA) and backpropagation neural network (BPNN). ACGA-BPNN is simulated on the KDD-CUP’99 and UNSW-NB15 data sets. The simulation results indicate that, compared with the methods based on simulated annealing (SA) and genetic algorithm (GA), the detection rate and accuracy of ACGA-BPNN are much higher than those of GA-BPNN and SA-BPNN. In the classification results of KDD-CUP’99, the classification accuracy of ACGA-BPNN is 11% higher than GA-BPNN and 24.2% higher than SA-BPNN, and F-score reaches 99.0%. In addition, ACGA-BPNN has good global searchability and its convergence speed is higher than that of GA-BPNN and SA-BPNN. Furthermore, ACGA-BPNN significantly improves the overall detection performance of IDS.
1. Introduction
At present, with the rapid advancement of the information age, the number of computer network clients is growing geometrically [1]. How to effectively ensure the information security of computer networks is particularly important for users. Security issues mainly include network viruses, hacker attacks, worm attacks, etc. [2]. Confronted with a large number of network intrusions and attacks, data and privacy on the Internet are seriously threatened, which also poses greater challenges to IDS [3].
James P. Anderson first proposed the concept of intrusion detection, which is an important part of the field of computer security. Its purpose is to automatically and effectively identify intrusions in the network. Anderson’s interpretation of the concept of intrusion is as follows: an attacker attempts to access or modify data in an attempt to destroy the relevant functions of the system. The primary tasks of an IDS include monitoring and studying the main actions of clients or systems, identifying security holes in the network, identifying abnormal network patterns, and analyzing abnormal activities [4].
Traditional IDS can be split into two types according to the detection method: misuse IDS and anomaly-based IDS [5]. At present, the widely used type is misuse detection. Misuse intrusion detection is also called feature-based intrusion detection. The basic principle is to collect a large number of network intrusion characteristics and establish a network intrusion signature database by establishing a misuse detection model [6]. The detection process can be simply understood as comparing the status of the monitored network data with the established network intrusion signature database to determine whether the current network behavior is abnormal.
The principle of misuse intrusion detection is basically the same as the process of virus detection. Although the accuracy of detection is high, it relies heavily on the signature database [7]. If the signature database is not updated in time, the false alarm rate of this model may significantly increase. The other model, anomaly-based intrusion detection, establishes rules based on the normal traffic in the network [8]. The monitored traffic is compared with the normal traffic; if the deviation is large, the behavior is considered abnormal; otherwise, it is considered normal. Although the anomaly-based IDS no longer depends on the intrusion signature database, it is difficult to determine the normal behavior pattern. Compared with the misuse detection model, the anomaly-based intrusion detection model has a high false alarm rate [9].
In response to these problems, the BPNN is used in IDS. BPNN is a stable nonlinear method with strong learning ability and high classification and prediction accuracy [10]. Therefore, the BPNN is introduced to compensate for the shortcomings of the traditional intrusion detection model. However, the original BP algorithm also has some problems, such as long training time and a tendency to fall into a local optimum, which limit the application of BPNN in IDS.
In the 1960s and 1970s, American professor Holland first proposed GA; GA is a heuristic algorithm with very strong global searchability [11]. After the initial population is iterated generation after generation, the quality of individuals in the population is greatly improved, and the optimal individual solved by the algorithm can be easily found. The original genetic algorithm mainly uses selection, crossover, and mutation operators to adjust the evolution direction of individuals in the population [12]. In the process of evolution, not all good genes can be inherited. As the number of generations increases, individuals tend to become the same, and differences between individuals cannot be guaranteed, resulting in insufficient internal gene diversity. Therefore, in the intrusion detection process, the original GA easily falls into a local optimum, and the problem of premature convergence occurs. It is then difficult to find the global optimal solution, which increases the error rate and makes the performance of IDS unstable [13].
Traditional IDS has a high false alarm and missing alarm rate, low detection accuracy, and poor performance. Therefore, to increase the detection rate and accuracy of IDS, and to achieve effective intrusion detection on the network, a novel ACGA-BPNN method is proposed. In ACGA-BPNN, adaptive and clone selection mechanisms are introduced to optimize its search capabilities. The adaptive operator appropriately adjusts the crossover and mutation probability, which effectively improves the convergence of the algorithm. The clone operator selects the best individual and constantly adjusts the weights in the BPNN to minimize the error [14]. Compared with the traditional BPNN, it not only shortens the training time but also improves the accuracy of intrusion detection, which has obvious advantages. The main contributions of this paper are as follows:
(1) This paper proposes a new intrusion detection model, which combines adaptive clonal genetic algorithm and BP neural network, and uses ACGA to adjust the weight of BPNN to improve the accuracy of detection.
(2) Improved GA, using adaptive and cloning operators to improve the performance of GA: Standard GA easily falls into a local optimum. Compared with standard GA, ACGA can avoid premature convergence of the algorithm and find the global optimal solution as far as possible.
(3) The proposed ACGA-BPNN method effectively improves the correct rate and accuracy of IDS and reduces the false negative rate. The detection accuracy rate can reach 99.40%, and the accuracy rate can reach 98.80%. ACGA-BPNN selected KDD-CUP’99 and UNSW-NB15 data sets for testing. The results show that the detection effect of ACGA-BPNN algorithm on these two data sets is better than the other two algorithms.
The other parts of the paper are arranged as follows. Section 2 introduces the related research of BPNN in the field of intrusion detection. Section 3 gives an ACGA-BPNN method and describes the training process and steps of ACGA-BPNN in detail. The process of ACGA adjusting BPNN weight is given in Section 4. Section 5 is the simulation results and data analysis, using the KDD-CUP’99 and UNSW-NB15 data set to simulate the experiment to analyze the performance of ACGA-BPNN. Finally, Section 6 is the conclusion and future work.
2. Related Work
IDS has become a basic and necessary part of network security. As the amount of data in the network continues to increase and the network scale continues to expand, the detection accuracy of IDS has declined, and the false alarm rate is very high [15]. In IDS, many network attacks need to be monitored and identified. Some common types of network attacks are relatively easy to detect, but for some uncommon attacks, it is likely that the related attacks cannot be detected or that the attack is identified incorrectly.
To address this situation, paper [16] proposed an optimization algorithm for adaptive neurofuzzy inference, which combines a fuzzy algorithm with the artificial neural network and uses the crow search optimization algorithm to enhance the computing power of the model. The experimental results show that the detection rate can reach 95.80%. Though the adaptive neurofuzzy inference algorithm increases the detection accuracy, it is vulnerable to problems such as slow convergence speed in the process of training the model.
In [17], an efficient hybrid clustering algorithm is proposed for IDS. According to the quantum ant colony combined with the k-means hybrid clustering algorithm, this method enables the K-means hybrid clustering algorithm to have the ability of fast convergence and improves the monitoring accuracy of IDS, and the clustering of data is more accurate. However, the algorithm is not ideal in terms of convergence.
In [18], an adaptive hybrid nesting model is designed, which is a combination of two-level nested GA and fuzzy sets. Simulation experiments were conducted on the UNSW-NB15 data set. The simulation results indicate that the detection accuracy of this hybrid nested genetic model has been improved, but the training process is complicated and takes a long time.
In [19], an intrusion detection method based on conditional random field and linear correlation coefficient is proposed. On the basis of convolutional neural network and feature extraction, the KDD-CUP’99 data set is tested and classified, and the model is tested multiple times through cross-validation to test the performance of the model. In addition, the experimental results show that the detection accuracy of the method is significantly improved, but it consumes a lot of time and cost.
In [20], a new IDS was designed for a new unknown network attack. Using the characteristics of decision tree and convolutional neural networks, an efficient intelligent fuzzy time decision tree algorithm is proposed to detect network attacks. The algorithm can effectively reduce the false alarm rate and network delay, but in real-time detection, the detection efficiency of the algorithm needs to be improved. In [21], a preencryption detection algorithm is proposed to detect encrypted ransomware. Compared with some algorithms based on machine learning, it is found that the proposed preencryption algorithm has better performance and a lower false alarm rate.
3. Intrusion Detection Based on ACGA-BPNN
IDS has become a basic part of network security. However, due to the massive influx of data in the network and the unlimited expansion of the network scale, there are more and more attacks on the network or system. The original IDS detection performance has been affected, and its accuracy rate has declined. The ACGA-BPNN proposed in this paper is an intelligent algorithm with independent learning and self-adjustment capabilities. It can continuously adjust the parameters in the neural network according to the set parameters and optimize its weights to find the output that best meets the expectations. Furthermore, it has strong nonlinear mapping capabilities.
In ACGA-BPNN, the adaptive operator adjusts the probability of crossover and mutation, and the clone operator can maintain the optimal population when the weight is optimized. In this way, the weight of the network is optimized. After several rounds of training, ACGA-BPNN can effectively reduce the error value and improve the efficiency of intrusion detection.
3.1. ACGA-BPNN Method
The overall flow of the ACGA-BPNN method is shown in Figure 1.

Figure 1 shows the specific process of the ACGA-BPNN method. In ACGA-BPNN, during the BPNN training process, data needs to be preprocessed to reduce the impact of feature attributes on the detection results and combined with standardized data, so as not to affect the accuracy of the data. When optimizing, it is necessary to calculate the length of the weight and threshold of the neural network and encode the individual. The error of BPNN training is used as the initial fitness value, individuals are optimized through adaptive crossover and mutation operators, and high-quality individuals are selected for inheritance. The fitness value is then calculated again, the best individual is selected according to the obtained fitness value, and the cloning operator is used to retain a certain proportion of high-quality individuals to continue to evolve. After multiple iterations of training, ACGA-BPNN obtains a new population with the smallest error, which is the final classification result. BPNN calculates the error again according to the adjusted weight and backpropagates to modify the weight of each neuron until the error signal is the smallest.
The ACGA-BPNN method mainly selects the optimal individual by the clonal operator and continuously optimizes the weights of BPNN by adaptively adjusting the crossover and mutation probability.
There are two challenges in the optimization of ACGA-BPNN: (1) While maintaining individual diversity, improve the convergence speed of ACGA-BPNN and reduce the training time of BPNN. (2) Avoid the neural network from falling into the local optimum during training and improve the prediction accuracy of the IDS.
3.2. BPNN Method
BPNN has a three-layer network structure, including input and output and hidden layers. It is a multilayer feedforward neural network based on error backpropagation. As far as its training process is concerned, BPNN continuously adjusts the parameters in the network structure through the forward propagation process of information and the backpropagation process of errors, so as to achieve the purpose of training.
BPNN is a classic neural network model. Whether from theoretical research or practical application, using the BPNN model for intrusion detection experiments is a good start. The ACGA-BPNN method designed in this paper uses intelligent algorithms to optimize the weights and thresholds of BPNN to improve the classification accuracy of intrusion detection. Compared with convolutional neural network (CNN) and recurrent neural network (RNN), BPNN has a wider range of applications. In addition, the pooling layer in CNN will cause some original data features to be lost, which has a great impact on the accuracy of intrusion detection. RNN is mainly for prediction and training related to time. Therefore, this paper chooses BPNN as the training model.
3.3. Training Process of ACGA-BPNN
The ACGA-BPNN training process has two steps: (1) The forward calculation and propagation of the received signal. (2) The backward feedback and correction of the error signal.
The forward calculation and propagation process are processed by a three-layer neural network. The error calculation is carried out from the input to the output direction. The signal is transmitted from the input layer; the hidden layer processes the signal, calculates the state and activation value of each layer, and then transmits it from the hidden to the output layer. It can be seen that, in the BPNN, the signal is transmitted in a positive direction. When the output value of the output layer exceeds a given error, the error signal is propagated back to the second stage of learning.
The error backpropagation process is mainly a process of reverse learning from the output terminal for error signals that exceed a given error value. The error signal is transmitted backward from the output to the hidden layer and then to the input layer. At the same time, the error of each layer is calculated, and the calculated error is backpropagated layer by layer to correct the weight of ACGA-BPNN. The calculations and adjustments are repeated until the output layer meets the given error accuracy; at this point the weight and bias values are at their best, and the learning process of the ACGA-BPNN is over.
3.4. Steps of ACGA-BPNN
The basic idea of ACGA-BPNN is to continuously optimize the weights and improve the security of IDS by learning and training the given data in the neural network. ACGA-BPNN uses adaptive and cloning operators to minimize the error. The steps of ACGA-BPNN are as follows:
Step 1. Initialize ACGA-BPNN and read the parameters and training data set in the neural network.
Step 2. Normalize the data and randomly assign the weight and threshold of each layer in the interval of [−1, +1].
Step 3. Select the learning mode and calculate the sample data in ACGA-BPNN.
Step 4. Forward calculation of the output of all nodes on the ACGA-BPNN hidden layer and the input and output of all nodes on the output layer.
Step 5. Calculate the error between the given value and the ACGA-BPNN training result.
Step 6. Reversely adjust the weights and thresholds of the output layer and the excitation function in ACGA-BPNN.
Step 7. When one piece of data training is completed, go back to Step 2 and proceed to the next piece of data training until all data training ends. After the training, the BPNN weights are optimized by ACGA. In ACGA, each individual in the population contains all the weights in the network. Calculate the fitness value of each individual. Through selection, adaptive cross-mutation, cloning, and other operations, find the corresponding individual with the best fitness value. The weights in BPNN are updated and the training results are output.
Step 8. Judge whether the value of the output layer meets the expected error value; if it meets the conditions, proceed to Step 9; otherwise, continue training.
Step 9. Update the network learning times; if less than the specified times, continue training.
4. Weight Adjustment Based on ACGA
In IDS, ACGA is used to adjust the weight to strengthen the reliability of network attack classification. The basic idea of ACGA is based on the rule of survival of the fittest, after each generation has evolved, retaining the superior individuals of one generation, and finally leaving the optimal solution after evolution. After the initial population is generated, individuals are selected by calculating the value of individual fitness. Use genetic operators in genetics to combine crossover and mutation to generate new populations. After many iterations, the optimal solution is finally obtained. This process is similar to the evolutionary process of natural organisms. The newly generated populations of offspring can adapt to the environment better than the first-generation populations.
The ACGA proposed in this paper has strong adaptability and self-organization and continuously optimizes the search space within its convergence area. Moreover, ACGA is not a single-point search but a multipoint parallel search of the search space, which reflects the excellent global searchability of ACGA. The probability of crossover and mutation of the algorithm changes dynamically, and the probability value is adjusted by an adaptive operator, so that ACGA has better fitness and global convergence and avoids premature convergence of the algorithm. The cloning operator clones individuals with high fitness values, memorizes and maintains outstanding individuals, and directly inherits them to the next generation. Algorithm 1 shows the flow of the ACGA-BPNN algorithm.
4.1. Population Encoding
In the process of network intrusion detection, in order to adjust the weight, ACGA is used for encoding. There are two ways to encode the population; one is real number encoding and the other is a binary encoding. In this paper, the individual coding adopts real number coding. Each individual is a real number string. This real number string contains four parts, the connection weight of the input and hidden layer in BPNN, the hidden layer threshold, the correlation weight of the hidden and output layer, and the output layer threshold. In this way, every individual includes all the weights of the neural network.
4.2. Selection
When IDS classifies network attacks, the quality of individuals in the population has a great influence on the classification results. In ACGA, the fitness value is employed to assess whether an individual is good or bad within the entire population, but individuals cannot be selected on the fitness value alone. This is because the optimal individual in the population is not necessarily in the vicinity of the global optimal value, and overreliance on fitness to select individuals will make the algorithm fall into the “premature” problem. Therefore, in the ACGA, the roulette selection strategy is used to select individuals.
In roulette wheel selection, the probability of each individual being selected is related to the fitness value of the individual. The sum of the fitness values of all individuals in the population is calculated, the selection probabilities are normalized, and a random number in [0, 1] is generated. The value of the random number determines which area of the wheel it falls in, and the individual corresponding to that area is selected. This can prevent the algorithm from converging prematurely.
The probability of each individual being selected iswhere is the probability of an individual being selected in roulette wheel, is each individual in the population, is the number of individuals in the population, , and F is the fitness function.
4.3. Crossover
In the training process of BPNN, the change of weight will directly affect the result of NIDS. The crossover function is an essential part of the ACGA. The crossover operation allows the offspring individuals to have different characteristics of the two parents. If the parents perform better, then after the crossover, the offspring individuals will get better and better. This is similar to the evolution of organisms in nature, where genes are constantly crossed and recombined, and the offspring produced are better than their parents. In this paper, new individuals are generated through the single-point crossover. Single-point crossover is to randomly select two individuals from the parent generation and randomly generate a crossover point. The part after the crossover point of the selected two individuals undergoes chromosome recombination. Figure 2 shows a specific crossover example. Two randomly selected individuals exchanged genes at the crossover point, resulting in two new individuals.

During the crossover operation, a crossover probability is set to increase the diversity of genes in the population. But, a fixed probability sometimes causes high-quality individuals to become ordinary individuals, so adaptive crossover probability is proposed to adjust the evolution process of the population. According to the difference of individual fitness value, the crossover probability is dynamically adjusted. Figure 2 shows a specific crossover example. Two randomly selected individuals judge whether their fitness values meet the crossover condition. If the crossover condition is met, then the genes are exchanged at the crossover point to generate two new individuals.
4.4. Mutation
The mutation operation is performed after the crossover operation and is an important step in optimizing the weights for IDS. In the ACGA, once the individual genes have undergone the crossover operation, the search space is close to the neighborhood of the optimal solution; the genes are then mutated through the mutation operator, which increases the local searchability and speeds up convergence. However, the probability of mutation should be set to a small value to prevent individuals who are already close to the optimal choice from being affected.
As with the crossover probability, the adaptive operator is used to dynamically adjust the mutation probability. This method can retain high-quality individuals to the greatest extent and enable individuals with poor performance to evolve. Figure 3 is an input example that shows the changes in genes when individuals mutate. When an individual meets the mutation condition, a point is randomly selected for mutation, and the gene at that point is randomly mutated into any real number.

4.5. Calculation of Fitness Value
In the IDS simulation experiment, when using BPNN training data, the error has a great influence on the training result. In the training process of ACGA-BPNN, after initializing the data, the signal is input forward, and the neural network calculates the error layer by layer. In order to get better classification results, it is necessary to measure the degree of individual evolution through fitness function. In the training process of ACGA-BPNN, it is necessary to calculate the error between the predicted output and the expected output, count the number of error values, and use it as the fitness value.
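The encoding of Section 4.1 and the error-count fitness described above, as an added example that is not the paper's code. It assumes sigmoid activations, thresholds applied as additive biases, and the predicted class taken as the largest output; the 2-2-2 network, `HAND_BUILT` weights and `SAMPLES` are constructed for illustration.

```python
import math
import random

def chromosome_length(n_in, n_hid, n_out):
    # input->hidden weights + hidden thresholds + hidden->output weights + output thresholds
    return n_in * n_hid + n_hid + n_hid * n_out + n_out

def random_individual(shape, rng):
    # Step 2 of Section 3.4: weights and thresholds start in [-1, +1]
    return [rng.uniform(-1.0, 1.0) for _ in range(chromosome_length(*shape))]

def decode(chrom, shape):
    """Split one real-number string into the four parts listed in Section 4.1."""
    n_in, n_hid, n_out = shape
    if len(chrom) != chromosome_length(*shape):
        raise ValueError("chromosome length does not match network shape")
    pos = 0
    w1 = [chrom[pos + h * n_in: pos + (h + 1) * n_in] for h in range(n_hid)]
    pos += n_in * n_hid
    b1 = chrom[pos: pos + n_hid]
    pos += n_hid
    w2 = [chrom[pos + o * n_hid: pos + (o + 1) * n_hid] for o in range(n_out)]
    pos += n_hid * n_out
    b2 = chrom[pos: pos + n_out]
    return w1, b1, w2, b2

def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def _layer(weights, biases, inputs):
    return [_sigmoid(sum(w * x for w, x in zip(row, inputs)) + b)
            for row, b in zip(weights, biases)]

def predict(chrom, shape, features):
    """Forward pass through the decoded network; returns the index of the largest output."""
    w1, b1, w2, b2 = decode(chrom, shape)
    out = _layer(w2, b2, _layer(w1, b1, features))
    return max(range(len(out)), key=out.__getitem__)

def error_count(chrom, shape, samples):
    """Number of misclassified samples; lower is better."""
    return sum(1 for features, label in samples
               if predict(chrom, shape, features) != label)

# Constructed data: a network that answers class 0 when x0 > x1, else class 1.
SHAPE = (2, 2, 2)
HAND_BUILT = [4, 0, 0, 4,      # input->hidden weights (one row per hidden node)
              0, 0,            # hidden thresholds
              4, -4, -4, 4,    # hidden->output weights (one row per output node)
              0, 0]            # output thresholds
SAMPLES = [([1.0, -1.0], 0), ([-1.0, 1.0], 1),
           ([0.5, -0.5], 0), ([-0.2, 0.9], 0)]   # last label is deliberately wrong

if __name__ == "__main__":
    print("errors for hand-built individual:", error_count(HAND_BUILT, SHAPE, SAMPLES))
    rnd = random_individual(SHAPE, random.Random(0))
    print("errors for random individual:", error_count(rnd, SHAPE, SAMPLES))
```

Because roulette selection and the adaptive operator treat a larger fitness as better, an error count has to be transformed (for example into 1 / (1 + errors)) before it is used there.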
4.6. Clone Operator
In the ACGA, the optimization of the weights in the BPNN is equivalent to the antigen in the cloning operator, and the optimal individual in the new population is called an antibody. In biological systems, the affinity of antibodies is used to select antibodies. Individuals with high affinity will preferentially develop and have memory capabilities. When the same antigen appears, the corresponding individuals can be quickly generated. This paper introduces the cloning operator into GA. It clones individuals with high affinity, remembers and maintains excellent individuals, and inherits them to offspring. The cloning operators in ACGA can improve the learning and memory abilities of individuals, ensure that high-standard antibodies are directly cloned to the next generation, eliminate antibodies with low affinity, speed up the optimization of the population, and find high-quality solutions. In ACGA, individuals are cloned according to a certain ratio, and the size of the population before and after cloning must be the same. The cloned new population also needs to mutate again. Figure 4 shows the specific operation of an individual clonal mutation.

4.7. Adaptive Operator
In the ACGA, the mutation probability is automatically adjusted through an adaptive operator to sustain the variety of individuals and enhance the reliability of IDS. The crossover operator enhances the search capability of ACGA, and the mutation operator can maintain the diversity of genes in the algorithm. Before performing crossover and mutation operations, the corresponding probabilities have been set. In the choice of crossover probability, the greater the crossover probability, the greater the probability of generating a new individual. But this also brings new problems. A high crossover probability will reorganize the originally well-adapted individuals, thereby reducing the fitness of the individual. A crossover probability that is too small, however, will slow down gene recombination and reduce the rate at which new individuals are produced. As for the mutation probability, a high mutation rate will make the gene unable to be inherited and retained, and the search of the algorithm becomes completely random. However, if the set mutation rate is too small, it will affect the generation of individuals.
In the ACGA-BPNN, the crossover and mutation probability are adjusted through adaptive operators. After calculating the fitness value of the individual, the adaptive operator judges the current individual, adaptively changes the crossover and the mutation probability, and ensures that the individual maintains good performance. If the individual fitness is higher than the average fitness, the crossover probability and the mutation probability are adaptively reduced to ensure the effective convergence of the ACGA. If the fitness value of the current individual is lower than the average value, the probability of crossover and mutation can be increased appropriately, so that the individual generates new individuals through crossover and mutation, expands the search space, and maintains the diversity of individuals in the population. In ACGA, formulas (2) and (3) are used to adaptively adjust the crossover probability and mutation probability:
In formulas (2) and (3), is the maximum fitness value in the population, is the average fitness of individuals in the population, is the larger fitness value of the two crossover individuals, is the fitness value of the mutant individual fitness value, , , , [0, 1], and are the probability of randomly generated crossover, and represent the probability of randomly generated mutation, is the adaptive crossover probability, and is the adaptive mutation probability.
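The operators of Sections 4.2 to 4.7 (roulette selection, single-point crossover, mutation, cloning, adaptive probabilities) combined into one generation step, as an added example that is not the paper's code. Formulas (2) and (3) are not reproduced in this text, so `adaptive_prob` assumes the common Srinivas-Patnaik form; the constants `k1`..`k4`, `clone_ratio`, the mutation range [-1, 1], `TARGET` and `demo_fitness` are likewise assumptions, and fitness is maximised.

```python
import random

def roulette_select(population, fitness, rng):
    """Pick an individual with probability F_i / sum(F)."""
    total = sum(fitness)
    if total <= 0:                       # degenerate wheel: fall back to uniform choice
        return rng.choice(population)
    r = rng.random() * total
    acc = 0.0
    for individual, f in zip(population, fitness):
        acc += f
        if r < acc:
            return individual
    return population[-1]                # guard against floating-point round-off

def adaptive_prob(f, f_max, f_avg, k_high, k_low):
    """Assumed rule: below-average individuals get k_low; above-average ones get a
    probability that shrinks linearly to 0 as f approaches the population maximum."""
    if f < f_avg or f_max <= f_avg:
        return k_low
    return max(0.0, k_high * (f_max - f) / (f_max - f_avg))

def single_point_crossover(a, b, rng):
    point = rng.randrange(1, len(a))     # at least one gene stays with each parent
    return a[:point] + b[point:], b[:point] + a[point:]

def mutate(individual, rng, low=-1.0, high=1.0):
    child = list(individual)
    child[rng.randrange(len(child))] = rng.uniform(low, high)
    return child

def next_generation(pop, fit_fn, rng, clone_ratio=0.1, k1=0.9, k2=0.1, k3=0.9, k4=0.1):
    fit = [fit_fn(ind) for ind in pop]
    f_max, f_avg = max(fit), sum(fit) / len(fit)
    order = sorted(range(len(pop)), key=lambda i: fit[i], reverse=True)
    # Clone operator: the best individuals pass on unchanged, plus one mutated clone each.
    elite = [list(pop[i]) for i in order[:max(1, int(clone_ratio * len(pop)))]]
    new_pop = elite + [mutate(e, rng) for e in elite]
    while len(new_pop) < len(pop):
        a = roulette_select(pop, fit, rng)
        b = roulette_select(pop, fit, rng)
        # Crossover probability depends on the fitter of the two parents.
        pc = adaptive_prob(max(fit_fn(a), fit_fn(b)), f_max, f_avg, k1, k3)
        children = single_point_crossover(a, b, rng) if rng.random() < pc else (a, b)
        for child in children:
            pm = adaptive_prob(fit_fn(child), f_max, f_avg, k2, k4)
            new_pop.append(mutate(child, rng) if rng.random() < pm else list(child))
    return new_pop[:len(pop)]            # population size stays constant

# Constructed stand-in for a weight vector with low classification error.
TARGET = [0.5, -0.25, 0.75, 0.0, -0.5, 0.25]

def demo_fitness(individual):
    return 1.0 / (1.0 + sum((g - t) ** 2 for g, t in zip(individual, TARGET)))

def run_demo(seed=7, pop_size=20, generations=30):
    rng = random.Random(seed)
    pop = [[rng.uniform(-1.0, 1.0) for _ in TARGET] for _ in range(pop_size)]
    best = [max(demo_fitness(i) for i in pop)]
    for _ in range(generations):
        pop = next_generation(pop, demo_fitness, rng)
        best.append(max(demo_fitness(i) for i in pop))
    return pop, best

if __name__ == "__main__":
    _, history = run_demo()
    print("best fitness, first and last generation:", history[0], history[-1])
```

Because the unmodified elite always survives, the best fitness in the population can never drop from one generation to the next.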
5. Simulation Experiment and Result Analysis
ACGA-BPNN selected part of the data in the KDD-CUP’99 and UNSW-NB15 data sets for simulation testing. KDD-CUP’99 is a simulated network attack data set published by Columbia University IDS Experiment in 1999. The KDD-CUP’99 data set can be divided into 4 categories (DOS, R2L, U2L, and PROBING) according to the types of attacks, and there are 39 types of network attacks [22]. 5 types of data were randomly selected from 10% of the KDD-CUP’99 data set to test the reliability of the ACGA-BPNN method. UNSW-NB15 was created in the network laboratory of the University of New South Wales, using IXIA tools to generate a data set that meets the abnormal traffic of the modern integrated network. UNSW-NB15 has a total of 49 types of features and 9 types of attacks [23]. The experiment is simulated on part of the data randomly selected in the divided test set.
5.1. Data Preprocessing
Since the original KDD-CUP’99 and UNSW-NB15 data sets contain labels and character values, and the BP neural network cannot handle nonnumeric data during training, the nonnumeric data needs to be processed.
To process the selected data, the specific operations are as follows. Firstly, count the nonnumeric data in each attribute, secondly arrange the data in alphabetical order, and finally select the appropriate number to replace the nonnumeric data. In this experiment, the attribute values in the second column of the selected data are ICMP, UDP, and TCP. ICMP is represented by 10, UDP is represented by 11, and TCP is represented by 12. According to the same method, the nonnumeric data in UNSW-NB15 is processed, including the attack type in the last column, so that the nonnumeric data in the two types of data sets are quantified for easy testing. There are 41 features in KDD-CUP’99 and 49 features in UNSW-NB15. However, there are some feature attributes that have no practical significance for training, and the value of such a feature attribute is zero in every sample. In order to improve the learning efficiency of BPNN, we have also processed feature attributes and deleted some features. In the end, 35 features were retained in KDD-CUP’99, and 39 features were retained in UNSW-NB15. In KDD-CUP’99 and UNSW-NB15, 4500 pieces of data are selected for training and testing. The data is randomly divided into 4000 training data and 500 test data pieces.
Since the selected data attribute values vary greatly, it is necessary to normalize the data in ACGA-BPNN training. The advantage of data normalization is to summarize the data and count its distribution, thereby reducing the influence of some special values on the experiment and avoiding the training results from being affected by different measurement units. During the experiment, the mapminmax function in MATLAB was used to normalize the data.
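The preprocessing steps of this section (symbol-to-number replacement, removal of all-zero features, min-max normalization) as an added example that is not the paper's code. It goes slightly beyond the text by fitting the codebooks and the scaling range on the training rows only and then applying them to the test rows, so unseen symbols and out-of-range values are handled explicitly; the target range [-1, 1] matches the mapminmax default, and the sample rows, the unknown-symbol code and the clipping are assumptions.

```python
PROTOCOL_CODES = {"icmp": 10, "udp": 11, "tcp": 12}   # codes stated in the text

def build_codebook(symbols, start=10):
    """Distinct symbols in alphabetical order -> consecutive integers from `start`."""
    ordered = sorted({str(s).lower() for s in symbols})
    return {s: start + i for i, s in enumerate(ordered)}

def encode(rows, codebooks):
    """Replace symbolic columns with numbers; codebooks maps column index -> codebook."""
    encoded = []
    for row in rows:
        new = list(row)
        for col, book in codebooks.items():
            # Assumption: a symbol never seen in training gets one code past the known ones.
            new[col] = book.get(str(row[col]).lower(), max(book.values()) + 1)
        encoded.append([float(v) for v in new])
    return encoded

def nonzero_columns(rows):
    """Indices of features that are not zero in every sample."""
    return [c for c in range(len(rows[0])) if any(r[c] != 0 for r in rows)]

def fit_minmax(rows):
    return [(min(col), max(col)) for col in zip(*rows)]

def apply_minmax(rows, params, lo=-1.0, hi=1.0):
    def scale(x, mn, mx):
        if mx == mn:                      # constant feature: map to the midpoint
            return (lo + hi) / 2
        y = lo + (hi - lo) * (x - mn) / (mx - mn)
        return min(hi, max(lo, y))        # clip values outside the training range
    return [[scale(x, mn, mx) for x, (mn, mx) in zip(row, params)] for row in rows]

def preprocess(train, test, symbolic_cols, fixed_codebooks=None):
    books = dict(fixed_codebooks or {})
    for col in symbolic_cols:
        if col not in books:
            books[col] = build_codebook(r[col] for r in train)
    train_e, test_e = encode(train, books), encode(test, books)
    kept = nonzero_columns(train_e)       # decided on training data only
    train_k = [[r[c] for c in kept] for r in train_e]
    test_k = [[r[c] for c in kept] for r in test_e]
    params = fit_minmax(train_k)          # scaling range comes from training data only
    return apply_minmax(train_k, params), apply_minmax(test_k, params), kept

# Constructed KDD-style rows: duration, protocol, service, flag, src_bytes, unused feature.
TRAIN = [
    [0, "tcp", "http", "SF", 181, 0],
    [0, "udp", "domain_u", "SF", 105, 0],
    [2, "icmp", "ecr_i", "SF", 1032, 0],
    [0, "tcp", "smtp", "S0", 0, 0],
]
TEST = [[1, "tcp", "telnet", "REJ", 2064, 0]]   # unseen service and flag, larger src_bytes

if __name__ == "__main__":
    train_n, test_n, kept = preprocess(TRAIN, TEST, symbolic_cols=[1, 2, 3],
                                       fixed_codebooks={1: PROTOCOL_CODES})
    print("kept feature indices:", kept)
    print("first training row:", train_n[0])
    print("test row:", test_n[0])
```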
5.2. Experimental Results
In this simulation experiment, the ACGA-BPNN model proposed in this paper was tested on a preprocessed data set to test the efficiency of intrusion detection, the results were compared with those of GA-BPNN and SA-BPNN, and the simulation results were analyzed. The performance of ACGA is evaluated comprehensively by calculating the accuracy rate, precision rate, missing alarm rate, recall rate, and F-score; the specific analysis is as follows.
Figure 5 shows the network attack classification results of 4000 data pieces in the KDD-CUP’99 training set. The experiment compared how the network attack classification results of the three algorithms, ACGA-BPNN, SA-BPNN, and GA-BPNN, change as the number of generations increases. When the KDD-CUP’99 data set is used for the attack classification test, after 100 iterations, the ACGA-BPNN network attack classification has the lowest error and the smallest number of errors. However, GA-BPNN and SA-BPNN have large errors, and the classification results of more than 1,000 data pieces are incorrect, resulting in a very low accuracy rate. As can be seen from Figure 2, when GA-BPNN and SA-BPNN run for 20 to 30 generations, the error no longer decreases, which causes the algorithm to stagnate, converge prematurely, and fall into a local extreme.

The main parameters of ACGA-BPNN, GA-BPNN, and SA-BPNN in the experiment are shown in Tables 1–3. In the training process of BPNN, the number of iterations of the three algorithms is 100, and the population size is also the same. Table 4 shows the number of neurons in the input layer, output layer, and hidden layer of BPNN when the KDD-CUP’99 and UNSW-NB15 data sets are used for testing; the input, output, and hidden layers in BPNN are all single layers.
ACGA-BPNN performs significantly better than GA-BPNN and SA-BPNN; as can be seen from Figure 6, ACGA-BPNN uses adaptive and cloning operations to optimize the weights of the neural network, which plays a great role in training BPNN. ACGA-BPNN can jump out of local extremes, continuously optimize weights, avoid premature convergence of the algorithm, and increase the precision of intrusion detection.

Figure 6 shows the simulation results in the KDD-CUP’99 and UNSW-NB15 test sets. The accuracy of ACGA-BPNN has reached 99.40%, GA-BPNN is 88.40%, and SA-BPNN is only 75.20%. In UNSW-NB15, the accuracy has also reached 96.40%. The accuracy reflects the performance of the classifier: the higher the accuracy, the better the classification result. Obviously, the classification result of ACGA-BPNN is better than that of the other two algorithms. The precision reflects the proportion of true positive examples among the samples judged positive during the experiment. The precision of ACGA-BPNN in the two test sets is 98.80% and 96.91%. Compared with GA-BPNN and SA-BPNN, ACGA-BPNN has better network classification performance in both the KDD-CUP’99 and UNSW-NB15 test sets.
Figure 7 compares the missing alarm and false alarm rates of ACGA-BPNN, GA-BPNN, and SA-BPNN in the two types of data test sets. These two types of indicators are calculated as the result of the classification error of the classifier. The lower the two indicators, the fewer the samples that are missed and incorrectly judged. The missing alarm and false alarm rates of GA-BPNN and SA-BPNN are both above 8%, while ACGA-BPNN’s two types of indicators are only 0.60% and 1.10%. In the UNSW-NB15 test set, the two indicators of ACGA-BPNN are 2.22% and 3.08%, respectively, which are significantly lower than the other two algorithms. The method proposed in this paper has a low missing alarm and false alarm rate on both types of data sets, which further illustrates the reliability of the ACGA-BPNN method.

Figures 8 and 9 compare the performance of the three algorithms in recall and comprehensive evaluation indicators. The recall rate is a measure of the coverage of the classifier: it is the proportion of known positive samples that are classified correctly after training in the network attack classification experiment. In Figure 8, the recall rate is 99.40% for ACGA-BPNN, 91.95% for GA-BPNN, and 91.10% for SA-BPNN. The advantages of ACGA-BPNN are more obvious in the UNSW-NB15 test set, where its recall rate is significantly higher than that of the other two algorithms.


F-score is a weighted harmonic average of the accuracy and recall rate; it takes both the accuracy and the recall rate of the classification model into consideration, so that the performance of the classification model is evaluated comprehensively. The higher the F-score, the more effective the classification method. Figure 9 shows the comprehensive performance of the three algorithms. The simulation results show that the comprehensive detection ability of ACGA-BPNN reaches 99.00% and 97.35% on the two test sets, respectively, which indicates strong adaptability.
Figure 10 compares the detection time of the three algorithms running under the same parameters and number of iterations. It can be seen from the figure that the ACGA-BPNN method proposed in this paper has the shortest detection time on both the KDD-CUP’99 and UNSW-NB15 data sets. The weights and thresholds of the BP neural network in the training process are relatively random, so it is difficult to quickly find more suitable weights and thresholds. After ACGA-BPNN calculates the weight length and threshold, it narrows the search space through optimization algorithms and quickly finds the optimal solution while obtaining good weights and thresholds. This greatly shortens the training time of BPNN. The original BPNN randomly selects weights and thresholds, which produces large errors. These errors require a lot of training to correct and take longer. The ACGA-BPNN method optimizes the weights and thresholds from a good starting point after iterative calculation, thereby reducing the number of training iterations and shortening the training time.

In ACGA-BPNN, many parameters have a great influence on the accuracy of network attack classification. When using BPNN for learning, there is some correlation between the number of neurons in the hidden layer and the population size in ACGA, so the impact of a single variable on accuracy cannot be considered in isolation. As shown in Table 5, experimental comparison shows that the accuracy is highest when the number of neurons in the hidden layer is 50 and the population size is 40.
Table 6 compares the ACGA-BPNN method proposed in this paper with the methods proposed in other works. In [24], a joint algorithm is proposed to optimize the network structure of the Deep Belief Network (DBN). The method combines the characteristics of the artificial fish swarm algorithm and GA to optimize the performance of PSO and improve the detection rate. Paper [25] designed a cuckoo search algorithm based on ADAM and also used a DBN to train on the data. Paper [26] designed a detection model based on SVM, using GA and PSO algorithms to optimize SVM and test the accuracy of attack classification. According to the test results, the detection accuracy of the above three methods is lower than that of ACGA-BPNN.
6. Conclusions and Future Work
To address the problem that traditional IDS detection performance is not high and cannot identify external intrusions and attacks quickly and efficiently, this paper proposes a new ACGA-BPNN intrusion detection method. ACGA optimizes BPNN through an adaptive operator and a clonal selection operator. The clonal selection operator can retain a certain proportion of the optimal individuals, and the adaptive operator can adaptively adjust the crossover and mutation probabilities to control the evolution of individuals in a good direction. In BPNN self-learning, the ACGA-BPNN algorithm shows a good global searchability. Without increasing the training time, it reduces the training error, improves the detection accuracy, and can effectively avoid the problem of the algorithm converging too easily.
In the simulation experiment, ACGA-BPNN uses the mainstream KDD-CUP’99 and UNSW-NB15 data sets to test the effectiveness of the method. In KDD-CUP’99, the classification accuracy and recall rate of ACGA-BPNN are 11% and 7.45% higher than GA-BPNN and 24.2% and 8.30% higher than SA-BPNN. The missing alarm rate of ACGA-BPNN is only 0.6%, which is 7.40% lower than GA-BPNN and 8.2% lower than SA-BPNN. The low missing alarm rate proves that the detection quality of this method is effective. The accuracy rate of ACGA-BPNN in UNSW-NB15 also reached 96.40%, and its missing alarm rate and false alarm rate were also lower than those of the other two algorithms. Combining the detection results of the two data sets and comparing the performance indicators of the three algorithms, it can be concluded that the comprehensive performance of ACGA-BPNN is better than SA-BPNN and GA-BPNN, and it has strong applicability.
In summary, the ACGA-BPNN method proposed in this paper can play a good role in the classification of intrusion detection network attacks. Whether compared with SA-BPNN, GA-BPNN, or other intrusion detection methods, ACGA-BPNN has very high detection accuracy and efficiency, and it has efficient global optimization and search capabilities. However, ACGA-BPNN also has some shortcomings. Due to the small size of the experimental data and because only two data sets are selected, more data sets are needed to verify the performance of the method in practical applications.
Our future work is to use parallel computing on this basis to process large data sets, speed up the detection time, and improve operating efficiency.
Data Availability
The data presented in this study are available on request to the corresponding author. The data are not publicly available due to privacy.
Disclosure
The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.
Conflicts of Interest
The authors declare no conflicts of interest.
Acknowledgments
This work was funded by the Corps Innovative Talents Plan, under Grant no. 2020CB001, the Project of Youth and Middle-Aged Scientific and Technological Innovation Leading Talents Program of the Corps, under Grant no. 2018CB006, the China Postdoctoral Science Foundation, under Grant no. 220531, Funding Project for High Level Talents Research in Shihezi University, under Grant no. RCZK2018C38, Project of Shihezi University, under Grant no. ZZZC201915B, and Postgraduate Education Innovation Program of the Autonomous Region.