Next Article in Journal
Stochastic Quasi-Geostrophic Equation with Jump Noise in Lp Spaces
Previous Article in Journal
Green Supplier Selection Based on Sequential Group Three-Way Decision Making
Previous Article in Special Issue
ENRN: A System for Evaluating Network Resilience against Natural Disasters
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Design of Network Intrusion Detection System Using Lion Optimization-Based Feature Selection with Deep Learning Model

Department of Information Technology, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia
Mathematics 2023, 11(22), 4607; https://doi.org/10.3390/math11224607
Submission received: 23 September 2023 / Revised: 22 October 2023 / Accepted: 3 November 2023 / Published: 10 November 2023
(This article belongs to the Special Issue Analytical Frameworks and Methods for Cybersecurity)

Abstract

:
In the domain of network security, intrusion detection systems (IDSs) play a vital role in data security. While the utilization of the internet amongst consumers is increasing on a daily basis, the significance of security and privacy preservation of system alerts, due to malicious actions, is also increasing. IDS is a widely executed system that protects computer networks from attacks. For the identification of unknown attacks and anomalies, several Machine Learning (ML) approaches such as Neural Networks (NNs) are explored. However, in real-world applications, the classification performances of these approaches are fluctuant with distinct databases. The major reason for this drawback is the presence of some ineffective or redundant features. So, the current study proposes the Network Intrusion Detection System using a Lion Optimization Feature Selection with a Deep Learning (NIDS-LOFSDL) approach to remedy the aforementioned issue. The NIDS-LOFSDL technique follows the concept of FS with a hyperparameter-tuned DL model for the recognition of intrusions. For the purpose of FS, the NIDS-LOFSDL method uses the LOFS technique, which helps in improving the classification results. Furthermore, the attention-based bi-directional long short-term memory (ABiLSTM) system is applied for intrusion detection. In order to enhance the intrusion detection performance of the ABiLSTM algorithm, the gorilla troops optimizer (GTO) is deployed so as to perform hyperparameter tuning. Since trial-and-error manual hyperparameter tuning is a tedious process, the GTO-based hyperparameter tuning process is performed, which demonstrates the novelty of the work. In order to validate the enhanced solution of the NIDS-LOFSDL system in terms of intrusion detection, a comprehensive range of experiments was performed. The simulation values confirm the promising results of the NIDS-LOFSDL system compared to existing DL methodologies, with a maximum accuracy of 96.88% and 96.92% on UNSW-NB15 and AWID datasets, respectively.

1. Introduction

Network security is the most interesting aspect that is responsible for the emergence of internet applications. However, the number of cyberattacks has also increased on the internet in the past decade. Therefore, it is essential to develop new approaches that can effectively detect and prevent such attacks. This can be achieved by developing novel techniques for intrusion detection [1]. In order to avoid these cyberattacks, key management, access control, and intrusion detection systems (IDS) are necessary [2]. Amongst these, IDS is the most commonly used system for ensuring network security. Presently, cyberattacks pose a major issue for system and network security in the form of Denial of Service (DoS) attacks, computer viruses, and data breaches [3]. To mitigate this problem, the IDSs are frequently employed in different organizations. According to the identification techniques, these detection methods are categorized as signature-based or misuse-based NIDS and anomaly-based NIDS. The objective of the current research is to determine the anomalies by recognizing a clear abnormality between the existing actions and predetermined normal actions, utilized for representing a normal activity or normal connection [4,5]. Automatically, the anomaly-based detection techniques exhibit the ability to identify new (or 0-day) attacks, whereas the misuse-based detection systems identify only the known attacks [6].
The researchers established IDSs for various platforms depending on the security issues of diverse networks. The operations of the IDS involve data collection to analyze every potential security attack from various fields within a network or computer [7]. In recent years, intrusion detection and other security technologies, namely, firewalls, cryptography, and authentication, have significantly improved. Machine Learning (ML) is the main assistant of Artificial Intelligence (AI) technology [8]. It enables the creation of computers that can perform without precise programming. In these computers, the ML techniques can perform the execution of tasks depending on generalized data or samples. This characteristic helps these computers in improving themselves by learning from the available information [9]. The ML technique is capable of identifying unknown attacks in network traffic, thus sharing its ability to identify other types of attacks trained on rare and general types of traffic. However, the effectiveness of the ML approaches does not remain consistent when using various types of datasets, because of the presence of higher-dimensional data [10]. For instance, redundant or inefficient features can increase the computational period and reduce the identification outcome. In this context, Feature Selection (FS) is a better approach to mitigate this problem.
For intrusion detection, FS and Deep Learning (DL) techniques are applied. FS is highly needed nowadays, owing to the presence of numerous attributes of the network data, which are repetitive and unrelated. With the application of the FS technique, the detection model can focus primarily on highly useful features, reduce the dimensionality, enhance the model’s interpretability, and increase the detection accuracy. On the other hand, the DL technique can proficiently learn complex patterns and temporal dependencies from the network traffic data. The DL models can learn intricate intrusion patterns that may be challenging for traditional rule-based or statistical approaches to discern. By combining the FS’s data pre-processing capabilities with DL’s pattern recognition prowess, the network intrusion detection process can be significantly fortified. This outcome enables the timely and accurate identification of both known and novel cyber threats in the ever-evolving landscape of network security.
The current study proposes a Network Intrusion Detection System using a Lion Optimization Feature Selection with Deep Learning (NIDS-LOFSDL) model. The NIDS-LOFSDL technique uses the LOFS technique, which aids in improving the classification performance. Furthermore, the study also used the attention-based bi-directional long short-term memory (ABiLSTM) system for intrusion detection. In order to enhance the intrusion detection performances of the ABiLSTM methodology, the gorilla troops optimizer (GTO) is deployed for hyperparameter tuning. For validating the enhanced solution of the NIDS-LOFSDL technique for intrusion detection, a comprehensive range of experiments was conducted. The key contributions of the study are summarized herewith:
  • A new NIDS-LOFSDL technique has been developed in this study, comprising LOFS, ABiLSTM classifier, and GTO-based parameter tuning approaches for network intrusion detection. The rationale behind combining the FS and hyperparameter-tuned DL model is to enhance the accuracy and efficiency of the intrusion detection systems;
  • LOFS has been incorporated as an FS method that selects the most relevant and informative features from a dataset. This characteristic helps in improving the accuracy and interpretability of the intrusion detection models;
  • The ABiLSTM network has been deployed for intrusion detection, and the model is known for its ability to capture temporal dependencies in sequential data, thus making it an appropriate choice for the detection of complex intrusion patterns in network traffic;
  • To further enhance the performance of the ABiLSTM algorithm, the study used GTO for hyperparameter tuning. It intends to determine the optimal hyperparameter configuration for the ABiLSTM model to accomplish an enhanced detection performance.

2. Related Works

In the literature [11], a new anomaly-based IDS technique has been deployed for IoT networks, utilizing the DL method. In particular, a filter-based FS-DNN technique was introduced in the study, in which extremely correlated features were dropped. Additionally, this technique was tuned with several parameters and hyperparameters. Mohy-eddine et al. [12] developed an NIDS for IoT platforms by employing FS and KNN methods. The authors created the NIDS with the help of the K-NN method to enhance the IDS Detection Rate (DR) and accuracy (ACC). Also, the GA, univariate statistical test, and PCA were utilized for the FS technique individually to increase the quality of the data and select ten better effective features. In the study conducted earlier [13], a hybrid DL technique and shallow learning method were presented for identifying the intrusions in the IoT devices. In the developed method, the spider monkey optimization FS method was primarily employed to select a greater number of relevant features. Secondarily, a Siamese NN-based approach was presented for making the data highly classifiable. Syed et al. [14] suggested a new fog-cloud-based IoT-IDS that integrates a distributed process by separating the database based on the type of attacks and an FS stage on time-series IoT data. Then, a DL-Recurrent-NN (Simple RNN and BiLSTM) was used to identify the attacks.
In the literature [15], a network intrusion detection classification (NIDS-CNNLSTM) technique was presented based on DL. This technique was designed for the wireless sensing environment of the Industrial IoT (IIoT) for the efficient differentiation and detection of network traffic data, and to ensure the safety of the equipment and the functioning of the IIoT. The NIDS-CNNLSTM technique integrated the robust learning capability of LSTM-NNs in time series data, and classified and learnt the FS utilizing CNN. Further, the efficiency was also confirmed based on multi-classification and binary classification methods. Ravi et al. [16] recommended an endwise system for network attack classification and identification by DL-based recurrent approaches. This method extracts the features of v-layers present in the recurrent algorithms and uses a kernel-based PCA (KPCA)-FS technique for the detection of the optimum features. Lastly, the optimum features of the recurrent methods were incorporated, and classification was executed using an ensemble meta-classifier.
Atefinia and Ahmadi [17] introduced a multi-architectural integrated DNN technique to reduce the false positive rate of anomaly-based IDSs. This approach contains a feed-forward method, a stack of limited Boltzmann machine methods and two recurrent methods. The output weights of these methods were input into an aggregator method to generate the solution for these models. In the literature [18], the authors introduced an efficient network IDS based on Random Forest (RF) and Sparse-AE (SAE) to alleviate the issue. The extraction feature ability of the SAE and identification and classification potential of the RF were integrated to enhance the identification accuracy and performance. The SAE-RF identification technique was developed.
With an increase in network-based threats and sophisticated intrusion techniques, the requirement for highly robust and adaptive intrusion detection systems has grown exponentially. A major research gap in the field of network intrusion detection lies in the requirement for efficient models to perform FS and hyperparameter selection. Though considerable developments have been made in ML and DL models to detect intrusions, the intricate and high-dimensional nature of the network data continue to pose challenges. The existing approaches find it challenging to deal with feature redundancy, irrelevant attributes, and suboptimal hyperparameter configurations, thus resulting in low detection performance. So, it is now necessary to design new models for the effective selection of relevant features and the fine-tuning of the model hyperparameters to adapt to the dynamic and evolving nature of network threats.

3. The Proposed Model

In the current study, a novel NIDS-LOFSDL approach has been established for intrusion recognition so as to accomplish network security. The NIDS-LOFSDL technique follows the concept of FS with a hyperparameter-tuned DL algorithm for the recognition of the intrusions. The proposed model encompasses LOFS, ABiLSTM-based detection, and GTO-based hyperparameter tuning. Figure 1 exhibits the entire procedure of the NIDS-LOFSDL methodology.

3.1. Feature Selection Using the LOFS Approach

For the feature selection process, the LOFS approach is used. The LO algorithm is a population-based algorithm in which the lemurs set is mathematically modeled as follows [19].
X = l 1 1 l 1 2 · l 1 d l 2 1 l 2 2 · l 2 d l n 1 l n 2 · l n d ,
where n stands for the solution candidate and d indicates the decision variable. X shows the matrix in n × d size. Figure 2 illustrates the flowchart of the LO algorithm. The steps contained in the LOFS approach are given below.
Step 1: Define the parameter N Population when M a x i t e r represents the maximum iteration count. d corresponds to the dimensionality of the searching region over the dataset size. In addition, U B and L B indicate the upper and lower boundaries of the problem, respectively.
Step 2: Produce X decision parameters in the ith solution, according to Equation (2)
X i j = L B + U B j L B j × r ,  
where   r implies the uniformly distributed random integer [ 0 , 1 ] .
Step 3: Inside the loop for all the iterations, evaluate the Free Risk Rate ( F R R ) , a co-efficient of LO,
F R R = H R R t × H R R L R R M a x i t e r ,
In Equation (3), t indicates the existing iteration counter. M a x i t e r shows the size of the iteration. Low-Risk Rate (LRR) and High-Risk Rate (HRR) are two constant and predefined values.
Step 4: Compute the fitness values for x i j , as given below.
F i t   x i j = α × 1 A c c + β × s S ,
In Equation (4),   A c c represents the accuracy of the subset that can be extracted by the ABiLSTM classification function in order to assess the selected subset in all the iterations. Fit  x i j denotes the fitness values, s implies the number of features selected a n d   S suggests the maximal number of features selected.
Step 5: Lemurs are categorized into two dissimilar processes to increase their fitness values. Initially, the best near lemurs b n l are recognized, which implies the selection of the solution with a low fitness values. According to the FS objective, b n l provides a better feature for the existing iteration. Then, the global best lemur g b l is selected in the whole population, which represents the total optimum solution.
Step 6: Set the value of r 1 , a randomly generated value, to [ 0 , 1 ] , and compare it with F R R . Later, the location is updated for the lemur, far from the risk-based position, according to Equation (5).
X i j = x i ,   j + | x i ,   j x b n l ,   j × r 3 0.5 × 2 ; r 1 < F R R x i ,   j + | x i ,   j x g b l ,   j × r 3 0.5 × 2 ; r 1 > F R R   ,  
where r 1 refers to the random integer [ 0 , 1 ] . The present i th lemur of the N th population is ( i , j ) , i.e., the solution candidate at the j th dimension.
The LO process begins by arbitrarily generating a swarm of lemurs. Next, it tries to move towards the lemurs with low fitness value by dance hup. The optimization process randomly generates a group of lemurs. The F R R value begins towards the LRR, thus representing that the lemur starts with the move and moves near to the b n l through “dance hup”. The purpose of LO, implementing these dance hup actions, is to decrease the value of F R R near to the H R R . Next, it exploits the leap-up action to move the lemur towards the global optimal performance. This process is repeated until the ending condition is met.

3.2. Intrusion Detection Using ABiLSTM Model

To detect the presence of the intrusions, the ABiLSTM model is applied. LSTM is a revised edition of the classical RNN that exploits the specially adapted memory units to effectively express the long-term dependency of the MTS dataset [20]. The LSTM model’s design provides an effective solution to the gradient disappearing problem on the contrary to the traditional RNN methods. According to the present input and the previous state of the hidden units, the LSTM cell learns about the existing state of the hidden unit. Nevertheless, it replaces the structure of the hidden unit with a memory cell that corresponds to the long-term dependency of the MTS signal. The LSTM model includes four controlled gates, such as one self-loop memory cell, one input, one output, and one forget, for manipulating the interaction of the data stream among different memory neurons. In the hidden layer of the LSTM model, the forget gate is used to determine the data that need to be ignored or preserved from the prior moment. Simultaneously, the entrance of the input neuron decides whether the input signal needs to be injected with the information of the memory unit. The output neuron gate decides whether the state of the memory unit should be changed or not. Consider the input x t of MTS and the dynamic output state h t ; the neuron state, output of HL, and gate states are calculated using the subsequent formula.
i t = σ U i x t + W i h t 1 + b i ,  
f t = σ U f x t + W f h t 1 + b f ,  
o t = σ U o x t + W o h t 1 + b o ,
C ~ t = t a n h U c x t + W c h t 1 + b c ,
c t = f t c t 1 + i t C ~ t ,  
h t = o t t a n h c t .  
The recurrent weight matrices are represented as W i ,   W f ,   W o , and W c , while the weighted matrix for the input, forget, output and memory cell gates are denoted by U i ,   U f ,   U o , and U c , correspondingly. The gates bias is formulated by b i ,   b f ,   b o , and b c . The cell state of the candidate C ~ t is used to update the original memory cell state, c t . At any time step, h t represents the state of HL and o t denotes the output. The symbol denotes the element-wise multiplication operation. t a n h denotes the hyperbolic tangent function and σ shows the logistic sigmoid activation function.
The classical LSTM model may inadvertently discard the sequential information at the time of training as it processes only the input signals in one direction. Therefore, the time series data cannot be completely reviewed. In order to over this limitation, the BLSTM was developed with a bidirectional structure to capture the representation of MTS information via forward and backward directions. The BLSTM comprises two LSTM layers that are carried out in parallel but opposite directions. In the case of the reverse propagation direction, h b ( t ) represents the hidden layer, which comprises data from the future MTS values. In forward propagation, h f ( t ) denotes the data of the hidden LSTM neuron, and it retains the data from the prior sequence value. Both h f ( t ) and h b ( t ) are connected to each other for creating the final output of the BiLSTM model. The tth hidden layer of BLSTM for forward and backward states is computed using Equations (12) and (13):
h f t = ψ W f h x t + W b h h h f t 1 + b f b ,  
h b ( t ) = ψ W b h x t + W b h h h b t + 1 + b b .  
In addition to these, b f b and b b correspond to biased data in two directions. The weight matrices W f h and W b h represent the forward and backward synapsis weight from the input to the internal unit weight. Likewise, W f h h and W b h h represent the forward and backward feedback recurrent weights.
t a n h indicates the activation function of the HLs ψ . Using this component, the output of BiLSTM y t is defined herewith.
y t = σ W f h y h f t + W b h y h b t + b y ,  
In Equation (16), the forward and backward weights of the resultant layers are denoted by W j h y and W b h y , correspondingly. The activation function of the resultant layer σ is either given as a linear function or sigmoidal function. Further, b y represents the output bias.
In ABiLSTM, when the attention mechanism is utilized, it supports the model in learning by assigning various weights. For an HL h i , its attention a i is expressed as in Equation (15).
u i = t a n h W · h i + b , a i = e u i T · u w Σ i e u i T · u w ,  
whereas W signifies the weighted matrix, b implies the bias, and u w represents the global context vector, and all three are learned in the training method.

3.3. Hyperparameter Tuning Using GTO Algorithm

Eventually, the hyperparameter values of the ABiLSTM methodology are chosen using the GTO algorithm. The GTO approach is one of the main metaheuristic optimization approaches, inspired by the intelligent behaviors of gorillas [21]. These behaviors are explained using five major operators, as follows. Two of the operators represent the exploitation stage, whereas the other three operators define the exploration stage. The three operators are sometimes described as strategies or the exploration stage, and they can be inferred from the movement to another gorilla, migration towards an unknown place, and migration towards a known place. As mentioned before, the exploitation stage uses two operators reflected by the competition for adult females, and follows the behavior of the silverback. The competition is initiated between the adult females in such a way that they follow the silverback.
Using the following equations, the three prior approaches of the exploration stage are defined.
G X t + 1 = U B L B × r 1 + L B r 2 C × X r t + L × H X i L × ( L × X t G X r t 0 , + r 3 × X t G X r t )  
C = F × 1 i t M a x s I t ,  
F = c o s 2 × r 4 + 1 ,  
L = C × l   ,  
H = Z × X t ,  
Z = C ,   C   ,  
In this equation, the upper as well as lower boundaries are denoted using U B and L B , respectively. Using X ( i t + 1 ) , the position selected is defined in the iteration ( i t ), whereas the existing location is represented as X ( i t ). M a x i t is known by the maximum number of iterations. The parameter p defines the probability of the migration that lies in the range of 0 to 1. Lastly, the exploration stage ends by enabling the outcome G X ( i t ) to exchange X ( i t ) , and these solutions are known if the silverback arises, when X ( i t ) is greater than G X ( i t ).
Using Equations (18)–(24), the following competition strategies are defined.
X t + 1 = L × M × X t X s i l v e r b a c k + X t ,  
M = 1 N i = 1 N G X i t g 1 g ,  
g = 2 L ,  
G X i = X s i l v e r b a c k X s i l v e r b a c k × Q X t × Q × A ,  
Q = 2 × r 5 1 ,  
A = β × E   ,  
E = N 1   r a n d 0.5 N 2   r a n d < 0.5 ,  
The GTO approach develops the following FF to make the best classification solutions. It defines a positive integer to denote the good solution of the candidate’s performance. In this case, the reduction in the classification errors is supposed to be the FF.
f i t n e s s x i = C l a s s i f i e r E r r o r R a t e x i = N o .   o f   m i s c l a s s i f i e d   i n s t a n c e s   T o t a l   n o .   o f   i n s t a n c e s 100 ,  

4. Results and Discussion

The proposed model was simulated in the Python 3.8.5 tool configured on a PC with specifications of i5-8600k, GeForce 1050Ti 4 GB, 16 GB RAM, 250 GB SSD, and 1 TB HDD.
The ID detection outcomes of the NIDS-LOFSDL methodology were validated using two benchmark datasets, the UNSW-NB15 [22] and AWID [23]. Table 1 shows the details of both datasets.
Figure 3 establishes the classification performances of the NIDS-LOFSDL system on the UNSW-NB15 database. Figure 3a,b demonstrate the confusion matrices produced by the NIDS-LOFSDL methodology on the 60:40 TR set/TS set. The outcome values show that the NIDS-LOFSDL system detected and classified both the classes accurately. Afterwards, Figure 3c reveals the PR outcomes of the NIDS-LOFSDL method. The simulation value infers that the NIDS-LOFSDL methodology attained the maximum PR values on both the classes. However, Figure 3d demonstrates the ROC outcomes of the NIDS-LOFSDL methodology. The outcomes show that the NIDS-LOFSDL approach led to a proficient solution with better ROC values on both the classes.
Table 2 and Figure 4 highlight the recognition outcomes of the NIDS-LOFSDL system upon the UNSW-NB15 database. The outcomes indicate the proficient recognition of normal and attack instances. With the 60% TR set, the NIDS-LOFSDL technique achieved an average a c c u y of 96.88%, a p r e c n of 96.89%, a r e c a l of 96.88%, and an F s c o r e of 96.88%. Additionally, with the 40% TS set, the NIDS-LOFSDL algorithm attained an average a c c u y of 96.83%, a p r e c n of 96.84%, a r e c a l of 96.83% and an F s c o r e of 96.83%.
Figure 5 illustrates the training accuracy values, i.e., T R _ a c c u y and V L _ a c c u y , attained by the NIDS-LOFSDL technique on the UNSW-NB15 dataset. T L _ a c c u y is determined by evaluating the NIDS-LOFSDL method on the TR dataset, whereas the V L _ a c c u y value is computed by evaluating the outcomes on a separate testing dataset. The results imply that both the T R _ a c c u y and V L _ a c c u y values increased with an upsurge in the number of epochs. Accordingly, the performance of the NIDS-LOFSDL system is confirmed to achieve the maximum performance on both TR and TS datasets, with an increase in the number of epochs.
In Figure 6, the T R _ l o s s and V R _ l o s s results of the NIDS-LOFSDL algorithm on the UNSW-NB15 dataset are revealed. The T R _ l o s s corresponds to the error between the predictive performance and original values on the TR data. The V R _ l o s s represents the performance evaluation of the NIDS-LOFSDL technique on individual validation data. The outcomes imply that both T R _ l o s s and V R _ l o s s values were reduced with an increase in the number of epochs. This scenario portrays the enhanced performance of the NIDS-LOFSDL approach and its ability to produce an accurate classification. The minimal T R _ l o s s and V R _ l o s s values demonstrate the enhanced performance of the NIDS-LOFSDL method in capturing the patterns and relationships.
Figure 7 illustrates the classification outcomes of the NIDS-LOFSDL algorithm on the AWID database. Figure 7a,b exhibit the confusion matrices generated by the NIDS-LOFSDL methodology upon 60:40 of the TR set/TS set. The outcomes show that the NIDS-LOFSDL system outperformed all other techniques and detected and classified both the classes accurately. Then, Figure 7c depicts the PR outcomes of the NIDS-LOFSDL approach. The simulation value shows that the NIDS-LOFSDL system reached increased PR values on both the classes. Moreover, Figure 7d shows the ROC curve of the NIDS-LOFSDL methodology. The outcome values demonstrate the superior capability of the NIDS-LOFSDL algorithm with higher ROC values on both the classes.
Table 3 and Figure 8 demonstrate the recognition outcomes of the NIDS-LOFSDL methodology on the AWID database. The simulation value refers to the proficient recognition of both normal and attack samples. With the 60% TR set, the NIDS-LOFSDL system attained an average a c c u y of 96.92%, p r e c n of 96.92%, r e c a l of 96.92%, and an F s c o r e of 96.92%. Then, with the 40% TS set, the NIDS-LOFSDL methodology accomplished an average a c c u y of 96.88%, p r e c n of 96.89%, r e c a l of 96.88%, and an F s c o r e of 96.88%.
Figure 9 illustrates the training accuracy T R _ a c c u y and V L _ a c c u y values accomplished by the NIDS-LOFSDL algorithm on the AWID dataset. T L _ a c c u y is determined by evaluating the NIDS-LOFSDL methodology on the TR dataset, whereas the V L _ a c c u y value is computed by calculating the outcome on a separate testing dataset. The outcomes show that both the T R _ a c c u y and V L _ a c c u y values increased with an upsurge in the number of epochs. Therefore, the performance of the NIDS-LOFSDL methodology enhances the TR and TS datasets, with an increase in the number of epochs.
In Figure 10, the T R _ l o s s and V R _ l o s s curves of the NIDS-LOFSDL approach on the AWID dataset are shown. T R _ l o s s corresponds to the error between the predictive solution and the original values of the TR data. V R _ l o s s signifies the performance outcomes of the NIDS-LOFSDL technique on individual validation data. The outcomes imply that both T R _ l o s s and V R _ l o s s values tend to decrease with increasing numbers of epochs. The outcomes represent the enhanced performance of the NIDS-LOFSDL technique and its capability to produce accurate classification. The decreased T R _ l o s s and V R _ l o s s values demonstrate the better solution of the NIDS-LOFSDL technique in terms of capturing the patterns and relationships.
To ensure better results of the NIDS-LOFSDL technique, an extensive comparative analysis was conducted and the results are shown in Table 4 and Figure 11 [24,25]. The simulation values state that the SVM, NB-Bagging, NB-Adaboost, GCHSE, and CNN-Adaboost approaches achieved the worst performance. However, the BBAFS-DRL approach demonstrated a considerable performance with an a c c u y of 95.04%, p r e c n of 95.22%, r e c a l of 95.06%, and an F s c o r e of 95.04%. Nevertheless, the NIDS-LOFSDL technique outperformed all other models with a maximum a c c u y of 96.92%, p r e c n of 96.92%, r e c a l of 96.92%, and an F s c o r e of 96.92%. These outcomes confirm the effective performance of the NIDS-LOFSDL methodology on IDS.

5. Conclusions

In the current study, a novel NIDS-LOFSDL technique has been developed for the detection of intrusions so as to accomplish network security. The NIDS-LOFSDL technique follows the concept of FS with a hyperparameter-tuned DL model for intrusion recognition. For the purpose of FS, the NIDS-LOFSDL technique uses the LOFS technique, which helps in improving the classification outcomes. Besides this, the ABiLSTM model is also executed for intrusion detection. In order to enhance the intrusion detection results of the ABiLSTM methodology, GTO is deployed for hyperparameter tuning. For validating the enhanced solution of the NIDS-LOFSDL system upon intrusion detection, a comprehensive range of experiments was conducted. The simulation values establish the promising results of the NIDS-LOFSDL system compared to the recent state-of-the-art DL approaches, with an improved accuracy of 96.88% and 96.92% on UNSW-NB15 and AWID datasets, respectively. Future research works can extend the proposed model to accommodate the dynamic and evolving nature of network threats. Besides this, continuous adaptation and learning mechanisms within the model, such as online or semi-supervised learning, can also be incorporated to enhance the capability of intrusion detection patterns proficiently. Finally, the scalability issue of the NIDS-LOFSDL technique should be resolved in order to enable it to be deployed in large-scale environments with high-speed data streams.

Funding

This research work was funded by Institutional Fund Projects under grant no. IFPIP: 194-611-1443. Therefore, the authors gratefully acknowledge the technical and financial support provided by the Ministry of Education and Deanship of Scientific Research (DSR), King Abdulaziz University (KAU), Jeddah, Saudi Arabia.

Data Availability Statement

Data sharing does not apply to this article as no datasets were generated during the current study.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. Thakkar, A.; Lohiya, R. Fusion of statistical importance for feature selection in Deep Neural Network-based Intrusion Detection System. Inf. Fusion 2023, 90, 353–363. [Google Scholar] [CrossRef]
  2. Pranto, B.; Alam Ratul, H.; Rahman, M.; Diya, I.J.; Zahir, Z.-B. Performance of machine learning techniques in anomaly detection with basic feature selection strategy—A network intrusion detection system. J. Adv. Inf. Technol. 2022, 13, 36–44. [Google Scholar] [CrossRef]
  3. Katib, I.; Ragab, M. Blockchain-Assisted Hybrid Harris Hawks Optimization Based Deep DDoS Attack Detection in the IoT Environment. Mathematics 2023, 11, 1887. [Google Scholar] [CrossRef]
  4. Moizuddin, M.D.; Jose, M.V. A bio-inspired hybrid deep learning model for network intrusion detection. Knowl.-Based Syst. 2022, 238, 107894. [Google Scholar] [CrossRef]
  5. Talukder, M.A.; Hasan, K.F.; Islam, M.M.; Uddin, M.A.; Akhter, A.; Yousuf, M.A.; Alharbi, F.; Moni, M.A. A de-pendable hybrid machine learning model for network intrusion detection. J. Inf. Secur. Appl. 2023, 72, 103405. [Google Scholar]
  6. Sah, G.; Banerjee, S.; Singh, S. Intrusion detection system over real-time data traffic using machine learning methods with feature selection approaches. Int. J. Inf. Secur. 2023, 22, 1–27. [Google Scholar] [CrossRef]
  7. Maabreh, M.; Obeidat, I.; Abu Elsoud, E.; Alnajjar, A.; Alzyoud, R.; Darwish, O. Towards Data-Driven Network Intrusion Detection Systems: Features Dimensionality Reduction and Machine Learning. Int. J. Interact. Mob. Technol. 2022, 17, 123–135. [Google Scholar] [CrossRef]
  8. Ragab, M.; Alshammari, S.M.; Al-Ghamdi, A.S. Modified Metaheuristics with Weighted Majority Voting Ensemble Deep Learning Model for Intrusion Detection System. Comput. Syst. Sci. Eng. 2023, 47, 2497–2512. [Google Scholar] [CrossRef]
  9. Ragab, M.; Sabir, M.F.S. Outlier detection with optimal hybrid deep learning enabled intrusion detection system for ubiquitous and smart environment. Sustain. Energy Technol. Assess. 2022, 52, 102311. [Google Scholar] [CrossRef]
  10. Kocher, G.; Kumar, G. Analysis of machine learning algorithms with feature selection for intrusion detection using unsw-nb15 dataset. Int. J. Netw. Secur. Its Appl. 2021, 13, 21–31. [Google Scholar] [CrossRef]
  11. Sharma, B.; Sharma, L.; Lal, C.; Roy, S. Anomaly based network intrusion detection for IoT attacks using deep learning technique. Comput. Electr. Eng. 2023, 107, 108626. [Google Scholar] [CrossRef]
  12. Mohy-Eddine, M.; Guezzaz, A.; Benkirane, S.; Azrour, M. An efficient network intrusion detection model for IoT security using K-NN classifier and feature selection. Multimed. Tools Appl. 2023, 82, 23615–23633. [Google Scholar] [CrossRef]
  13. Hosseini, S.; Sardo, S.R. Network intrusion detection based on deep learning method in the internet of thing. J. Reliab. Intell. Environ. 2023, 9, 147–159. [Google Scholar] [CrossRef]
  14. Syed, N.F.; Ge, M.; Baig, Z. Fog-cloud based intrusion detection system using Recurrent Neural Networks and feature selection for IoT networks. Comput. Netw. 2023, 225, 109662. [Google Scholar] [CrossRef]
  15. Du, J.; Yang, K.; Hu, Y.; Jiang, L. NIDS-CNNLSTM: Network intrusion detection classification model based on deep learning. IEEE Access 2023, 11, 24808–24821. [Google Scholar] [CrossRef]
  16. Ravi, V.; Chaganti, R.; Alazab, M. Recurrent deep learning-based feature fusion ensemble meta-classifier approach for intelligent network intrusion detection system. Comput. Electr. Eng. 2022, 102, 108156. [Google Scholar] [CrossRef]
  17. Atefinia, R.; Ahmadi, M. Network intrusion detection using multi-architectural modular deep neural network. J. Supercomput. 2021, 77, 3571–3593. [Google Scholar] [CrossRef]
  18. Wang, Z.; Jiang, D.; Huo, L.; Yang, W. An efficient network intrusion detection approach based on deep learning. Wirel. Netw. 2021, 1–14. [Google Scholar] [CrossRef]
  19. Ra’ed, M.; Al-qudah, N.E.A.; Jawarneh, M.S.; Al-Khateeb, A. A Novel Improved Lemurs Optimization Algorithm for Feature Selection Problems. J. King Saud Univ. -Comput. Inf. Sci. 2023, 35, 101704. [Google Scholar]
  20. Jiang, K.; Huang, Z.; Zhou, X.; Tong, C.; Zhu, M.; Wang, H. Deep belief improved bidirectional LSTM for multivariate time series forecasting. Math. Biosci. Eng. 2023, 20, 16596–16627. [Google Scholar] [CrossRef]
  21. Ghith, E.S.; Tolba, F.A.A. Tuning PID Controllers Based on Hybrid Arithmetic Optimization Algorithm and Artificial Gorilla Troop Optimization for Micro-Robotics Systems. IEEE Access 2023, 11, 27138–27154. [Google Scholar] [CrossRef]
  22. UNSW_NB15. 2023. Available online: https://www.kaggle.com/datasets/mrwellsdavid/unsw-nb15 (accessed on 26 August 2023).
  23. Bee-Mar. AWID Intrusion Detection. 2023. Available online: https://github.com/Bee-Mar/AWID-Intrusion-Detection/blob/master/final_documents/resources/dataset-headers-reduced-removed-null.zip (accessed on 26 August 2023).
  24. Wang, A.; Wang, W.; Zhou, H.; Zhang, J. Network intrusion detection algorithm combined with group convolution network and snapshot ensemble. Symmetry 2021, 13, 1814. [Google Scholar] [CrossRef]
  25. Priya, S.; Kumar, K.P.M. Binary bat algorithm based feature selection with deep reinforcement learning technique for intrusion detection system. Soft Comput. 2023, 27, 10777–10788. [Google Scholar] [CrossRef]
Figure 1. Overall process of the NIDS-LOFSDL algorithm.
Figure 1. Overall process of the NIDS-LOFSDL algorithm.
Mathematics 11 04607 g001
Figure 2. Flowchart of the LO algorithm.
Figure 2. Flowchart of the LO algorithm.
Mathematics 11 04607 g002
Figure 3. UNSW-NB15 dataset. (a,b) Confusion matrices, (c) PR_curve, and (d) ROC.
Figure 3. UNSW-NB15 dataset. (a,b) Confusion matrices, (c) PR_curve, and (d) ROC.
Mathematics 11 04607 g003
Figure 4. Average values of the NIDS-LOFSDL technique applied to the UNSW-NB15 database.
Figure 4. Average values of the NIDS-LOFSDL technique applied to the UNSW-NB15 database.
Mathematics 11 04607 g004
Figure 5. A c c u y curve of the NIDS-LOFSDL technique on the UNSW-NB15 database.
Figure 5. A c c u y curve of the NIDS-LOFSDL technique on the UNSW-NB15 database.
Mathematics 11 04607 g005
Figure 6. Loss curve of the NIDS-LOFSDL technique on the UNSW-NB15 database.
Figure 6. Loss curve of the NIDS-LOFSDL technique on the UNSW-NB15 database.
Mathematics 11 04607 g006
Figure 7. AWID dataset: (a,b) Confusion matrices, (c) PR_curve, and (d) ROC.
Figure 7. AWID dataset: (a,b) Confusion matrices, (c) PR_curve, and (d) ROC.
Mathematics 11 04607 g007
Figure 8. Average values of the NIDS-LOFSDL technique on the AWID dataset.
Figure 8. Average values of the NIDS-LOFSDL technique on the AWID dataset.
Mathematics 11 04607 g008
Figure 9. A c c u y curve of the NIDS-LOFSDL technique on the AWID dataset.
Figure 9. A c c u y curve of the NIDS-LOFSDL technique on the AWID dataset.
Mathematics 11 04607 g009
Figure 10. Loss curve of the NIDS-LOFSDL technique on the AWID dataset.
Figure 10. Loss curve of the NIDS-LOFSDL technique on the AWID dataset.
Mathematics 11 04607 g010
Figure 11. Comparative analysis outcomes of the NIDS-LOFSDL algorithm and other methodologies.
Figure 11. Comparative analysis outcomes of the NIDS-LOFSDL algorithm and other methodologies.
Mathematics 11 04607 g011
Table 1. Details of two datasets.
Table 1. Details of two datasets.
UNSW-NB15 Dataset
ClassNo. of Instances
Normal15,000
Attack15,000
Total Instances30,000
AWID Dataset
ClassNo. of Instances
Normal15,000
Attack15,000
Total Instances30,000
Table 2. Recognition outcomes of the NIDS-LOFSDL technique applied to the UNSW-NB15 database.
Table 2. Recognition outcomes of the NIDS-LOFSDL technique applied to the UNSW-NB15 database.
Class A c c u y P r e c n R e c a l F 1 S c o r e
TR set (60%)
Normal96.1897.5596.1896.86
Attack97.5896.2397.5896.90
Average96.8896.8996.8896.88
TS set (40%)
Normal96.0897.5496.0896.81
Attack97.5996.1597.5996.86
Average96.8396.8496.8396.83
Table 3. Recognition outcomes of the NIDS-LOFSDL technique on the AWID dataset.
Table 3. Recognition outcomes of the NIDS-LOFSDL technique on the AWID dataset.
Class A c c u y P r e c n R e c a l F 1 S c o r e
TR set (60%)
Normal97.2996.5697.2996.93
Attack96.5597.2996.5596.92
Average96.9296.9296.9296.92
TS set (40%)
Normal97.3496.4897.3496.91
Attack96.4297.3096.4296.86
Average96.8896.8996.8896.88
Table 4. Comparative analysis outcomes of the NIDS-LOFSDL algorithm and other methods [24,25].
Table 4. Comparative analysis outcomes of the NIDS-LOFSDL algorithm and other methods [24,25].
Methods A c c u y P r e c n R e c a l F 1 S c o r e
NIDS-LOFSDL96.9296.9296.9296.92
BBAFS-DRL95.0495.2295.0695.04
SVM 75.9178.7276.2477.76
NB-Bagging70.0169.5372.8170.93
NB-Adaboost71.3474.4473.1374.07
GCNSE 80.1780.0181.2880.82
CNN-Adaboost74.1669.2871.5368.16
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

AlGhamdi, R. Design of Network Intrusion Detection System Using Lion Optimization-Based Feature Selection with Deep Learning Model. Mathematics 2023, 11, 4607. https://doi.org/10.3390/math11224607

AMA Style

AlGhamdi R. Design of Network Intrusion Detection System Using Lion Optimization-Based Feature Selection with Deep Learning Model. Mathematics. 2023; 11(22):4607. https://doi.org/10.3390/math11224607

Chicago/Turabian Style

AlGhamdi, Rayed. 2023. "Design of Network Intrusion Detection System Using Lion Optimization-Based Feature Selection with Deep Learning Model" Mathematics 11, no. 22: 4607. https://doi.org/10.3390/math11224607

APA Style

AlGhamdi, R. (2023). Design of Network Intrusion Detection System Using Lion Optimization-Based Feature Selection with Deep Learning Model. Mathematics, 11(22), 4607. https://doi.org/10.3390/math11224607

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop