A Feed-Forward and Pattern Recognition ANN Model For Network Intrusion Detection
Copyright © 2019 MECS I.J. Computer Network and Information Security, 2019, 4, 19-25

Abstract—Network security is an essential element in the day-to-day IT operations of nearly every organization in business. Securing a computer network means considering the threats and vulnerabilities and arranging the countermeasures. Network security threats are increasing rapidly and making wireless network and internet services unreliable and insecure. An Intrusion Detection System plays a protective role in shielding a network from potential intrusions. In this research paper, Feed Forward Neural Network and Pattern Recognition Neural Network are designed and tested for the detection of various attacks by using the modified KDD Cup99 dataset. In our proposed models, the Bayesian Regularization and Scaled Conjugate Gradient training functions are used to train the Artificial Neural Networks. Various performance measures such as Accuracy, MCC, R-squared, MSE, DR, FAR and AROC are used to evaluate the performance of the proposed Neural Network Models. The results have shown that both the models have outperformed each other in different performance measures on different attack detections.

Index Terms—Intrusion detection, Security, Anomaly detection, Intrusion Detection System, NSL-KDD, Neural Networks.

I. INTRODUCTION

In computer networks, an intrusion means to steal, alter, destroy or gain access to or make unauthorized use of a network system [1]. With the phenomenal growth of internet technology, network security has become a critical part of information security. Information Security is the basic concern of computing because many types of attacks are increasing day by day. Therefore, it is essential for network administrators to detect these kinds of attacks before they can occur. Many techniques and frameworks have been proposed for network intrusion detection by providing a high-speed intrusion detection mechanism. An Intrusion Detection System (IDS) is a mechanism to detect and prevent intrusive activities. It is considered a significant part of any information system which defends the network from any kind of potential intrusions. Usually the IDS does not practically perform any action against attackers to prevent the attack; its main feature is to send an alert request to the network administrator that there is a suspected possible intrusion. Therefore, we can say that IDSs are proactive systems rather than reactive systems [2]. There are two different types of intrusion detection mechanism: 1) host-based, 2) network-based. Each kind has different methods to defend and secure the network data, and each of them has its own pros and cons [3]. The host-based intrusion detection system examines the internal data of the computer network, while the network-based intrusion detection system examines data transmission between different computer networks [4]. The majority of researchers have recommended the use of the KDD Cup99 dataset to predict network attacks. Most of the proposed methods failed to ensure high performance in detection rate. Some researchers have used all 41 available features of this dataset for detection, which could lead to misclassification and also require much time to build the model [5]. On the other hand, some of the researchers have selected the optimum subsets of features using feature selection techniques to improve the performance. This paper compares Pattern Recognition and Feed-Forward Neural Networks on intrusion detection and explores which model delivers excellent results in terms of Accuracy, MCC, R-squared, MSE, DR, FAR and AROC. The remainder of the paper is organized as follows: Section II presents the related work. Sections III and IV present the KDD dataset used and share some details of different intrusion attacks, respectively. Section V presents the Artificial Neural Network model. Section VI discusses the various performance measures used to evaluate the proposed model. The experimental results are presented in Section VII. The conclusion is described in Section VIII.

II. RELATED WORKS

Many researchers have been working on classification models using machine learning techniques in many areas such as sentiment classification [6,7,8,9,10,11], rainfall prediction [12,13] and network intrusion detection [14,15,16,17,18,19,20,21]. Some of the studies which have contributed to intrusion detection systems are discussed here. In [14] a mutual info-based algorithm is proposed and analytically chosen as the best feature for the classifications. The proposed algorithm can also parse linear and nonlinear dependent data features. The result shows that the algorithm shares few other important
features for LSSVM-IDS to get better accuracy results and low computation cost as compared to previous methods. Researchers in [15] reviewed different vulnerabilities in cloud computing systems and presented a collective intrusion detection system to improve the privacy and security of the big data. Researchers in [16] presented a T-IDS, built on a novel randomized data partitioned learning approach; it consists of a compact network feature selection technique, feature sets, and multiple randomized meta-learning techniques. This presented approach achieved 99 percent accuracy and a 21-second training time on a botnet dataset. In [17], the research objective is to decrease the duration of active-time of the intrusion detection system without adjusting their effectiveness. For validation, they proposed a model to reflect the interaction between intrusion detection systems as a multiplayer cooperative game where few players are practically conflicting, and some have feasible cooperative goals. [18] proposed a framework comprising access control detection, protocol whitelisting, and multi-parameter-based detection. The SCADA-specific intrusion detection system is applied, and results are validated by a permanent and realistic cyber-physical test-bed and data from a real 500kV smart substation. Researchers in [19] proposed an approach on how traffic can be distributed to multiple IDS in order to improve the prediction of network intrusions as well as to balance the load. The clustering-based approach is presented, which distributes flows reported by the routing information and flow data rate. Many experiments show that the presented scheme quickly detects attacks and delivers a better balance of traffic loads. In [20], researchers presented an IDS Internet of Things approach by using a suppressed fuzzy clustering-based algorithm and PCA scheme. The results show that as compared to past methods, this method generates better results. Researchers in [21] presented the Spark-Chi-SVM scheme for intrusion detection. The researchers adopted ChiSqSelector for the feature selection and developed an IDS technique by applying an SVM based classifier on the Apache Spark Big Data platform. The result shows that the Spark-Chi-SVM approach delivers better performance and decreases training time for the Big data. Researchers in [22] proposed a new hybrid model that can be used to estimate the intrusion scope threshold degree based on the network transaction data’s optimal features that were made available for training. According to the results, the presented technique showed 99.81% and 98.56% results for the binary class and multi-class datasets respectively.

III. KDD CUP 1999 DATA

The KDD dataset is shared by MIT Lincoln Lab, and is widely used by many researchers during the past few years [23]. The experimental dataset used in our research work is a modified version of the KDD CUP99 data [40]. We have used four datasets (one for each attack type). Two types of datasets for each attack are available (1: with feature selection and 2: without feature selection). We have selected the normal dataset (without feature selection) and merged training and test data into one single file for each attack type. The merged datasets used in this research are available at [41]. This dataset was also pre-processed by using feature-coding. Furthermore, categorical feature encoding was used to change the categories to numeric values, so that nominal fields are represented in numerical categories instead of text. Nominal fields represent certain classes, e.g., TCP, ICMP, UDP or hostnames, etc. After the feature-coding process, data features are displayed in the table.

Table 1. KDD Dataset Description

Name of the files    Features    Description
KDD_DDoS.csv
KDD_Probe.csv
KDD_R2L.csv
KDD_U2R.csv

The training and test dataset both consist of 41 features labeled as normal traffic or specific attack types. The labels or classes of KDD data are further divided into two categories which represent attack or no attack accordingly.

IV. TYPES OF INTRUSIONS

The KDD Cup 1999 modified dataset contains the following four attack classes (Table 1):

A). Denial-of-service Attack

It was 1999 when a new kind of attack was discovered which was later known as the Distributed Denial-of-service attack [24]. A substantial number of commerce, educational and even government websites suffered from this attack. A DDoS attacker attempts to flood the network and prevents the network traffic. Sometimes, the attacker tries to disrupt a particular individual from accessing a required service. Hackers mostly attack by using DDoS for anything ranging from pranks to revenge against some corporations to express their anger or political activism [25].

B). Probe Attack

Probing is another type of attack in which hackers mostly scan targeted network computers to trace out potential vulnerabilities and weaknesses that may later be useful to exploit in the hope of attacking or compromising the entire system. Generally, Probing attacks are used in machine learning or data mining, e.g., portsweep, mscan, saint, and nmap [26].
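The pre-processing described in Section III (nominal fields turned into numeric codes, labels reduced to attack or no attack) and the 70/15/15 division the paper reports for its experiments can be sketched as follows. This is an added example, not the authors' MATLAB code; the sample rows, the column positions, the function names and the fixed shuffle seed are all assumptions made for illustration.

```python
import random

# Constructed KDD-style rows (not from the paper's files):
# duration, protocol_type, service, flag, src_bytes, label
BASE_ROWS = [
    (0, "tcp", "http", "SF", 181, "normal"),
    (0, "icmp", "ecr_i", "SF", 1032, "smurf"),
    (0, "tcp", "private", "S0", 0, "neptune"),
    (2, "udp", "domain_u", "SF", 44, "normal"),
    (0, "tcp", "private", "REJ", 0, "neptune"),
]
ROWS = BASE_ROWS * 4          # 20 rows so the 70/15/15 split is exact
NOMINAL_COLUMNS = (1, 2, 3)   # protocol_type, service, flag (assumed positions)


def fit_codes(rows, columns=NOMINAL_COLUMNS):
    """Give every distinct nominal value in each column an integer code."""
    codes = {}
    for col in columns:
        values = sorted({row[col] for row in rows})
        codes[col] = {value: index for index, value in enumerate(values)}
    return codes


def encode(row, codes):
    """Return (numeric features, target) with target 1 = attack, 0 = no attack."""
    *features, label = row
    numeric = [float(codes[i][v]) if i in codes else float(v)
               for i, v in enumerate(features)]
    return numeric, 0 if label == "normal" else 1


def split_70_15_15(samples, seed=0):
    """Shuffle reproducibly, then cut into training, validation and test parts."""
    shuffled = list(samples)
    random.Random(seed).shuffle(shuffled)
    n_train = round(0.70 * len(shuffled))
    n_val = round(0.15 * len(shuffled))
    return (shuffled[:n_train],
            shuffled[n_train:n_train + n_val],
            shuffled[n_train + n_val:])


def prepare(rows=ROWS):
    """Fit the codes on the merged file, encode every row, then split."""
    codes = fit_codes(rows)
    return codes, split_70_15_15([encode(row, codes) for row in rows])
```

The codes are fitted on the whole file because the paper merges training and test data into one file per attack type before dividing it.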
function. The Scaled Conjugate Gradient training algorithm uses a step size scaling mechanism; this technique reduces time consumption and line search per learning iteration. Most researchers agree that the Conjugate Gradient Method is a well-suited training function to deal with large scale problems in an efficient way [34].

VI. PERFORMANCE METRICS

This research used many accuracy measures to evaluate the performance of the used ANN models which are discussed as follows.

R-squared ($R^2$) is known as the coefficient of determination. It is a statistical measure of how closely the data fit the regression line. The R-squared value of the test data is measured to determine how well the used technique fits the data. R-squared > 0.9 is treated as a good fit [35].

Mean Squared Error (MSE) is the average of squared error that is used as the loss function for least squares regressions. MSE is the sum of the squared difference among predicted and actual targets, divided by the number of data points [36].

$$MSE = \frac{\sum_{i=1}^{n} (t_i - o_i)^2}{n} \tag{1}$$

The Area Under Curve (AUC) is mostly measured to compare different ROC curves. A high value of AUC indicates that the classifier is producing more accurate predictions. AUC provides an aggregate measure of performance across all possible classification thresholds. AROC is the area under the ROC curve. It is a single number summary of the performance [37].

Detection Rate (DR) indicates the ratio of the total number of intrusions detected by the system (True Positive) to the total number of intrusions present in the dataset [38].

$$DR = \frac{TP}{TP + FN} \tag{2}$$

False Alarm Rate (FAR) is the measurement of performance which indicates the ratio of samples misclassified to the total number of typical associations shown in the dataset.

$$FAR = \frac{FP}{TN + FP} \tag{3}$$

Matthews Correlation Coefficient (MCC) is also considered one of the widely used performance metrics. It is defined as the ratio between the observed and predicted binary classifications [39].

$$MCC = \frac{TN \times TP - FN \times FP}{\sqrt{(FP + TP)(FN + TP)(TN + FP)(TN + FN)}} \tag{4}$$

In the confusion matrix, Accuracy is the measurement rate of correct classifications. Accuracy is calculated by taking the ratio of correct predictions to the total number of predictions. Accuracy can be expressed as:

$$Accuracy = \frac{TP + TN}{TP + TN + FP + FN} \tag{5}$$

VII. RESULTS & DISCUSSION

The purpose of this research is to analyze the performance of Feed Forward Artificial Neural Network (FFANN) and Pattern Recognition Artificial Neural Network (PRANN) on the detection of various network attacks. All experiments are conducted in MATLAB 2018. In the Feed-forward and Pattern Recognition neural networks, 10 neurons were used with a single hidden layer. The input layer of the Artificial Network has a total number of neurons equal to the total number of features or attributes in a given dataset. In the final output layer of the ANN, two neurons are used which belong to the class as attack or no attack modules accordingly. The Feed-Forward Neural Network is trained by using the Bayesian Regularization training function, and the Pattern Recognition Neural Network is trained by the Scaled Conjugate Gradient training function. The dataset is divided into three different parts: 70% training data, 15% validation data, and 15% test data. The experimental results of the proposed approaches are presented in Table 2 in terms of Accuracy, MCC, R-squared, and MSE for U2R attacks.

Table 2. Results for Root Attack (U2R)

Model    Accuracy    MCC       R-squared    MSE
FFANN    99.8356     0.9967    0.9902       0.0050
PRANN    99.6712     0.9934    0.9941       0.0029

The highest Accuracy and MCC are obtained by the FFANN Model. However, PRANN outperformed in terms of R-squared and MSE.

Table 3. Results for Denial of Service Attack (DoS)

Model    Accuracy    MCC       R-squared    MSE
FFANN    99.7429     0.9949    0.9927       0.0036
PRANN    98.7952     0.9759    0.9807       0.0096

Table 3 shows the results obtained from both the models (FFANN, PRANN) regarding the detection of Denial of Service Attack (DoS). FFANN outperformed in all measures (Accuracy, MCC, R-squared, and MSE).

Table 4. Results for Probing Attack

Model    Accuracy    MCC       R-squared    MSE
FFANN    98.8345     0.9767    0.9790       0.0104
PRANN    98.9232     0.9785    0.9826       0.0086
Table 4 shows the results obtained from both models (FFANN, PRANN) and reflects that PRANN performed better in all measures.

Table 5. Results for Remote to Local Attack (R2L)

PRANN is 0.9999 for U2R and lowest score is 0.9953 for R2L. By using FFANN model, highest AROC score 0.9998 is recorded for DoS and lowest score 0.9977 is recorded for R2L.
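The measures of Section VI, Eqs. (1) to (5), computed from network outputs on a constructed 20-sample set with two attacks show why Accuracy is reported alongside DR, FAR and MCC: a detector that never raises an alarm still scores 0.90 Accuracy. This is an added example, not code from the paper; the 0.5 decision threshold, the sample outputs and the function names are assumptions.

```python
import math


def confusion(targets, outputs, threshold=0.5):
    """Count (TP, TN, FP, FN); target 1 = attack, 0 = no attack."""
    tp = tn = fp = fn = 0
    for target, output in zip(targets, outputs):
        alarm = output >= threshold          # assumed decision rule
        if target == 1:
            tp, fn = tp + alarm, fn + (not alarm)
        else:
            fp, tn = fp + alarm, tn + (not alarm)
    return tp, tn, fp, fn


def ratio(numerator, denominator):
    """Division that yields 0.0 when the denominator is empty."""
    return numerator / denominator if denominator else 0.0


def ids_metrics(targets, outputs):
    """Eqs. (1)-(5) as fractions (the paper's tables give Accuracy in percent)."""
    tp, tn, fp, fn = confusion(targets, outputs)
    squared_error = sum((t - o) ** 2 for t, o in zip(targets, outputs))
    mcc_den = math.sqrt((fp + tp) * (fn + tp) * (tn + fp) * (tn + fn))
    return {
        "MSE": squared_error / len(targets),         # Eq. (1)
        "DR": ratio(tp, tp + fn),                    # Eq. (2)
        "FAR": ratio(fp, tn + fp),                   # Eq. (3)
        "MCC": ratio(tn * tp - fn * fp, mcc_den),    # Eq. (4)
        "Accuracy": ratio(tp + tn, tp + tn + fp + fn),  # Eq. (5)
    }


# Constructed data: 2 attack samples followed by 18 normal samples.
TARGETS = [1, 1] + [0] * 18
SILENT = [0.0] * 20                       # never raises an alarm
ALERTING = [0.9, 0.8, 0.7] + [0.1] * 17   # finds both attacks, one false alarm

if __name__ == "__main__":
    for name, outputs in (("silent", SILENT), ("alerting", ALERTING)):
        print(name, ids_metrics(TARGETS, outputs))
```

The silent detector has DR 0 and MCC 0 despite 0.90 Accuracy, while the alerting one reaches DR 1.0 at a FAR of 1/18.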
How to cite this paper: Ahmed Iqbal, Shabib Aftab, "A Feed-Forward and Pattern Recognition ANN Model for Network Intrusion Detection", International Journal of Computer Network and Information Security (IJCNIS), Vol.11, No.4, pp.19-25, 2019. DOI: 10.5815/ijcnis.2019.04.03