Content uploaded by Farhad Soleimanian Gharehchopogh
Author content
All content in this area was uploaded by Farhad Soleimanian Gharehchopogh on Apr 28, 2020
Content may be subject to copyright.
RESEARCH ARTICLE
A wrapper-based feature selection for improving
performance of intrusion detection systems
Maryam Samadi Bonab
1
| Ali Ghaffari
2
|
Farhad Soleimanian Gharehchopogh
1
| Payam Alemi
3
1
Department of Computer Engineering,
Urmia Branch, Islamic Azad University,
Urmia, Iran
2
Department of Computer Engineering,
Tabriz Branch, Islamic Azad University,
Tabriz, Iran
3
Department of Electrical Engineering,
Urmia Branch, Islamic Azad University,
Urmia, Iran
Correspondence
Ali Ghaffari, Department of Computer
Engineering, Tabriz Branch, Islamic Azad
University, Tabriz, Iran.
Email: a.ghaffari@iaut.ac.ir
Summary
Along with expansion in using of Internet and computer networks, the pri-
vacy, integrity, and access to digital resources have been faced with permanent
risks. Due to the unpredictable behavior of network, the nonlinear nature of
intrusion attempts, and the vast number of features in the problem environ-
ment, intrusion detection system (IDS) is regarded as the main problem in the
security of computer networks. A feature selection technique helps to reduce
complexity in terms of both the executive load and the storage by selecting the
optimal subset of features. The purpose of this study is to identify important
and key features in building an IDS. To improve the performance of IDS, this
paper proposes an IDS that its features are optimally selected using a new
hybrid method based on fruit fly algorithm (FFA) and ant lion optimizer
(ALO) algorithm. The simulation results on the dataset KDD Cup99, NSL-
KDD, and UNSW-NB15 have shown that the FFA–ALO has an acceptable per-
formance according to the evaluation criteria such as accuracy and sensitivity
than previous approaches.
KEYWORDS
ant lion optimizer, feature selection, fruit fly algorithm, intrusion detection systems, KDD
Cup99, NSL-KDD, UNSW-NB15
1|INTRODUCTION
Considering the expansion in using the Internet and computer networks to exchange information between users, the
number of intrusions increases in an annual basis. The importance of maintaining security in such environment has
encouraged researchers to create intrusion detection system (IDS). The IDS, work on the features of traffic flow and
through investigating them, recognize whether it is intrusion or not. With regard to the method of detection, IDS can
be classified into two classes of detecting anomalous behavior and misuse detecting (signature-based detection).
1
In the
anomaly-based detection, a model of normal behavior is created. In order to create normal behavior model, approaches
such as clustering and machine learning techniques are applied. In signature-based detection, the premade intrusion
models (as signatures) kept the rule, and in case that such a model takes place in the system, intrusion is declared.
Feature selection with metaheuristic algorithms is discussed in various domains of machine learning and data min-
ing. Thus, one of the useful and effective methods in the path towards solving the problem of feature selection and its
related issues is the use of metaheuristic optimization methods; such algorithms can be grouped as random algorithms
that attempt for obtaining nearly optimal solution through multiple repetitions. Because the metaheuristic algorithms
Received: 23 November 2019 Revised: 11 March 2020 Accepted: 8 April 2020
DOI: 10.1002/dac.4434
Int J Commun Syst. 2020;e4434. wileyonlinelibrary.com/journal/dac © 2020 John Wiley & Sons, Ltd. 1of26
https://doi.org/10.1002/dac.4434
alone did not provide optimal solutions to the problems. Therefore, in the hybrid approach, combining the advantages
of algorithms can improve their performance.
2,3
One of the approaches for enhancing the efficiency of IDS is training
the system and the manner of training and in this regard, better training requires the selection of more important fea-
tures. There are two main types for feature selection: filter-based and wrapper-based methods. Filter-based methods rely
on the general characteristics of the training data; wrapper-based methods involve optimizing a predictor as part of the
selection process.
4
The wrapper-based feature selection is a more precise method, which is appropriate for IDS prob-
lems where accuracy plays a major role.
The purpose of creating hybrid algorithms is to show better performance in solving various optimization problems
through making use of the strong points existing within the hybrid algorithms. Two major properties in metaheuristic
algorithms are exploration and exploitation
5
: Exploration guarantees that the algorithm conducts an overall and effi-
cient search to find a solution or diversifying the global search in the solution space. In exploitation, the algorithms
attempt to improve candidate solutions. Establishing balance between these two parameters is importance because high
exploitation results in premature convergence and being trapped in a local optimum and high exploration, which leads
to a slow convergence with a slow rate of performance.
6
Two major problems exist in metaheuristic algorithms, which are premature convergence and slow convergence.
7
Problem of premature convergence is due to the lack of accuracy in the final solution. Slow convergence, means that
improving the quality of the solution is not fast enough. These two problems are related to the diversity of solutions
generated during the search process. High diversity guarantees finding better and more accurate solutions, though it
results in slow convergence and for this reason, a balance has to be maintained between accuracy and convergence.
Hybrid algorithms increase diversity in populations and it is due to increasing in search potential.
8
Reducing features
through the use of metaheuristic algorithms reveal better results since they generate the best optimum results in shorter
time and as a result, reduce the costs of designing computations.
9
Within the past few years, metaheuristic techniques inspired by natures such as ant colony optimization (ACO),
10
particle swarm optimization (PSO),
11
and bee colony optimization (ABC)
12
have been applied for the purpose of improv-
ing the performance of IDS techniques. In addition, such clustering and classification methods as simplified swarm
optimization,
13
GA/SVM (genetic algorithm/support vector machine),
14
fuzzy genetic,
15
SVM-KNN-PSO
16
have been
proposed for this aim. Usually after proposing metaheuristic algorithms by researchers, the multi-objective, binary,
hybrid, opposition-based learning (OBL), chaos-based, and so forth versions are presented for the purpose of solving
various optimization problems like feature selection. The hybrid methods for the optimization of algorithms
17
are used
to improve the search potential and hybrid the advantages of each algorithm and at the same time decrease their weak-
nesses.
8
In research studies,
5,18–21
metaheuristic algorithms and their hybrid forms have been used in feature selection.
The fruit fly algorithm (FFA)
22
is a population-based optimization algorithm that has been simulated according to
the behavior of fruit fly in finding food. This algorithm has been applied in various optimization problems such as clus-
tering medical data (hybrid with SVM),
23
multidimensional knapsack,
24
optimization problems of continuous
function,
25
and clustering.
26
In addition, the improved and chaos-based version
27
of this algorithm has been presented.
Its advantages are simple calculation process and operationalization, easier understanding due to the lower number of
parameters, and the ease of turning into program codes. Due to such factors, FFA is an appropriate instrument to solve
the majority of real-world problems.
28–30
Ant lion optimizer (ALO)
31
is a population-based optimization algorithm that mimics the interaction between ant
and ant lion for hunting. It has been applied in such areas as cluster-based data collection in wireless sensor
networks,
32
binary version of the ALO for feature selection,
33
chaos-based version for feature selection,
34
and multi-
objective version for engineering problems.
35
It has been approved that this algorithm has an acceptable performance
with regard to calculation time and search potential for finding optimum or near-optimal solutions. ALO balances
exploration and exploitation utilizing a single operator, which can adaptively search the domain of solutions for the
optimal solution.
33
ALO is one of the metaheuristic algorithm that show a good performance in searching the feature
space for optimal subset of features.
36
The dataset used in IDS often have many features and dimensions among which, a large number might be in the
form of less important features. Therefore, feature selection is an important aspect in IDS because it may impact the
performance of intrusion analysis. The purpose of feature selection is that less important features are eliminated from
the dataset so that the accuracy and speed of prediction in a classification algorithm are enhanced. One of the effective
methods in feature selection is using metaheuristic methods.
5
By reviewing other studies,
5,37–39
it is clear that, the
increased usage of metaheuristic algorithms in solving optimization problems such as feature selection has led to its uti-
lization in different discussions such as IDS.
2of26 SAMADI BONAB ET AL.
In this paper, it has been attempted to perform feature selection on IDS based on a hybrid version of the FFA and
ALO. The FFA–ALO is used for the problem of feature selection in IDS, and in order to hybrid the benefits of the algo-
rithms, they have been used in the hybrid form. To prevent being trapped in local optima, an appropriate diversity of
population has to be provided during the search process. Hybrid algorithms increase the diversity of populations, and
such high diversity guarantees access to better and more accurate solutions. In this paper, the high exploratory mecha-
nism of the ALO is hybrid with the high rate of convergence in the FFA so that a proper synergy can be obtained
through this hybridization.
The rest of the paper is organized as follows. The related works are reviewed in Section 2. In Section 3, the theoreti-
cal background of the paper is presented. The proposed hybrid method is discussed in Section 4. In Section 5, the exper-
imental results are reported in order to confirm the efficiency of the FFA–ALO. Finally, conclusion and future works
are discussed in Section 6.
2|RELATED WORKS
By reviewing other studies,
1,5,9,39–42
it is shown that the use of metaheuristic optimization algorithms for the pur-
pose of feature selection has increased. Recent studies show that metaheuristic algorithms have been enhanced in
the following manner: hybrid, binary, multi-objective, chaos-based, OBL, and so forth. Hybrid algorithms are used
for the purpose of hybridization the advantages of each one of them and the same, reducing their weaknesses. In
order to solve optimization problems with a discrete nature,
43–45
like feature selection, the domain of problem is
mapped to the discrete domain and the binary version of algorithms is proposed. In multi-objective optimization
problems,
37,46–48
an assumed solution cannot be scored only on the basis of one indicator. Chaos-based
34
methods
are used to improve search diversity in optimization algorithms. Despite the fact that chaos-based systems that are
apparently random and unpredictable, they have absolute structures and can be considered as suitable replace-
ments for random process in these algorithms. The main idea of OBL methods
49,50
is analyzing the current and
reverse solution and choosing the better one as the next generation of the population. In the following, a sum-
mary of some major studies by the help of feature selection and through using metaheuristic algorithms is
presented.
Ganapathy et al.
51
proposed “Weighted Distance Based Outlier Detection”algorithm to effective intrusion detection
in wireless environment on KDD (knowledge discovery and data mining) Cup99. This algorithm uses the relative loca-
tion of a point of data and assigned weight according to its perceived importance, then the weighted average calculation
is performed between all the data samples. In this case, nodes whose distance are greater than average are found, in the
next step, the inner weighted average is calculated for k, the nearest inner node. For the newer node, after calculation
of the weighted distance, if this value is greater than the weighted average, it is considered as abnormal traffic. The
detection accuracy for denial-of-service (DoS), probe, and other attacks is 99.62%, 99.42%, and 99.52%, respectively.
In Aghdam and Kabiri,
1
feature selection was conducted by utilizing ACO algorithm for the purpose of selecting
more effective specifications and increasing the efficiency of IDS; that is because eliminating useless features can
enhance the accuracy of detection. Results of simulation on two datasets KDD Cup99 and NSK–KDD reveal that focus-
ing on more important and effective features increases the speed of IDS, without affecting the accuracy in a significant
manner.
Ganapathy et al.
52
proposed the ICRF method that reduces learning, testing time, communication latency, over-
head, and false alarm rate and increases classification accuracy. The proposed method uses the combination of
ICRFFSA (intelligent CRF based feature selection algorithm) and LA-based classification algorithm for feature selection
in intrusion detection. Feature selection module in this method, uses feature selection agent, which selects the optimal
features subset from the 41 features in the KDD Cup99 for different types of attacks. Feature selection agent selects use-
ful features using appropriate rules. These rules are used to identify normal traffic and attacks. The number of selected
features for DoS, user-to-root (U2R), root-to-local (R2L), and probe attacks are 5, 11, 11, and 5, respectively.
In Acharya and Singh,
9
the intelligent water drops algorithm (WDA) was utilized for selecting features in the pro-
cess of IDS. This study was aimed at optimizing the process of feature selection through using the WDA so that it can
enhance the accuracy of SVM classificatory. This goal was achieved through reducing features in the KDD Cup99 by
using the WDA. Results of the hybrid method (hybrid SVM and the WDA) were compared with SVM, NB, k-means,
and the hybrid form of SVM and GA algorithms according to the ACC, DR, FAR, and PC criteria, and a significant
improvement was observed.
SAMADI BONAB ET AL.3of26
In,
38
ABC, ACO, and PSO metaheuristic algorithms were used to select more important features in the NSL-KDD
(network security laboratory-knowledge discovery and data mining). For the purpose of analyzing the process of feature
selection, KNN (k-nearest neighbor) and SVM (support vector machine) classifiers were used. The results obtained
through comparing the performance of KNN and SVM classifiers in the absence of feature selection with a case in
which PSO, ACO, and ABC are used reveal that the numbers of features in the dataset have been reduced from 41 to
11, 7, and 7, respectively. Therefore, the running time was significantly reduced, and at the same time, the accuracy
and rate of detection were increased and a reduction could be observed in the rate of false alarms; in addition, it was
shown that among the three metaheuristic algorithms, ABC has a better performance.
In their study,
53
Eesa et al. used the cuttlefish algorithm as a search strategy for the purpose of determining an opti-
mal subset of features. In addition, they use decision trees (DT) to make judgment on the features selected by the cuttle-
fish algorithm. The dataset used to analyze the proposed method in this study is KDD Cup99; the results showed that
in comparison to a case in which all features were used for the purpose of IDS, the proposed method increased the rate
of detection and accuracy and at the same time reduced the rate of false alarms.
In Selvakumar and Muneeswaran,
39
the firefly algorithm was used for the purpose of feature selection on IDS. From
the 41 features within the KDD Cup99, 10 features were extracted through using the proposed method, which is enough
for the purpose of IDS. Through reducing the required information, running time is decreased, structures are simplified,
and the classification performance is enhanced. The evaluation criteria included DR, FPR, and F-measure. Findings
revealed that compared with the use of all features, the performance of detection is enhanced and costs of calculations
are reduced. Unfortunately, output results of the firefly metaheuristic algorithm have been compared with the C4.5
classifiers and Bayesian networks, and no such comparison has been made with the performance of other metaheuristic
algorithms.
In Hajisalem and Babaie,
18
a new classification method was proposed that used a hybridization of ABC (Artificial
Bee Colony) and AFS (Artificial Fish Swarm) algorithms for the purpose of IDS; in this method, fuzzy c-means cluster-
ing techniques and feature selection based on cohesion were used to divide the education dataset and eliminate irrele-
vant. Then, “if …then”rules were formed through using the CART (classification and regression tree) technique based
on the selected features, and was used to detect normal and abnormal records. To evaluate the presented method, simu-
lation was conducted on the NSL–KDD as the general dataset and the UNSW-NB15 as the one suitable for detecting
newer attacks. Results obtained from this algorithm were compared with such methods as FSVM (Filter-based Support
Vector Machine), MDWT (Multi-level DWT), GAA (Geometric Analysis), DMM (Dirichlet Mixture Model), CVT (Com-
puter VisionTechniques), and PBIL-AIS (population based incremental learning- artificial immune system), and it was
shown that the proposed method has a better performance with regard to DR and FPR.
In Ghanem and Jantan,
37
a new multi-objective approach based on the ant colony algorithm was proposed for the
purpose of feature selection on IDS. This study was aimed not only at presenting a new method for feature selection
but also at introducing a fitness function in order to obtain the goals of feature selection such as minimizing the num-
ber of selected features, rate of false alarms, rate of classification error, and optimizing the accuracy of classifiers com-
pared to cases where all features are implemented.
Mohammadi et al. proposed an IDS based on feature selection.
54
In this method, for the purpose of selecting fea-
tures based on filter and wrapper, the feature classification algorithm based on linear correlation coefficient and the
cuttlefish algorithm were applied, respectively. The FGLCC-CFA (Feature grouping based on linear correlation coeffi-
cient-cuttlefish algorithm) method, a hybrid form of filter and wrapper-based methods and have the advantages of both,
was proposed so that the most optimal subset of features can be extracted from the dataset. The FGLCC-CFA algorithm
uses the high speed of FGLCC and the high accuracy of CFA for the purpose of selecting a subset from the set of fea-
tures. In the CFA method, selecting an optimal subset from the features is a time-consuming process. To solve this
problem, the FGLCC filter is used for the purpose of rank ordering the primary features, and the selected features enter
CFA as input features. To validate the proposed method, the KDD Cup99 dataset was applied. Findings obtained
through using FGLCC-CFA revealed that in comparison with the CFA and FGLCC algorithms, the hybrid method was
able to increase accuracy and the rate of detection and led to the reduction of false alarms.
In Alzubi et al.
44
, the binary grey wolf algorithm was utilized for the purpose of feature selection on the NSL-KDD,
and it was shown that this algorithm managed to make a balance between increasing accuracy and detection rate on
one hand and reducing FPR and the number of features on the other. Values obtained for these parameters were 99.22,
99.10, 0.0064, and 14, respectively. With regard to the mentioned criteria, this proposed algorithm was compared with
the binary GWO, AdaBoost, and PSO-discretize-HNB, and it was shown that the proposed method has been able to
make a proper balance between the mentioned parameters.
4of26 SAMADI BONAB ET AL.
In Raman et al.
55
the HC-IBGSA (hyper clique-improved binary gravitational search algorithm) SVM intrusion
detection technique is proposed to improve SVM performance in terms of detection rate and false alarm rate. This
method uses the properties of hyper clique, hyper graph, and novel mutation operator and Newton–Raphson position-
ing update function to search for optimal solutions and prevent premature convergence. It also uses the weighted objec-
tive function to establish a balance between maximizing detection rates, minimizing false alarm rates, and optimizing
the number of features. The classification accuracy reported by this algorithm on the UNSW-NB15 is 94.11%.
Hadeel Alazzam et al.
56
have proposed a wrapper-based feature selection algorithm for IDS that uses a pigeon-
inspired optimizer for the feature selection. Two binary versions of this algorithm, CPIO and SPIO, are presented for
feature selection issues on KDD Cup99, NSL-KDD, and UNSW-NB15.
In Emary et al.
33
a binary version of the ALO algorithm is presented to wrapper-based feature selection based on
KNN classifier with the aim of finding a minimum and optimal subset of features as well as maximizing the classifica-
tion performance. Twenty-one standard UCI datasets have been used to evaluate the proposed method, and the evalua-
tion criteria that used are statistical mean, classification error rate, statistical standard deviation, average computational
time, and average selection size. The proposed method has also been compared with the standard ALO, BBAT, PSO,
and genetic algorithm and has shown better performance.
In Zawbaa et al.
34
five different chaos-based versions of the ALO algorithm for KNN-based feature selection are
presented. Eighteen standard UCI datasets were used to evaluate the proposed method. The results obtained from clas-
sification accuracy and number of selected features for the proposed method, are compared with standard ALO, PSO,
and genetic algorithm.
In Mafarja et al.
36
six different versions (three versions with s-shaped binary mapping and three versions with
v-shaped binary mapping) are presented for mapping the ALO algorithm from the continuous space to the discrete
space. The performance of the proposed methods is compared with PSO, GSA (gravitation search algorithm), and
ALO. Evaluations show that the proposed methods explore the feature space more effectively and select the most
optimal features on 18 standard UCI datasets, which help to improve the classification accuracy. The evaluation
criteria used in this paper are average computational time, average number of selected features, and average classi-
fication accuracy.
In Table 1, the proposed methods in IDS based on the use of metaheuristic algorithm for the purpose of feature
selection have been compared with each other.
3|THEORETICAL BACKGROUND
In this section, we focus completely on the importance of feature selection in the problem of IDS and will implement
standard datasets on IDS for evaluating the FFA–ALO.
3.1 |Feature selection
Datasets that are used in IDS have a large number of features, which represent the features of traffic flows; in the mean-
time, some features may have little importance in detection process. Thus, selecting more effective features can increase
the accuracy and speed of IDS. Feature selection is applied for the purpose of attaining a better understanding of data
and selecting a subset of important features and is formulated as a multi-objective problem.
5
This problem is aimed at
improving the efficiency of classifiers and attaining a more precise classification of data compared with cases where all
features are applied.
57
Benefits of feature selection include understanding the data, decreasing needed storage space,
and decreasing process costs.
54
In a dataset, the size of search space is increased exponentially with regard to the number of features. In prac-
tice, global search techniques are not feasible to attain a proper solution and are faced with the problem of being
trapped in local optima.
58
That is because having assumed N features in a dataset, the number of its possible and
various subsets would be 2N.
5
Finding a minimal subset from among features is an NP-hard problem
59
; thus,
metaheuristic algorithms are replacements to eliminate such limitations and make the global search possible. Fea-
ture selection is an area where metaheuristic algorithms have been applied. Regarding the fact that global search
presents all the possible solutions for a problem, metaheuristic algorithms show better performance compared with
global search mechanisms.
SAMADI BONAB ET AL.5of26
There are two different methods for evaluating the quality of selected features filter based and wrapper based. In
the filter-based feature selection, features are ordered according to their importance, and the best features are selected.
54
This method is not dependent on classifiers
60
and is independent of learning algorithms.
1,61
Figure 1 indicates feature
selection according to the filter-based method.
TABLE 1 Summary of literature review
# Approach Disadvantages Advantages Datasets
1 M. H. Aghdam et al.
1
Not using newer IDS datasets—
not comparing the proposed
method with methods that
have used metaheuristic
algorithms for feature selection
An 88% reduction in the number
of features—The proposed
method reduces both the
memory and the CPU
required for the purpose
of feature detection
through reducing the
number of features
KDD CUP99,
NSL-KDD
2 N. Acharya et al.
9
Not using newer IDS datasets Detection rate: 99.4075%,
accuracy: 99.0915%, rate
of false alarms: 1.405,
and precision: 99.108%
KDD CUP99
3 T. Khorram et al.
38
Not using newer IDS datasets Comparing the PSO, ABC, and
ACO algorithms for the
purpose of feature selection
in IDS and the better
performance of ABC
with a 98.7% detection
rate and 98.9% accuracy
NSL-KDD
4 A. S. Eesa et al.
53
Not using newer IDS datasets —KDD CUP99
5 B Selvakumar et al.
39
—Using a newer IDS dataset KDD CUP99
6 V. Hajisalem et al.
18
—Using newer IDS datasets NSL-KDD,
UNSW-NB15
7 W. Ghanem et al.
37
Not using IDS datasets for
evaluating the fitness
function and the
proposed algorithm
Introducing a fitness function to
attain goals of feature selection,
which include
minimizing the number
of selected features,
minimizing the rate of
false alarms, minimizing
the rate of classification
error, and optimizing
the precision of classifiers
compared to the cases
where all features are implemented.
—
8 Mohammadi et al.
54
Not using newer
IDS datasets
Using the proposed fitness function
to evaluate the proposed
method—Accuracy: 99.84%
KDD CUP99
9 Q. M. Alzubi et al.
44
Not using newer IDS
datasets—not
comparing the
proposed method
with the results of methods
that have recently been presented.
Using the proposed fitness
function to evaluate
proposed methods
NSL-KDD
10 Raman, M.G., et al.
55
Not using different classifiers
in the proposed method
and just use SVM
Using newer IDS datasets NSL-KDD,
UNSW-NB15
Investigation of algorithm
performance before and
after feature selection
6of26 SAMADI BONAB ET AL.
The wrapper-based method of feature selection is more precise than the previous one and can accommodate itself
with the machine learning algorithms (such as classifiers). In this method, a classification algorithm is used for the pur-
pose of evaluating a subset of features.
61
Figure 2 shows the mechanisms of the wrapper-based method.
In comparison with the wrapper-based method, the filter-based method for feature selection is faster and has lower
calculation complexities because calculating the distance between features, dependencies among features, and also
obtaining information gain from the calculation of classifier accuracy would be cheaper and faster.
5
In filter-based
methods, the importance of features is regarded as the criterion to evaluate a subset of features, while in wrapper-based
methods such evaluation is conducted according to the accuracy of classifiers. In these latter methods of feature selec-
tion, the best subsets are evaluated and extracted from the features based on getting a feedback from learning algo-
rithms (such as classifiers), and their accuracy usually exceeds that of filter-based methods.
62
In filter-based methods, in many cases, reaching to the best subset of features is not possible, while wrapper-based
methods can always provide high-quality solutions. While utilizing wrapper-based model of feature selection, three
important factors have to be taken into consideration
5,63
: classifier, criteria used for evaluating the subset of features
(accuracy, the rate of elimination for false alarms, etc.), and search techniques used to find the best hybridization of fea-
tures. In applications such as IDS in which the accuracy of detection is of significant importance, using the wrapper-
based feature selection is preferred due to guaranteeing a higher rate of accuracy.
3.2 |Fruit fly algorithm
The FFA was first proposed by Pen
22
based on the food-seeking behavior of fruit flies. The food-seeking behavior of
such flies is composed of two steps: first, it smells the food source by the help of its body organs and then flies towards
it; then, it gets closer to the location of food. The fly can also use its vision for finding food and the locations where
other fruit flies have gathered together and fly there.
64
The diagram of the group iterative food searching of fruit flies
has been shown in Figure 3. The manner of food seeking in the FFA has been presented in several stages
29
:
Stage 1: Size of the primary population, the maximal number of stages, and the primary location of fruit fly population
are defined randomly.
Stage 2: The unique direction and location of fruit flies for food seeking are determined. In Equation 1, irepresents the
ith fruit fly.
Xi=Xaxis +Rand value:
Yi=Yaxis +Rand value:
ð1Þ
Stage 3: Because the location of food is unknown, first the distance to the source (Dist) is estimated by Equation 2. The
rate of smelling (S), as Equation 3, has an inverse relationship with the distance.
Disti=ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
X2+Y2
p:ð2Þ
Si=1
Disti
:ð3Þ
FIGURE 1 Filter-based feature
selection
FIGURE 2 Wrapper-based feature
selection
SAMADI BONAB ET AL.7of26
Stage 4: The rate of smelling (S) is replaced in the smelling function (fitness function) to obtain the rate of smelling
(Smell) in the unique location of the fruit fly. This is conducted using Equation 4.
Smelli= Function Si
ðÞ:ð4Þ
Stage 5: The fruit flies having the best rate of smelling (the optimal rate) are selected from among the fruit fly popula-
tion through conducing Equation 5.
bestSmell bestindex½= Opt Smelli
ðÞ:ð5Þ
Stage 6: The best rate of smelling and the related Xand Yare maintained by the help of Equation 6, and then, the fruit
fly population flies towards that location.
Smellbest = bestSmell:
Xaxis = X bestindexðÞ:
Yaxis = Y bestindexðÞ:
ð6Þ
Stage 7: The optimization Stages 2 to 5 are repeated; if the rate of smelling exceeds that of the previous one, Stage 6 is
executed. As shown in Algorithm 1, the pseudo code related to the FFA is performed as follows.
Algorithm 1 FFA pseudo code
1) Initialize fruit fly swarm location randomly
For each fruit fly
2) give the random direction and distance for the search of food by smell; Using Equation 1
3) Distance to the origin is calculated; using Equation 2, Smell concentration judgment value is calculated; using
Equation 3
4) Substitutes smell concentration judgment value (S) into smell concentration judgments function (Fitness func-
tion); using Equation 4
End for
5) Find out the fruit fly with maximal smell concentration value and then let the fruit fly move towards the best
one; using Equation 5
6) Keep the best smell concentration value and X,Y; using Equation 6
7) Repeat the implementation of Step 2 to Step 5, then judge if the smell concentration is better than previous itera-
tive smell concentration, if so, implement Step 6.
3.3 |Ant lion algorithm
The ALO imitates the interaction of ant lions and ants in hunting. To model such interaction, ants move in the search
space, and the ant lions are allowed to hunt them and become more qualified by this goal.
31
Through placing them-
selves in a circular path, larva ant lions dig a conical hole within the sand and throw away the sand grains by their big
jaws. When ant lions notice that the prey has been trapped within the hole, it would try to catch it. However, insects
are not trapped in most cases immediately and are trying to be away by it. In such cases, ant lions intelligently throw
the grains of sand to the edges of their holes in order to force down their prey. When the prey is dropped on their jaws,
they pull it under the soil and eat it. After eating the prey, they throw what has been left and reform the hole for the
next hunt. In the ALO, the random movement of ants has been modeled based on the phenomenon of random walking
presented in Equation 7. In Equation 7, a running total and a random function have been presented that are utilized to
imitate the quality of random walking on various repetitions.
8of26 SAMADI BONAB ET AL.
AiðÞ= 0; cumsum 2r i1
ðÞ−1ðÞ;cumsum 2r i2
ðÞ−1ðÞ;…;…;cumsum 2r iiter
ðÞ−1ðÞðÞ:ð7Þ
rΔðÞ=0, if rand ≤0:5
1, if rand >0:5
(:ð8Þ
In Equation 7, A(i) stands for the random movement of the ith ant, i
ter
for the number of stages in repetition, and in
Equation 8, r(Δ) for a function of random generation where Δdetermines the size of the random step. To maintain the
random movement of ants in the search space, the Min–Max normalization is given in Equation 9, which is conducted
in order to make sure that the movement of ants occurs within the search space.
At
i=At
i−ai
:di−Ct
i
dt
i−ai
+Ci:ð9Þ
In Equation 9, A
ti
10 represents the location of the ith ant in the tth stage, a
i
is the smallest random step of the ith
ant, and C
ti
and d
ti
are the smallest and biggest ith variable in the tth stage, respectively. The random steps of ants,
under the influence of the traps made by ant lions, are placed in a 2D search space. This behavior has been formulated
in Equation 10:
Ct
i=Antliont
j+Ct
:
dt
i=Antliont
j+dt
:
ð10Þ
Here, c
t
and d
t
represent the smallest and biggest variable among all variables in the tth stage, respectively. c
ti
repre-
sents the smallest and biggest variables in the tth stage for the ith ant.
Ant lion
tj
illustrates the location of the jth ant in the tth stage. The fitness value for each ant lion determines the
type of trap made by them and causes ants to be trapped in them while trying to escape and increases the probability of
being by ant lions. With the help of elitist concepts, the best solution reached in every generation is considered as the
elite ant lion, which influences the movement of ants in each stage. In order to model the hunting capability of ant
lions, the Roulette wheel is applied. The location of each ant is updated towards ant lion R
tA
and the elite ant lion R
tE
with the help of random movement as Equation 11.
Antt
i=Rt
A+Rt
E
2ð11Þ
FIGURE 3 Schematic diagram of the group iterative food
searching of fruit flies
26
SAMADI BONAB ET AL.9of26
For every ant lion, the ALO algorithm with the proposed stages is applied as follows: to model the hunting
capability of ant lions, the Roulette wheel is used. In the hunting of ants, the Roulette Wheel is applied to
select the ant lion that has the highest value for the fitness function during the process of optimization. It is
assumed that each ant can be hunted by one ant lion. Catching a prey and reconstructing the trap is the next
stage where ant lions consume the ants at the bottom of their traps and reform it to make a new trap and catch
another prey. Ant lions hunt their prey when the value of fitness function for the prey or their hunt is higher
than that of ant lions. In Equation 12, f(Ant) and findicate the values of fitness function for ants and ant lions,
respectively.
32
Antliont
j=Ant
t
i; if f Antt
i
> f Antliont
j
ð12Þ
The ALO has been defined in Algorithm 2:
Algorithm 2 ALO algorithm
31
1: Initialize first population of ants and ant lions randomly
2: Calculate the fitness of ants and ant lions
3: Find the best ant lions and assume it as the elite (determined optimum)
4: while the end criterion is not satisfied
5: for every ant
6: Select an ant lion using roulette wheel
7: Update c and d using c
t
=ct
I,dt=dt
I
8: Create a random walk and normalize it using Equations 7,(9)
9: Update the position of ant using Equation 11
10: end for
11: Calculate the fitness of all ants
12: Replace an ant lion with its corresponding ant if it becomes fitter Equation 12
13: Update elite if an ant lion becomes fitter than the elite
14: end while
15: Return elite
3.4 |Datasets for evaluation
The population focused in the current study consists of the KDD Cup99, NSL-KDD, and UNSW-NB15
65
standard
datasets.
3.4.1 |KDD Cup99 dataset
Since 1999, the KDD Cup99 dataset, from the UCI data warehouse, has been used as the standard dataset to evaluate
IDS. Each record has 41 features and a label to indicate the type traffic—whether it is normal or intrusion.
3.4.2 |NSL-KDD dataset
This dataset is an improved version of the KDD Cup99 dataset. The most important shortcoming of the KDD Cup99
dataset is the large number of duplicate records.
66
In other words, 78% and 75% of records in the training and test
datasets of the KDD Cup99 dataset are duplicated. The NSL-KDD dataset includes records each of them showing the
10 of 26 SAMADI BONAB ET AL.
relationship between two network hosts based on the protocols of the network. Details of the features such as the name
of attributes and the type of data have been presented in Table 2. The 42nd feature includes five distinct classes of net-
work connections and is classified in the following manner: one class as the normal class (normal flow) and four classes
as the intrusion traffic. The major four intrusion classes include DOS, probe, R2L, and U2R.
67
This dataset has been
used in a number of studies.
1,18,38
This dataset consists of one normal traffic type and 24 different intrusion traffic types
that have been classified into four groups and have been presented in Table 2.
68
•DoS attack: a kind of attack against a network that through consuming resources and memory floods the network
with unnecessary applications or keeps some of the calculations or resources of the memory busy and as a result,
denies authorized users access to a machine.
•U2R attack: a kind of abusive attack where the attacker enters a network through a normal user's account and
attempts to access its root.
•R2L attack: attacker attempts to gain local access a network as a machine user that has no access to the system.
•Probe attack: related to collecting information from a network of computers to use them in later applications.
Table 3 shows how data are distributed in the major classes of intrusion in the test and training datasets of the KDD
Cup99 and NSL-KDD.
Because features in this dataset have either continuous values or discrete values, they become incomparable. There-
fore, the following two procedures are run in order to process the data:
a Features mapping (e.g., protocol type, service, and flag) to numeric values.
b Features normalization: For the purpose of normalization, Min–Max procedure is used; in order to normalize
numeric values to the MinX and MaxX range, that show the highest and lowest values for the feature X, first (MinX,
MaxX) has to be turned into a new rage (new MinX, new MaxX) with the help of Equation 13
54,67,69
:
NewV =V−MinX
MAxX −MinX :ð13Þ
TABLE 3 Distribution of training and testing on NSL-KDD and KDD Cup99
1
Type of attack
NSL-KDD KDD Cup99
Training dataset Testing dataset Training dataset Testing dataset
DoS 9234 7458 391458 229853
U2R 11 533 54 2636
R2L 209 2421 1124 13781
Probe 2289 2421 4107 4166
Normal 13449 9711 97278 60593
SUM 25192 22544 494021 311029
TABLE 2 Categorize different types of attacks on NSL-KDD cup99
67
Attack
class List of attacks
DoS Back, Land, Neptune, Pod, Smurf, Teardrop, Apache2, Udpstorm, Processtable, Worm (10)
U2R Buffer_overflow, Loadmodule, Rootkit, Perl, Sqlattack, Xterm, Ps (7)
R2L Guess_Password, Ftp_write, Imap, Phf, Multihop, Warezmaster, Warezclient, Spy, Xlock, Xsnoop, Snmpguess,
Snmpgetattack,Httptunnel, Sendmail, Named (16)
Probes Satan, Ipsweep, Nmap, Portsweep, Mscan, Saint (6)
SAMADI BONAB ET AL.11 of 26
3.4.3 |UNSW-NB15 dataset
In Hajisalem and Babaie,
18
the UNSW-NB15 dataset has been utilized for analyzing their proposed method, while it
has been used in
65
as a dataset to detect newer attacks. In this dataset, the attack records are classified into nine classes;
this classification is presented in Table 4.
In addition, the manner of distributing traffic records for the nine intrusion classes and one normal class, in both
training datasets and test datasets, is presented in Table 5.
4|PROPOSED METHOD: FFA–ALO
In the proposed method, the two algorithms of FFA and ant lion will be hybrid to benefit from their specific advan-
tages. In this paper, feature selection based on the FFA and ALO has been proposed to improve the performance of
IDS. To present the proposed method, the following steps are conducted:
I hybridization the FFA and ALO
II Feature selection with the help of the hybrid algorithm and evaluating the selected features (wrapper-based feature
selection)
TABLE 5 Distribution of training and testing data on UNSW-NB15
70
Attack type Training dataset Testing dataset
Normal 5600 37000
Analysis 2000 677
Backdoor 1746 583
DoS 12264 4089
Exploits 33393 11132
Fuzzers 18184 6062
Generic 40000 18871
Reconnaissance 10491 3496
Shellcode 1133 378
Worms 130 44
SUM 175341 82332
TABLE 4 Categorize different types of attacks on UNSW-NB15
65
Type of
attack #Records Description
Normal 2 218 761 Natural transaction data.
Fuzzers 24 246 Attempting to cause a program or network suspended by feeding it with the generated random data.
Analysis 2677 It contains different attacks of spam, port scan and html files intrusions.
Backdoors 2329 A technique in which a system security mechanism is bypassed stealthily to access a computer or its data.
DoS 16 353 A malicious attempt to make a server or a network resource unavailable to users, usually by temporarily
interrupting or suspending the services of a host connected to the Internet.
Exploits 44 525 The attacker knows of a security problem within an operating system or a piece of software and
leverages that knowledge by exploiting the vulnerability.
Generic 215 481 A technique works against all block ciphers (with a given block and key size), without consideration
about the structure of the block cipher.
Reconnaissanc 13 987 Contains all strikes that can simulate attacks that collect information.
Shellcode 1511 A small piece of code used for payload in the exploitation of software vulnerability.
Worms 174 Attacker replicates itself in order to spread to other computers. Often, it uses a computer network to
spread itself, relying on security failures on the target computer to access it.
12 of 26 SAMADI BONAB ET AL.
III Predicting the labels of classes for the test dataset
After preparing and normalizing the training dataset, the feature selection is used to select the optimal subset of fea-
tures. In this paper, the FFA–ALO algorithm was adapted to selecting the optimal subset of features. Then, four classi-
fiers (SVM, KNN, naïve Bayes, and DT) were used to evaluate the selected features. In the next step, predicting the
labels of classes for the testing dataset is performed by using of the key features selected by the proposed method.
In Figure 4, a general overview of the proposed method of wrapper-based feature selection has been shown.
4.1 |FFA–ALO
Decreasing dimensionality, simplification, and shorter training time are the benefits of feature selection and plays a sig-
nificant role in IDSs.
71
Both FFA and ALO have been inspired by nature and are used in solving optimization problems.
In comparison with other intelligent optimization algorithms, the FFA algorithm is easier to understand and imple-
ment due to its smaller number of parameters, and its convergence speed is faster and easier to implement, and is easier
to run. This algorithm has been used while solving various optimization problems. In addition, it can be hybrid with
other techniques such as DTs, Bayesian theorem, fuzzy mathematics, neural networks, and so forth. The metaheuristic
algorithms proposed by researchers usually suffer from such problems as being trapped in local optima and solutions
with lower rates of accuracy. To overcome such problems and expand their domain of application, their reformed ver-
sions (e.g., hybrid forms) have been presented.
30
The ALO is suitable with regard to exploitation and is seldom trapped
in local optima due to the issue of elitism and using the mechanism of reducing the problems of compatibility. Higher
rates of exploration in this algorithm occur as a result of using random steps and the selection mechanism performed
by the Roulette wheel.
31
The random selection of ant lions through using the Roulette wheel guarantees exploration in
the search space. The random steps of ants around ant lions emphasize the exploration of the search space around ant
lions. Using random steps and the Roulette wheel helps the ALO to solve the problem of being trapped in local optima.
This algorithm is useful for solving limited problems having diverse search spaces.
31
For optimal subset of features,
ALO shows a good performance in searching the feature space.
36
In order to combine the advantages of the two algo-
rithms, FFA and ALO, the hybrid approach has been applied. To avoid the problem of being trapped in local optima, a
proper diversity has to be created during the process of search. Hybridization of the two algorithms increases the popu-
lation diversity and guarantees finding better solutions with higher accuracy.
Algorithm 3 FFA–ALO pseudo-code
Set n, MaxSubItFFA, MaxSubItALO
While (t < MaxSubItFFA)
1: Generate randomly an initial population/*FFA
2: Calculate the random direction and distance for the search of food by smell. Using Equation 2
3: Distance to the origin is calculated; using Equation 3
4: Smell concentration judgment value is calculated; using Equation 4
5: Substitutes smell concentration judgment value (S) into smell concentration judgments function (Fitness func-
tion); using Equation 5
6: Find out the FFA with minimal smell.
7: Keep the best smell concentration value and X,Y; using Equation 6
8: Repeat the implementation of Step 2 to Step 6, then judge if the smell concentration is better than previous itera-
tive smell
Concentration, if so, implement Step 7
9: Recalculate the fitness value for the population.
10: If there is no improvement in the best fitness value, generate new population/*ALO
11: Substitutes best fitness (Step 7) to initial value of Elite_antlion_fitness.
12: Update the position of elite if any ant lions become fitter than it
13: Keep the elite in the population
14: Return best solution
SAMADI BONAB ET AL.13 of 26
In Algorithm , the proposed pseudo-code, which is the hybrid form of the FFA and ALO, has been presented. In
Figure 5, the FFA–ALO flowchart is presented.
The proposed FFA–ALO algorithm is a hybridization of the FFA and ALO and is composed of two stages: In the
first stage, the FFA is run; if no improvement was observed in the fitness value after a certain number of repetitions, a
new generation is created by the ALO in the second stage, and the best fitness value from the previous stage is deter-
mined as the primary fitness value for the elite ant lion, and if the fit value for any ant lion exceeds that of the elite ant
lion, the location of the elite one would be updated.
4.2 |Feature selection and evaluation of selected features
The proposed algorithm was used to find important features on the IDS dataset. An approach for selecting the feature
was in the form of a wrapper-based approach. In Table 6, features selected from the KDD Cup99, NSL-KDD, and
UNSBW-NB15 with utilizing presented method have been discussed.
FIGURE 4 Overview of the proposed
method
14 of 26 SAMADI BONAB ET AL.
To evaluate the selected features in the wrapper-based approach, classifiers were used. For this purpose, the features
extracted in the previous stage were applied as input for such common classifiers as SVM, KNN, naïve Bayes, and DTs.
5|EXPERIMENTAL RESULTS AND ANALYSIS
The FFA–ALO has developed in the MATLAB R2017a environment. These simulations are performed on the Windows
Ultimate7, with an Intel Corei5 processer and an 8-gigabyte RAM. For evaluating the performance of FFA–ALO, the
KDD Cup, and NSL-KDD were used as general datasets, and the UNSW-NB15 was used as a proper dataset for the
detection of newer attacks. To evaluate the performance of classification algorithms, some statistical indicators such as
the elapsed time, accuracy, specificity, and sensitivity were applied. In Figure 6, the confusion matrix that is also known
as the table of probabilities is shown. This matrix compares real classes with the predicted ones.
Accuracy: This shows the overall number of accurate predictions and is calculated through using Equation 14.
1
FIGURE 5 FFA–ALO flowchart
SAMADI BONAB ET AL.15 of 26
TABLE 6 Selected features by FFA, ALO, and FFA–ALO on IDS dataset
Datasets FFA ALO FFA–ALO
KDD Cup99 dst_bytes, Land, Hot, su_attempted, num_root,
dst_host_srv_diff_host_rate, dst_host_serror_rate,
dst_host_rerror_rate(8)
Duration, Service, flag, dst_bytes, num_access_files,
is_hot_login, count, srv_count, rerror_rate,
srv_rerror_rate, dst_host_same_srv_rate,
dst_host_diff_srv_rate, dst_host_srv_diff_host_rate,
dst_host_serror_rate(14)
Service, flag, Land, wrong_fragment, logged_in,
is_hot_login, count, srv_error_rate,
dst_host_count, dst_host_diff_srv_rate,
dst_host_srv_serror_rate,
dst_host_srv_rerror_rate(12)
NSL-KDD Service, flag, src_bytes, num_failed_logins, su_attempted,
is_guest_login, count, srv_rerror_rate,
srv_diff_host_rate,
dst_host_same_src_port_rate,dst_host_srv_rerror_rate(11)Duration, Protocol_type, Service, flag, dst_bytes, wrong_fragment, Urgent, Hot, su_attempted, num_access_files, srv_rerror_rate,
diff_srv_rate, dst_host_same_srv_rate, dst_host_srv_diff_host_rate, dst_host_rerror_rate (15)Protocol_type, Service, flag, src_bytes, dst_bytes, wrong_fragment, Urgent, Hot, su_attempted,
num_shells, is_guest_login, srv_count, diff_srv_rate, dst_host_srv_diff_host_rate, dst_host_srv_serror_rate, dst_host_srv_rerror_rate (16)UNSW-NB15Service, Dload, ackdat, smeans,
dmeans, res_bdy_len, ct_state_ttl, is_ftp_login, ct_src_ltm(9)Dur, proto, state, sbytes, dbytes, rate, dttl, sinpkt, sjit, swin, dtcpb, dwin, tcprtt, dmean, ct_srv_src, ct_state_ttl, ct_dst_src_ltm,
ct_ftp_cmd, ct_flw_http_mthd, ct_src_ltm (20)Dur, Spkts, sbytes, sttl, sloss, rate, dloss, sjit, djit, swin, tcprtt, ackdat, ct_srv_src, is_ftp_login, ct_srv_dst(15)
16 of 26 SAMADI BONAB ET AL.
Accuracy =TP +TN
TN +FP +FN +TP :ð14Þ
Specificity: In what percentage of cases the normal traffic is accurately labeled as normal and Equation 15 is used to cal-
culate it?
73
Specificity =TN
TN +FP:ð15Þ
Sensitivity: In what percentage of cases the proposed algorithm detects the intrusion traffic accurately and uses
Equation 16?
1
Sensitivity =TP
TP +FN :ð16Þ
5.1 |Evaluation on standard datasets
In this section, efficiency of the FFA–ALO has been compared with the FFA, the ant lion, and the PSO algorithms by
using seven standard datasets. The applied datasets have been extracted from the UCI machine learning data ware-
house. The characteristics of these datasets have been presented in Table 7.
The quality of the results that could be found by the clustering algorithm is compared with the criterion of the over-
all intracluster distance. The distance between samples present in each cluster and its center can be calculated through
applying Equation 17
74
:
FIGURE 6 Confusion matrix
72
TABLE 7 Dataset attributes
Dataset #Attributes (d) #Clusters (k) #Instances (n)
Iris 4 3 150
Glass 9 6 214
CMC 9 3 1473
Zoo 17 7 101
Balance scale 4 3 625
Ecoli 8 8 336
Lung cancer 56 3 32
SAMADI BONAB ET AL.17 of 26
fO,CðÞ=X
k
l=1 X
Oi∈Cl
dO
i,Zl
ðÞ
2,ð17Þ
where d(O
i
,Z
l
) represent the distance between each sample and the center of a cluster. The common metric for the
distance is the Euclidean distance and Equation 18 is applied:
dOi,OjðÞ=ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
X
d
p=1
Op
i−Op
j
2
v
u
u
t,ð18Þ
where drepresents the dimensions of each dataset. It is obvious that the smaller the set of distances, the better
would be the quality of clustering. The best solutions mean the worst solutions, and the standard deviation of results in
100 repetitions of each algorithm in each one of the datasets for the 20 primary population has been presented in
Table 8.
TABLE 8 Comparisons of the sum of within cluster distance
Sum of within-cluster distance
Dataset Criteria FOA ALO PSO PSO4
75
MBCO
75
FFA–ALO
Iris (k = 3) Best 102.900 102.7012 104.8196 103.51 96.03 96.788
Average 105.604 102.7013 107.8112 96.66 94.14 96.7891
Worst 145.231 102.7013 208.1349 119.14 104.22 96.7901
Std 7.5421 3.2852e-05 11.8615 4.45 2.46 0.00216
Glass (k= 6) Best 330.2541 306.2707 332.9678 291.33 225.00 225.1251
Average 345.2350 316.2708 343.7169 271.29 215.00 220.2074
Worst 450.2576 326.2709 594.3928 299.08 330.00 320.3638
Std 42.8912 6.8267e-05 39.9291 14.60 13.07 0.00416
CMC (k= 3) Best 5897.2236 5954.7896 5980.5017 5729.30 5685.21 5617.5816
Average 5898.3690 5954.7903 6059.0455 5694.20 5680.12 5617.6934
Worst 5912.102 5954.7912 8042.2911 5877.70 5798.20 5617.8566
Std 125.321 0.00041481 195.7336 40.24 1.97 0.01256
Zoo (k= 7) Best 210.4587 203.6083 209.0011 —— 169.8536
Average 211.5894 203.6084 210.4324 —— 169.8612
Worst 230.4821 203.6086 226.8718 ——169.8697
Std 8.32501 1.7432e-05 3.9542 —— 1.0032e-04
Balance (k= 3) Best 1425.6452 1425.6304 1425.7254 ——1425.5758
Average 1425.7584 1425.6305 1428.2231 ——1425.5774
Worst 1426.2891 1425.6308 1466.4676 ——1425.5829
Std 6.458 2.0251e-06 5.6151 —— 3.0411e-07
Ecoli (k= 8) Best 79.1463 79.1439 79.4502 —— 78.1564
Average 81.2365 79.144 90.2438 —— 78.16
Worst 85.6587 79.144 150.3863 —— 78.1657
Std 7.2365 1.5738e-05 14.2348 —— 2.3254e-06
Lung cancer (k= 3) Best 153.2586 154.78781 155.7484 —— 140.846
Average 153.5297 154.78784 156.4673 —— 140.8479
Worst 165.327 154.78789 176.0645 —— 140.853
Std 6.525 9.0516e-06 2.6877 —— 2.0521e-04
18 of 26 SAMADI BONAB ET AL.
The standard deviation (std) is an index for illustrating the stability and strength of optimization. Smaller values of
the standard deviation denote that the optimizer always converges to a similar solution, while higher values indicate
that the optimization algorithm usually has a random performance.
41
5.2 |Simulation results on IDS datasets
In this section, the simulation results of the proposed FFA–ALO method have been presented to investigate its perfor-
mance on IDS and later, the obtained results will be compared with the results of some recently proposed methods.
5.2.1 |Simulation results
After performing feature selection by the FFA and ALO as well as the FFA–ALO, the SVM, KNN, naïve Bayes, and DT
were used to evaluate the selected features. In tables 9, 10, and 11, the output results of the FFA and ALO as well as the
FFA–ALO on the mentioned classifiers for such criteria as accuracy, specificity, and sensitivity have been presented.
The SVM classifier is responsible to create a hyper plane for the separation of classes, in a way that this plane can have
TABLE 9 Results of simulation on KDD Cup99
Elapsed time (s) Accuracy (%) Specificity (%) Sensitivity (%)
Classifier FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO
SVM 179.583 34.0775 32.4794 97.48 96.372 97.278 98.419 99.576 99.639 97.254 95.999 96.887
KNN 19.3645 23.6671 80.4359 97.769 97.62 99.344 98.429 99.231 99.245 97.577 97.433 97.908
Naïve
Bayes
463.487 828.392 379.6786 94.152 97.624 96.543 97.921 98.56 85.738 96.598 97.398 98.964
DT 1.7259 1.9254 2.9048 97.057 97.478 99.731 99.34 89.147 99.67 99.34 98.788 99.87
TABLE 10 Results of simulation on NSL-KDD
Elapsed time (s) Accuracy (%) Specificity (%) Sensitivity (%)
Classifier FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO
SVM 44.3796 64.662 46.9489 88.708 89.957 98.318 95.49 96.365 97.133 80.01 85.298 88.378
KNN 17.759 13.464 17.2148 89.022 96.839 99.06 95.788 95.387 95.603 78.776 83.28 89.568
Naïve
Bayes
477.918 302.179 478.3705 68.266 68.872 75.104 95.757 80.939 98.032 75.282 78.173 82.708
DT 0.3442 0.209 1.5011 88.609 81.292 99.316 92.895 96.705 97.106 94.715 96.015 99.246
TABLE 11 Results of simulation on UNSW-NB15
Elapsed time (s) Accuracy (%) Specificity (%) Sensitivity (%)
Classifier FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO FFA ALO
FFA–
ALO
SVM 9.9958 10.2136 10.3075 68.066 78.366 86.804 89.989 89.146 92.421 65.714 75.696 89.81
KNN 450.851 283.459 184.3329 85.773 77.117 91.987 85.357 75.962 89.674 86.661 79.577 89.992
Naïve
Bayes
2146.10 6120.51 2209.5895 74.679 75.547 85.4 36.912 36.035 52.325 98.004 97.13 98.675
DT 2.8718 3.6616 1.32845 90.629 91.52 99.127 88.853 86.381 91.769 88.853 86.381 93.469
SAMADI BONAB ET AL.19 of 26
the highest distance possible from the samples present in each class. The performance of KNN is based on classifying
samples according to the criteria of similarity.
76
The DT classifier is one of the machine learning techniques and is com-
posed of three components: node, edge, and leaf. Trees are made during the learning course. Within the process of test-
ing, with regard to the test results obtained during the course, each test data are classified through being navigated
from the tree root towards a leaf.
54
The naïve Bayes is a simple probabilistic classifier that uses a law of probability
called the Bayesian law for the purpose of classification.
The obtained results showed that through reducing the number of features used for the purpose of IDS and selecting
more important features, the proposed hybrid method has been able to excel the FFA and ALO on the UNSBW-NB15,
NSL-KDD, and KDD Cup99 with regard to the criteria of accuracy, specificity, and sensitivity.
Comparing Tables 9 and 11 indicate that the results obtained on the KDD Cup99 excel those of the UNSW-NB15
dataset with regard to the evaluation criteria including accuracy, specificity, and sensitivity. That is due to the fact that
though the KDD Cup99 has a longer history and lower rate of intrusion diversity, similarity of the features observed in
the normal and intrusion traffics of the UNSW-NB15 and its newness have made IDS complex in this dataset. In addi-
tion, comparing the results provided in Tables 9–11 shows that after conducting feature selection in the three datasets,
the DT classifier had a better performance with regard to the running time and acts faster. Furthermore, it was found
that with regard to the criterion of accuracy, the DT classifier exceled the other two classifiers. In the KDD Cup, the DT
had a better performance with regard to specificity, while in the UNSW-NB15 and NSL-KDD, the SVM classifier was
better.
5.2.2 |Simulation result and discussion
In this section, performance of the FFA–ALO has been investigated in comparison to a number of recently published
methods. In Figure 7, the results of comparing this method with such methods as ACO,
1
IWD,
9
and FGLCC
54
on the
KDD Cup99 have been shown, while Figure 8 illustrates the results of comparing it with the ABC–AFS,
18
(PSO, ACO,
ABC),
38
and MBGWO
44
on the NSL-KDD. As it can be observed in Figure 7, the FFA–ALO with the sensitivity of
99.89% has gained the best result compared with the previous ones on the KDD Cup99. In addition, Figure 8 indicates
that the values obtained by the FFA–ALO for accuracy and sensitivity on the NSL-KDD through using the DTs are
99.316% and 99.246%, respectively, and show acceptable performance with regard to both criteria in comparison with
the previous methods. In addition, the output results of Figure 8 indicate that with regard to accuracy, the FFA–ALO
has been able to obtain a value of 99.06% through using the KNN classifier, while the same values obtained by the use
of KNN in Hajisalem and Babaie and Khorram and Baykan
18,38
are 99% and 98.9%, respectively. Thus, it is shown that
the FFA–ALO has been able to attain a higher rate of accuracy through using the KNN and DT in comparison to
Hajisalem and Babaie
18
and Khorram and Baykan.
38
Tables 12–14 show the comparison between performance of the recently used methods and the proposed method
using the DT classifier on the KDD Cup99, NSL-KDD, and UNSW-NB15 datasets, respectively; the compared criteria
are number of features, accuracy, and sensitivity. The proposed method, despite having more features than some of the
previous methods, for accuracy and sensitivity criteria on KDD Cup99 with values of 99.731% and 99.87%, NSL-KDD
FIGURE 7 Comparison of the
accuracy and sensitivity of the FFA–
ALO with other methods on the
KDD Cup99
20 of 26 SAMADI BONAB ET AL.
FIGURE 8 Comparison of the
accuracy and sensitivity of the FFA–
ALO with other methods on the NSL-
KDD
TABLE 12 Comparison between several feature selection algorithms using KDD Cup99 corrected test set by DT
Reference Method #Features Accuracy ± STDV Sensitivity (TPR) ± STDV
(Chung & Wahid, 2012) SSO 6 0.924 ± (0.005) 0.985 ± (0.001)
(Ambusaidi et al. 2014) LSSVM 6 0.928 ± (0.001) 0.973 ± (0.001)
(Aslahi-Shahri et al. 2016) GA 10 0.940 ± (0.002) 0.981 ± (0.002)
(Keshtgary et al. 2018) SVM 10 0.948 ± (0.004) 0.978 ± (0.005)
(Mohammadi et al. 2019) FGLCC 10 0.932 ± (0.001) 0.991 ± (0.0002)
(Mohammadi et al. 2019) Cuttlefish 16 0.919 ± (0.001) 0.980 ± (0.0001)
(Hadeel Alazzam et al. 2020) Sigmoid-PIO 10 0.947 ± (0.001) 0.974 ± (0.001)
(Hadeel Alazzam et al. 2020) Cosine-PIO 7 0.960 ± (0.011) 0.982 ± (0.009)
Proposed method FFA–ALO 12 0.99731 ± (0.010) 0.9987 ± (0.001)
TABLE 13 Comparison between several feature selection algorithms using NSL-KDD corrected test set by DT
Reference Method #Features Accuracy ± STDV Sensitivity (TPR) ± STDV
(Shrivas & Dewangan, 2014) GR 29 0.793 ± (0.010) 0.660 ± (0.022)
(Enache & Sg^arciu, 2015) BAT 18 0.770 ± (0.004) 0.642 ± (0.008)
(Ambusaidi et al. 2016) LSSVM 18 0.762 ± (0.002) 0.613 ± (0.003)
(Moustafa & Slay, 2017) Hybrid association rules 11 0.796 ± (0.005) 0.665 ± (0.008)
(Aljawarneh et al. 2018) IG 8 0.808 ± (0.007) 0.707 ± (0.013)
(Tama et al. 2019) PSO 37 0.782 ± (0.008) 0.637 ± (0.012)
(Hadeel Alazzam et al. 2020) Sigmoid-PIO 18 0.869 ± (0.006) 0.817 ± (0.012)
(Hadeel Alazzam et al. 2020) Cosine-PIO 5 0.883 ± (0.010) 0.866 ± (0.019)
Proposed method FFA–ALO 16 0.99316 ± (0.000) 0.99246 ± (0.000)
TABLE 14 Comparison between several feature selection algorithms using UNSW-NB15 corrected test set by DT
Reference Method #Features Accuracy ± STDV Sensitivity (TPR) ± STDV
(Moustafa & Slay, 2017) Hybrid association rules 11 0.792 ± (0.0008) 0.721 ± (0.001)
(Tama et al. 2019) PSO 19 0.895 ± (0.0003) 0.863 ± (0.0004)
(Kumar et al. 2019) Rule-based 13 0.884 ± (0.003) 0.889 ± (0.005)
(Hadeel Alazzam et al. 2020) Sigmoid-PIO 14 0.913 ± (0.0002) 0.897 ± (0.0003)
(Hadeel Alazzam et al. 2020) Cosine-PIO 5 0.917 ± (0.000) 0.894 ± (0.000)
Proposed method FFA–ALO 15 0.99127 ± (0.000) 0.93469 ± (0.000)
SAMADI BONAB ET AL.21 of 26
with values, 99.316% and 99.246% for the UNSW-NB15, with values of 99.127% and 93.469%, respectively, has optimum
performance.
In Figure 9, performance of the FFA–ALO on the UNSW-NB15 dataset has been compared with the ABC-AFS
18,77
methods, HC-IBGSA,
55
and in Moustafa and Slay,
77
no value has been reported for sensitivity. With the DT classifier,
the FFA–ALO has been able to obtain the accuracy of 99.127%, and with the naïve Bayes classifier, it has been able to
obtain the sensitivity of 98.675%. On the other hand, in Moustafa and Slay,
77
values obtained for accuracy by the DT
and naïve Bayes were 85.56% and 82.07%, respectively.
Table 15 shows the detection accuracy of the proposed method compared with other methods on the KDD Cup99
by type of attacks. The proposed method with 99.05%, 99.6%, 86.99%, and 30.79% for DOS, probe, U2R, and R2L attacks,
respectively, performs better than other methods.
Considering the reported results, the hybrid of two algorithms increases the population diversity and guarantees
finding better solutions with higher accuracy. In order to combine the advantages of the two algorithms, FFA and ALO,
this method has been applied. The FFA, due to having a smaller number of parameters, is simple, and its convergence
rate is faster. The ALO is suitable for exploitation and is seldom trapped in local optima due to the issue of elitism and
FIGURE 9 Comparison of
the accuracy and sensitivity of
the FFA–ALO with other
methods on UNSW-NB15
TABLE 15 Comparison of accuracy (%) between several feature selection algorithms using KDD Cup99
Ref. Algorithm DOS Probe Other U2R R2L
51
ID3 95.67 95.45 95.62 ——
C4.5 96.32 96.06 96.21 ——
SVM 97.52 97.34 97.42 ——
MSVM 98.46 98.27 98.43 ——
EMSVM 99.12 99.00 99.19 ——
WDBOD 99.62 99.42 99.52 ——
52
Proposed LAICRF 97.62 98.83 —86.91 32.43
Existing LACRF 97.40 98.60 —86.300 29.600
C4.5 (decision tree) 97.00 80.80 —1.800 4.600
Enhanced C4.5 97.12 81.5 —6.24 12.57
Multilayer perception 97.20 88.70 —13.200 5.600
4
SVM 92.30 91.53 60.73 ——
IAEMSVM 99.69 99.58 71.52 ——
IREMSVM 99.79 99.78 71.71 ——
Proposed method 99.05 99.6 —87.09 31.79
22 of 26 SAMADI BONAB ET AL.
using the mechanism of reducing the problems of compatibility. Also, ALO is useful for solving problems having
diverse search spaces and shows a good performance in searching the feature space for finding optimal subset of
features.
5.2.3 |Evaluation the computational complexity
The usual metrics to IDS evaluation such as accuracy, sensitivity, and computational complexity are important factors
that show the efficiency of the methods. IDS designing with lower complexity is a vital requirement. As mentioned in
Section 4, the proposed method is composed of three steps. Computational complexity of hybrid algorithm is
O(Itmax ×NP ×D) ×O(f(x)),where Itmax, NP, D, and f(x) indicate maximum iteration of algorithm, number of popula-
tion, dimension, and fitness function. Complexity of the tree building equals to O(n ×rlogr), where n and r indicates
the number of features and number of records, respectively. Complexity of sorting algorithm equals to O(nlogn). Com-
putational complexity of feature selection is O(ns
2
D) where n and s are feature number and number of subsets, respec-
tively. As a result, overall computational complexity O(Itmax ×NP ×D+n×rlogr+nlogn+ns
2
D) = O(n
2
). The
disadvantage of the proposed method is the time complexity due to the combination of the two algorithms rather than
the individual algorithms.
6|CONCLUSION AND FUTURE WORK
In this paper, a new algorithm based on the FFA–ALO was proposed for the purpose of IDS in order to distinguish
between the normal and abnormal behavior of networks. It has been applied for the purpose of wrapper-based feature
selection on the datasets of IDS and the elimination of less important features. This new method of classification was
applied on three known datasets including the KDD Cup99, NSL-KDD, and UNSW-NB15. For the purpose of evalua-
tion, the FFA–ALO was tested in two stages. In the first stage, performance of the FFA–ALO in terms of the sum of
within-cluster distance was investigated on seven standard datasets. In the second stage, after conducting feature selec-
tion by the proposed algorithm, four classifiers (SVM, KNN, naïve Bayes, and DT) were implemented to evaluate the
selected features, and the criteria used to evaluate performance consisted of the elapsed time, accuracy, specificity, and
sensitivity. The proposed method reduced the number of features from 41 to 12 and 16 in KDD Cup99 and NSL-KDD,
respectively, and 48 to15 in UNSW-NB15 dataset. The proposed method decreases the number of the features used for
the detection, so will significantly reduce both CPU time and the size of memory required for intrusion detection. This
shows that the proposed method is very reliable for intrusion detection. Results indicate that the proposed FFA–ALO-
based detection method outperforms other methods because it can provide better representation of the data not only on
earlier dataset but also on UNSW-NB15 as the one suitable for detecting newer attacks. This is due to the fact that it
can accurately detect attacks using smaller number of features. In the future studies, instead of classifying groups into
normal versus intrusion activities, more groups can be considered so that the algorithm can classify diverse types of
intrusion within the datasets of IDS.
ORCID
Ali Ghaffari https://orcid.org/0000-0001-5407-8629
REFERENCES
1. Aghdam MH, Kabiri P. Feature selection for intrusion detection system using ant colony optimization. Int J Netw Secur. 2016;18(3):
420-432.
2. Gharehchopogh FS, Shayanfar H, Gholizadeh H. A comprehensive survey on symbiotic organisms search algorithms. Artificial Intelli-
gence Review. 2019;1-48.
3. Gharehchopogh FS, Gholizadeh H. A comprehensive survey: whale optimization algorithm and its applications. Swarm Evol Comput.
2019;48:1-24.
4. Ganapathy S, Kulothungan K, Muthurajkumar S, Vijayalakshmi M, Yogesh P, Kannan A. Intelligent feature selection and classification
techniques for intrusion detection in networks: a survey. EURASIP J Wireless Comm Netw. 2013;2013(1):271.
5. Mafarja MM, Mirjalili S. Hybrid whale optimization algorithm with simulated annealing for feature selection. Neurocomputing. 2017;
260:302-312.
SAMADI BONAB ET AL.23 of 26
6. Shayanfar H, Gharehchopogh FS. Farmland fertility: a new metaheuristic algorithm for solving continuous optimization problems. Appl
Soft Comput. 2018;71:728-746.
7. Pandey HM, Chaudhary A, Mehrotra D. A comparative review of approaches to prevent premature convergence in GA. Appl Soft Com-
put. 2014;24:1047-1077.
8. Ting T, Yang XS, Cheng S, Huang K. Hybrid metaheuristic algorithms: past, present, and future. In: Recent Advances in Swarm Intelli-
gence and Evolutionary Computation. Cham: Springer; 2015:71-83.
9. Acharya N, Singh S. An IWD-based feature selection method for intrusion detection system. Soft Comput. 2018;22(13):4407-4416.
10. Fernandes G Jr, Carvalho LF, Rodrigues JJPC, Proença ML Jr. Network anomaly detection using IP flows with principal component
analysis and ant colony optimization. J Netw Comput Appl. 2016;64:1-11.
11. Bamakan SMH, Wang H, Yingjie T, Shi Y. An effective intrusion detection framework based on MCLP/SVM optimized by time-varying
chaos particle swarm optimization. Neurocomputing. 2016;199:90-102.
12. Rajasekhar A, Lynn N, Das S, Suganthan PN. Computing with the collective intelligence of honey bees–a survey. Swarm Evol Comput.
2017;32:25-48.
13. Chung YY, Wahid N. A hybrid network intrusion detection system using simplified swarm optimization (SSO). Appl Soft Comput. 2012;
12(9):3014-3022.
14. Aslahi-Shahri B, Rahmani R, Chizari M, et al. A hybrid method consisting of GA and SVM for intrusion detection system. Neural Com-
put Applic. 2016;27(6):1669-1676.
15. Hamamoto AH, Carvalho LF, Sampaio LDH, Abr~
ao T, Proença ML Jr. Network anomaly detection system using genetic algorithm and
fuzzy logic. Expert Syst Appl. 2018;92:390-402.
16. Aburomman AA, Ibne Reaz MB. A novel SVM-kNN-PSO ensemble method for intrusion detection system. Appl Soft Comput. 2016;38:
360-372.
17. Rizk-Allah R. Hybridization of fruit fly optimization algorithm and firefly algorithm for solving nonlinear programming problems. Int J
Swarm Intell Evol Comput. 2016;5(2):1-10.
18. Hajisalem V, Babaie S. A hybrid intrusion detection system based on ABC-AFS algorithm for misuse and anomaly detection. Comput
Network. 2018;136:37-50.
19. Mafarja MM, Mirjalili S. Hybrid binary ant lion optimizer with rough set and approximate entropy reducts for feature selection. Soft
Computing. 2018;1-17.
20. Oh I-S, Lee J-S, Moon B-R. Hybrid genetic algorithms for feature selection. IEEE Trans Pattern Anal Mach Intell. 2004;20(11):1424-1437.
21. Mahmoudi M, Gharehchopogh FS. An improvement of shuffled frog leaping algorithm with a decision tree for feature selection in text
document classification
22. Pan W-T. A new fruit fly optimization algorithm: taking the financial distress model as an example. Knowl Base Syst. 2012;26:69-74.
23. Shen L, Chen H, Yu Z, et al. Evolving support vector machines using fruit fly optimization for medical data classification. Knowl Base
Syst. 2016;96:61-75.
24. Meng T, Pan Q-K. An improved fruit fly optimization algorithm for solving the multidimensional knapsack problem. Appl Soft Comput.
2017;50:79-93.
25. Pan Q-K, Sang HY, Duan JH, Gao L. An improved fruit fly optimization algorithm for continuous function optimization problems.
Knowl Base Syst. 2014;62:69-83.
26. Xiao W, Yang Y, Xing H, Meng X. Clustering algorithm based on fruit fly optimization. In: International Conference on Rough Sets and
Knowledge Technology. Cham: Springer; 2015.
27. Miti
c M, Vukovi
c N, Petrovi
c M, Miljkovi
c Z. Chaotic fruit fly optimization algorithm. Knowl Base Syst. 2015;89:446-458.
28. Wang L, Liu R, Liu S. An effective and efficient fruit fly optimization algorithm with level probability policy and its applications. Knowl
Base Syst. 2016;97:158-174.
29. Hu J, Wang C, Liu C, Ye Z. Improved K-means algorithm based on hybrid fruit fly optimization and differential evolution. In: 2017 12th
International Conference on Computer Science and Education (ICCSE). IEEE; 2017.
30. Chikh R, Chikhi S. Clustered negative selection algorithm and fruit fly optimization for email spam detection. J Ambient Intell Human
Comput. 2017;10(1):1-10.
31. Mirjalili S. The ant lion optimizer. Adv Eng Software. 2015;83:80-98.
32. Yogarajan G, Revathi T. Improved cluster based data gathering using ant lion optimization in wireless sensor networks. Wireless Pers
Comm. 2018;98(3):2711-2731.
33. Emary E, Zawbaa H, Hassanien AE. Binary ant lion approaches for feature selection. Neurocomputing. 2016;213:54-65.
34. Zawbaa HM, Emary E, Grosan C. Feature selection via chaotic antlion optimization. PLoS ONE. 2016;11(3):1-21.
35. Mirjalili S, Jangir P, Saremi S. Multi-objective ant lion optimizer: a multi-objective optimization algorithm for solving engineering prob-
lems. Appl Intell. 2017;46(1):79-95.
36. Mafarja M, Eleyan D, Abdullah S, Mirjalili S. S-shaped vs. V-shaped transfer functions for ant lion optimization algorithm in feature
selection problem. In: Proceedings of the International Conference on Future Networks and Distributed Systems. Cambridge, United King-
dom: Association for Computing Machinery; 2017 p. Article 21.
37. Ghanem W, Jantan A. Novel multi-objective artificial bee colony optimization for wrapper based feature selection in intrusion detection.
Int J Adv Soft Comput Appl. 2016;8(1): 70-81.
24 of 26 SAMADI BONAB ET AL.
38. Khorram T, Baykan NA. Feature selection in network intrusion detection using metaheuristic algorithms. Int J Adv Res, Ideas Innovat
Technol. 2018;4(4):704-710.
39. Selvakumar B, Muneeswaran K. Firefly algorithm based feature selection for network intrusion detection. Comput Secur. 2019;81:
148-155.
40. Gauthama Raman MR, Somu N, Kirthivasan K, Liscano R, Shankar Sriram VS. An efficient intrusion detection system based on
hypergraph - genetic algorithm for parameter optimization and feature selection in support vector machine. Knowl Base Syst. 2017;134:
1-12.
41. Emary E, Zawbaa HM. Feature selection via Lèvy antlion optimization. Pattern Anal Appl. 2018;1-20.
42. Gharehchopogh FS, Jabbari N, Azar ZG. Evaluation of fuzzy k-means and k-means clustering algorithms in intrusion detection systems.
Int J Sci Technol Res. 2012;1(11):66-72.
43. Beheshti Z, Shamsuddin SM, Yuhaniz SS. Binary accelerated particle swarm algorithm (BAPSA) for discrete optimization problems.
J Global Optim. 2013;57(2):549-573.
44. Alzubi QM, Anbar M, Alqattan ZN, Al-Betar MA, Abdullah R. Intrusion detection system based on a modified binary grey wolf optimi-
sation. Neural Comput Applic. 2019;1-13.
45. Bostani H, Sheikhan M. Hybrid of binary gravitational search algorithm and mutual information for feature selection in intrusion detec-
tion systems. Soft Comput. 2017;21(9):2307-2324.
46. Zavala GR, Nebro AJ, Luna F, Coello Coello CA. A survey of multi-objective metaheuristics applied to structural optimization. Struct
Multidisc Optim. 2014;49(4):537-558.
47. Armano G, Farmani MR. Multiobjective clustering analysis using particle swarm optimization. Expert Syst Appl. 2016;55:184-193.
48. Xue B, Zhang M, Browne WN. Particle swarm optimization for feature selection in classification: a multi-objective approach. IEEE Trans
Cybern. 2013;43(6):1656-1671.
49. Rojas-Morales N, Rojas M-CR, Ureta EM. A survey and classification of opposition-based metaheuristics. Comput Ind Eng. 2017;110:
424-435.
50. Mahdavi S, Rahnamayan S, Deb K. Opposition based learning: a literature review. Swarm Evol Comput. 2018;39:1-23.
51. Ganapathy S, Jaisankar N, Yogesh P, Kannan A. An intelligent system for intrusion detection using outlier detection. In 2011 International
Conference on Recent Trends in Information Technology (ICRTIT). 2011. IEEE
52. Ganapathy S, Vijayakumar P, Yogesh P, Kannan A. An intelligent CRF based feature selection for effective intrusion detection. Int Arab
J Inform Technol (IAJIT). 2016;13(1):44–50.
53. Eesa AS, Orman Z, Brifcani AMA. A novel feature-selection approach based on the cuttlefish optimization algorithm for intrusion detec-
tion systems. Expert Syst Appl. 2015;42(5):2670-2679.
54. Mohammadi S, Mirvaziri H, Ghazizadeh-Ahsaee M, Karimipour H. Cyber intrusion detection by combined feature selection algorithm.
J Inform Secur Appl. 2019;44:80-88.
55. Raman MG, Somu N, Jagarapu S, et al. An efficient intrusion detection technique based on support vector machine and improved binary
gravitational search algorithm. Artif Intell Rev. 2019;1-32.
56. Alazzam H, Sharieh A, Sabri KE. A feature selection algorithm for intrusion detection system based on pigeon inspired optimizer. Expert
Syst Appl. 2020;148:113249.
57. Harvey DY, Todd MD. Automated feature design for numeric sequence classification by genetic programming. IEEE Trans Evol Comput.
2015;19(4):474-489.
58. Xue B, Zhang M, Browne WN. Particle swarm optimisation for feature selection in classification: novel initialisation and updating mech-
anisms. Appl Soft Comput. 2014;18:261-276.
59. Chen Y, Miao D, Wang R. A rough set approach to feature selection based on ant colony optimization. Pattern Recognit Lett. 2010;31(3):
226-233.
60. Selvamani D, Selvi V. A comparative study on the feature selection techniques for intrusion detection system. Asian J Comput Sci
Technol. 2019;8(1):42-47.
61. Gu S, Cheng R, Jin Y. Feature selection for high-dimensional classification using a competitive swarm optimizer. Soft Comput. 2018;
22(3):811-822.
62. Rao H, Shi X, Rodrigue AK, et al. Feature selection based on artificial bee colony and gradient boosting decision tree. Appl Soft Comput.
2019;74:634-642.
63. Mafarja M, Aljarah I, Faris H, Hammouri AI, al-Zoubi AM, Mirjalili S. Binary grasshopper optimisation algorithm approaches for fea-
ture selection problems. Expert Syst Appl. 2019;117:267-286.
64. Wang L, Shi Y, Liu S. An improved fruit fly optimization algorithm and its application to joint replenishment problems. Expert Syst Appl.
2015;42(9):4310-4323.
65. Moustafa N, Slay J. UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In
2015 military communications and information systems conference (MilCIS). 2015. IEEE
66. Kevric J, Jukic S, Subasi A. An effective combining classifier approach using tree algorithms for network intrusion detection. Neural
Comput Applic. 2017;28(1):1051-1058.
67. Dhanabal L, Shantharajah S. A study on NSL-KDD dataset for intrusion detection system based on classification algorithms. Int J Adv
Res Comput Comm Eng. 2015;4(6):446-452.
SAMADI BONAB ET AL.25 of 26
68. Moussaid NE, Toumanari A. Overview of intrusion detection using data-mining and the features selection. In 2014 International Confer-
ence on Multimedia Computing and Systems (ICMCS). 2014.
69. Ibrahim LM, Basheer DT, Mahmod MS. A comparison study for intrusion database (Kdd99, Nsl-Kdd) based on self organization map
(SOM) artificial neural network. J Eng Sci Technol. 2013;8(1):107-119.
70. Moustafa N, Slay J. A hybrid feature selection for network intrusion detection systems: central points. arXiv preprint arXiv:1707.05505,
2017.
71. Madbouly AI, Barakat TM. Enhanced relevant feature selection model for intrusion detection systems. Int J Intell Eng Informat. 2016;
4(1):21-45.
72. Maza S, Touahria M. Feature selection for intrusion detection using new multi-objective estimation of distribution algorithms. Appl
Intell. 2019;49(12):4237-4257.
73. Choudhury S, Bhowal A. Comparative analysis of machine learning algorithms along with classifiers for network intrusion detection. In
2015 International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and Mate-
rials (ICSTM). 2015.
74. Han X, Quan L, Xiong XY, Almeter M, Xiang J, Lan Y. A novel data clustering algorithm based on modified gravitational search algo-
rithm. Eng Appl Artif Intel. 2017;61:1-7.
75. Das P, Das DK, Dey S. A modified bee colony optimization (MBCO) and its hybridization with k-means for an application to data clus-
tering. Appl Soft Comput. 2018;70:590-603.
76. Kar P, Banerjee S, Mondal KC, Mahapatra G, Chattopadhyay S. A hybrid intrusion detection system for hierarchical filtration of anoma-
lies. In: Information and Communication Technology for Intelligent Systems. Singapore: Springer; 2019:417-426.
77. Moustafa N, Slay J. The evaluation of network anomaly detection systems: statistical analysis of the UNSW-NB15 data set and the com-
parison with the KDD99 data set. Inform Secur J: Global Perspect. 2016;25(1-3):18-31.
How to cite this article: Samadi Bonab M, Ghaffari A, Soleimanian Gharehchopogh F, Alemi P. A wrapper-
based feature selection for improving performance of intrusion detection systems. Int J Commun Syst. 2020;
e4434. https://doi.org/10.1002/dac.4434
26 of 26 SAMADI BONAB ET AL.
A preview of this full-text is provided by Wiley.
Content available from International Journal of Communication Systems
This content is subject to copyright. Terms and conditions apply.
