Sage Journals: Discover world-class research

Abstract

An intrusion detection method using rough-fuzzy set and parallel quantum genetic algorithm (RFS-QGAID) is proposed in this paper. The RFS-QGAID is applied to solve the serious problems of determining the optimal antibodies subsets used to detect an anomaly. To obtain a simplified antibodies collection for high dimensional Log data sets, RFS is applied to delete the redundant antibody features and obtain the optimal antibodies features combination. Then, the optimal attitudes are entered into the QGA classifier for learning and training in the following stage. At last, the detected Log antigens are fed into RFS-QGAID, and we can classify the intrusion types. With RFS-QGAID, we give the simulations, the results on real Log data sets show that: the higher detection accuracy of RFS-QGAID is higher detection accuracy, but the false negative rate is lower for small samples sets, the adaptive performance is higher than other detection algorithms.

Keywords

Rough set fuzzy set quantum parallel universe genetic algorithm

1. Introduction

As an effective network security defense tool, many Intrusion Detection Systems (IDS) based on artificial intelligence are proposed. The artificial intelligent algorithms include: deep learning (DL) [20], support vector machine (SVM) [2,11], fuzzy sets (FS) [23], outliers [18], random forest (RF) [9,10] and genetic algorithm (GA) [21]. Mohammed et al. designed an intelligent two-layer IDS for the new network Internet of Things (IoT) [14].

Alyaseen et al. designed an intrusion detection algorithm, they reduced the features with K-means and obtained higher classifying performance [2]. JooHwa et al. [10] designed an IDS, which was based on auto-encoder conditional algorithm, generatively adversarial networks and the RF algorithm (AE-CGAN-RF), auto-encoder conditional algorithm was adopted to obtain reduced features collection from high-dimensional data set.

Ren et al. applied the outliers method to calculate the attribute values and delete redundant features in a hybrid multilevel IDS [9]. These reduction algorithms can reduce partial redundant attributes, but they have shortcomings about the analysis of the characteristics of the relationship between attributes, so some redundant attributes are retained [24,25].

Because there are many redundant attributes in detected data of IDS [3,5,6,16,26], RS and FS are used in ID system. Pawlak put forward RS theory. Fortunately, RS is applied in the attributes reduction. RS has the ability to deal with incomplete and uncertain records set, get the best attributes by removing redundant. With RS and FS, we can get the memory antibodies [23].

For another, the ability of classifier directly decides the anomaly detection accuracy [12]. Yang improved the Clustering Algorithm with Modified Density Peak values (MDPCA) [23], and gave an IDS to improve the density of the peak to solve the problem of imbalance between detection rate and false detection rate. Song et al. [18] designed an anti-adversarial hidden markov model IDS (AA-HMM) to get higher classification ability. While those algorithms lack adaptivity. Orieb et al. proposed a pigeon-inspired optimization improved by a local search algorithm d (LS-PIO) [1] and applied it to an IoT network. Maya et al. gave a dual IDS with bagging and gradient boosting decision tree (GBDT) to decrease the false alarm rate [13]. Ankit and Ritika proposed an IDS based on deep neural network, they applied the fusion of statistical importance to select features [4].

The GA is applied to improve the self-adaptability in IDS. Zahra et al. gave an ID system with FS and GA, which are adopted to generate a reduced features collection, which included the fuzzy if-then antibodies classification rules, GA was applied to calculate the antibodies rule weights specification [21]. However, the initial population distribution of antibodies affect the detection performances of IDS greatly. For the fixing crossover probability values and mutation probability values of genetic operators, the global optimal solutions are unconducive to search.

In order to get higher intrusion detection performances, especially for the small samples sets, the Rough-Fuzzy Set method is proposed to delete the redundant attributes, obtain the optimum antibodies features sets and achieve effective compact features dataset after reducing all the unnecessary attributes. Then, synthesizing GA and the quantum computing, we design a MOP-AQGA algorithm. Finally, we propose an ID method based on RFS and QGA. Experiments are given on intrusion data which are collected from real network traffic records, and the results show that RFS-QGAID has better intrusion detection performances as it has higher detection, accuracy and lower false positive rate for small samples sets.

2. The RFS algorithm

2.1. Rough set

Combined the RS and AIS, the key definitions are given in following definitions [23].

Definition 1.
$a_{t g} \in A_{t g}$ , $a_{t g}$ is an antige, $A_{t g}$ denotes an antigen collection, $A_{t g} \subset S$ , $S = {0, 1}^{m}$ , ( $m \in N$ , $m > 0$ ), S is a binary string of m bits. N is the positive integers collection.
Definition 2.
$a_{t b} \in A_{t b}$ , $d \in S$ , $a_{g e} \in N$ , $A_{t b} {⟨ a_{t b}, a_{s}, a_{g e}, c ⟩}$ , $a_{s} \in {00, 01, 10}$ . $A_{t b}$ is an antibodies collection, $a_{s}$ denotes the status value of antibody, which includes three status: 00, 01 and 10, $a_{g e}$ presents the living time of antibody, c is the matching number of bits between antibodies and antigens. $A_{t b}$ contains three subsets $A_{t b I}$ , $A_{t b T}$ and $A_{t b M}$ , $A_{t b I}$ denotes the set which includes immature antibodies whose status are 00, $A_{tbI} = {I_{b} | I_{b} \in A_{tbI}, I_{b} . a_{s} = 00}$ , $A_{t b T}$ denotes the set which includes mature antibodies whose status are 01, $A_{tbT} = {T_{b} | T_{b} \in A_{tbT}, T_{b} . a_{s} = 01}$ ; $A_{t b M}$ the set which includes memory antibodies whose status are 10, $A_{tbM} = {M_{b} | M_{b} \in A_{tbM}, M_{b} . a_{s} = 10}$ .
Definition 3.
$A_{t} = S_{f} \cup N_{f}$ , all the antigens and antibodies form the collection $A_{t}$ . $S_{f}$ is on behalf of the normal behaviors collection, while $N_{f}$ stands for the attacks collection, the intersection between $S_{f}$ and $N_{f}$ is NULL.

The bonding strength is denoted as affinity between $a_{t g}$ and $a_{t b}$ . Definition 4.
The affinity between $a_{t g}$ and $a_{t b}$ is generated with formula (1): $\begin{matrix} (1) & D = \sqrt{\sum_{i = 1}^{m} {(a_{t g^{i}} - a_{t b^{i}})}^{2}} \end{matrix}$ $a_{t g^{i}}$ and $a_{t b^{i}}$ denote the values of ith bit of $a_{t g}$ and $a_{t b}$ respectively.
Definition 5.
The decision system with antibodies attributes is denoted $AADT = ⟨ A, C_{atb} \cup D_{atb}, V_{atb}, f ⟩$ .

$A_{t} = {a_{t b^{1}}, a_{t b^{2}}, \dots, a_{t b^{n}}}$ , $A_{t} \neq ϕ$ , $a_{t b^{i}}$ denotes an antibody, $A_{t}$ is given in Definition 3.

$C_{atb} = {a_{t^{1}}, a_{t^{2}}, \dots, a_{t^{m}}}$ , $C_{atb}$ contains m attributes of antibodies called conditional attributes collection.

$D_{atb}$ denotes the antibodies category attributes collection, the union of $C_{atb}$ and $D_{atb}$ is $A_{t}$ , $C_{atb} \cap D_{atb} = ϕ$ .

$V_{a t} = ⋃_{a_{t b} \in C_{atb} \cup D_{atb}} V_{atb}$ , $V_{atb}$ is named $a_{t b}$ ’s domain;

$f : A_{t} \times C_{atb} \to V_{a t}$ , f denote the function between attitudes and antibodies attribute.
Definition 6.
For the collection $B_{t}$ , $B_{t} \subset A_{t}$ decides an antibodies relation of equivalence $IND (B_{t})$ : $IND (B_{t}) = {(a_{t b}, a_{t b}^{'}) \in A_{t} \times A_{t} | \forall a_{t b}^{″} \in B_{t}, f (a_{t b}, a_{t b}^{″}) = f (a_{t b}^{'}, a_{t b}^{″})$ . $A_{t}$ contains k types with $IND (B_{t})$ , every subtype has a kind of antibodies: $\begin{matrix} (2) & IND (B_{t}) = {[A_{t b}]}_{IND (B_{t})} = {A_{t b^{1}}, A_{t b^{2}}, \dots, A_{t b^{k}}} \end{matrix}$
Definition 7.
Antibody lower approximate collection $B * (A_{t b})$ contains all the certain antibodies, but the upper approximation collection includes all possible antibodies.

Let a decision system with antibodies attributes is $AADT = ⟨ A, C_{atb} \cup D_{atb}, V_{atb}, f ⟩$ , $\forall A_{t b}$ and $A_{t b} \subseteq A_{t}$ , equivalence relations $\forall B_{t} \subseteq A_{t}$ , the lower approximation of $A_{t b}$ is defined with $B * (A_{t b}) = ⋃ {A_{t b i}^{'} | A_{t b i}^{'} \in A_{t} / IND (B_{t}) \land A_{t b i}^{'} \in A_{t b}}$ .
Definition 8.
$AADT = ⟨ A, C_{atb} \cup D_{atb}, V_{atb}, f ⟩$ is a decision system with antibodies attributes, the positive domain of decision attribute is defined in formula (3): $\begin{matrix} (3) & {POS}_{B} (D_{atb}) = ⋃_{A_{t b} \in A_{t} / D_{atb}} B * (A_{t b}) \end{matrix}$
Definition 9.
Antibody attribute dependency is shown as follows. $\begin{matrix} (4) & r (C_{atb}, D_{atb}) = | POS (C_{atb}, D_{atb}) | / | A_{t} | \end{matrix}$ $| POS (C_{atb}, D_{atb}) |$ and $| A_{t} |$ are the total number of antibodies in $| POS (C_{atb}, D_{atb}) |$ and $AADT$ respectively.
Definition 10.
The significance degree of antibody attributes is given as: $\begin{matrix} (5) & SGF (a_{t b}, C_{atb}, D_{atb}) = r (C_{atb}, D_{atb}) - r ((C_{atb} - {a_{t b}}), D_{atb}) \end{matrix}$

2.2. FS

The theory of FS is described that all the attributes of log data are applied to generate a fuzzy matrix, at the same time, the antibodies’ classified results are calculated after analyzing the relationship of antibodies. The total number of FS and the subfunction of each subclass decide the final results [23].

Definition 11.
We divide all the antibodies into k ( $2 ⩽ k ⩽ n$ ) types of collections, $M_{fc}$ is: $\begin{matrix} (6) & A_{t c} = {A_{t b} | a_{t b^{i k}} \in [0, 1], \sum_{i = 1}^{c} a_{t b^{i k}} = 1; 0 < \sum_{k = 1}^{n} a_{t b^{i k}} < n} \end{matrix}$ $a_{t b^{i k}}$ is the kth antibodies $x_{k}$ , that is from the subset $A_{t b}$ .
Definition 12.
For each type of fuzzy k-division, the antibody objective function $J_{m}$ is defined: $\begin{array}{l} (7) & J_{m} (A_{t}, v) = \sum_{k = 1}^{n} \sum_{i = 1}^{c} {(a_{t b^{i k}})}^{m} {(d_{i k})}^{2} \\ (8) & d_{i k} = d (x_{k} - v_{i}) = {[\sum_{j = 1}^{m} {(x_{k j} - v_{i j})}^{2}]}^{\frac{1}{2}} \end{array}$

m ( $1 ⩽ m < \infty$ ) is the weight value of antibody, that is applied to change the fuzzy degree, and each category center coordinates are obtained with following formula: $\begin{matrix} (9) & v_{i j} = \frac{\sum_{k = 1}^{n} u_{i k}^{m} . x_{k j}}{\sum_{k = 1}^{n} u_{i k}^{m}}, j = 1, 2, \dots, p \end{matrix}$

The final purpose of RFS is to generate the best classification $U^{}$ , which is defined in formula (10): $\begin{matrix} (10) & J_{m}^{} (A_{t}^{*}, v) = min_{M_{f c}} J (A_{t}, v) \end{matrix}$
2.3. The rough fuzzy set algorithm

The goals of RFS are: we can get the diversity of antibodies, avoid the RFS-MOP-AQGAID’s local convergence. Standardized steps of the RFS are shown as Table 1.

Table 1
Standardized process of the RFS

Standardized process of the RFS

1. The training samples are converted as $A_{t b}$ with Definition 2;

2. $AADT$ is generated with Definition 5;

3. Calculate the $IND (B_{t})$ with formula (2);

4. Generate the positive domain of decision attribute with formula (3);

5. Reduce the redundant attributes of $AADT$ by calculating all the significance of attributes;

6. Give the value of parameter k ( $2 ⩽ k ⩽ n$ ), $A_{t c}^{(0)} = A_{t c}^{'}$ . Every step is labeled with r tags, $r = 0, 1, 2, \dots$ ;

7. In every step, we calculate k centers values respectively ${v_{i}^{(r)}}$ , $v_{i}^{(r)} = \sum_{j = 1}^{k} v_{i j}$ ;

8. In the rth step, the matrix $A_{t c}^{(r)}$ is generated by formula: $u_{i k}^{(r + 1)} = {[\sum_{j = 1}^{k} {(\frac{d_{i k}^{(r)}}{d_{j k}^{(r)}})}^{2 / (m - 1)}]}^{- 1}$ , When $I_{k} = \emptyset$ or $u_{i k}^{(r + 1)} = 0$ , $i \in {\tilde{I}}_{k}$ , $I_{k} = {i | 2 ⩽ k < n, d_{i k}^{(r)} = 0}$ , so we can get: ${\tilde{I}}_{j} = {1, 2, \dots, k} - I_{j}$ , $\sum_{i \in I_{j}} u_{i j}^{(r + 1)} = 1$ .

9. If $‖ A_{t}^{(r + 1)} - A_{t}^{(r)} ‖ ⩽ ε_{L}$ ( $ε_{L}$ is a given accuracy), then stop, else $r = r + 1$ , and go to step 3.

10. Output the selected antibodies.

Standardized process of the RFS
1.	The training samples are converted as $A_{t b}$ with Definition 2;
2.	$AADT$ is generated with Definition 5;
3.	Calculate the $IND (B_{t})$ with formula (2);
4.	Generate the positive domain of decision attribute with formula (3);
5.	Reduce the redundant attributes of $AADT$ by calculating all the significance of attributes;
6.	Give the value of parameter k ( $2 ⩽ k ⩽ n$ ), $A_{t c}^{(0)} = A_{t c}^{'}$ . Every step is labeled with r tags, $r = 0, 1, 2, \dots$ ;
7.	In every step, we calculate k centers values respectively ${v_{i}^{(r)}}$ , $v_{i}^{(r)} = \sum_{j = 1}^{k} v_{i j}$ ;
8.	In the rth step, the matrix $A_{t c}^{(r)}$ is generated by formula: $u_{i k}^{(r + 1)} = {[\sum_{j = 1}^{k} {(\frac{d_{i k}^{(r)}}{d_{j k}^{(r)}})}^{2 / (m - 1)}]}^{- 1}$ , When $I_{k} = \emptyset$ or $u_{i k}^{(r + 1)} = 0$ , $i \in {\tilde{I}}_{k}$ , $I_{k} = {i \| 2 ⩽ k < n, d_{i k}^{(r)} = 0}$ , so we can get: ${\tilde{I}}_{j} = {1, 2, \dots, k} - I_{j}$ , $\sum_{i \in I_{j}} u_{i j}^{(r + 1)} = 1$ .
9.	If $‖ A_{t}^{(r + 1)} - A_{t}^{(r)} ‖ ⩽ ε_{L}$ ( $ε_{L}$ is a given accuracy), then stop, else $r = r + 1$ , and go to step 3.
10.	Output the selected antibodies.

In RFS, rough set algorithm is used to obtain the reduction of antibodies, while there are some attributes which are uncertain values, which are easily neglected.

3. The QGAID algorithm

3.1. Evolution process of QGA

As GA has an adaptive mechanism, with GA we can calculate the individual antibodies’ fitness and allocate certain antibody quantum rotation angle values. With GA, the IDS’ convergence rate can be accelerated. This antibody quantum rotation angle value mechanism can easily achieve diversity of antibodies in their later evolution period, so the results of intrusion detection may be obviously affected. We adopted four operators to finish the antibodies’ cooperative evolution, which include antibodies similarity calculation operator, antibody fitness calculation operator, antibody population variation correction coefficient operator, and antibodies mutation operator. So we can calculate the dynamic mutation probability of different individuals in their evolution generations, the population diversity can be increase in the late period of population evolution. Hamming distance denotes similarity of individual antibodies. With the hamming distance value decreasing, the two individuals are more similar. The operators are shown as follows:

Definition 13.
Antibody similarity calculation operator $a_{similar}$ : $a_{similar}$ is applied to get the differences of individuals in the current antibodies population, which is demonstrated as equation (11) [28]. $\begin{matrix} (11) & a_{similar} = \{\begin{matrix} \frac{x_{avger} - x_{mini}}{x_{maxi} - x_{mini}}, & x_{maxi} \neq x_{mini} \\ 0, & x_{maxi} = x_{mini} \end{matrix} \end{matrix}$

In (11), $x_{maxi}$ denotes the individual with the maximal hamming distance in current population, $x_{mini}$ denotes the individual with the maximal hamming distance, we calculate the average hamming distance value of all antibodies with the best antibodies in current population as $x_{avger}$ . The less $a_{similar}$ is, the more similar the individuals are, so we choose less mutation probability to maintain antibodies population steadily; in contrast, the larger $x_{sim}$ represents that larger antibodies mutation probability should be adopted to increase the diversity of antibodies.
Definition 14.
Antibody fitness calculation operator $a_{fitni}^{'}$ : $a_{fitni}^{'}$ is to calculate the ith individuals’ fitness, which is demonstrated in the following equation: $\begin{matrix} (12) & a_{fitni}^{'} = \{\begin{matrix} \frac{f_{max} - f_{i}}{f_{max} - f_{min}}, & f_{max} \neq f_{min} \\ 0, & f_{max} = f_{min} \end{matrix} \end{matrix}$

In equation (12), $f_{max}$ is behalf of the highest fitness value of all antibodies, $f_{min}$ presents the lowest fitness, $f_{i}$ denotes the ith antibody’s fitness value. The higher value of $y_{fit}^{'}$ means that the ith antibody is farther to the best antibodies. Therefore, we should adjust higher mutation probability when the antibodies evolve.
Definition 15.
Antibody population variation correction coefficient operator $F_{acc} (k)$ : $F_{acc} (k)$ denotes the relation of the antibodies’ evolution algebra k. $F_{acc} (k)$ is applied to change the antibody’s mutation probability for overcoming the antibodies population’s premature convergence. $F_{acc} (k)$ is demonstrated in equation (13): $\begin{matrix} (13) & F_{acc} (k) = \{\begin{matrix} F_{acc} (k - 1) + P \times \frac{s - k}{s}, & f_{max} (k) = f_{max} (k - T) \land k > T \\ F_{acc} (k - 1), & f_{max} (k) \neq f_{max} (k - T) \land k > T \\ 0, & k ⩽ T \end{matrix} \end{matrix}$

In (13), let’s suppose that n is behalf of the antibody’s current evolution algebra, s is the largest value of its evolutionary algebra, T is a constant, which is its iterations value, while the best antibodies are invariable any more. P ( $0 < P$ ) is a constant as well, which denotes the antibody’s adjusting coefficient, $f_{max} (k)$ is behalf of the optimized fitness value in the antibody’s kth generation populations. When the best fitness value of the antibodies populations are invariable for consecutive T generations, at the same time the evolution algebra do not achieve the maximum value. So we will use a larger mutation probability to modify the variation probability, the method is applied to calculated $F_{acc} (k)$ with parameters s, k and C in equation (13).
Definition 16.
Antibodies mutation operator: $a_{similar}$ , $a_{fitni}^{'}$ and $F_{acc} (k)$ are defined above, we apply them to obtain the antibodies’ current mutation probability, which is calculated with equation (14). $\begin{matrix} (14) & p_{n}^{'} = \{\begin{matrix} p_{0} \times a_{fit}^{n} \times a_{similar} + F_{acc} (k), & f_{max} \neq f_{min} \\ 0, & f_{max} = f_{min} \end{matrix} \end{matrix}$

In (14), $p_{n}^{'}$ denotes the ith antibody’s mutation probability in its kth generation population, $p_{0}$ is the initial mutation probability.
3.2. The QGA

There are three strategies in QGA, the first one is adaptive antibody correction of quantum rotation angle, which is adopted in antibody’s evolution; the second mechanism is the antibody cooperative evolution of multiple operators, with which we can obtain the optimized antibodies dynamically by modifying the mutation probability; the third one is multi-universe method, some optimal antibodies immigrant among different universes to increase the diversity the antibodies further. Therefore, antibodies quantum rotation angle is adopted to modify the antibody rotation angle step length dynamically with the antibody’s fitness. The antibody rotation angles are given in Table 2 [17].

Table 2
Antibody adaptive correction strategy

$x_{i}^{j}$ $b_{i}$ $f (x^{j}) ⩾ f (x_{best}^{t})$ $Δ θ_{i}^{j}$ $S (α_{i}^{j}, β_{i}^{j})$

$α_{i}^{j} β_{i}^{j} > 0$ $α_{i}^{j} β_{i}^{j} < 0$ $α_{i}^{j} = 0$ $β_{i}^{j} = 0$

0 0 False $θ_{1}^{j} = 0$ – – – –

0 0 True $θ_{2}^{j} = 0$ – – – –

0 1 False $θ_{3}^{j} = θ^{j}$ +1 −1 0 $\pm 1$

0 1 True $θ_{4}^{j} = θ^{j}$ −1 +1 $\pm 1$ 0

1 0 False $θ_{5}^{j} = θ^{j}$ −1 +1 $\pm 1$ 0

1 0 True $θ_{6}^{j} = θ^{j}$ +1 −1 0 $\pm 1$

1 1 False $θ_{7}^{j} = 0$ – – – –

1 1 True $θ_{8}^{j} = 0$ – – – –

$x_{i}^{j}$	$b_{i}$	$f (x^{j}) ⩾ f (x_{best}^{t})$	$Δ θ_{i}^{j}$	$S (α_{i}^{j}, β_{i}^{j})$
0	0	False	$θ_{1}^{j} = 0$	–	–	–	–
0	0	True	$θ_{2}^{j} = 0$	–	–	–	–
0	1	False	$θ_{3}^{j} = θ^{j}$	+1	−1	0	$\pm 1$
0	1	True	$θ_{4}^{j} = θ^{j}$	−1	+1	$\pm 1$	0
1	0	False	$θ_{5}^{j} = θ^{j}$	−1	+1	$\pm 1$	0
1	0	True	$θ_{6}^{j} = θ^{j}$	+1	−1	0	$\pm 1$
1	1	False	$θ_{7}^{j} = 0$	–	–	–	–
1	1	True	$θ_{8}^{j} = 0$	–	–	–	–

Let us suppose that antibody x, $f (x)$ denotes its fitness value; $x_{i}^{j}$ represents the ith gene value of the jth antibody, which is 0 or 1; $b_{i}$ is behalf of the ith best antibody value; the antibody rotation angle direction in the corresponding polar coordinates is denoted as $S (α_{i}^{j}, β_{i}^{j})$ ; $θ^{j}$ denotes the step length value of the jth antibody, where $θ^{j}$ is calculated with equation (15). $\begin{matrix} (15) & θ^{j} = \{\begin{matrix} \frac{f_{j} - f_{min}}{f_{max} - f_{min}} (K_{2} - K_{1}) + K_{1}, & f_{max} \neq f_{min} \\ K_{1}, & f_{max} = f_{min} \end{matrix} \end{matrix}$

In (15), the antibody rotation angle step length is linearly to the antibody’s fitness, therefore, individuals with higher fitness will be allocated a larger antibody rotation angle step length for antibodies’ variety, on the contrary, antibodies that have lower fitness will be assigned a smaller one, so that the antibodies will vary more lowly.

In antibodies’ current population, we calculate the antibodies’ rotation angle step length of the ith evolution according to the antibodies rotation direction of the jth individuals, which is demonstrated as equation (16). $\begin{matrix} (16) & Δ θ_{i}^{j} = θ^{j} \times S (α_{i}^{j}, β_{i}^{j}) \end{matrix}$

To decrease the extra calculation complexity, and improve the efficiency of IDS, we apply the model of 4 universes in QGA. In the 4 universes strategy, the main universe is the management center, it controls the other three auxiliary universes and translates the antibodies. In the auxiliary universe, antibodies evolve independently in their life cycles.

In some period, some part of excellent antibodies with high fitness are translated from the auxiliary universes to the main universe. In the main universe, we choose the optimal antibodies and send them to the three auxiliary universes respectively. Then certain worst antibodies with low fitness are weed out. The proposition of exchanging antibodies is 10 percent to 20 percent in all the antibodies population.

The QGA is presented in Table 3.

Table 3

QGA

The QGA
Set up the initial antibodies population: ( $t_{s} = 0$ );
For ( $i = 0$ ; $i < 3$ ; $i + +$ )//in every universe, select the optimal antibodies collection:
Generate a new antibodies set $Q_{i} (t_{s})$ ;
Observe each antibody in $Q_{i} (t_{s})$ and get the antibody’s observed state $P_{i} (t_{s})$ ;
With equation (12), generate the fitness $a_{fitni}^{'}$ of each antibody in $P_{i} (t_{s})$ ;
Choose the best antibodies with high fitness and put them into $B_{i} (t_{s})$ ;
End
while (the antibodies algebra evolution value<= threshold value) do
For ( $i = 0$ ; $i < 3$ ; $i + +$ )//in every universe, optimize the antibodies:
$t_{s} = t_{s} + 1$ ;
Observe each antibody in $Q_{i} (t_{s})$ and get the antibody’s observed state $P_{i} (t_{s})$ ;
With equation (12), generate the fitness $a_{fitni}^{'}$ of each antibody in $P_{i} (t_{s})$ ;
Obtain the antibody angle rotation step $θ^{j}$ with equation (15);
Update $Q_{i} (t_{s})$ with $θ^{j}$ ;
Choose the best antibodies with high fitness and put them into $B_{i} (t_{s})$ ;
Generate antibody similarity calculation operator with equation (11);
Obtain antibody fitness calculation operator with equation (12);
Calculate antibody population variation correction coefficient operator with equation (13);
Obtain the antibodies’ current mutation probability with equation (14);
Antibodies operate mutation with their current mutation probability above;
Choose the optimal antibodies and translate them to the main universe;
Select the best antibodies and update the worst ones in the other three auxiliary universes respectively.

3.3. The RFS-QGAID

The RFS-QGAID includes two main steps: training initial antibodies to get memory antibodies off-line, detect the intrusions on-line. The training phase is described in following steps:

The offline log records are as the initial input resources. We get the initial memory antibodies with RFS, the final decision table is $AADT$ ;

Execute the RFS, delete the redundant attributes from log records data sets with high-dimensional features. The significance between the features and different log records categories are calculated in the samples collection to generate the optimal antibodies combination.

Put the best antibodies above into the QGA classifier and generate the memory antibodies.

In the detection phase, the main two steps are as follows:

Sample from the received log records packets, get the flow log records details with the attributes in simplified $AADT$ .

Delete the unnecessary attributes and generate the d-dimensional significant attributes from the flow log records by the RFS submodule. Then, the flow log data are compared with the memory antibodies which are generated from the QGA classifier, at the same time, the accurate classified detection results are obtained, the records with results are the new antibodies which are input the QGA to update the antibodies set.

4. Simulations and results analysis

4.1. Data collection and parameters setup

To obtain the effective performances of the RFS-QGAID, we finish the experiments with the standard benchmark NS-KDD, which are offered by Lincoln laboratory for simulations of intrusion detection, the training samples collection KDDTrain+ has 125,973 records. Test sample collection contains 2 kind of sets: KDDTest−21 and KDDTest+, and each data set contains five categories of samples: Normal, Dos, the Probe, U2R and R2L.

When RFS-QGAID runs, all the log records in KDDTrain+ are used to train to obtain the initial antibodies, and KDDTest+ is used to test RFS-QGAID algorithm. The log records distribution is demonstrated in Table 4.

Table 4
Log records distribution of NSL-KDD [7]

No Type KDDTrain+ KDDTest+

1 Normal 67,343 9,710

2 DoS 45,927 7,458

3 Probe 11,656 2,422

4 U2R 52 67

5 R2L 995 2,887

Sum 125,973 22,544

No	Type	KDDTrain+	KDDTest+
1	Normal	67,343	9,710
2	DoS	45,927	7,458
3	Probe	11,656	2,422
4	U2R	52	67
5	R2L	995	2,887
Sum	125,973	22,544

Because there are a small amount of U2R attacks records, U2R set belongs to a small samples collection, all the 67 U2R records are applied as the simulation data. In equation (15), we set the minimum antibodies rotation angle step length value $K_{1} = 0.001 π$ , and the maximum one $K_{2} = 0.05 π$ , the initial antibodies mutation probability is set as $P_{0} = 0.8$ , constant P of the antibodies variation operator adjustments is denoted as 0.08.

The RFS-QGAID is realized with C. The configuration RFS-QGAID examination environment: the type of CPU is the Intel Pentium 4, 3.20 GHz, memory is 16 GB, the OS is Windows 2016.

4.2. Records preprocessing and evaluation standard of ID

The detecting experiments contain 4 main steps: log records normalization, reducing the redundant attributes, training the log samples, and testing the flow log records. Some attributes may have smaller features value may be easily ignored, for the reason that there are large difference between various attributes. The log records should be transformed to a standard format, then RFS is adopted to delete the unnecessary attributes.

The log records collection includes n antibody samples, and faj[l] denotes the ith attribute value of the jth antibody. The mean value of antibody is demonstrated as equation (17), and the standard deviation value is shown as equation (18): $\begin{array}{l} (17) & \bar{f} a_{k} [l] = \frac{1}{n} \sum_{k = 1}^{n} f a_{k} [l] \\ (18) & s_{k} [l] = \sqrt{\frac{1}{n - 1} \sum_{j = k = 1}^{n} {(f a_{k} [l] - \bar{f} a_{k} [l])}^{2}} \end{array}$

${\bar{f}}_{k} [l]$ denotes the mean value of the lth antibody attribute, $s_{k} [l]$ presents the standard deviation value of the ith antibody attribute. So all the antibody attributes can be normalized as equation (19) [8]: $\begin{matrix} (19) & \hat{f} a_{k} [l] = \frac{f a_{k} [l] - \bar{f} a_{k} [l]}{s_{k} [l]} \end{matrix}$

The evaluation standards of the detecting results are shown in following formula [15]: $\begin{array}{l} (20) & DR = \frac{TP}{TP + FN} \\ (21) & FAR = \frac{FP}{TN + FP} \\ (22) & Pre = \frac{TP}{TP + FP} \\ (23) & Acc = \frac{TP + TN}{TP + TN + FP + FN} \\ (24) & F 1 -score = \frac{2 \times DR \times Pre}{DR + Pre} \end{array}$

TP is the total number of flow log records that are attacks, and they are accurately identified; TN is the total number of flow log records that are normal behaviors, and they are accurately identified; FP presents the total number of flow log records that are attacks, and they are falsely identified as normal behaviors; FN presents the total number of records that are normal behaviors, and they are falsely identified as attacks [19,22].

4.3. The best attributes collection based on RFS

RFS algorithm is adopted to delete the unnecessary features and generate the optimal antibodies, the detecting classifier combines these attributes with calculating their significance.

We can conclude from the experiments that when there are total 19 attributes, the deviation value of the RFS’s DR and FAR is maximal, meanwhile the DR reaches 95%. When there are 25 features, the deviation value of the DR and FAR’s between the mRMR and FRS is maximal. Therefore, the top 19 significant attributes are selected as the features of antigens and antibodies with the RFS. Similarly, in the study by Zhang and Zhang [27], the same methods are used with NMIFS and IIFS-MC algorithms, we can get 20 features.

The conclusion demonstrates that RFS owns better attribute reduction ability than mRMR, NMIFS and IIFS-MC. Table 5 gives the final attribute subsets with the two algorithms above.

Table 5
The selected attributes subsets

Algorithm Number of attributes Selected attributes (label number)

RFS 19 2, 3, 4, 5, 6, 12, 23, 24, 15, 25, 29, 30, 32, 33, 35, 36, 37, 38, 39

NMIFS 20 12, 3, 6, 23, 2, 32, 5, 24, 36, 35, 33, 1, 30, 37, 4, 29, 39, 38, 25

IIFS-MC 20 2, 3, 17, 4, 5, 18, 12, 6, 15, 16, 8, 19, 11, 13, 14, 23, 28, 10, 22, 36

mRMR 25 32, 27, 23, 5, 3, 12, 13, 22, 11, 2, 9, 37, 28, 38, 1, 4, 6, 14, 29, 40, 39, 35, 33, 41, 30

Algorithm	Number of attributes	Selected attributes (label number)
RFS	19	2, 3, 4, 5, 6, 12, 23, 24, 15, 25, 29, 30, 32, 33, 35, 36, 37, 38, 39
NMIFS	20	12, 3, 6, 23, 2, 32, 5, 24, 36, 35, 33, 1, 30, 37, 4, 29, 39, 38, 25
IIFS-MC	20	2, 3, 17, 4, 5, 18, 12, 6, 15, 16, 8, 19, 11, 13, 14, 23, 28, 10, 22, 36
mRMR	25	32, 27, 23, 5, 3, 12, 13, 22, 11, 2, 9, 37, 28, 38, 1, 4, 6, 14, 29, 40, 39, 35, 33, 41, 30

From Table 5,we can conclude that the simper features collection is obtained, so the computation complexity of RFS can be used to decrease the detection time.

4.4. The intrusion detection performances compared with related works

The K-means [2], the AE-CGAN-RF [9], AA-HMM [18], MDPCA DBN [23], GPSO [25] and FRS-QGA algorithm proposed in Section 1 are used to execute the experimental log data set. The five kinds of samples collections ROC (Receiver Operating Characteristic) curves are shown in Fig. 1.

Fig. 1.

The ROC curves.

The results in Fig. 1 show that compared with the existing common detection methods, we apply FRS-QGA algorithm to detect the normal records, and the other four attacks (DOS, the Probe, R2L and U2R), and obtain a lower FAR, but a higher DR.

The RFS-QGAID algorithm is compared with the algorithms in Section 1, such as K-means [2], AE-CGAN-RF [10], AA-HMM [18], MDPCA-DBN [23], GPSO [25], LS-PIO [1], Dual-IDS [13] and DNN [4]. To execute the abnormal detection simulation, all the attacks records are settled as abnormal behaviors. In order to get the precise performance of RFS-QGAID algorithm, we run the algorithm with each records collection for 10 times to get the detection performances, such as DR, Acc, FAR, Pre and F1 score, finally calculate the average values respectively and compare them with other detection algorithms. The results are demonstrated in Table 6.

Table 6

The comparisons results (/ denotes the uncharted value)

Algorithm	DR	Acc	FAR	Pre	F1 score
K-means [2]	95.17	95.75	1.87	N/A	N/A
AE-CGAN-RF [10]	61.57	66.18	13.06	95.51	74.87
AA-HMM [18]	91.06	93.48	/	93.63	92.33
MDPCA-DBN [23]	93.55	94.36	2.34	/	/
LS-PIO [1]	97.5	97.95	11.2	/	87.19
Dual-IDS [13]	/	91.57	1.3	98.67	91.5
DNN [4]	/	99.84	1.1	99.94	99.37
GA+Fuzzy [21]	95.33	/	0.18	/	/
RFS-QGAID	98.24	98.87	0.29	97.69	97.83

The results demonstrated in Table 6 show that the RFS-QGAID has 0.11% higher false positives and 2.91% higher detection rate than GA + Fuzzy in the study by Varzaneh and Rafsanjani [21]; the other four performance indicators are almost more excellent than other intrusion methods, meanwhile the algorithm proposed in this paper has a better balance between detection rate and the rate of false positives.

To verify the classification ability of RFS-QGAID for different types of attacks, particularly the small data sets, the results are compared, which are demonstrated in Table 7.

Table 7

The first comparisons

Method	Norm	Dos	Prb	U2R	R2L
Mixed multilayer model [2]	98.13	99.54	87.22	21.93	31.39
MDPCA-DBN [23]	97.38	81.09	73.94	17.25	6.50
Outlier+RF [9]	97.66	97.32	95.34	21.05	31.96
RFS-QGAD	95.86	97.75	92.83	75.21	86.74

Table 7 shows that the RFS-MOP-AQGAID owns the highest DR among all the intrusion methods according to small sample data set: Probe, U2R and R2L attacks. RFS-MOP-AQGAID has higher DR, it can improve the adaptivity of the intrusion algorithm.

Literature [23] demonstrated the algorithm’s confusion matrix, with which we calculate the DR, Pre and F1 score, and compare them with the results in this paper (Table 8).

Table 8

The second comparison of different algorithms

Type	DR		Pre		F1 score

	MDPCA-DBN	RFS-QGAD	MDPCA-DBN	RFS-QGAD	MDPCA-DBN	RFS-QGAD
Morm	71.42	95.86	97.38	97.67	82.40	93.51
Dos	96.34	97.75	81.09	95.31	88.06	96.24
Probe	85.85	92.83	73.94	92.62	79.45	92.37
U2R	11.82	75.21	6.50	53.01	8.39	67.51
R2L	57.30	86.74	17.25	83.17	26.51	95.24
average	64.54	89.68	55.23	84.36	56.96	88.97

We can conclude from Table 8 that the proposed RFS-QGAID owns higher DR, Pre, and F1 score than MDPCA-DBN in the study by Yang et al. [23]. Particularly for Probe, U2R and R2L, the proposed algorithm’s detection abilities are better for small amount of records.

5. Conclusions

This paper apply the RFS algorithm to delete the unnecessary antibodies features and generate the optimal initial antibodies from flow log sample attributes collections. From the simulation results, we obtain an effective antibodies collection of the higher dimensional attributes.

In the meantime, we design a QGA to classify the behaviors. In QGA, antibody similarity calculation operator, antibody fitness calculation operator and antibody population variation correction coefficient operator and antibodies mutation operator are used to generate individual’ mutation probability dynamically, meanwhile, adaptive parallel quantum GA was applied to guarantee the variety of antibodies. Experiment results demonstrate that, the detection accuracy, false positive rate, and better adaptivity of RFS-QGAID are all better than current IDS, especial for small samples sets. However the flaw of RFS-QGAID is that the performances for new types of attacks need to be strong. The next research is to study the zero-day attacks deploy the RFS-QGAID in the new generation network.

Conflict of interest

None to report.

References

Abu Alghanam ,

Almobaideen ,

Saadeh and

Adwan , An improved PIO feature selection algorithm for IoT network intrusion detection system based on ensemble learning, Expert Systems With Applications 213 (2023). doi:10.1016/j.eswa.2022.118745.

W.L.

Alyaseen ,

Z.A.

Othman and

M.Z.A.

Nazri , Multi-level hybrid support vector machine and extreme learning machine based on modified K-means for intrusion detection system, Expert Systems with Applications 67(1) (2017), 296–303. doi:10.1016/j.eswa.2016.09.041.

Amiri ,

M.R.

Yousefi ,

Lucas ,

Shakery and

Yazdani , Mutual information-based feature selection for intrusion detection systems, Journal of Network and Computer Applications 34(4) (2011), 1184–1199. doi:10.1016/j.jnca.2011.01.002.

Ankit and

Ritika , Fusion of statistical importance for feature selection in deep neural network-based intrusion detection system, Information Fusion 90 (2023), 353–363. doi:10.1016/j.inffus.2022.09.026.

T.S.

Chou ,

K.K.

Yen and

Luo , Network intrusion detection design using feature selection of soft computing paradigms, International Journal of computational Intelligence 4(3) (2008), 196–208.

Chunhui and

Wenjuan , Enhancing intrusion detection with feature selection and neural network, International Journal OF Intelligent Systems 7(36) (2021), 3087–3105. doi:10.1002/int.22397.

Y.B.

He ,

G.J.

Mendis and

Wei , Real-time detection of false data injection attacks in smart grid: A deep learning-based intelligent mechanism, IEEE Trans. Smart Grid 5(8) (2017), 2505–2516. doi:10.1109/TSG.2017.2703842.

Imamverdiyev and

Abdullayeva , Deep learning method for denial of service attack detection based on restricted Boltzmann machine, Big Data 2(6) (2018), 159–169. doi:10.1089/big.2018.0023.

Jiadong ,

Xinqian ,

Qian ,

Haitao and

Xiaolin , An multi-level intrusion detection method based on KNN outlier detection and random forests, Journal of Computer Research and Development. 56(3) (2019), 566–575 (in Chinese). doi:10.7544/issn1000-1239.2019.20180063.

10.

JooHwa and

KeeHyun , AE-CGAN-RF model based high performance network intrusion detection system, Applied Sciences-Basel 20(9) (2019), 1–14. doi:10.3390/app9204221.

11.

G.K.

Kumar ,

R.R.

Kumar ,

M.S.

Basha and

K.N.

Reddy , Intrusion detection using an ensemble of support vector machines, Advances in Engineering, Management and Sciences 3(s) (2019), 266–275. doi:10.26782/jmcms.spl.3/2019.09.00020.

12.

G.V.

Lashkia and

Anthony , Relevant irredundant feature selection and noisy example elimination, IEEE Transactions on Systems Man and Cybernetics part B-Cybernetics 34(2) (2004), 888–897. doi:10.1109/TSMCB.2003.817106.

13.

H.L.L.

Maya and

A.T.

Bayu , Dual-IDS: A bagging-based gradient boosting decision tree model for network anomaly intrusion detection system, Expert Systems With Applications 213 (2023). doi:10.1016/j.eswa.2022.119030.

14.

M.A.

Mohammed and

I.A.

Ali , An intelligent two-layer intrusion detection system for the Internet of things, IEEE Transactions on Industrial Informatics 1(19) (2023), 683–692. doi:10.1109/TII.2022.3192035.

15.

Moustafa , Designing an Online and Reliable Statistical Anomaly Detection Framework for Dealing with Large High-Speed Network Traffic, University of New South Wales, Canberra, 2017.

16.

L.Z.

Peng ,

H.L.

Zhang ,

Yang and

Y.H.

Chen , Feature evaluation for early stage Internet traffic identification, Algorithms and Architectures for Parallel Processing 8630 (2014), 511–525. doi:10.1007/978-3-319-11197-1_39.

17.

Sha-Sha , Quantum Genetic Algorithm Base on Adaptive Mechanism and Its Application, Shandong University of Technology, Zi Bo, 2020.

18.

C.Y.

Song ,

Pons and

Yen , An anti-adversarial hidden Markov model for network-based intrusion detection, Applied Sciences-Basel 12(8) (2018), 1–25. doi:10.3390/app8122421.

19.

Tao ,

Zhaojie ,

Yuling ,

Chunmei ,

Yanling and

Yixian , Is semi-selfish mining available without being detected?, International Journal of Intelligent Systems (2021), 1–22. doi:10.1002/int.22656.

20.

Teng ,

Qixiang ,

Jiabao ,

Ruitao ,

Xianmin and

Ya , Adversarial attacks on deep-learning-based SAR image target recognition, Journal of Network and Computer Applications 162 (2020). doi:10.1016/j.jnca.2020.102632.

21.

Z.A.

Varzaneh and

M.K.

Rafsanjani , Intrusion detection system using a new fuzzy rule-based classification system based on genetic algorithm, Intelligent Decision Technologies 15 (2021), 231–237. doi:10.3233/IDT-200036.

22.

Xiaohui ,

Ming ,

Hu ,

Guang ,

Huayang ,

Zhendong et al., DeepWAF: Detecting web attacks based on CNN and LSTM models, Cyberspace Safety and Security, PT II 11983 (2019), 121–136. doi:10.1007/978-3-030-37352-8_11.

23.

Y.Q.

Yang ,

K.F.

Zheng ,

C.H.

Wu ,

X.X.

Niu and

Y.X.

Yang , Building an effective intrusion detection system using the modified density peak clustering algorithm and deep belief networks, Applied Sciences-Basel 2(9) (2019), 238–262. doi:10.3390/app9020238.

24.

Yilei ,

Guoyu ,

Tao ,

Lifeng ,

Yanli ,

Lishan ,

Yi et al., Optimal mixed block withholding attacks based on reinforcement learning, International Journal of Intelligent Systems 12(35) (2021), 2032–2048. doi:10.1002/int.22282.

25.

Ying-Wu ,

Jia-Hai and

Jin-Xiang , Anomaly detection based on traffic information structure, Journal of Software 21(10) (2010), 2573–2583. doi:10.3724/SP.J.1001.2010.03698.

26.

Yu and

Huan , Efficient feature selection via analysis of relevance and redundancy, Journal of Machine Learning Research 5 (2004), 1205–1224.

27.

Zhang and

J.H.

Zhang , Intrusion detection using normalized mutual information feature selection and parallel quantum genetic algorithm, International Journal on Semantic Web and Information Systems 22(1) (2022), 1–24. doi:10.4018/IJSWIS.315747.

28.

Zhi-jian ,

Yu-hang ,

Pan-jing ,

Xiao-hong and

Cai-hong , Cooperative evolution of multiple operators based adaptive parallel quantum genetic algorithm, Acta Electonica Sinica 47(2) (2019), 266–273. doi:10.3969/j.issn.0372-2112.2019.02.002.