
Paper 17-Predicting DOS DDOS Attacks

This document reviews and evaluates different feature selection methods for machine learning models that predict DOS and DDOS attacks. It discusses traditional mitigation solutions for these attacks and their limitations. It then explains how machine learning can help overcome these limitations by analyzing network traffic data to detect abnormal patterns indicating attacks. Specifically, it focuses on evaluating the wrapper feature selection process, which uses search algorithms to select optimal feature subsets, for improving DOS/DDOS prediction models.

(IJACSA) International Journal of Advanced Computer Science and Applications,

Vol. 12, No. 5, 2021

Predicting DOS-DDOS Attacks: Review and Evaluation Study of Feature Selection Methods based on Wrapper Process

Kawtar BOUZOUBAA1, Benayad NSIRI3
M2CS, Research Center STIS, National Graduate School of Arts and Crafts of Rabat (ENSAM), Mohammed V University in Rabat, Rabat, Morocco

Youssef TAHER2
Center of Guidance and Planning (COPE), Rabat, Morocco

Abstract—Nowadays, cybersecurity attacks are becoming increasingly sophisticated and present a growing threat to individuals and to the private and public sectors, especially the Denial Of Service attack (DOS) and its variant Distributed Denial Of Service (DDOS). Dealing with these dangerous threats by using traditional mitigation solutions suffers from several limits and performance issues. To overcome these limitations, Machine Learning (ML) has become one of the key techniques to enrich, complement and enhance the traditional security experiences. In this context, we focus on one of the key processes that improve and optimize Machine Learning DOS-DDOS predicting models: the DOS-DDOS feature selection process, particularly the wrapper process. By studying different DOS-DDOS datasets, algorithms and results of several research projects, we have reviewed and evaluated the impact of the used wrapper strategies, the number of DOS-DDOS features, and many commonly used metrics to evaluate DOS-DDOS prediction models based on the optimized DOS-DDOS features. In this paper, we present three important dashboards that are essential to understand the performance of three wrapper strategies commonly used in DOS-DDOS ML systems: heuristic search algorithms, meta-heuristic search and random search methods. Based on this review and evaluation study, we can observe that some wrapper strategies, algorithms and DOS-DDOS features with a relevant impact can be selected to improve the existing DOS-DDOS ML solutions.

Keywords—DOS-DDOS attacks; feature selection; wrapper process; machine learning

I. INTRODUCTION

With the exponential proliferation of Internet users, network traffic has seen a massive generation of data. These data come from individuals and from private and public organizations. Moreover, the complexity of the Internet architecture and its interdependencies suffers from different vulnerabilities, threats and risks ([1], [2]). Consequently, attackers find an impressive number of vulnerable systems [3].

Nowadays, cybersecurity attacks are becoming increasingly sophisticated, particularly the infrastructure attacks that make security analysis systems more vulnerable to several failures [1]. One of the most famous of these threats is the Denial Of Service attack (DOS) and its variant Distributed Denial Of Service (DDOS) ([4],[5]). These serious and dangerous attacks violate the availability of information systems, which is a pillar of information security ([6],[5]). The attackers seek to target computer systems, network devices, services and web applications to consume their CPU power, bandwidth, memory and processing time ([7], [3]).

The DDOS attack has the same purpose, with the difference that it uses multiple intermediate networks between the attacker and its target ([7],[8]). This technique allows the attacker to amplify the attack by orchestrating the simultaneous sending of an excessive number of unwanted computing requests to the victim to overload its computing capacity.

To deal with these DOS-DDOS attacks, some traditional mechanisms are deployed, such as firewalls, software updates, antivirus, Intrusion Detection Systems (IDS), etc.

However, many challenges and limits hinder these traditional techniques [6]. To overcome these limitations and drawbacks, Machine Learning (ML) techniques can be used as artificial intelligence systems to enrich, complement and enhance the traditional security experiences.

One of the key and critical pre-processing phases for the success of these DOS-DDOS ML models is feature selection. This process selects the most representative DOS-DDOS characteristics from the initial DOS-DDOS dataset by eliminating those that are redundant and insignificant. Consequently, the obtained feature subset improves the execution time, the detection rate and the accuracy of the used DOS-DDOS models.

In this context, this investigation presents a review and evaluation study related to DOS-DDOS attack prediction based on one of the effective methods to select relevant DOS-DDOS features: the wrapper process.

This paper is organized as follows: In Section 2 we study some traditional mitigation solutions and their limits. Section 3 describes the interest of using machine learning (ML) in DOS-DDOS attack prevention. Section 4 exposes the impact of feature selection on DOS-DDOS machine learning projects. In Section 5 we review and evaluate recent and relevant feature selection results obtained by using three commonly used wrapper strategies: heuristic search algorithms, meta-heuristic search and random search methods. Finally, Section 6 presents our conclusions.


II. DEALING WITH DOS AND DDOS: TRADITIONAL MITIGATION AND SOLUTIONS

DOS-DDOS attacks can take many forms such as SYN flood, SYN-ACK-ACK flood, UDP flood, ICMP flood, and so on. To deal with these forms of threats, many traditional, external and internal DOS-DDOS mitigation solutions have been developed, such as bandwidth provisioning, software updates, firewalls, antivirus software and Intrusion Detection Systems (IDS), etc. In the paragraphs below, we briefly discuss these traditional solutions and their limits.

Generally, a firewall solution provides many mitigation mechanisms, such as filter-based forwarding at logical interfaces, blocking certain types of packets from reaching a routing engine, packet counters, and protection of a routing engine from DOS-DDOS attacks ([9],[10]). However, firewall solutions suffer from many security shortcomings. As an example, the attacker can modify his DOS-DDOS attacks and make them appear legitimate.

Software updates keep the software up to date to avoid DOS-DDOS attacks on the application layer (the highest abstraction layer of the TCP/IP model) [11]. However, the irregularity of these updates creates a gateway for attackers to modify the contents of memory (buffer overflow).

The Intrusion Detection System (IDS), a hardware or software solution, complements the security provided by firewall solutions. It is a common way to analyze and detect DOS-DDOS attacks [12]. IDS techniques are used to detect, classify and respond to DOS-DDOS actions that affect the integrity, the confidentiality or the availability of any network resources [13]. These systems are mainly based on two detection methods [14]: Misuse Detection (MD) and Anomaly Detection (AD).

Misuse Detection is also known as Signature Detection, Pattern Detection, Knowledge-Based or Rule-based detection. This technique is one of the most common methods used by antivirus software. It filters malicious packets of known attacks thanks to its signature database of known attacks. It detects known attacks efficiently with low false positives. Nevertheless, it shows limits in detecting new forms of threats and many variants of known attacks.

Anomaly Detection supervises the behavior of network traffic. It alerts the system at the slightest change compared to the normal behavior. This method can detect new forms of attacks but generates high false positives and doesn't give clear information about the malicious events in some forms of attacks. Moreover, it is not feasible for an IDS to manipulate high dimensional variables. Consequently, this technique can affect the efficiency and the speed of intrusion detection ([15],[16], [17]).

In addition to the limitations and drawbacks mentioned above, traditional techniques are hindered by many other challenges [6]. As an example, many traditional security strategies are not sufficient to protect information systems against the new forms of DOS-DDOS attacks, need extra storage and computational resources due to the high level of network traffic, suffer from a lack of information about attack sources, and are unable to detect and prevent many DOS-DDOS attacks in real time.

To overcome these drawbacks, Machine Learning has become one of the key techniques to enrich and complement these traditional security experiences. In the section below, we briefly discuss the benefits that can be attained by using ML techniques in DOS-DDOS attack prevention.

III. THE USE OF MACHINE LEARNING IN DOS-DDOS ATTACKS PREVENTION

Machine Learning (ML) is an evolutionary field of Artificial Intelligence (AI) composed of a set of rules, methods and functions [18]. Applied to deal with many challenges in DOS-DDOS attacks, ML algorithms can learn from DOS-DDOS datasets and discover hidden knowledge from them [19].

By finding interesting DOS-DDOS patterns in training DOS-DDOS data, ML algorithms allow preventing and predicting many recent forms of DOS-DDOS behaviors.

Contrary to the traditional security solutions, ML models are powerful tools that can analyze high dimensional DOS-DDOS traffic in real time [20], classify the behavior of the DOS-DDOS traffic to distinguish the normal from the abnormal, and predict DOS-DDOS attacks with high accuracy before they happen.

Based on the DOS-DDOS security modeling process (Fig. 1) and many common algorithms like K-Nearest Neighbors (KNN), Support Vector Machines (SVM), Random Forest (RF) and Naïve Bayes (NB), many recent research projects have shown other important prevention benefits of ML algorithms compared to the existing traditional solutions ([1], [12], [21]).

Fig. 1. Machine Learning DOS-DDOS Security Modeling Process

Feature selection is one of the critical pre-processing steps needed to achieve and to improve the benefits mentioned above. In the section below, we summarize the benefits of this process.


IV. IMPACT OF FEATURE SELECTION PROCESS DOS-DDOS MACHINE LEARNING PROJECTS

Feature selection is one of the most critical pre-processing steps in building DOS-DDOS Machine Learning (ML) models. This process is the first and crucial phase to improve the prediction accuracy and the detection rate and to reduce the execution time of DOS-DDOS models [22].

According to Bindra et al. [23], feature selection methods allow DOS-DDOS security systems to distinguish DOS-DDOS attacks by using a minimum number of the most important features from network streams.

Applied to DOS-DDOS ML algorithms, feature selection is focused on selecting small and concise sets of DOS-DDOS characteristics describing the ML models [24]. It keeps the used features from containing redundant information (correlated with other features) and noisy information about DOS-DDOS attacks, without losing any piece of information. Consequently, it reduces the high memory requirements of security systems based on ML models ([25], [26], [27]).

Generally, the existing DOS-DDOS ML security systems use three main categories of feature selection approaches: Filter, Wrapper and Hybrid methods [28].

The Filter methods are based on statistical methods which evaluate the relevance of DOS-DDOS features independently of any machine learning algorithm [27]. As a faster solution that costs less computationally, these methods are often used on high dimensional DOS-DDOS traffic ([29],[30]). However, evaluating each feature individually cannot take into consideration the correlation between the DOS-DDOS features. Consequently, the final DOS-DDOS subset can contain redundancy because some DOS-DDOS features can have the same ranking.

The wrapper strategies use a predetermined algorithm and its performance to assess the optimal DOS-DDOS feature subset [31]. The wrapper is executed as an iterative process, and at each iteration a new subset of DOS-DDOS features is generated to be evaluated by the classification algorithm [32]. The selection criterion is principally based on the cross-validation accuracy on the DOS-DDOS training data [33].

The Hybrid method is a combination of a filter method followed by a wrapper approach, which offers the advantages of the two previous methods. It exploits their different criteria in different search stages [34].

V. RELATED WORK

A. Objective of the Study

To detect and prevent DOS-DDOS attacks accurately, wrapper methods are one of the most effective strategies to identify informative DOS-DDOS feature subsets from many high-dimensional DOS-DDOS network streams. This approach to feature selection is often addressed in many security solutions based on ML tasks. Indeed, an increasing number of research projects have shown that many wrapper strategies can have an important impact on the accuracy, detection rate and execution time of existing DOS-DDOS ML systems.

In this context, we decided to focus our attention on the assessment of the performance of many DOS-DDOS experiments based on wrapper strategies and machine learning algorithms.

By studying different DOS-DDOS datasets, algorithms and recent results of several research projects, we review and assess the impact of many recent wrapper strategies applied to predicting DOS-DDOS attacks. We have taken a more focused look at the impact of these strategies on the number of DOS-DDOS features, detection rates, execution times and accuracies of DOS-DDOS attack prediction.

We present four dashboards that are essential to understand the performance of three wrapper strategies commonly used in DOS-DDOS ML systems: heuristic search algorithms, meta-heuristic search and random search methods.

B. Review and Evaluation Study of Feature Selection Methods based on Wrapper Process

1) Used Datasets: To evaluate the performance of the wrapper strategies used in DOS-DDOS machine learning models, we start our review by studying relevant DOS-DDOS datasets commonly used by several DOS-DDOS research projects. These datasets are cited below:

The Knowledge Discovery and Data Mining (KDD'99) dataset was built based on the synthetic data captured in DARPA'98. This dataset is mainly composed of redundant records. Moreover, this configuration forces ML algorithms to learn less about infrequent records than about the redundant ones. The unequal distribution of attacks between the training and testing phases made cross-validation more complicated.

This dataset is composed of four main families of attacks and forty-one features.

The NSL_KDD was created to overcome the limits of the KDD'99 [35]. However, the main disadvantage of the NSL_KDD dataset is that, like the KDD'99, it does not include modern low-footprint attack scenarios.

The UNSW_NB15 is composed of nine attack families and forty-nine features. It includes a hybrid of real modern normal behaviors and synthetic attack activities [35].

Cyber Range Lab of the Australian Centre for Cyber Security (ACCS) is a dataset mainly composed of hybrid modern normal activities and attack behaviors. It is composed of forty-seven features [36].

2) Use model evaluation metrics: To evaluate the reviewed DOS-DDOS wrapper strategies, we have selected different metrics [37]. These metrics are: Classification Accuracy (Acc), Detection Rate (DR), Recall (Re), Precision (Pr), Specificity (Sp), Sensitivity (Sen), F-Measure (FM), False Alert Rate (FAR), False Negative (FN) and model execution Time (T).

The formulas associated with these metrics are listed below:

(1)


(2)

(3)

(4)

(5)

(6)

(7)

(8)

Where: TP is True Positive: correct positive prediction. TN is True Negative: correct negative prediction. FN is False Negative: incorrect negative prediction and FP is False Positive: incorrect positive prediction.

3) Impact of used DOS-DDOS datasets and algorithms on the wrapper process: Generally, the performance of DOS-DDOS prediction models based on the wrapper process depends strongly on the used ML algorithms and datasets. As shown in Table I, many algorithms performed well in detecting DOS-DDOS attacks compared to others. The accuracy can range from Acc=62.5% by using the KDD'99 dataset and the SVM algorithm to Acc=99.92% with the Decision Tree J.48 algorithm and the KDD'99 dataset. Indeed, according to the experiment of Jalill et al. (2010) [38] based on the KDD'99 dataset, the Support Vector Machine (SVM) algorithm has a serious problem in accurately detecting DOS-DDOS attacks compared to the Decision Tree J.48 algorithm, which shows a high prediction accuracy that exceeds 99%.

TABLE I. IMPACT OF USED DOS-DDOS DATASETS AND ALGORITHMS ON THE WRAPPER PROCESS

| Reference | Dataset | Algorithm | Accuracy (%) |
|---|---|---|---|
| Jalill et al. [38] | KDD'99 | SVM | 62.5 |
| Jalill et al. [38] | KDD'99 | J.48 | 99.7 |
| Katkar and Kulkarni [40] | KDD'99 | J.48 | 99.92 |
| Katkar and Kulkarni [40] | KDD'99 | REPTree | 99.56 |
| Katkar and Kulkarni [40] | KDD'99 | NB | 87.50 |
| Katkar and Kulkarni [40] | KDD'99 | BN | 99.68 |
| Katkar and Kulkarni [40] | KDD'99 | Sequential Minimal Optimization (SMO) | 99.72 |
| Katkar and Kulkarni [40] | KDD'99 | REPTree + J48 + BN | 99.94 |
| Bellouch et al. [39] | UNSW_NB15 | SVM | 92.28 |
| Bellouch et al. [39] | UNSW_NB15 | NB | 74.19 |
| Bellouch et al. [39] | UNSW_NB15 | C4.5 | 95.82 |
| Bellouch et al. [39] | UNSW_NB15 | RF | 97.49 |

The experiments based on the NB, C4.5 and RF algorithms and the UNSW_NB15 dataset carried out by Bellouch et al. (2018) [39] have shown that the prediction accuracy obtained by RF (Acc_RF = 99.94%) is better than that of C4.5 (Acc_C4.5 = 95.82%) and SVM (Acc_SVM = 92.28%). The NB algorithm shows less accuracy (Acc_NB = 74.19%) compared to RF, C4.5 and SVM.

The Bayesian Network (BN) algorithm used in the experiment of Katkar and Kulkarni [40] achieved good accuracy (Acc_BN = 99.68%) in detecting DOS-DDOS attacks thanks to its capacity for detecting anomalies in a multi-class setting [41].

By comparing the experiments carried out by Jalill et al. [38] and Katkar and Kulkarni [40], we have observed that the SVM algorithm predicts DOS-DDOS attacks more accurately on the UNSW_NB15 dataset than on the KDD'99 dataset (Acc_SVM_UNSW_NB = 92.28% > Acc_SVM_KDD = 62.5%). According to W. Xingzhu [42], this important difference is caused by the redundant records in the KDD'99 dataset and by the slower training of SVM on high dimensional datasets.

4) DOS-DDOS feature selection based on wrapper process and heuristic search algorithms: Based on heuristic functions or cost measures, wrapper strategies using heuristic search algorithms optimize and iteratively improve the process of DOS-DDOS feature selection [43].

Many heuristic searches such as SFS (Sequential Forward Search), SBS (Sequential Backward Search), LRS (Plus L Minus R Selection), RELR (Random Effect Logistic Regression), and GFR (Gradually Feature Removal method) have been used by many recent important research projects to accurately solve the problem of DOS-DDOS feature selection.

We discuss these projects in the paragraphs below. At the end of this subsection, we present our first dashboard (Tables IIA, IIB, IIC) to summarize and to compare the performance of these strategies.

As an example of wrapper strategies based on heuristic search algorithms, we can cite the important investigation of Kavitha and Chitra (2010) [44]. In this study, the authors used the Best First Search (BFS) method. They selected two subsets composed respectively of seven and fourteen DOS-DDOS features. They applied four classification algorithms: ID3, J48, NB and One R. These experiments have shown that ID3 and J.48 using a subset composed of fourteen DOS-DDOS features have the highest accuracy (Acc = 99%). One R and NB performed well in execution time (T=0.5s) with only seven features. The NB classifier achieved the highest specificity, with Sp_NB = 99% by using seven features and Sp_NB = 100% by using fourteen features.

Mok et al. (2010) [45] used Random Effect Logistic Regression (RELR) with a fixed Logistic Regression (LR). This method selected five DOS-DDOS features by using the Stepwise Variable Selection Search (SVSS) strategy based on the KDD'99 dataset. The method achieved an accuracy equal to 98.74%.
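The wrapper loop from Section IV combined with the Sequential Forward Search (SFS) named in this subsection, as an added example (not code from the paper or from the reviewed projects): each candidate subset is scored by the 5-fold cross-validated accuracy of a small KNN classifier, and the chosen subset is reported with accuracy, detection rate and false alarm rate. The flow records, the four feature names and k = 3 are constructed for illustration, and the metric formulas are the standard confusion-matrix definitions.

```python
import random

# Hypothetical per-flow features; the names are illustrative, not from any dataset.
FEATURES = ["pkt_rate", "pkt_count", "mean_pkt_size", "ttl_jitter"]

def make_flows(seed=7):
    """Constructed sample: 80 normal flows (label 0) and 40 flood-like flows (label 1)."""
    rng = random.Random(seed)
    profiles = [  # (count, label, pkt_rate range in pps, mean_pkt_size range in bytes)
        (60, 0, (5, 50), (60, 120)),          # idle hosts: slow, small packets
        (20, 0, (700, 1000), (1200, 1500)),   # busy servers: fast, large packets
        (40, 1, (700, 1000), (60, 120)),      # flood: fast, small packets
    ]
    rows, labels = [], []
    for count, label, rate_range, size_range in profiles:
        for _ in range(count):
            rate = rng.uniform(*rate_range)
            rows.append({
                "pkt_rate": rate,
                "pkt_count": rate * 8.0,                    # redundant: same signal over an 8 s window
                "mean_pkt_size": rng.uniform(*size_range),
                "ttl_jitter": rng.random(),                 # insignificant: independent of the label
            })
            labels.append(label)
    return rows, labels

def scale(rows):
    """Min-max scale each feature to [0, 1] so no unit dominates the KNN distance.
    (Done once over all rows to keep the example short; fit it per fold in practice.)"""
    lo = {f: min(r[f] for r in rows) for f in FEATURES}
    hi = {f: max(r[f] for r in rows) for f in FEATURES}
    return [{f: (r[f] - lo[f]) / (hi[f] - lo[f]) for f in FEATURES} for r in rows]

def knn_predict(train_x, train_y, x, subset, k=3):
    """Majority vote of the k nearest training flows, using only the features in subset."""
    nearest = sorted(
        (sum((t[f] - x[f]) ** 2 for f in subset), y) for t, y in zip(train_x, train_y)
    )[:k]
    return 1 if 2 * sum(y for _, y in nearest) > k else 0

def cv_confusion(rows, labels, subset, folds=5):
    """k-fold cross-validation; returns the pooled confusion counts (TP, TN, FP, FN)."""
    tp = tn = fp = fn = 0
    for fold in range(folds):
        train_idx = [i for i in range(len(rows)) if i % folds != fold]
        train_x = [rows[i] for i in train_idx]
        train_y = [labels[i] for i in train_idx]
        for i in range(fold, len(rows), folds):             # held-out flows of this fold
            pred = knn_predict(train_x, train_y, rows[i], subset)
            if pred == 1:
                tp, fp = tp + (labels[i] == 1), fp + (labels[i] == 0)
            else:
                tn, fn = tn + (labels[i] == 0), fn + (labels[i] == 1)
    return tp, tn, fp, fn

def metrics(tp, tn, fp, fn):
    """Standard confusion-matrix definitions of accuracy, detection rate and false alarm rate."""
    return {
        "accuracy": (tp + tn) / (tp + tn + fp + fn),
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0,
    }

def sequential_forward_selection(rows, labels):
    """Wrapper with SFS: add the feature that most improves CV accuracy, stop when none does."""
    selected, best_acc = [], 0.0
    remaining = list(FEATURES)
    while remaining:
        scored = [(metrics(*cv_confusion(rows, labels, selected + [f]))["accuracy"], f)
                  for f in remaining]
        cand_acc, cand = max(scored, key=lambda s: s[0])    # earliest feature wins ties
        if cand_acc <= best_acc:
            break                                           # redundant or noisy features add nothing
        selected.append(cand)
        remaining.remove(cand)
        best_acc = cand_acc
    return selected, best_acc

if __name__ == "__main__":
    flows, y = make_flows()
    flows = scale(flows)
    subset, acc = sequential_forward_selection(flows, y)
    print("selected subset:", subset, "cv accuracy:", acc)
    print("all features   :", metrics(*cv_confusion(flows, y, FEATURES)))
    print("selected subset:", metrics(*cv_confusion(flows, y, subset)))
```

The redundant `pkt_count` and the label-independent `ttl_jitter` are never added because neither raises the cross-validated accuracy, which is the behaviour the wrapper process is meant to provide.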


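TABLE II. (A): WRAPPER METHOD BASED ON HEURISTIC SEARCH (HS)

Slash-separated values follow the order of the slash-separated entries in the same row.

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategy | Number of DOS-DDOS features | Used classifier | Used Metrics | Metrics Values with FS | Metrics Values without FS |
|---|---|---|---|---|---|---|---|
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | ID3 | Accuracy | 97% / 99% | 99% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | ID3 | Sensitivity | 97% / 100% | 98% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | ID3 | Specificity | 97% / 98% | 100% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | ID3 | Time (s) | 1.49 / 4.01 | NA |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | J48 | Accuracy | 97% / 99% | 99.9% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | J48 | Sensitivity | 97% / 99.5% | 97.8% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | J48 | Specificity | 97% / 97.5% | 99.9% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | J48 | Time (s) | 1.20 / 1.86 | NA |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | NB | Accuracy | 96% / 97% | 99% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | NB | Sensitivity | 92% / 94% | 98% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | NB | Specificity | 99% / 100% | 100% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | NB | Time (s) | 0.05 / 0.09 | NA |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | OneR | Accuracy | 86% / 97% | 99.5% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | OneR | Sensitivity | 74% / 72% | 98% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | OneR | Specificity | 99% / 92% | 99.7% |
| Kavitha and Chitra (2010) [44] | KDD'99 | BFS | 7 / 14 | OneR | Time (s) | 0.05 / 0.16 | NA |
| Mok et al. (2010) [45] | KDD'99 | Stepwise | 5 | RLER | Accuracy | 98.74% | NA |
| Ahmad et al. (2011) [46] | KDD'99 | PCA-GA | 12 | MLP | Accuracy | 99% | NA |
| Ahmad et al. (2011) [46] | KDD'99 | PCA-GA | 12 | MLP | Time (h) | 72 | NA |
| Yinhui et al. [47] | KDD'99 | SBS-GFR | 19 | SVM | Accuracy | 98.62% | 98.67% |
| Yinhui et al. [47] | KDD'99 | SBS-GFR | 19 | SVM | Time (s) | 2.37 | 3.97 |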

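TABLE II. (B): WRAPPER METHOD BASED ON HEURISTIC SEARCH (HS)

Slash-separated values follow the order of the slash-separated entries in the same row.

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategy | Number of DOS-DDOS features | Used classifier | Used Metrics | Metrics Values with FS | Metrics Values without FS |
|---|---|---|---|---|---|---|---|
| Zhang and Wang (2013) [48] | NSL_KDD | SBS-BN | 11 | BN | Accuracy | 98.98% | 95.7% |
| Zhang and Wang (2013) [48] | NSL_KDD | SBS-BN | 11 | BN | Time (s) | 4.73 | 18.94 |
| Al-Jarrah et al. (2014) [49] | KDD'99 | FSR-RF | 15 | RF | Accuracy | 99.90% | 99.89% |
| Al-Jarrah et al. (2014) [49] | KDD'99 | BER-RF | 14 | RF | Accuracy | 99.88% | 99.89% |
| Lee et al. (2017) [50] | NSL_KDD | SFFS-RF | 10 | C4.5 | Accuracy | 99.89% | NA |
| Lee et al. (2017) [50] | NSL_KDD | SFFS-RF | 10 | C4.5 | Detection Rate | 99.9% | NA |
| Lee et al. (2017) [50] | NSL_KDD | SFFS-RF | 10 | C4.5 | FAR | 0.1 | 1.07 |
| Lee et al. (2017) [50] | NSL_KDD | SFFS-RF | 10 | C4.5 | Time (s) | 0.18 | NA |
| Harish and Manju (2018) [51] | KDD'99 | FDR + PLR | 20 / 40 | KNN | Accuracy | 98.5% / 99.0% | NA |
| Harish and Manju (2018) [51] | KDD'99 | FDR + PLR | 20 / 40 | KNN | Time (s) | 17.98 / 32.95 | NA |
| Harish and Manju (2018) [51] | KDD'99 | FDR + SFS | 25 | KNN | Accuracy | 98.27 | NA |
| Harish and Manju (2018) [51] | KDD'99 | FDR + SFS | 25 | KNN | Time (s) | 17.74 | NA |
| Harish and Manju (2018) [51] | KDD'99 | FDR + SBS | 40 | KNN | Accuracy | 98.78% | NA |
| Harish and Manju (2018) [51] | KDD'99 | FDR + SBS | 40 | KNN | Time (s) | 32.18 | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 12 | NB | Accuracy | 93.1% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 12 | NB | Precision | 93.6% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 12 | NB | Recall | 87.3% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 12 | NB | F-measure | 92.7% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 14 | RF | Accuracy | 98.9% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 14 | RF | Precision | 99.6% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 14 | RF | Recall | 99.8% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 14 | RF | F-measure | 99.7% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 10 | DT | Accuracy | 98.2% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 10 | DT | Precision | 99.4% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 10 | DT | Recall | 99.8% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 10 | DT | F-measure | 99.6% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 20 | MLP | Accuracy | 96.1% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 20 | MLP | Precision | 93.4% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 20 | MLP | Recall | 91.8% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 20 | MLP | F-measure | 94.9% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 11 | KNN | Accuracy | 97.7% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 11 | KNN | Precision | 99.8% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 11 | KNN | Recall | 99.8% | NA |
| Houseini Soodeh and Mehrdad (2019) [52] | NSL_KDD | Forward Feature Selection | 11 | KNN | F-measure | 99.8% | NA |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | RF | Accuracy | 99,41% | 99,91% |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | RF | Time (s) | 66.82 | 191.06 |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | Bagging | Accuracy | 99,35% | 99,84% |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | Bagging | Time (s) | 17,7 | 109.9% |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | PART | Accuracy | 99,37% | 99,83% |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | PART | Time (s) | 8.07 | 99.1 |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | J48 | Accuracy | 99,78% | 99,78% |
| Malhotra and Sharma (2019) [53] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | J48 | Time (s) | 7.95 | 61.68 |
| Wang et al. (2020) [54] | NSL_KDD | SBS-MLP | 31 | MLP | Accuracy | 97.66% | 97.61% |
| Wang et al. (2020) [54] | NSL_KDD | SBS-MLP | 31 | MLP | Detection Rate | 94.88% | 94.78% |
| Wang et al. (2020) [54] | NSL_KDD | SBS-MLP | 31 | MLP | FAR | 0.62% | 0.63% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 10 | SVM | Accuracy | 92.15% | 92.11% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 10 | SVM | Sensitivity | 90.20% | 88.71% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 10 | SVM | Specificity | 97.26% | 96.93% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 10 | SVM | Precision | 90.23% | 91.42% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 10 | SVM | F_measure | 90.21% | 89.91% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | KNN | Accuracy | 98.30% | 95.67% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | KNN | Sensitivity | 97.73% | 93.87% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | KNN | Specificity | 99.45% | 98.01% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | KNN | Precision | 97.72% | 97.05% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | KNN | F_measure | 97.70% | 95.30% |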

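TABLE II. (C): WRAPPER METHOD BASED ON HEURISTIC SEARCH (HS)

Slash-separated values follow the order of the slash-separated entries in the same row.

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategy | Number of DOS-DDOS features | Used classifier | Used Metrics | Metrics Values with FS | Metrics Values without FS |
|---|---|---|---|---|---|---|---|
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | ANN | Accuracy | 91.44% | 91.07% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | ANN | Sensitivity | 87.82% | 87.27% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | ANN | Specificity | 97.31% | 96.58% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | ANN | Precision | 88.11% | 89.89% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 6 | ANN | F_measure | 87.89% | 88.45% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 8 | NB | Accuracy | 94.87% | 94.48% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 8 | NB | Sensitivity | 92.05% | 91.77% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 8 | NB | Specificity | 98.43% | 98.29% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 8 | NB | Precision | 93.29% | 92.94% |
| Polat and Cetin (2020) [55] | Their dataset composed of 12 features | SFFS | 8 | NB | F_measure | 92.01% | 91.79% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | RePTree | Accuracy | 99,44% | 99,83% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | RePTree | Time (s) | 5,76 | 3.59 |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | Logiboost | Accuracy | 94,15% | 97,1% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | Logiboost | Time (s) | 9,96 | 18.3 |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | RBF | Accuracy | 90,6% | 97,95% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | RBF | Time (s) | 45.91 | 81.01 |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | BayesNet | Accuracy | 96,26% | 97,17% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | BayesNet | Time (s) | 5.64 | 4.69 |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | SMO | Accuracy | 89,09% | 97,4% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | SMO | Time (s) | 514.7 | 1137.71 |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | NBTree | Accuracy | 99,46% | 99,87% |
| Alabdulwahab and Moon (2020) [31] | NSL_KDD | CfsSubsetEval + BestFirst | 6 | NBTree | Time (s) | 14.23 | 213.18 |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | ANN | Accuracy | 82.08% | 86.00% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | ANN | Detection Rate | 97.94% | 98.62% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | ANN | FAR | 37.36% | 29.45% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | ANN | Time (s) | 240 | 660 |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | SVM | Accuracy | 79.11% | 81.6% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | SVM | Detection Rate | 99.31% | 99.64% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | SVM | FAR | 45.64% | 40.51 |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | SVM | Time (s) | 15540 | 10860 |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | KNN | Accuracy | 83.21% | 84.78% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | KNN | Detection Rate | 96.44% | 96.46% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | KNN | FAR | 33.01% | 29.53% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | KNN | Time (s) | 600 | 1020 |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | RF | Accuracy | 86.41% | 86.82% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | RF | Detection Rate | 97.95% | 98.7% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | RF | FAR | 27.73% | 27.74% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | RF | Time (s) | 37.8 | 44.4 |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | NB | Accuracy | 55.61% | 55.61% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | NB | Detection Rate | 19.38% | 19.39% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | NB | FAR | 0.01% | 0.01% |
| Umar et al. (2020) [56] | UNSW_NB15 | Best First Forward-DT | 19 | NB | Time (s) | 2.86 | 4.64 |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | ANN | Accuracy | 94.32% / 98.9% | 94.62% / 99.6% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | ANN | Detection Rate | 98.48% / 99.0% | 97.54% / 99.6% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | ANN | FAR | 14.56% / 1.11% | 11.64% / 0.23% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | ANN | Time (s) | 325 / 123 | 348 / 94 |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | SVM | Accuracy | 93.56% / 98.0% | 93.67% / 98.5% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | SVM | Detection Rate | 99.54% / 97.1% | 99.63% / 98.1% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | SVM | FAR | 19.19% / 1.17% | 19.14% / 1.08% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | SVM | Time (s) | 10236.6 / 921.6 | 5213.4 / 972.6 |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | KNN | Accuracy | 95.8% / 99.1% | 93.81% / 99.5% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | KNN | Detection Rate | 97.28% / 99.2% | 96.24% / 99.4% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | KNN | FAR | 7.36% / 0.97% | 11.42% / 0.36% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | KNN | Time (s) | 502.8 / 331.2 | 747.6 / 563.4 |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | RF | Accuracy | 98.51% / 99.7% | 95.74% / 98.8% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | RF | Detection Rate | 99.17% / 99.7% | 97.84% / 99.7% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | RF | FAR | 2.89% / 0.22% | 8.77% / 0.1% |
| Umar and Chen (2020) [57] | UNSW_NB15 / NSL_KDD | Best First-DT | 20 | RF | Time (s) | 33.6 / 13.2 | 32.4 / 15 |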
Ahmad et al. (2011) [46] used Principal Components Analysis (PCA) to reduce the features and to choose the highest eighteen values. A Genetic Algorithm (GA) was applied as the wrapper method to the reduced space. This method selected twelve DOS-DDOS features. By using the Multi Layer Perceptron (MLP) as classifier on the output of the GA and the KDD'99 dataset, this model has shown high accuracy (Acc_MLP = 99%) by using a minimum number of features equal to 12, with an execution time equal to 72 h.

L. Yinhui et al. (2012) [47] applied the Gradually Feature Removal method (GFR), which selected the nineteen best DOS-DDOS features. This strategy was based on SBS as search strategy and SVM as classifier. The accuracy of this model has been slightly reduced (Acc_(19 features) = 98.62% < Acc_(42 features) = 98.67%) by using a wrapper step. The execution time has been reduced from T_(42 features) = 18.94s to T_(19 features) = 3.73 s.

Zhang and Wang (2013) [48] adopted SBS-BN and a Bayesian network approach as a wrapper strategy. This experiment selected the three best DOS-DDOS features and achieved good accuracy (Acc_(3 features) = 98.98% > Acc_(42 features) = 95.7%) with an interesting execution time (T_(3 features) = 2.37s < T_(42 features) = 3.97s).

Al-Jarrah et al. (2014) [49] proposed a set of RF algorithms with forward and backward elimination ranking feature selection techniques. This experiment demonstrated that FSR-RF with the fifteen best features outperforms BER-RF with fourteen features and RF with all used DOS-DDOS features: (Acc_(15 features) = 99.98% > Acc_(14 features) = 99.88%) and (Acc_(15 features) = 99.98% > Acc_(42 features) = 99.89%).

J. Lee et al. (2017) [50] proposed SFFS-RFC to generate DOS-DDOS feature subsets and to measure the performance of each subset. This experiment has shown that SFFS-RFS improved the accuracy and the detection rate of attack classification with only ten DOS-DDOS features (Acc_(10 features) = 99.89% and DR_(10 features) = 99.9%). It achieved a lower FAR (FAR_(10 features) = 0.1% < FAR_(41 features) = 1.7%) compared to the existing methods using the classifier C4.5 and reduced the execution time (T_(10 features) = 0.18 s).

Harish and Manju (2018) [51] combined the Fisher Ratio Discrimination (FRD) with three different search strategies: SFS, SBS and LRS. They concluded that FDR using LRS, KNN and twenty DOS-DDOS features outperformed the other methods. Thanks to its capacity to remove non-performing DOS-DDOS features from the initial subset, this strategy achieved a better accuracy with twenty features (Acc_(20 features) = 98.87% > Acc_SFS_(25 features) = 98.27%) compared to FDR-SFS, which selected 25 features. However, the execution time of FDR-SFS is less than that of FDR-LRS (T_SFS_(25 features) = 17.74 s < T_SFS_(20 features) = 17.98 s). On the other hand, FDR-LRS with forty features showed a good accuracy compared to the accuracy of FDR-SBS with the same number of features (Acc_LRS_(40 features) = 99.09% > Acc_SBS_(40 features) = 98.78%). However, the execution time of FDR-SBS is better compared to FDR-LRS (T_SBS_(40 features) = 32.18s < T_LRS_(40 features) = 32.95s).


Soodeh and Mehrdad (2019) [52] proposed a new framework composed of a hybridization of different algorithms. The objective of this framework is to handle new types of attacks better than other existing frameworks based on Forward Feature Selection (FFS). By using the NSL_KDD dataset, this framework has shown that RF outperformed other algorithms with only thirteen features in attack detection accuracy (Acc_(13 features) = 98.9%). In the case of DOS-DDOS attacks, the KNN classifier achieved the highest precision with eleven features (Pr_(11 features) = 99.8%). The classifiers RF, DT and KNN achieved the highest Recall value (Re = 99.8%), and the highest F-measure (FM_RF_(14 features) = 99.7%, FM_DT_(10 features) = 99.6%, and FM_KNN_(11 features) = 99.8%). The classifier NB showed the lowest measured values of all these metrics: Acc_NB = 93.10%, Pr_NB = 93.6%, Re = 87.3%, FM_NB = 92.7%.

Malhotra and Sharma (2019) [53] used CfsSubsetEval and Best First as wrapper method. Based on the NSL_KDD dataset and the RF Bagging, PART and J.48 algorithms, this strategy selected eight best DOS-DDOS features. It slightly increased the accuracy and significantly decreased the execution time for all the classifiers. The accuracy of J.48 is 99.78% by using 6 and 42 features. However, this strategy decreased the execution time (T_J.48_(42 features) = 61.68s > T_J.48_(6 features) = 7.95s). The RF model slightly decreased the accuracy (Acc_RF_(6 features) = 99.41% < Acc_RF_(42 features) = 99.91%), and drastically decreased the execution time (T_RF_(6 features) = 66.82s < T_RF_(42 features) = 191.06s).

M. Wang et al. (2020) [54] combined SBS with Multi Layer Perceptron (MLP) to select the optimal DOS-DDOS features by using the NSL_KDD dataset. This experiment showed that SBS-MLP can find an optimal DOS-DDOS feature subset and achieved better accuracy than the full DOS-DDOS feature set among all the MLP-based detection methods (Acc_(31 features) = 97.66% > Acc_(42 features) = 97.61%). It enhanced the detection rate (DR_(31 features) = 94.88% > DR_(42 features) = 94.78%). It decreased the FAR value (FAR_(31 features) = 0.62% < FAR_(42 features) = 0.63%).

Polat et al. (2020) [55] evaluated the classifiers SVM, KNN, ANN and NB on their dataset initially composed of twelve features. This experiment used SFFS as a wrapper approach. They evaluated the performance of this approach by calculating many metrics: accuracy, sensitivity, specificity, precision and F-measure. By using a wrapper step and only selected DOS-DDOS features instead of all features, these different models increased the accuracy (Acc_ANN_(6 features) = 91.44% > Acc_ANN_(42 features) = 91.07%) < (Acc_SVM_(10 features) = 92.15% > Acc_SVM_(42 features) = 92.11%) < (Acc_NB_(8 features) = 94.87% > Acc_NB_(42 features) = 94.48%) < (Acc_KNN_(8 features) = 98.30% > Acc_KNN_(42 features) = 95.67). However, the precision of SVM and KNN is slightly decreased by integrating the feature selection process compared to the initial set with all features (Pr_SVM_(10 features) = 90.23% < Pr_SVM_(42 features) = 91.42%), (Pr_ANN_(6 features) = 88.11% < Pr_ANN_(42 features) = 89.89%). The specificity is enhanced for all the used models, particularly by using a KNN model (Sp_SVM_(10 features) = 97.26%, Sp_ANN_(6 features) = 97.31%, Sp_NB_(8 features) = 98.43%, Sp_KNN_(6 features) = 99.45%).

Alabdulwahab and Moon (2020) [31] used the NSL_KDD dataset to evaluate different algorithms based on CfsSubsetEval and Best First as wrapper strategy. They tested CfsSubsetEval with six supervised classifiers: Logiboost, RBF, BayesNet, SMO and RepTree. By using the six most relevant DOS-DDOS features, this experiment has shown an important improvement of the execution time (T_NBTree_(6 features) = 14.23s < T_NBTree_(42 features) = 213.18s, T_Logiboost_(6 features) = 9.96s < T_Logiboost_(42 features) = 18.3s). However, the accuracy was better without using the wrapper process (Acc_NBTree_(6 features) = 99.46% < Acc_NBTree_(42 features) = 99.87%). However, the RepTree algorithm decreased the accuracy and increased the execution time (Acc_RepTree_(6 features) = 99.44% < Acc_RepTree_(42 features) = 99.83%, T_RepTree_(6 features) = 5.76s > T_RepTree_(42 features) = 3.59s).

Umar et al. (2020) [56] applied Best First Forward as search strategy and DT to evaluate the performance of their attack detection model. This strategy selected nineteen best features by using the UNSW_NB15 dataset. The assessment of this experiment was based on five metrics: Acc, DR, FAR and T. This method has shown that the execution time has overall decreased for the different classifiers used: ANN (T_ANN_(19 features) = 240s < T_ANN_(42 features) = 660s), RF (T_RF_(19 features) = 37.8s < T_RF_(19 features) = 44.4s), NB (T_NB_(19 features) = 2.86s < T_NB_(42 features) = 4.64s).

By using nineteen DOS-DDOS features, the five metrics values of the ANN, RF and SVM models are slightly the same as the baseline model.

The NB model achieved the worst detection rate (DR_NB_(19 features) = 19.38%) and the same FAR value as the baseline model (FAR_NB_(19 features) = FAR_NB_(42 features) = 0.01%).

The same performance was observed by the RF model (FAR_RF_(19 features) = 27.73% = FAR_RF_(42 features) = 27.74%).

However, the classifiers KNN, SVM, ANN and RF increased the FAR value (FAR_ANN_(19 features) = 37.36% > FAR_ANN_(42 features) = 29.45%, FAR_SVM_(19 features) = 45.64% > FAR_SVM_(42 features) = 40.51%).

Umar and Chen (2020) [57] used Best First as search strategy and DT as evaluator of their wrapper process. Based on the UNSW_NB15 and NSL_KDD datasets and four classifiers (ANN, SVM, KNN and RF), this process has selected twenty best DOS-DDOS features. The authors used five metrics to evaluate their models: Acc, DR, FAR and T. As a result of this experiment, the RF algorithm outperformed the other classifiers used. By using the NSL_KDD dataset, the wrapper process enhanced the accuracy and reduced the execution time (Acc_RF_(20 features) = 99.7% > Acc_RF_(42 features) = 98.8%, T_RF_(20 features) = 13.2s < T_RF_(42 features) = 15s). The use of the UNSW_NB15 dataset and the wrapper step enhanced the RF accuracy and slightly increased the execution time due to the unnormalized data (Acc_RF_(20 features) = 98.51% > Acc_RF_(42 features) = 95.74%, T_RF_(20 features) = 33.6s > T_RF_(42 features) = 32.4s).


The performances of KNN, SVM and ANN were slightly lower by using twenty features, UNSW_NB15 and NSL_KDD datasets.

However, the SVM model drastically increased the execution time (T_SVM_(20 features) = 10236.6s > T_SVM_(42 features) = 5213.4s) by using the UNSW_NB15 and NSL_KDD datasets. The KNN and RF classifiers decreased the FAR value on the UNSW_NB15 dataset: (FAR_KNN_(20 features) = 7.36% < FAR_RF_(42 features) = 11.42%, FAR_RF_(20 features) = 2.89% < FAR_RF_(42 features) = 8.77%).

5) DOS-DDOS based on wrapper process and meta-heuristics search: Meta-heuristics are new optimization methods used in DOS-DDOS feature selection problems to provide a near-optimal solution [34]. These methods are based on two main search strategies [58]. The first strategy is used to guarantee a global and efficient search to find a solution of DOS-DDOS feature selection. The second strategy is used to improve feature selection solutions.

Important research projects have applied meta-heuristic strategies to solve the problem of DOS-DDOS feature selection. In the paragraph below we discuss the important results of these investigations. At the end of this subsection, we present our second dashboard (Tables IIIA, IIIB, IIIC) to summarize and to compare the performances of these strategies.

TABLE III. (A): WRAPPER METHODS BASED ON META-HEURISTIC SEARCH (MHS)

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategies | Number of DOS-DDOS features | Used classifier | Used metrics | Values metrics with FS | Values metrics without FS |
|---|---|---|---|---|---|---|---|
| Jun et al. (2010) [59] | KDD’99 | ABC | 5 | SVM | Accuracy | 99.92% | NA |
| | | | | | Time (s) | 12.20 | NA |
| Alomari and A. Othman (2012) [60] | KDD’99 | BA | 6 | SVM | Accuracy | 93.36% | NA |
| | | | | | Detection Rate | 90.22% | NA |
| | | | | | FAR | 4.56% | NA |
| De la Hoz et al. (2014) [61] | NSL_KDD | NSGA-II | 25 | GHSOM | Accuracy | 99.5% | 96.02% |
| Senthilnayaki et al. (2015) [62] | KDD’99 | GA | 10 | SVM | Accuracy | 99.15% | 82.45% |
| Gaikwad and Thool (2015) [63] | NSL_KDD | GA | 15 | Bagging (PART) | Accuracy | 99.71% | NA |
| | | | | | Time (s) | 1589 | NA |
| | | | | PART | Accuracy | 77.79% | NA |
| | | | | | Time (s) | 274 | NA |
| | | | | Bagging (C4.5) | Accuracy | 77.86% | NA |
| | | | | | Time (s) | 1795 | NA |

TABLE III-(B): WRAPPER METHODS BASED ON META-HEURISTIC SEARCH (MHS)

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategies | Number of DOS-DDOS features | Used classifier | Used metrics | Values metrics with FS | Values metrics without FS |
|---|---|---|---|---|---|---|---|
| Gaikwad and Thool (2015) [63] | NSL_KDD | GA | 15 | C4.5 | Accuracy | 79.08% | NA |
| | | | | | Time (s) | 176.05 | NA |
| Wang Xingzhu (2015) [42] | KDD’99 | ACO | 10 | SVM | Detection Rate | 97.09% | 92.71% |
| | | | | | Time (s) | 17.99 | 23.51 |
| Eesa et al. (2015) [64] | KDD’99 | CFA | 10 | ID3 | Accuracy | 92.83% | 73.26% |
| | | | | | Detection Rate | 92.05% | 71.08% |
| | | | | | FAR | 3.9% | 17.685% |
| Kang and Kim (2016) [65] | NSL_KDD | LSA-K-means | 25 | MLP | Accuracy | 99.37% | 96.93% |
| | | | | | Detection Rate | 99.42% | 93.38% |
| | | | | | FAR | 0.66% | 0.96% |
| Hosseinzadeh and Kabiri (2016) [66] | KDD’99 | ACO | 4 | NN | Precision | 81.66% | 87.86% |
| | | | | | Recall | 99.78% | 80.02% |
| | | | | | F-measure | 89.82% | 83.76% |
| Khammassi and Krichen (2017) [26] | KDD’99 | GA-LR | 18 | RF | Precision | 99.97% | NA |
| | | | | | Recall | 99.98% | NA |
| | UNSW_NB15 | GA-LR | 20 | C4.5 | Precision | 36.09% | NA |
| | | | | | Recall | 4.11% | NA |
| Enache et al. (2017) [67] | NSL_KDD | PSO | 21 | SVM | Detection Rate | 97.17% | 89.64% |
| | | | | | FAR | 1.6% | 6.88% |
| | | | 20 | NB | Detection Rate | 89.85% | 90.53% |
| | | | | | FAR | 5.34% | 6.66% |
| | | | 20 | C4.5 | Detection Rate | 96.66% | 95.67% |
| | | | | | FAR | 2.62% | 3.02% |
| Yin Chunyong et al. (2017) [68] | KDD’99 | ICSA | 21 | KNN | Accuracy | 99.5% | - |
| | | | | | FAR | 0.1% | - |
| Khorram and Baykan (2018) [69] | NSL_KDD | PSO | 11 | KNN | Accuracy | 96.04% | 93.9% |
| | | | | | Detection Rate | 94.9% | 91.9% |
| | | | | | Time (s) | 52 | 291 |
| | | | | SVM | Accuracy | 96.02% | 91.4% |
| | | | | | Detection Rate | 92.3% | 89.9% |
| | | | | | Time (s) | 309 | 722 |
| | | ACO | 7 | KNN | Accuracy | 98.13% | 93.9% |
| | | | | | Detection Rate | 97.2% | 91.9% |
| | | | | | Time (s) | 67 | 291 |
| | | | | SVM | Accuracy | 95.6% | 91.4% |
| | | | | | Detection Rate | 93% | 89.9% |
| | | | | | Time (s) | 142 | 722 |
| | | ABC | 7 | KNN | Accuracy | 98.9% | 93.9% |
| | | | | | Detection Rate | 98.7% | 91.9% |
| | | | | | Time (s) | 53 | 291 |
| | | | | SVM | Accuracy | 97.1% | 91.4% |
| | | | | | Detection Rate | 93.9% | 89.9% |
| | | | | | Time (s) | 341 | 722 |

TABLE III-(C): WRAPPER METHODS BASED ON META-HEURISTIC SEARCH (MHS)

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategies | Number of DOS-DDOS features | Used classifier | Used metrics | Values metrics with FS | Values metrics without FS |
|---|---|---|---|---|---|---|---|
| Mazini et al. (2019) [70] | NSL_KDD | ABC | 25 | AdaBoost | Accuracy | 98.90% | NA |
| | | | | | Detection Rate | 99.61% | NA |
| | | | | | FAR | 0.01% | NA |
| Samadi Bonab et al. [58] | KDD | FFA-ALO | 12 | DT | Accuracy | 99.73% | 97.99% |
| | | | | | Specificity | 99.67% | NA |
| | | | | | Sensitivity | 99.87% | NA |
| | | | | | Time (s) | 2.90 | NA |
| | NSL_KDD | FFA-ALO | 16 | DT | Accuracy | 99.31% | 99.31% |
| | | | | | Specificity | 97.10% | NA |
| | | | | | Sensitivity | 99.24% | NA |
| | | | | | Time (s) | 1.50 | NA |
| | UNSW_NB15 | FFA-ALO | 15 | DT | Accuracy | 99.12% | 85.56% |
| | | | | | Specificity | 91.76% | NA |
| | | | | | Sensitivity | 93.46% | NA |
| | | | | | Time (s) | 1.32 | NA |
As an example of relevant research projects based on wrapper process and meta-heuristic search, we can cite the important investigation of Jun Wang et al. [59]. In this study, the ABC-SVM approach was adopted as wrapper feature selection process. This wrapper strategy selected five DOS-DDOS best features from the KDD’99 dataset and found the best parameter to the SVM classifier. This method achieved good accuracy (Acc_SVM_(5 features) = 99.92%) and improved the time of execution (T_SVM_(5 features) = 12.20s).

Alomari and Ali Othman (2012) [60] used an approach based on the Bees Algorithm (BA) as a wrapper feature method by using the classifier SVM. This experiment selected six DOS-DDOS features collected from the KDD'99 data set. They compared BA-SVM with other methods and concluded that their method achieved high detection rate and accuracy (DR_SVM_(6 features) = 90.22%, Acc_SVM_(6 features) = 93.36%) on detecting attacks with a low FAR (FAR_SVM_(6 features) = 4.56%).

De La Hoz et al. (2014) [61] used a multi-objective procedure based on the NSGA-II algorithm as wrapper feature selection to reduce the complexity of the Growing Hierarchical Self-Organising Maps (GHSOM) algorithm. This wrapper method selected twenty-five representative features. As one of the multiple objectives based on NSGA-II, the Jaccard index is evaluated after training the GHSOM. Their proposition improved the accuracy compared to the baseline model (Acc_(25 features) = 99.5% > Acc_(42 features) = 96.02%).

Senthilnayaki et al. (2015) [62] combined Genetic Algorithm (GA) with SVM. This study achieved high accuracy (Acc_(10 features) = 99.15%) with only ten best DOS-DDOS features compared to the baseline model (Acc_(42 features) = 82.45%).

Gaikwad and Thool (2015) [63] used Genetic Algorithm as wrapper feature selection, which selected fifteen features. The authors used two classifiers, Partial Decision Tree (PART) and C4.5, and they employed Bagging on the two previous classifiers. This experiment has shown that using PART with the bagged classifier enhanced the accuracy and increased the execution time (Acc_Bagging_PART = 99.71% > Acc_PART = 77.79%, T_Bagging_PART = 1589s > T_PART = 274s). On the other hand, using C4.5 with Bagging decreased the accuracy and drastically increased the execution time (Acc_Bagging_C4.5 = 77.86% < Acc_C4.5 = 79.08%, T_Bagging_C4.5 = 1795s > T_C4.5 = 176.05s).

Wang Xingzhu (2015) [42] combined ACO with feature weighting SVM. This wrapper strategy selected the ten most important DOS-DDOS features, which achieved a high detection rate and reduced the execution time (DR_(10 features) = 97.09% > DR_(42 features) = 92.71%, T_(42 features) = 23.51s > T_(10 features) = 17.99s).

Eesa et al. (2015) [64] modified the Cuttle Fish Algorithm (CFA) and used it as wrapper feature selection method. They applied the classifier ID3 to detect attacks by using the KDD’99 dataset with ten best features. The process showed a real improvement of accuracy and detection rate compared to all used features (Acc_(10 features) = 92.83% > Acc_(42 features) = 73.26%, DR_(10 features) = 92.05% > DR_(42 features) = 71.08%). Moreover, the FAR value decreased from FAR_(42 features) = 17.68% to FAR_(10 features) = 3.9%.

Kang and Kim (2016) [65] employed Local Search Algorithm (LSA) and K-means to find the optimal DOS-DDOS subset features, to reduce the training time and to avoid the over-fitting problem. This experiment evaluated the performance of twenty-five selected DOS-DDOS features. The result has shown that using LSA-K-means as wrapper feature step with MLP enhanced the accuracy, increased the detection rate and reduced the FAR value (Acc_(25 features) = 99.37% > Acc_(42 features) = 96.93%, DR_(25 features) = 99.42% > DR_(42 features) = 93.38%, FAR_(25 features) = 0.66% < FAR_(42 features) = 0.96%).

Hosseinzadeh Aghdam and Kabiri (2016) [66] built an intrusion detection system based on the ACO (Ant Colony Optimization) feature selection method. This method converges faster to the optimal DOS-DDOS subset composed of four DOS-DDOS features. This strategy has increased the Recall and the F-measure values (Re_(4 features) = 99.78% > Re_(42 features) = 80.02%, FM_(4 features) = 89.82% > FM_(42 features) = 83.76%). However, the precision is slightly decreased compared to the baseline model (Pr_(4 features) = 81.66% < Pr_(42 features) = 87.86%).

Khammassi and Krichen (2017) [26] combined Genetic Algorithm with Logistic Regression (LR) as wrapper feature selection method. This experiment, based on different decision tree classifiers (C4.5, RF, and NBTree), has maximized the accuracy by using the KDD’99 and UNSW_NB15 datasets with eighteen and twenty DOS-DDOS best features. The LR-RF strategy has achieved high precision and Recall values (Pr_(18 features) = 99.97%, Re_(18 features) = 99.98%).

By using the UNSW_NB15 dataset with twenty DOS-DDOS features, the LR-C4.5 process has achieved the worst Recall and precision values (Re_(20 features) = 4.11%, Pr_(20 features) = 36.09%).

Enache et al. (2017) [67] conducted their experiment on the NSL_KDD dataset with many wrapper approaches (Algorithm (BA) and Particle Swarm Optimization (PSO)). To evaluate these strategies they used the classifiers C4.5, SVM and BN.

The PSO-SVM process outperformed the other classifiers with only twenty-one features. It enhanced the detection rate and decreased the FAR value (DR_(21 features) = 97.17% > DR_(42 features) = 89.64%, FAR_(21 features) = 1.6% < FAR_(42 features) = 6.88%).

By using eighteen selected features, the process BA-C4.5 achieved an interesting detection rate and slightly increased the FAR value (DR_(18 features) = 96.01% > DR_(42 features) = 95.67%, FAR_(18 features) = 3.20% > FAR_(42 features) = 3.02%).

Yin Chunyong et al. (2017) [68] used an artificial immune system as wrapper method which improved the Clonal Selection Algorithm (ICSA). This method, based on the theory of the biological immune system learning process, selected twenty-one features from the KDD’99 dataset.

This subset realized a good accuracy and low FAR value (Acc_(21 features) = 99.5%, FAR_(21 features) = 0.1%).

Khorram and Baykan (2018) [69] tested and compared the performances of three wrapper feature selection methods by using two classifiers: SVM and KNN. The wrapper methods used are Particle Swarm Optimization (PSO), Ant Colony Optimization (ACO) and Artificial Bee Colony (ABC).

This experiment showed that the ABC-KNN strategy with seven features outperformed the use of all features (T_ABC-KNN_(7 features) = 53s < T_KNN_(42 features) = 291s, Acc_ABC-KNN_(7 features) = 98.9% > Acc_KNN_(42 features) = 93.9%, DR_ABC-KNN_(7 features) = 98.7% > DR_KNN_(42 features) = 91.9%).

Mazini et al. (2019) [70] employed ABC as wrapper process to optimize their IDS by using the NSL_KDD dataset, the classifier AdaBoost and the parameters regulation method. This strategy selected twenty-five DOS-DDOS features and achieved a high accuracy, a high detection rate and low FAR values (Acc_(25 features) = 98.90%, DR_(25 features) = 99.61%, FAR_(25 features) = 0.01%).

Samadi Bonab et al. [58] proposed an improved version of IDS based on the hybrid method Fruit Fly algorithm (FFA) and the Lion Optimizer algorithm (ALO) as wrapper approach. This strategy, based on the datasets KDD’99, NSL_KDD and UNSW_NB15, reduced the used features from 41 to 12 on KDD’99, from 41 to 16 on NSL_KDD and from 48 to 15 on UNSW_NB15. It applied the DT algorithm as a classifier on these different datasets. The performances are evaluated by using five metrics: Acc, Sp, Sen and T. This experiment has shown an enhanced accuracy and reduced the execution time on the KDD’99 and UNSW_NB15 datasets (Acc_KDD’99_(12 features) = 99.73% > Acc_KDD’99_(42 features) = 97.99%, Acc_UNSW_NB15_(15 features) = 99.12% > Acc_UNSW_NB15_(42 features) = 85.56%). On the NSL_KDD dataset the use of this wrapper process didn’t change the accuracy (Acc_NSL_KDD_(16 features) = Acc_NSL_KDD_(42 features) = 93%). However, the specificity was lower on UNSW_NB15 and NSL_KDD compared to KDD’99 (Sp_UNSW_NB = 91.76% < Sp_NSL_KDD = 97.10% < Sp_KDD = 99.67%).

The Tables IIIA, IIIB, IIIC summarize and compare the performances of all wrapper process and meta-heuristic strategies discussed above.

6) DOS-DDOS feature selection based on wrapper process and Random search methods: Random search methods are applied in DOS-DDOS feature selection projects to evaluate the DOS-DDOS features on random sampling around the problem region. These stochastic methods are mainly used to solve the global problem optimizations [71].

To optimize the DOS-DDOS feature subsets, many important research projects have used wrapper process and random search methods to solve this problem. We discuss these projects in the paragraph below. At the end of this subsection, we present our third dashboard (Table IV) to summarize and to compare the performances of these strategies.

As an example of these important investigations, we can cite the important study of Lin et al. (2012) [72] which combined Simulated Annealing (SA) with the SVM algorithm to get the best feature subset. This experiment selected twenty three best DOS-DDOS features, which were evaluated by SA as random search and C4.5 decision tree as classifier. Compared to the initial set of features, the selected subset achieved a high accuracy equal to 99.96%.

Chowdhury et al. (2016) [36] used a wrapper feature selection method based on SA as random search and the ACCS dataset. This strategy selected three best features to detect attacks.

By applying the SVM algorithm with SA, this experiment showed better accuracy and lower FAR and FN values compared to all used features (Acc_SVM_(3 features) = 98.76% > Acc_SVM_(42 features) = 88.03%, FAR_SVM_(3 features) = 0.09% < FAR_SVM_(42 features) = 4.2%, FN_SVM_(3 features) = 1.15% < FN_SVM_(42 features) = 7.77%).

Hasan Md El Mehedi et al. (2016) [73] adapted the Random Forest algorithm (RF) to select twenty-five best features by using the KDD’99 dataset. The performance evaluation is based on 3 metrics: accuracy, precision and FAR. Compared to the initial used dataset with all features, this wrapper strategy increased the accuracy and the precision and decreased the FAR value (Acc_(25 features) = 91.90% > Acc_(42 features) = 91.41%, Pr_(25 features) = 98.94% > Pr_(42 features) = 98.91%, FAR_(25 features) = 5.82% < FAR_(42 features) = 7.52%).

TABLE IV. WRAPPER METHOD BASED ON RANDOM METHODS

| DOS-DDOS feature selection projects based on wrapper methods | DOS-DDOS used dataset | Used wrapper strategies | Number of DOS-DDOS features | Used classifier | Used metrics | Values metrics with FS | Values metrics without FS |
|---|---|---|---|---|---|---|---|
| Lin et al. [72] | KDD’99 | SA-SVM | 23 | SA-DT | Accuracy | 99.96% | NA |
| Chowdhury et al. [36] | ACCS | SA | 3 | SVM | Accuracy | 98.76% | 88.03% |
| | | | | | FAR | 0.09% | 4.2% |
| | | | | | FN | 1.15% | 7.77% |
| Hasan Md El Mehedi et al. [73] | KDD’99 | RF | 25 | RF | Accuracy | 91.90% | 91.41% |
| | | | | | Precision | 98.94% | 98.91% |
| | | | | | FAR | 5.82% | 7.52% |
| Najeeb and Dhannoon (2018) [74] | NSL_KDD | BFA | 15 | NB | Accuracy | 94.83% | 89.9% |
| Almasoudy et al. (2019) [75] | NSL_KDD | DE | 9 | ELM | Detection Rate | 91.5% | 79.55% |
| | | | | | Precision | 81.18% | 94.90% |
| | | | | | F_measure | 86.03% | 80.44% |
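The wrapper loop behind the random-search studies in this subsection, as an added example that is not code from the paper or from any cited study: simulated annealing proposes feature subsets and a classifier trained on each subset scores it, with Acc, DR and FAR reported with and without FS. The flow records, the ten-feature layout, the nearest-centroid classifier (standing in for the SVM and decision-tree evaluators of the cited works) and the SA parameters are all constructed assumptions.

```python
"""Wrapper feature selection: simulated annealing search + classifier evaluator."""
import math
import random

N_FEATURES = 10
INFORMATIVE = (0, 1, 2)  # constructed stand-ins, e.g. packet rate, SYN ratio, source entropy


def make_flows(n, seed):
    """Constructed flow records: 3 informative features, 7 high-variance noise features."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        attack = 1 if rng.random() < 0.5 else 0
        rows.append([rng.gauss(1.5 * attack, 1.0) if j in INFORMATIVE else rng.gauss(0.0, 4.0)
                     for j in range(N_FEATURES)])
        labels.append(attack)
    return rows, labels


def fit_centroids(rows, labels, mask):
    """Train a nearest-centroid classifier on the features enabled in mask."""
    cols = [j for j, on in enumerate(mask) if on]
    sums = {0: [0.0] * len(cols), 1: [0.0] * len(cols)}
    counts = {0: 0, 1: 0}
    for row, y in zip(rows, labels):
        counts[y] += 1
        for k, j in enumerate(cols):
            sums[y][k] += row[j]
    return cols, {y: [s / max(counts[y], 1) for s in sums[y]] for y in sums}


def predict(model, row):
    """Label a flow 1 (attack) when it is closer to the attack centroid."""
    cols, cent = model
    dist = {y: sum((row[j] - c[k]) ** 2 for k, j in enumerate(cols)) for y, c in cent.items()}
    return 1 if dist[1] < dist[0] else 0


def evaluate(y_true, y_pred):
    """Return (accuracy, detection rate, false alarm rate)."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    dr = tp / (tp + fn) if tp + fn else 0.0
    far = fp / (fp + tn) if fp + tn else 0.0
    return (tp + tn) / len(pairs), dr, far


def score(mask, train, valid):
    """Wrapper evaluator: train on the candidate subset, return validation accuracy."""
    model = fit_centroids(train[0], train[1], mask)
    return evaluate(valid[1], [predict(model, r) for r in valid[0]])[0]


def sa_select(train, valid, iters=300, t0=0.05, cooling=0.98, seed=7):
    """Simulated annealing over feature bit masks, starting from the full set."""
    rng = random.Random(seed)
    current = [1] * N_FEATURES
    cur_score = score(current, train, valid)
    best, best_score = current[:], cur_score
    temp = t0
    for _ in range(iters):
        cand = current[:]
        cand[rng.randrange(N_FEATURES)] ^= 1      # neighbour: flip one feature in or out
        temp *= cooling
        if not any(cand):                          # never evaluate the empty subset
            continue
        cand_score = score(cand, train, valid)
        delta = cand_score - cur_score
        # Accept improvements always, worse subsets with probability exp(delta / temp).
        if delta >= 0 or rng.random() < math.exp(delta / temp):
            current, cur_score = cand, cand_score
        # Keep the best subset seen; on ties prefer the smaller one.
        if cur_score > best_score or (cur_score == best_score and sum(current) < sum(best)):
            best, best_score = current[:], cur_score
    return best, best_score


def compare(seed=1):
    """Select on train/validation data, then report test metrics with and without FS."""
    train = make_flows(300, seed)
    valid = make_flows(200, seed + 1)
    test = make_flows(500, seed + 2)
    mask, valid_acc = sa_select(train, valid)
    full = [1] * N_FEATURES
    report = {}
    for name, m in (("without FS", full), ("with FS", mask)):
        model = fit_centroids(train[0], train[1], m)
        report[name] = evaluate(test[1], [predict(model, r) for r in test[0]])
    return mask, valid_acc, score(full, train, valid), report


if __name__ == "__main__":
    mask, valid_acc, full_valid_acc, report = compare()
    print("selected features:", [j for j, on in enumerate(mask) if on])
    print("validation accuracy: %.3f (all features: %.3f)" % (valid_acc, full_valid_acc))
    for name, (acc, dr, far) in report.items():
        print("%-10s Acc=%.3f DR=%.3f FAR=%.3f" % (name, acc, dr, far))
```

The subset is chosen on a validation split and the reported metrics come from a separate test split, so the with-FS figures are not inflated by the search itself. Swapping the proposal step (a greedy Best First move, a GA or swarm update) while keeping `score` unchanged gives the heuristic and meta-heuristic wrappers discussed earlier.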


Najeeb and Dhannoon (2018) [74] proposed an IDS model that combined the Binary Firefly (BFA) method with the Naïve Bayes (NB) classifier by using the NSL_KDD dataset. The BFA is initialized by a binary sequence, contrary to the Firefly (FA) algorithm. This model was iterated two hundred times with fifteen selected features and achieved better accuracy compared to all used features (Acc_(25 features) = 94.83% > Acc_(42 features) = 89.9%).

Almasoudy et al. (2019) [75] realized an IDS experiment based on Differential Evolution (DE) as wrapper-based approach by using the NSL_KDD dataset. Nine candidate features are randomly selected. The Extreme Learning Machine (ELM) is used as classifier to compute the accuracy of DOS-DDOS features until it achieved high accuracy. Applied to predicting DOS-DDOS attacks, this method achieved a high detection rate and a high F-measure and slightly decreased the precision (DR_(9 features) = 91.5% > DR_(42 features) = 79.55%, FM_(9 features) = 86.03% > FM_(42 features) = 80.84%, Pr_(42 features) = 94.90% > Pr_(9 features) = 81.18%).

VI. CONCLUSION

Nowadays, cybersecurity attacks grow over time, especially the Denial of Service attack (DOS) and its variant Distributed Denial of Service (DDOS). These famous attacks continue to threaten private and public activities everywhere.

Dealing with these threats by using Machine Learning (ML) models can hold great promise in DOS-DDOS security systems. By learning from and identifying a large amount of network traffic, these predictive models can efficiently handle the DOS-DDOS threats and overcome several limits and performance issues of the traditional security solutions.

One of the key preprocessing phases for making these DOS-DDOS cybersecurity intelligence models succeed and for optimizing them is the feature selection step, particularly the feature selection method based on the Wrapper strategies.

Using Wrapper techniques significantly improved the selection of the relevant DOS-DDOS features and enhanced the performance of many existing ML solutions.

In this paper, we have advanced the development of this previous work by studying different DOS-DDOS datasets, algorithms and the results of several research projects. We have reviewed and evaluated the impact of many important wrapper strategies used by many existing DOS-DDOS security systems.

We have summarized the findings in three dashboards that are essential to understand the performance of three wrapper strategies commonly used in DOS-DDOS ML models: heuristic search algorithms, meta-heuristic search and random search methods.

This study shows that many wrapper strategies, algorithms and DOS-DDOS features with a relevant impact can be selected to improve the existing DOS-DDOS ML solutions.

ACKNOWLEDGMENT

I would like to express my sincere gratitude to my Professors and my family for the continuous support of my study and related research, for their patience, motivation, and immense knowledge.

REFERENCES

[1] F. Ullah, M. Ali Babar, “Architectural Tactics for Big Data Cybersecurity Analytics Systems: A Review,” Journal of Systems and Software, 151, 81–118, 2019, doi:10.1016/j.jss.2019.01.051.
[2] R. Vishwakarma, K. Ankit Jain, “A survey of DDoS attacking techniques and defence mechanisms in the IoT network,” Telecommunication Systems: Modelling, Analysis, Design and Management, 73(1), 3–25, 2020.
[3] K.M. Prasad, D.A.R.M. Reddy, D.K.V. Rao, “DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey,” Global Journal of Computer Science and Technology, 2014.
[4] J.-H. Cho, J.-Y. Shin, H. Lee, J.-M. Kim, G. Lee, “DDoS Prevention System Using Multi-Filtering Method,” Atlantis Press: 774–778, 2015, doi:10.2991/cmfe-15.2015.182.
[5] S. Qadir Mir, S. Quadri, “Information Availability: An Insight into the Most Important Attribute of Information Security,” Journal of Information Security, 07, 185–194, 2016, doi:10.4236/jis.2016.73014.
[6] M. Sachdeva, G. Singh, K. Saluja, K. Singh, “DDoS Incidents and their Impact: A Review,” Int. Arab J. Inf. Technol., 7, 14–20, 2010.
[7] X. Liang, T. Znati, “On the performance of intelligent techniques for intensive and stealthy DDos detection,” Computer Networks, 164, 106906, 2019, doi:10.1016/j.comnet.2019.106906.
[8] Ibrahim Salim M., T.A. Razak, “A study on IDS for preventing Denial of Service attack using outliers techniques,” in 2016 IEEE International Conference on Engineering and Technology (ICETECH), 768–775, 2016, doi:10.1109/ICETECH.2016.7569352.
[9] Y.V. Srinivasa Murthy, K. Harish, V. Varma, K. Sriram, B. Revanth, “Hybrid Intelligent Intrusion Detection System using Bayesian and Genetic Algorithm (BAGA): Comparitive Study,” International Journal of Computer Applications, 99, 1–8, 2014, doi:10.5120/17342-7808.
[10] O. Salem, M. HOTTE, Q.-E. LUTTIN, T. ASCOET, Protection contre les attaques de déni de service dans les réseaux IP, Paris Descarte IUT, ECTEI: 31, 2015.
[11] J. Jang-Jaccard, S. Nepal, “A survey of emerging threats in cybersecurity,” Journal of Computer and System Sciences, 80(5), 973–993, 2014, doi:10.1016/j.jcss.2014.02.005.
[12] K.R. Bandara, T. Abeysinghe, A. Hijaz, D. Darshana, H. Aneez, S.J. Kaluarachchi, K.D. Sulochana, M. DhishanDhammearatchi, “Preventing DDoS attack using Data mining Algorithms,” International Journal of Scientific and Research Publications, 6(10), 390–400, 2016.
[13] L. Gnanaprasanambikai, N. Munusamy, “Data Pre-Processing and Classification for Traffic Anomaly Intrusion Detection Using NSLKDD Dataset,” Cybernetics and Information Technologies, 18, 2018, doi:10.2478/cait-2018-0042.
[14] S.X. Wu, W. Banzhaf, “The use of computational intelligence in intrusion detection systems: A review,” Applied Soft Computing, 10(1), 1–35, 2010, doi:10.1016/j.asoc.2009.06.019.
[15] A. Alazab, M. Hobbs, J. Abawajy, M. Alazab, “Using feature selection for intrusion detection system,” in 2012 International Symposium on Communications and Information Technologies (ISCIT), IEEE, Gold Coast, Australia: 296–301, 2012, doi:10.1109/ISCIT.2012.6380910.
[16] V.O. Ferreira, V.V. Galhardi, L.B.L. Gonçalves, R.C. Silva, A.M. Cansian, “A model for anomaly classification in intrusion detection systems,” Journal of Physics: Conference Series, 633, 4, 2015, doi:10.1088/1742-6596/633/1/012124.
[17] M. Bataghva, “Efficiency and Accuracy Enhancement of Intrusion Detection System Using Feature Selection and Cross-layer Mechanism,” Electronic Thesis and Dissertation Repository, 2017.
[18] I.H. Sarker, A.S.M. Kayes, S. Badsha, H. Alqahtani, P. Watters, A. Ng, “Cybersecurity data science: an overview from machine learning perspective,” Journal of Big Data, 7(1), 41, 2020, doi:10.1186/s40537-020-00318-5.
[19] J.B. Fraley, J. Cannady, “The promise of machine learning in cybersecurity,” in SoutheastCon 2017, 1–6, 2017, doi:10.1109/SECON.2017.7925283.


[20] F. Ullah, M. Ali Babar, “Architectural Tactics for Big Data Cybersecurity Analytic Systems: A Review,” Journal of Systems and Software, 151, 2018, doi:10.1016/j.jss.2019.01.051.
[21] S. Sambangi, L. Gondi, “A Machine Learning Approach for DDoS (Distributed Denial of Service) Attack Detection Using Multiple Linear Regression,” Proceedings, 63(1), 51, 2020, doi:10.3390/proceedings2020063051.
[22] R. Panthong, A. Srivihok, “Wrapper Feature Subset Selection for Dimension Reduction Based on Ensemble Learning Algorithm,” Procedia Computer Science, 72, 162–169, 2015, doi:10.1016/j.procs.2015.12.117.
[23] N. Bindra, M. Sood, “Evaluating the Impact of Feature Selection Methods on the Performance of the Machine Learning Models in Detecting DDoS Attacks,” Romanian Journal of Information Science and Technology, 3, 250–261, 2020.
[24] M. Joshi, T.H. Hadi, “A Review of Network Traffic Analysis and Prediction Techniques,” Network Traffic Analysis and Prediction, 23, 2015.
[25] Z. Foroushani, Y. Li, “Intrusion Detection System by Using Hybrid Algorithm of Data Mining Technique,” in ICSCA 2018: Proceedings of the 2018 7th International Conference on Software and Computer Applications, Kuantan, Malaysia: 119–123, 2018, doi:10.1145/3185089.3185114.
[26] C. Khammassi, S. Krichen, “A GA-LR wrapper approach for feature selection in network intrusion detection,” Computers & Security, 70, 255–277, 2017, doi:10.1016/j.cose.2017.06.005.
[27] V. Bolón-Canedo, N.S. Maroño, A. Alonso-Betanzos, Feature Selection for High-Dimensional Data, Springer International Publishing, 2015, doi:10.1007/978-3-319-21858-8.
[28] F. Amiri, “Mutual information-based feature selection for intrusion detection systems,” Journal of Network and Computer Applications, 34(4), 1184–1199, 2011, doi:10.1016/j.jnca.2011.01.002.
[29] V. Bachu, J. Anuradha, “A Review of Feature Selection and Its Methods,” Cybernetics and Information Technologies, 19, 3, 2019, doi:10.2478/cait-2019-0001.
[30] V. Kumar, S. Minz, “Feature selection: A literature review,” Smart Computing Review, 4, 211–229, 2014, doi:10.1145/2740070.2626320.
[31] S. Alabdulwahab, B. Moon, “Feature Selection Methods Simultaneously Improve the Detection Accuracy and Model Building Time of Machine Learning Classifiers,” Symmetry, 12(9), 1424, 2020, doi:10.3390/sym12091424.
[32] S. Dwivedi, M. Vardhan, S. Tripathi, “Defense against distributed DoS attack detection by using intelligent evolutionary algorithm,” International Journal of Computers and Applications, 1–11, 2020, doi:10.1080/1206212X.2020.1720951.
[33] K. Yan, D. Zhang, “Feature selection and analysis on correlated gas sensor data with recursive feature elimination,” Sensors and Actuators B: Chemical, 212, 353–363, 2015, doi:10.1016/j.snb.2015.02.025.

Procedia Computer Science, 127, 1–6, 2018, doi:10.1016/j.procs.2018.01.091.
[40] V.D. Katkar, S.V. Kulkarni, “Experiments on detection of Denial of Service attacks using ensemble of classifiers,” in 2013 International Conference on Green Computing, Communication and Conservation of Energy (ICGCE), 837–842, 2013, doi:10.1109/ICGCE.2013.6823550.
[41] M.H. Bhuyan, D.K. Bhattacharyya, J.K. Kalita, “Network Anomaly Detection: Methods, Systems and Tools,” IEEE Communications Surveys Tutorials, 16(1), 303–336, 2014, doi:10.1109/SURV.2013.052213.00046.
[42] W. Xingzhu, “ACO and SVM Selection Feature Weighting of Network Intrusion Detection Method,” International Journal of Security and Its Applications, 9(4), 259–270, 2015, doi:10.14257/ijsia.2015.9.4.24.
[43] J.J. Lu, M. Zhang, Heuristic Search, Springer, New York, NY: 885–886, 2013, doi:10.1007/978-1-4419-9863-7_875.
[44] B. Kavitha, S. Karthikeyan, B. Chitra, Efficient Intrusion Detection with Reduced Dimension Using Data Mining Classification Methods and Their Performance Comparison, Springer Berlin Heidelberg, Berlin, Heidelberg: 96–101, 2010, doi:10.1007/978-3-642-12214-9_17.
[45] M.S. Mok, S.Y. Sohn, Y.H. Ju, “Random Effects Logistic Regression Model for Anomaly Detection,” Expert Syst. Appl., 37(10), 7162–7166, 2010, doi:10.1016/j.eswa.2010.04.017.
[46] I. Ahmad, A. Abdullah, A. Alghamdi, M. Hussain, K. Nafjan, “Intrusion Detection Using Feature Subset Selection based on MLP,” Scientific Research and Essays, 6(34), 6804–6810, 2011, doi:10.5897/SRE11.142.
[47] L. Yinhui, J. Xia, S. Zhang, J. Yan, X. Ai, K. Dai, “An efficient intrusion detection system based on support vector machines and gradually feature removal method,” Expert Systems with Applications, 39, 424–430, 2012, doi:10.1016/j.eswa.2011.07.032.
[48] F. Zhang, D. Wang, “An Effective Feature Selection Approach for Network Intrusion Detection,” in 2013 IEEE Eighth International Conference on Networking, Architecture and Storage, 307–311, 2013, doi:10.1109/NAS.2013.49.
[49] O.Y. Al-Jarrah, A. Siddiqui, M. Elsalamouny, P.D. Yoo, S. Muhaidat, K. Kim, “Machine-Learning-Based Feature Selection Techniques for Large-Scale Network Intrusion Detection,” in 2014 IEEE 34th International Conference on Distributed Computing Systems Workshops (ICDCSW), 177–181, 2014, doi:10.1109/ICDCSW.2014.14.
[50] J. Lee, D. Park, C. Lee, “Feature Selection Algorithm for Intrusions Detection System using Sequential Forward Search and Random Forest Classifier,” KSII Transactions on Internet and Information Systems, 11(10), 5132–5148, 2017.
[51] B.S. Harish, N. Manju, “Hybrid Feature Selection Method Using Fisher’s Discriminate Ratio to Classify Internet Traffic Data,” in Proceedings of the 4th International Conference on Frontiers of Educational Technologies, ACM, New York, NY, USA: 75–79, 2018, doi:10.1145/3233347.3233369.
[52] H. Soodeh, A. Mehrdad, “The hybrid technique for DDoS detection with
[34] N. Mlambo, W. Cheruiyot, M.W. Kimwele, “A Survey and Comparative supervised learning algorithms,” Computer Networks, 158, 35–45, 2019,
Study of Filter and Wrapper Feature Selection Techniques,” The doi:10.1016/j.comnet.2019.04.027.
International Journal Of Engineering And Science, 5(10), 57–67, 2016. [53] H. Malhotra, P. Sharma, “Intrusion Detection using Machine Learning
[35] N. Moustafa, J. Slay, “UNSW-NB15: a comprehensive data set for and Feature Selection,” International Journal of Computer Network and
network intrusion detection systems (UNSW-NB15 network data set),” Information Security, 11(4), 43–52, 2019,
in 2015 Military Communications and Information Systems Conference, doi:10.5815/ijcnis.2019.04.06.
1–6, 2015, doi:10.1109/MilCIS.2015.7348942. [54] M. Wang, Y. Lu, J. Qin, “A dynamic MLP-based DDoS attack detection
[36] M.N. Chowdhury, K. Ferens, M. Ferens, “Network Intrusion Detection method using feature selection and feedback,” Computers & Security,
Using Machine Learning,” in Computer Science, CSREA Press: 30–35, 88, 101645, 2020, doi:10.1016/j.cose.2019.101645.
2016. [55] H. Polat, O. Polat, A. Cetin, “Detecting DDoS Attacks in Software-
[37] M.E. Elhamahmy, H.N. Elmahdy, I.A. Saroit, “A New Approach for Defined Networks Through Feature Selection Methods and Machine
Evaluating Intrusion Detection System,” in CiiT International Journal of Learning Models,” Sustainability, 12(3), 1–16, 2020.
Artificial Intelligent Systems and Machine Learning, 290–298, 2010. [56] M.A. Umar, C. Zhanfang, Y. Liu, “Network Intrusion Detection Using
[38] Kamarularifin Abd Jalil, Muhammad Hilmi Kamarudin, Mohamad Wrapper-based Decision Tree for Feature Selection,” in Proceedings of
Noorman Masrek, “Comparison of Machine Learning algorithms the 2020 International Conference on Internet Computing for Science
performance in detecting network intrusion,” in 2010 International and Engineering, ACM, Male Maldives: 5–13, 2020,
Conference on Networking and Information Technology, 221–226, doi:10.1145/3424311.3424330.
2010, doi:10.1109/ICNIT.2010.5508526. [57] M.A. Umar, Z. Chen, Effects of Feature Selection and Normalization on
[39] M. Belouch, S. El Hadaj, M. Idhammad, “Performance evaluation of Network Intrusion Detection, 2020, doi:10.36227/techrxiv.12480425.
intrusion detection based on machine learning using Apache Spark,”


[58] M. Samadi Bonab, A. Ghaffari, F. Soleimanian Gharehchopogh, P. Detection,” in 2017 21st International Conference on Control Systems
Alemi, “ A wrapper ‐ based feature selection for improving and Computer Science (CSCS), 239–244, 2017,
performance of intrusion detection systems,” International Journal of doi:10.1109/CSCS.2017.40.
Communication Systems, 33, 2020, doi:10.1002/dac.4434. [68] C. Yin, L. Ma, L. Feng, “Towards accurate intrusion detection based on
[59] W. Jun, L. Taihang, R. Rongrong, “A real time IDSs based on artificial improved clonal selection algorithm,” Multimedia Tools and
Bee Colony-support vector machine algorithm,” Suzhou, Jiangsu, China: Applications, 76(19), 19397–19410, 2017, doi:10.1007/s11042-015-
91–96, 2010, doi:10.1109/IWACI.2010.5585107. 3117-0.
[60] O. Alomari, Z. Ali Othman, “Bees Algorithm for feature selection in [69] T. Khorram, N. Baykan, “Feature selection in network intrusion
Network Anomaly detection,” 8(3), 1748–1756, 2012. detection using metaheuristic algorithms,” International Journal Of
[61] E. de la Hoz, E. de la Hoz, A. Ortiz, J. Ortega, A. Martínez-Álvarez, Advance Research, Ideas and Innovations in Technology, 4(4), 704–710,
“Feature selection by multi-objective optimisation: Application to 2018.
network anomaly detection by hierarchical self-organising maps,” [70] M. Mazini, B. Shirazi, I. Mahdavi, “Anomaly network-based intrusion
Knowledge-Based Systems, 71, 322–338, 2014, detection system using a reliable hybrid artificial bee colony and
doi:10.1016/j.knosys.2014.08.013. AdaBoost algorithms,” Journal of King Saud University - Computer and
[62] B. Senthilnayaki, K. Venkatalakshmi, A. Kannan, “Intrusion detection Information Sciences, 31(4), 541–553, 2019,
using optimal genetic feature selection and SVM based classifier,” in doi:10.1016/j.jksuci.2018.03.011.
2015 3rd International Conference on Signal Processing, [71] H.E. Romeijn, Random search methods, Springer US, Boston, MA:
Communication and Networking (ICSCN), 1–4, 2015, 3245–3251, 2009, doi:10.1007/978-0-387-74759-0_556.
doi:10.1109/ICSCN.2015.7219890. [72] S.-W. Lin, K. Ying, C. Lee, Z.-J. Lee, “An intelligent algorithm with
[63] D.P. Gaikwad, R.C. Thool, “Intrusion Detection System Using Bagging feature selection and decision rules applied to anomaly intrusion
with Partial Decision TreeBase Classifier,” Procedia Computer Science, detection,” Appl. Soft Comput., 12(10), 3285–3290, 2012,
49, 92–98, 2015, doi:10.1016/j.procs.2015.04.231. doi:10.1016/j.asoc.2012.05.004.
[64] A.S. Eesa, Z. Orman, A.M.A. Brifcani, “A novel feature-selection [73] M.A.M. Hasan, M. Nasser, S. Ahmad, K.I. Molla, “Feature Selection for
approach based on the cuttlefish optimization algorithm for intrusion Intrusion Detection Using Random Forest,” Journal of Information
detection systems,” Expert Systems with Applications, 42(5), 2670– Security, 7(3), 129–140, 2016, doi:10.4236/jis.2016.73009.
2679, 2015, doi:10.1016/j.eswa.2014.11.009. [74] R.F. Najeeb, B.N. Dhannoon, “Improving Detection Rate of the
[65] S.-H. Kang, K.J. Kim, “A feature selection approach to find optimal Network Intrusion Detection System Based on Wrapper Feature
feature subsets for the network intrusion detection system,” Cluster Selection Approach,” Iraqi Journal of Science, 59(1.B), 426–433, 2018,
Computing, 19(1), 325–333, 2016, doi:10.1007/s10586-015-0527-8. doi:10.24996/ijs.2018.59.1B.23.
[66] M. Hosseinzadeh Aghdam, P. Kabiri, “Feature Selection for Intrusion [75] F. Almasoudy, W. Al-Yaseen, A. Idrees, “Differential Evolution
Detection System Using Ant Colony Optimization,” International Wrapper Feature Selection for Intrusion Detection System,” Procedia
Journal of Network Security, 18, 420–432, 2016. Computer Science, 167, 1230–1239, 2019,
[67] A. Enache, V. Sgârciu, M. Togan, “Comparative Study on Feature doi:10.1016/j.procs.2020.03.438.
Selection Methods Rooted in Swarm Intelligence for Intrusion
