Grey Wolf Algorithm
https://doi.org/10.1007/s12652-019-01569-8
ORIGINAL RESEARCH
Received: 21 May 2019 / Accepted: 29 October 2019 / Published online: 9 November 2019
© Springer-Verlag GmbH Germany, part of Springer Nature 2019
Abstract
The rapid development of information technology has increased the number of devices connected to the Internet, and the number of network attacks has increased with it. Accordingly, there is an urgent demand for a defence system proficient in discovering new kinds of attacks. One of the most effective protection systems is the intrusion detection system (IDS). The IDS is an intelligent system that monitors and inspects network packets to identify abnormal behavior. Network packets comprise many attributes, and many of these are irrelevant or repetitive, which degrades the performance of the IDS and overwhelms the system resources. A feature selection technique helps to reduce the computation time and complexity by selecting the optimum subset of features. In this paper, an enhanced anomaly-based IDS model based on the multi-objective grey wolf optimisation (GWO) algorithm is proposed. The GWO algorithm is employed as a feature selection mechanism to identify the most relevant features from the dataset that contribute to high classification accuracy. Furthermore, a support vector machine is used to estimate the capability of the selected features to predict attacks accurately. Moreover, 20% of the NSL–KDD dataset was used to demonstrate the effectiveness of the proposed approach through different attack scenarios. The experimental results show that the proposed approach obtains classification accuracy of (93.64%, 91.01%, 57.72%, 53.7%) for DoS, Probe, R2L, and U2R attacks respectively. Finally, the proposed approach was compared with other existing approaches and achieves significant results.
Keywords Intrusion detection system · Feature selection · Multi-objective optimisation · Swarm intelligence · Grey wolf
algorithm · Support vector machine · Classification
* Mohammed Anbar
Taief Alaa Alamiedy
Zakaria N. M. Alqattan
Qusay M. Alzubi
1 National Advanced IPv6 Centre of Excellence (NAv6), Universiti Sains Malaysia, 11800 USM Penang, Malaysia

1 Introduction

The vast advances in information technology and the wide spread of Internet applications have led to increased use by people. Nowadays the use of technology has become a prerequisite for people's daily life, for example paying bills online, booking flights, watching TV and so on (Kim et al. 2010). In addition, many organisations and companies transfer important information over the network, and this information must be delivered to the destination without any modification (Gholipour Goodarzi et al. 2014; Alamiedy et al. 2019). Besides, spying and hacking techniques have become more sophisticated and can easily be used by an unskilled person. Therefore, there is a need to implement a security system that is able to accurately monitor and inspect the enormous number of packets that pass through the network (Liao et al. 2013).

Furthermore, existing security techniques like data encryption, client authentication, firewalls, and access controls are utilised as the first line of defence for computer and network security; nevertheless, these techniques cannot provide ideal security conditions that protect the network entirely (Kim et al. 2010). Moreover, various researchers work on developing security software/hardware that can reveal various kinds of new attacks and alert the security staff to take action. One of the most popular security systems that provide higher security in computer
networks and thwart attacks is the intrusion detection system (IDS) (Alamiedy et al. 2019). The concept of IDS was first identified in a technical report by Anderson in 1980.

The paper is structured as follows. Section 1.1 presents the concept of the intrusion detection system. Section 1.2 illustrates the principle of the feature selection technique. Section 2 discusses the literature review related to this work. Section 3 presents the description of the benchmark dataset that is used in this work. Section 4 describes the methodology of the proposed approach. The experiment setup and analysis technique are explained in Sect. 5. The results and discussion are covered in Sect. 6, and finally, Sect. 7 concludes the paper, indicating future research directions.

1.1 Intrusion detection system (IDS)

An IDS is a defensive system that is responsible for identifying intrusions and suspicious activities. It operates by monitoring and inspecting the behavior of the client device or network traffic. When malicious activity is detected in the network, the IDS issues an alarm to notify the security team and registers the action in a log file to be used later for further investigation (Shen and Wang 2011). In addition, IDSs can be categorised into different classes based on certain criteria, such as the source of the collected information, the detection approach and the IDS response type (Liao et al. 2013). Figure 1 demonstrates a typical IDS taxonomy.

The deployment of the IDS sensors in the network is crucial to whether an intrusion is detected successfully or not. Accordingly, the collected data play an important role in the IDS detection process. This information can be collected either from the client device or from network traffic, depending on the installation location of the IDS sensors. On this basis, IDSs can be classified into two types, namely host-based IDS and network-based IDS.

1.1.1 Host-based IDS (HIDS)

This approach operates on the client machine and detects intrusions by reviewing and inspecting local files in the system, such as log files, executed commands and sign-in events. In addition, it monitors the usage of hardware resources such as memory, the central processing unit (CPU) and the hard drive (Vithalpura and Diwanji 2015). Besides, when there is any modification in the system or client files, the IDS directly informs the system administrator.

1.1.2 Network-based IDS (NIDS)

This model detects intrusions by observing and inspecting network packets. The NIDS sensors are usually deployed in various locations in the network. These sensors identify intrusions by scanning the network traffic for any abnormal behavior. In addition, these sensors operate in an inconspicuous mode. Consequently, it is very difficult for intruders to determine their place in the network (Lotfi Shahreza et al. 2011).

Additionally, another classification of IDS is based on the detection approach. On this basis, IDSs can be classified into signature-based IDS and anomaly-based IDS, which are illustrated in the next sections.

1.1.3 Signature-based IDS (SIDS)

The detection process in this approach is based on comparing the client activities with predefined attack patterns kept in a database. The database contains the description of known attacks, such as their signatures and attributes (Kumar and Prakash Sangwan 2012). The IDS inspects the behavior of the inbound network traffic and matches it against the database through a matching technique. If there is a match, the system triggers an alarm to notify the security staff (Kumar and Joshi 2011). Furthermore, this approach is competent at detecting known attacks accurately. However, this model must be updated constantly to reveal zero-day attacks.
Anomaly‑based intrusion detection system using multi‑objective grey wolf optimisation… 3737
and examine the network packets. However, these packets consist of a lot of attributes (features) used to describe the characteristics of the packet, for example source/destination IP addresses, protocol type, and so on. Besides, there are various repetitious and irrelevant features that curtail the performance of the IDS even when the analysis technique is highly sophisticated. Consequently, the IDS must handle each significant piece of information meticulously to detect abnormal behavior (LIU et al. 2011). In fact, several techniques are employed to increase the performance of the IDS. One of the most prevalent is feature selection. The following section demonstrates the principle of the feature selection technique.

1.2 Feature selection technique

Feature selection is a method of taking a subset of significant features (attributes) by eliminating the superfluous and repetitive features from the dataset in order to build an adequate learning approach. In addition, this process can shorten the computation time and reduce complexity (Dastanpour et al. 2014).

A feature selection technique in general comprises several steps, as presented in Fig. 2. Firstly, the subset generation step produces a subset of features extracted from the original dataset. Then, the subset is evaluated in the evaluation step based on the objective function (fitness value) to determine the optimum subset of features. Thirdly, the stopping criteria decide whether the selected features realise the best result or not. Finally, the validation step checks whether the selected features achieve the system requirement or not (Acharya and Singh 2018). Additionally, this technique can be classified into three categories known as wrapper, filter, and hybrid methods. In this work, we use the wrapper method during the feature selection stage; the following subsection provides more details on the wrapper method.

1.2.1 Wrapper method

The feature subset in this approach is selected based on the evaluation of machine learning algorithms. These algorithms are employed for the generation and evaluation of the subsets of features. In addition, the optimum subset of features is produced after the algorithms produce some specific metrics like accuracy, detection rate and so on. Furthermore, this approach aims to reduce the original set of features to produce an effective subset of features. However, these significant outcomes need more processing time and exhaust the system resources (Kumari and Swarnkar 2011). The selection process is launched by generating a subset of features through the initialisation step; then the machine learning algorithm evaluates the selected features by means of the classification algorithm. Figure 3 illustrates the steps of the wrapper method.
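
The wrapper steps described above (subset generation, fitness evaluation, stopping criterion, validation), as an added example that is not code from the paper: a binary grey wolf optimiser searches feature masks and scores each one with a weighted sum of classification error and the fraction of features kept. The nearest-centroid classifier (standing in for the paper's SVM), the 0.9/0.1 weights, the sigmoid transfer step, the function names and the two-class records are all assumptions constructed for illustration.

```python
import math
import random

N_FEAT = 8  # constructed data: features 0-1 carry signal, 2-7 are pure noise

def make_records(rng, n):
    """Constructed two-class records (0 = normal, 1 = attack); not NSL-KDD data."""
    rows = []
    for i in range(n):
        label = i % 2
        signal = [rng.gauss(4.0 * label, 1.0) for _ in range(2)]
        noise = [rng.gauss(0.0, 1.0) for _ in range(N_FEAT - 2)]
        rows.append((signal + noise, label))
    return rows

def error_rate(mask, train, test):
    """Nearest-centroid error on `test`, using only features whose mask bit is 1."""
    idx = [j for j, bit in enumerate(mask) if bit]
    centroids = {}
    for label in (0, 1):
        rows = [x for x, y in train if y == label]
        centroids[label] = [sum(r[j] for r in rows) / len(rows) for j in idx]
    wrong = 0
    for x, y in test:
        dist = {c: sum((x[j] - m) ** 2 for j, m in zip(idx, centroids[c]))
                for c in centroids}
        wrong += min(dist, key=dist.get) != y
    return wrong / len(test)

def fitness(mask, train, val, w=0.9):
    """Two objectives folded into one value to minimise (weights are assumed)."""
    if not any(mask):
        return 1.0  # an empty subset cannot classify anything
    return w * error_rate(mask, train, val) + (1 - w) * sum(mask) / len(mask)

def bgwo_select(train, val, wolves=8, iters=20, seed=1):
    rng = random.Random(seed)

    def score(mask):
        return fitness(mask, train, val)

    # Subset generation: one wolf keeps every feature, the others start random.
    pack = [[1] * N_FEAT] + [[rng.randint(0, 1) for _ in range(N_FEAT)]
                             for _ in range(wolves - 1)]
    best = min(pack, key=score)
    for t in range(iters):                     # stopping criterion: fixed budget
        leaders = sorted(pack, key=score)[:3]  # alpha, beta and delta wolves
        a = 2.0 - 2.0 * t / iters              # exploration factor decays 2 -> 0
        moved = []
        for wolf in pack:
            new = []
            for j in range(N_FEAT):
                x = 0.0
                for lead in leaders:
                    A = 2.0 * a * rng.random() - a
                    C = 2.0 * rng.random()
                    x += lead[j] - A * abs(C * lead[j] - wolf[j])
                # Sigmoid transfer maps the averaged position to a bit probability.
                p = 1.0 / (1.0 + math.exp(-10.0 * (x / 3.0 - 0.5)))
                new.append(1 if rng.random() < p else 0)
            moved.append(new)
        pack = moved
        challenger = min(pack, key=score)
        if score(challenger) < score(best):    # keep the best subset ever seen
            best = challenger
    return best, score(best)

def demo(seed=7):
    rng = random.Random(seed)
    train, val, holdout = (make_records(rng, n) for n in (80, 40, 40))
    mask, fit = bgwo_select(train, val)
    baseline = fitness([1] * N_FEAT, train, val)
    # Validation step: error of the chosen subset on records the search never saw.
    return mask, fit, baseline, error_rate(mask, train, holdout)

if __name__ == "__main__":
    print(demo())
```

Because the all-features mask is part of the initial pack and the best subset is never discarded, the returned fitness can only match or improve on the no-selection baseline.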
2 Literature review

In recent years, many researchers have used machine learning algorithms to solve different optimisation problems. The solution for these problems is signified by finding the shortest path (optimum solution). In Internet security, especially anomaly-based IDS, the optimisation problems include precision, huge datasets, unbalanced distribution of data and, most troublesome, distinguishing the boundaries between normal and abnormal parameters. Most of these problems are solved by a feature selection technique. In this section, we present various algorithms and methods employed for feature selection to improve the performance of the IDS.

Alomari and Othman (2012) proposed a wrapper-based feature selection approach utilising the bees algorithm (BA) as a search technique for subset generation, with SVM as the classifier. The analyses used four random subsets gathered from KDD99. Every subset contains around 4000 records. The performance of the proposed method is assessed by means of the standard IDS measurements. The evaluation criteria in their work are based on the balance between the average accuracy and the average number of selected features. The experimental result shows that the detection accuracy achieved (99%) and the feature set was reduced to (8) features, while the false alarm rate was (0.004).

Alternatively, a network intrusion detection strategy using ant colony optimisation (ACO) and feature-weighting SVM was proposed by (Xingzhu 2015). They combined ACO, to choose the features, with a feature-weighting SVM. First, they utilised SVM classification accuracy and feature subset dimension to develop a comprehensive fitness weighting index. Subsequently, they used the global optimisation and multiple search capabilities of ACO to search for the optimal feature solution. A multi-objective function based on the combination of classification error with weighting features was used in their approach during subset evaluation. Finally, the results showed that the proposed approach can successfully reduce the dimension of features and enhanced network intrusion detection accuracy to (95.75%).

Rani and Xavier (2015) proposed a hybrid intrusion detection system. The system is centred on the C5.0 decision tree and also uses a one-class SVM. C5.0 is used to train the misuse detection model in the hybrid intrusion detection system. The misuse detection model can distinguish known attacks with a low false alarm rate. One-class SVM was applied to the anomaly detection (trained using normal training traffic). In addition, during the training procedure, decision boundaries are chosen with normal data contained in the original dataset. The outliers are detected using the decision function, and the model classifies outliers as attack connections. The experiments were performed on the NSL–KDD dataset. The overall performance of the proposed method was enhanced in terms of the detection rate and low false alarm rate in the evaluation of this approach. Furthermore, the experimental result shows that their approach was able to reduce a subset of features and improve the classification accuracy to (99%) and reduce the processing time. Beside that, the solution is evaluated based on classification accuracy, which is considered a single objective function.

Ghanem and Jantan (2016) proposed a novel method based on multi-objective artificial bee colony (ABC) for feature selection, particularly for intrusion detection systems. Their approach has two stages: generating the feature subsets of the Pareto front of non-dominated solutions in the first stage, and using the hybrid ABC and particle swarm optimisation (PSO) with a feed-forward neural network (FFNN) as a classifier to evaluate feature subsets in the second stage. Thus, the proposed method consists of two steps: the first uses a new feature selection technique called multi-objective ABC feature selection to reduce the number of features of network traffic data, and the second uses a new classification technique called hybrid ABC–PSO optimised FFNN to classify the output data from the previous stage, determine an intruder packet, and detect known and unknown intruders. The proposed approach not only provided a new approach for feature selection, but also proposed a new fitness function for feature selection to reduce the number of features and achieve the minimum rate of classification errors and false alarms.

Acharya and Singh (2018) proposed a feature selection technique based on the intelligent water drop (IWD) algorithm. IWD, a nature-inspired optimisation algorithm, is applied to the selection of the feature subset, while a support vector machine (SVM) plays the role of classifier in the evaluation of the selected features. The parameters used for evaluation were the size of the feature subset, the false alarm rate and the detection rate of the classifier. Furthermore, IWD, as a meta-heuristic optimisation algorithm, yielded an optimised procedure for selecting features for SVM. The model substantially reduced the features, from 41 to 9. The parameters found to have improved in the new model with the proposed method (IWD + SVM) are precision, false alarm rate, accuracy and detection rate. This outcome represented an improvement over other prevailing models. A precision rate of 99.40% and an accuracy score of 99.09% were recorded in the new model, while a low false rate of 1.4% and a precision rate of 99.10% were also recorded. The period used by
this prototype to do the training was remarkably minimised to 1.15 min. Moreover, the detection rate score was used for subset evaluation during the feature selection stage.

In the work of (Negandhi et al. 2019), an intrusion detection system using random forest on the NSL–KDD dataset was proposed. In their work, the supervised learning algorithm random forest was employed to train a model to detect various networking attacks. In addition, smart feature selection using Gini importance was used to reduce the number of features. The NSL–KDD dataset was used to evaluate the performance of the proposed approach. The experimental results show that the proposed model runs faster and obtained 99.88% classification accuracy. Beside that, the proposed approach reduced the number of selected features from 41 to 25.

In the study of (Çavuşoğlu 2019), a new hybrid and layered intrusion detection system using machine learning methods was proposed. In their work, they used a combination of different machine learning and feature selection techniques to provide high-performance intrusion detection for different attack types. In the proposed system, data pre-processing is first performed on the NSL–KDD dataset; then the size of the dataset is reduced by using different feature selection algorithms. In addition, they proposed two approaches for the feature selection operation, which are cfs subset eval and wrapper subset eval with different classification algorithms. The layered architecture is created by determining appropriate machine learning algorithms according to attack type. The NSL–KDD dataset was used to evaluate the performance of the proposed approach. Besides, to demonstrate the performance of the proposed system, it was compared with the studies in the literature. The experimental outcomes show that the proposed system achieves high accuracy and low false-positive rates in all attack types. Table 1 shows a comparison of bio-inspired feature selection algorithms and presents a summary of existing studies.

3 Existing studies based on GWO algorithm

The following studies present different types of feature selection based on the GWO algorithm, which were used to solve optimisation problems in intrusion detection systems.

Devi and Suganthe (2017) proposed a wrapper feature selection method based on the GWO algorithm. They used a multi-objective fitness function to evaluate a subset of features in the feature selection stage; then, for the classification stage, they combined SVM with a Naive Bayes classifier. In addition, they used NSL–KDD to evaluate their system performance, and they utilised mutual information to evaluate the candidate solutions selected through the feature selection stage. Finally, the experimental result of their approach showed a faster time to detect attacks and produced significantly good positive rates, and they were able to reduce the feature set of 18 features. Furthermore, they achieved 99.89% classification accuracy for DoS attacks.

In the work of (Seth and Chandra 2016), a key feature selection based on the GWO algorithm was proposed. In their approach, GWO was used to reduce the original set of features. In addition, the NSL–KDD benchmark dataset was used to evaluate the proposed approach. Furthermore, the experimental result shows that their approach was able to reduce a subset of features and improve the classification accuracy to (99%) and reduce the processing time. Beside that, the solution is evaluated based on classification accuracy, which is considered a single objective function.

An improved GWO algorithm integrated with cuckoo search (CS) was proposed by (Xu et al. 2017). In their approach, they combined GWO with CS in order to improve the performance of GWO. In addition, they observed that the feature (service) contributes a high false positive rate; therefore, they eliminated it from the dataset. Furthermore, the experimental results show that the proposed CS–GWO algorithm achieves a better result compared to the standard version of both algorithms. Moreover, the proposed algorithm achieved 83.54% classification accuracy and reduced the feature number to 6 features.

(Roopa Devi and Suganthe 2018) proposed a hybrid of the GWO algorithm with the CS algorithm as a feature selection model, combined with a transductive support vector machine (SVM) for the classification stage. In their approach, they used the min–max method during the pre-processing step. The optimal subset of features was extracted based on maximum mutual data, which they used as the fitness function. The experimental result shows that the proposed approach reduces the number of selected features to (18,17,34,8) for DoS, Probe, U2R and R2L attacks respectively.

Zawbaa et al. (2018) proposed a hybrid bio-inspired heuristic approach for large-dimensionality small-instance set feature selection. In their work, they hybridised antlion optimisation with grey wolf optimisation. The proposed system was evaluated using 50,000 features and 200 instances. The results were compared to the genetic algorithm and particle swarm optimisation; however, the proposed system produced better performance in terms of high accuracy of prediction, and the process was complex.

Velliangiri (2019) proposed a hybrid intrusion detection model based on binary GWO (BGWO) with kernel principal component analysis (KPCA). In their approach, they used KPCA to select the optimum subset of features and a multi-class SVM for the classification stage. In addition, they combined KPCA with the SVM classifier to improve the classification process, and the GWO algorithm was employed to select the best values for the SVM classifier.
Table 1 Feature selection approaches based on various bio-inspired optimisation algorithms

| Authors and year | Feature selection algorithms | Dataset | Feature length | Classification algorithms | Performance evaluation | Objective function | Work limitations |
|---|---|---|---|---|---|---|---|
| Alomari and Othman (2012) | Bees algorithm | KDD CUP99 | 8 | Support vector machine | Detection rate: 98.38; False alarm rate: 0.004 | Multi-objective (average accuracy with average feature numbers) | Result not appreciable for all classes |
| Xingzhu (2015) | Ant colony + feature weighting support vector machine | KDD CUP99 | 13 | Support vector machine | Detection rate: 95.75 | Multi-objective (classification error with weighting features) | Select a large set of features and focusing only on detection rate |
| Rani and Xavier (2015) | Cuttle fish algorithm | NSL–KDD | – | C5.0 + one class SVM | Accuracy: 98.20; False alarm rate: 1.405 | – | Result calculated only for accuracy and error rate only |
| Ghanem and Jantan (2016) | Artificial bee colony optimisation | NSL–KDD | – | Feed-forward neural network | – | Multi-objective (classification error rate with false alarm rate with feature rate) | The result was not appreciable for all classes |
| Acharya and Singh (2018) | Intelligent water drop algorithm | KDD CUP99 | 9 | Support vector machine | Detection rate: 99.40; False alarm rate: 1.405 | Single-objective (detection rate) | False alarm rate is high and select one type of attack |
| Negandhi et al. (2019) | Gini importance | NSL–KDD | 25 | Random forest | Classification accuracy: 99.88% | – | Select a large set of features |
| Çavuşoğlu (2019) | Cfs subset eval and wrapper subset eval | NSL–KDD | 25 | Naïve bayes, random forest, J48, random tree | DoS Accuracy: 99.98% | Single-objective (accuracy) | Selecting a large set of features and complexity of analysis |
Furthermore, the KDD-99 dataset was used to evaluate the performance of the proposed model, and they indicated that the proposed method can reduce the training time and testing time. Finally, the proposed approach obtains accuracy of (96.82%, 95.38%, 75.502%, 74.56%) for (Probe, DoS, U2R, and R2L) attacks respectively.

The authors (Srivastava et al. 2019a) proposed a nature-inspired technique for intrusion detection systems (IDS). In their work, they use the grey wolf optimiser for feature selection and applied different types of classification technique, like k-nearest neighbor (KNN), support vector machine (SVM) and generalized regression neural network (GRNN). In addition, they utilised 10% of the KDD-99 dataset for testing the model. The experimental result shows that the combined model (GWO–KNN) achieves the best result in terms of accuracy, sensitivity, and specificity compared to the other approaches.

The authors (Srivastava et al. 2019b) proposed and implemented different hybrid methods for intrusion detection systems. In their work, they used the grey wolf optimisation (GWO) algorithm with several classification techniques like entropy basic graph (EBG), support vector machine (SVM), generalised regression neural network (GRNN) and k-nearest neighbor (KNN). The KDD-99 dataset was utilised to assess the classification of data into normal or intrusion using different hybrid classification techniques. Besides, the authors divide the testing data into different volumes and measure the performance of the proposed approach. The outcomes show that the GWO–EBG classification approach obtains the higher result compared to the other approaches.

In addition to that, the grey wolf optimisation (GWO) algorithm has also been implemented in other fields like science, medicine, industry, education and so on. The following studies present examples of using the GWO algorithm to solve different types of optimisation problems.

The authors (Makhadmeh et al. 2018) proposed a multi-objective grey wolf optimisation (GWO) algorithm to solve the power scheduling problem in smart homes; they used GWO to achieve an optimal schedule. In addition, they evaluated their approach using seven consumption profiles and seven real-time electricity prices with different characteristics. Moreover, in their work, they used three factors to evaluate the proposed approach, which are electricity bill, peak-to-average ratio (PAR), and user comfort level. The experimental result shows that the proposed approach obtains a significant impact on the final schedule.

A hybrid genetic grey wolf algorithm (HGWO) for large scale global optimisation (LSGO) was proposed by (Gu et al. 2019). In their work, they combined GWO with three genetic factors to remedy the shortcomings of GWO when solving LSGO issues: three genetic operators are embedded into the standard GWO, and a hybrid genetic grey wolf algorithm (HGGWA) was proposed. The performance of HGGWA was verified by ten benchmark functions. Finally, the simulation results show that the HGGWA was greatly improved in convergence accuracy, which proves the effectiveness of HGGWA in solving LSGO problems.

In the work of (Garg et al. 2019), a hybrid deep learning-based model for anomaly detection in cloud data centre networks was presented. In their research, a hybrid data processing model for network anomaly detection was proposed that leverages the performance of grey wolf optimisation (GWO) and convolutional neural network (CNN). The proposed model works in two phases for efficient network anomaly detection. In the first phase, improved GWO was used for feature selection. In the second phase, improved CNN was used for the classification stage. The efficacy of the proposed model was validated on the benchmark (DARPA'98 and KDD'99) and synthetic datasets. The results obtained demonstrate that the proposed cloud-based anomaly detection model was superior in comparison to the other state-of-the-art models. On average, the proposed model exhibits an overall improvement of 8.25%, 4.08% and 3.62% in terms of detection rate, false positives, and accuracy, respectively, relative to standard GWO with CNN.

A study of an experienced grey wolf optimiser through reinforcement learning and neural networks was presented by (Emary et al. 2018). In their work, they presented a variant of GWO that uses reinforcement learning principles combined with neural networks to enhance the performance of the system. In addition, they utilised reinforcement learning to set it on an individual basis. The resulting algorithm is called experienced GWO (EGWO), and its performance was assessed on solving feature selection problems and on finding optimal weights for neural network algorithms. Beside that, they used a set of performance indicators to evaluate the efficiency of the proposed method. The results over various datasets demonstrate an advance of EGWO over the original GWO and other meta-heuristics such as genetic algorithms and particle swarm optimisation.

In the work of (Emary et al. 2015), a feature subset selection approach by GWO was presented. In their study, a classification accuracy-based fitness function was proposed for GWO to find the optimal feature subset. The aim of GWO in this work was to find optimal regions of the complex search space through the interaction of individuals in the population. The proposed approach shows better performance in both classification accuracy and feature size reduction compared with particle swarm optimisation (PSO) and genetic algorithm (GA) over a set of datasets from the UCI machine learning data repository. Moreover, the grey wolf optimisation approach shows much robustness against initialisation in comparison with PSO and GA optimisers.

The authors (Emary et al. 2017) proposed a method of multi-objective retinal vessel localisation using the flower pollination search algorithm with pattern search. In this work, the proposed multi-objective fitness function uses flower
pollination search algorithm (FPSA) to find optimal clustering of the given retinal image into compact clusters under some constraints. In addition, the pattern search (PS) method was also used to enhance the segmentation results using another objective function based on shape features. The DRIVE dataset was used to evaluate the performance of the proposed approach. The proposed approach was also compared with state-of-the-art techniques in terms of accuracy, sensitivity, and specificity.

A study on the impact of chaos functions on modern swarm optimisers was presented by (Emary and Zawbaa 2016). In their study, they used chaos-based control of exploration/exploitation rates against using systematic native control. Three recent algorithms were used in their work, namely grey wolf optimiser (GWO), antlion optimiser (ALO) and moth-flame optimiser (MFO), in the domain of machine learning for feature selection. In addition, they used a set of standard machine learning data with a set of assessment indicators. The experimental outcomes proved that the performance of the optimisation algorithms was enhanced by using variational repeated periods of declined exploration rates over using systematically decreased exploration rates.

The authors (Lu et al. 2017) investigated a real-world welding scheduling problem from both the theoretical and the practical application points of view. First, they formulated a multi-objective mathematical model which considered three dynamic events at the same time: machine breakdown, job release delay and jobs with poor quality. This model additionally includes sequence-dependent setup times, job-dependent transportation times and controllable processing times. Then, the authors developed a hybrid multi-objective grey wolf optimiser (HMO–GWO) to address this dynamic problem with the goal of minimising the makespan, machine load and instability at the same time. It effectively minimises the makespan, machine load, and instability simultaneously. The weaknesses of this method are that it does not use information on problem properties and consumes a long time to attain a set of non-dominated solutions.

Furthermore, this part of the dataset contains 25,192 samples for the training set and 11,850 samples for the testing set. The advantages of NSL-KDD over the original KDD-99 dataset are illustrated in (Tavallaee et al. 2009).

4.1 Dataset attacks types

This part presents the main classes of attacks in the NSL-KDD dataset. The dataset mainly contains four types of attacks, which are described in the following list:

• Denial of Service (DoS): In this type of attack, the attacker tries to keep the system or memory resources too busy. As a result, the machine becomes unable to handle requests from legitimate users or to perform any other services.
• User to Root (U2R): The attacker starts the attack by obtaining some legitimate user credentials. Then, the attacker exploits system vulnerabilities to gain root privileges.
• Remote to Local (R2L): The attacker sends a packet to a machine that is connected to the network. Afterwards, the attacker attempts to observe the vulnerabilities and exploit privileges in the host system to gain access. Then, the intruder becomes an administrator of the remote machine.
• Probing Attacks: The attacker scans the client/network machine to collect information. This information is very useful to determine the weaknesses and vulnerabilities in the system that may be used later to compromise the client's machine system.

Figure 4 shows the number of normal and attack instances in the dataset training and testing sets.

In addition, each main attack type contains many sub-attacks, and these types contain some features that help to identify the main type of attack. Figure 6 presents the distribution of attacks in the training and testing set.

5 Methodology of the proposed model
[Figure: bar chart of the percentage of records per class (Normal, DoS, Probe, R2L, U2R) in the Training Set and Testing Set]
a wide range of information values. This stage consists of the subsequent steps.

5.1.1 Step 1—data transformation

Consequently, to avoid these dilemmas, the transformation process was implemented to map symbolic features to numeric features (Shah and Trivedi 2013). Figure 6 shows an example of data transformation process.
5.1.2 Step 2—data normalisation

This process is defined as a method of calibrating the range of feature values into a well-proportioned range. In this work, each value in the feature record is scaled using Eq. (1).

$$X' = \frac{X}{X_{\mathrm{maximum}}} \tag{1}$$

where $X'$ is the normalised value, $X$ is the current value in the feature's record and $X_{\mathrm{maximum}}$ refers to the maximum value in the feature record. Finally, the record values fall in the range between zero and one. Table 2 presents a list of features adjusted in this step.
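The Stage 1 preprocessing described here (symbolic-to-numeric transformation, Eq. (1) normalisation, and the filtering into per-attack containers that the paper describes next), as an added example that is not the paper's code. Assumptions: the records are constructed, codes are assigned in order of first appearance, training maxima are reused for the test split with clipping at 1, and each container holds the normal records plus one attack class.

```python
# Constructed NSL-KDD-style records (not real dataset rows):
# (duration, protocol_type, service, flag, src_bytes, label)
TRAIN = [
    (0, "tcp", "http", "SF", 181, "normal"),
    (0, "tcp", "private", "S0", 0, "neptune"),
    (2, "udp", "domain_u", "SF", 146, "normal"),
    (0, "icmp", "ecr_i", "SF", 1032, "smurf"),
    (0, "tcp", "ftp_data", "SF", 334, "warezclient"),
    (0, "tcp", "private", "REJ", 0, "portsweep"),
    (98, "tcp", "telnet", "SF", 621, "buffer_overflow"),
]
TEST = [
    (0, "tcp", "http", "SF", 2500, "normal"),        # src_bytes above the training maximum
    (1, "tcp", "imap4", "RSTO", 0, "guess_passwd"),  # service and flag unseen in training
]
SYMBOLIC = (1, 2, 3)  # column indexes of protocol_type, service, flag

# Sub-attack labels of the KDD/NSL-KDD training set and their main category
# (taken from the public dataset documentation, not listed on this page).
ATTACK_CLASS = {
    **dict.fromkeys(["back", "land", "neptune", "pod", "smurf", "teardrop"], "DoS"),
    **dict.fromkeys(["ipsweep", "nmap", "portsweep", "satan"], "Probe"),
    **dict.fromkeys(["ftp_write", "guess_passwd", "imap", "multihop", "phf", "spy",
                     "warezclient", "warezmaster"], "R2L"),
    **dict.fromkeys(["buffer_overflow", "loadmodule", "perl", "rootkit"], "U2R"),
}


def fit_encoders(rows):
    """Step 1: learn symbolic -> integer codes (1, 2, ...) from the training rows only."""
    encoders = {col: {} for col in SYMBOLIC}
    for row in rows:
        for col in SYMBOLIC:
            encoders[col].setdefault(row[col], len(encoders[col]) + 1)
    return encoders


def to_numeric(rows, encoders):
    """Apply the codes; a symbolic value never seen in training becomes 0."""
    vectors = []
    for row in rows:
        vectors.append([float(encoders[c].get(v, 0)) if c in encoders else float(v)
                        for c, v in enumerate(row[:-1])])
    return vectors, [row[-1] for row in rows]


def column_maxima(vectors):
    return [max(col) for col in zip(*vectors)]


def normalise(vectors, maxima):
    """Step 2, Eq. (1): X' = X / X_maximum, using the training maxima for every split."""
    out = []
    for vec in vectors:
        # Guard the all-zero column; clip test values that exceed the training maximum.
        out.append([0.0 if m == 0 else min(x / m, 1.0) for x, m in zip(vec, maxima)])
    return out


def split_scenarios(vectors, labels):
    """Filtering: one container per main attack class, each holding normal + that class."""
    containers = {name: [] for name in ("DoS", "Probe", "R2L", "U2R")}
    for vec, label in zip(vectors, labels):
        if label == "normal":
            for rows in containers.values():
                rows.append((vec, 0))          # 0 = normal
        else:
            containers[ATTACK_CLASS[label]].append((vec, 1))  # 1 = attack
    return containers


def preprocess(train_rows, test_rows):
    encoders = fit_encoders(train_rows)
    train_vecs, train_labels = to_numeric(train_rows, encoders)
    test_vecs, test_labels = to_numeric(test_rows, encoders)
    maxima = column_maxima(train_vecs)
    return (split_scenarios(normalise(train_vecs, maxima), train_labels),
            split_scenarios(normalise(test_vecs, maxima), test_labels),
            encoders)


if __name__ == "__main__":
    train_sets, test_sets, _ = preprocess(TRAIN, TEST)
    for name, rows in train_sets.items():
        print(name, len(rows), "training records")
```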
The filtering step is typically used to select or eliminate some information from the dataset. In this work, the filtering method was utilised to extract and detach different classes of attacks to test the proposed approach in different types of attack scenarios. Figure 7 illustrates the filtering process. From Fig. 7, it could be noted that the NSL–KDD dataset contains numerous classes of attacks. Additionally, every sub-attack belongs to a main category of the dataset attacks, namely Denial of Service (DoS), Probe, Remote to Local (R2L) and User to Root (U2R). Consequently, in this step, each class of attack is mapped to the main attack category. Lastly, the output is a set of different dataset containers, and each container has a different kind of dataset attacks.

5.2 Stage 2: feature selection

Subset generation is a technique of heuristic search, within which every sample in the search area specifies a candidate solution for subset evaluation. In this work, the random subset generation technique (Kim et al. 2010) was used to generate a subset of features. The following equation is used in the initialisation step to generate the solution.

$$X_{(i,j)} = x_j^{\min} + \delta\left(x_j^{\max} - x_j^{\min}\right) \tag{2}$$

where $x_{ij}$ is the dimension of the matrix generated in the initialisation step, $x_j^{\max}$ and $x_j^{\min}$ represent the upper and lower bound of the matrix, the parameter $i$ runs from 1 to $N$ and the parameter $j$ from 1 to $D$, where $N$ represents the number of solutions and $D$ refers to the dimension of the solution in the matrix.
behavior of wolves to catch the prey represent the searching path to the optimal solution. In nature, grey wolves prefer to live in a pack. The average size of the pack varies from 5 to 12 wolves (Mirjalili 2014). In addition, the pack's members are classified into four groups based on the level of the wolf's position in the pack, which assists in improving the hunting process (Alzubi et al. 2019). These groups are named as follows: Alpha (α) consists of a male or a female; these wolves are the leaders in the pack and are responsible for decision making, for example, hunting, waking, sleeping time and place. Besides, beta (β) is the second level, which consists of male or female wolves that are responsible for helping in some decisions for the other wolves in the pack. Delta (δ) is the third level, and they perform some important roles such as caretaker, sentinels, an elder in the pack and hunter. The last level is omega (ω). This level is the weakest of the wolves in the hierarchical model, plays the role of scapegoat and should obey other individuals' orders (Emary et al. 2016).

where $\vec{X}_1$, $\vec{X}_2$ and $\vec{X}_3$ are given by the following equations:

$$\vec{X}_1 = \vec{X}_\alpha(t) - \vec{A}_1 \cdot \vec{D}_\alpha \tag{8}$$

$$\vec{X}_2 = \vec{X}_\beta(t) - \vec{A}_2 \cdot \vec{D}_\beta \tag{9}$$

$$\vec{X}_3 = \vec{X}_\delta(t) - \vec{A}_3 \cdot \vec{D}_\delta \tag{10}$$

where $\vec{X}_\alpha$, $\vec{X}_\beta$ and $\vec{X}_\delta$ are the positions of alpha, beta and delta wolves in iteration; i.e., the first three best solutions of our problem. $\vec{A}_1$, $\vec{A}_2$ and $\vec{A}_3$ are presented in Eqs. 8, 9, and 10 respectively, and $\vec{D}_\alpha$, $\vec{D}_\beta$ and $\vec{D}_\delta$ are given by the following equations:

$$\vec{D}_\alpha = \left|\vec{C}_1 \cdot \vec{X}_\alpha - \vec{X}\right| \tag{11}$$

$$\vec{D}_\beta = \left|\vec{C}_2 \cdot \vec{X}_\beta - \vec{X}\right| \tag{12}$$
where $Z_i$ is the binary value (discrete value) represented by 0 or 1, $i$ refers to the number of solutions and $y_i$ is the value of the solution (continuous values) generated through the initialisation and final steps. Besides, by using Eq. (15), if the absolute value of the remainder is between 0 and 0.4999 or 1.5 and 1.9999, the binary number is obtained as 0. Else, if the absolute value of the remainder is between 0.5 and 1.4999, the binary number is obtained as 1.

Moreover, after completing one iteration of the algorithm, the first three best solutions $x_\alpha$, $x_\beta$ and $x_\delta$ are taken as the positions of the alpha, beta and delta wolves, which will attract the other wolves in the pack. The solution (position) that has the best classification accuracy is alpha's position, followed by beta and then delta. In each iteration of the algorithm, the classifier is trained and validated, then the accuracy of the classifier is computed for each subset (solution) of the position matrix (Mirjalili 2014).

Furthermore, in each iteration of the algorithm, the position of each wolf in the pack changes, hence the change in the positions of alpha, beta and delta wolves. All solutions are on the corner of a hypercube. The grey wolf positions are converging towards the prey in each iteration. The wolf nearest to the prey is the best solution; i.e., alpha position. Figure 9 illustrates the flowchart of the proposed GWO algorithm.

5.2.3 Step 3: objective function (subset evaluation)

The objective function (fitness value) is used to evaluate each candidate solution selected by GWO algorithm. The following points give more details on the standard and the proposed multi-objective function.

• Single Objective Function: The standard objective function, which was used by many researchers, evaluates a subset of features based on classification accuracy and ignores the number of selected features. The classification accuracy can be calculated based on Eq. (16).

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{16}$$

where the false positive (FP) represents the number of samples incorrectly predicted as attack class, false negative (FN) refers to the number of samples incorrectly predicted as a normal class, whereas true positive (TP) is the number of samples correctly predicted as attack class, and true negative (TN) indicates the number of samples correctly predicted as a normal class. Besides that, the benefit of this objective function is that it achieves high classification accuracy. However, it will not give attention to the number of selected
Table 3 System parameter settings

Items | Values
Number of populations | 10
Number of iterations | 40
Number of runs | 20
Dimension of the solution | 41
Range of search space | [0, 1]
Weight of the proposed fitness function | W1 = 0.7, W2 = 0.3

A (n) represent the final value of classification accuracy obtained by the standard and proposed multi-objective GWO algorithms in each run of the experiment. Besides that, the best accuracy value represents the maximum value reached through each run of the experiment, whereas the worst value for classification accuracy represents the lowest values obtained by the standard and proposed multi-objective GWO algorithms in each run of the experiment.
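The binary GWO feature-selection loop of Sect. 5.2 with the Table 3 settings (position update of Eqs. (8)–(12), the remainder-based binarisation rule, and a weighted two-objective fitness), as an added example that is not the paper's code. Assumptions: the fitness is taken as W1·accuracy + W2·(1 − selected/D) because Eq. (17) is not reproduced on this page; the coefficients A = 2a·r1 − a, C = 2·r2 and the mean of X1, X2, X3 follow the standard GWO of Mirjalili (2014); a nearest-centroid classifier on constructed toy data stands in for the SVM and NSL-KDD.

```python
import random

W1, W2 = 0.7, 0.3  # fitness weights from Table 3


def binarise(y):
    """Remainder rule from the text: |y| mod 2 in [0.5, 1.5) -> 1, otherwise 0."""
    r = abs(y) % 2.0
    return 1 if 0.5 <= r < 1.5 else 0


def centroid_accuracy(mask, train, test):
    """Stand-in for the SVM (assumption): nearest-centroid accuracy on selected columns."""
    cols = [j for j, bit in enumerate(mask) if bit]
    sums, counts = {}, {}
    for x, label in train:
        s = sums.setdefault(label, [0.0] * len(cols))
        for k, j in enumerate(cols):
            s[k] += x[j]
        counts[label] = counts.get(label, 0) + 1
    cents = {lab: [v / counts[lab] for v in s] for lab, s in sums.items()}

    def dist(x, lab):
        return sum((x[j] - c) ** 2 for j, c in zip(cols, cents[lab]))

    hits = sum(min(cents, key=lambda lab: dist(x, lab)) == label for x, label in test)
    return hits / len(test)


def fitness(mask, accuracy):
    """Assumed weighted sum (Eq. 17 is not shown on the page): accuracy vs. subset size."""
    if not any(mask):
        return 0.0  # an empty subset cannot classify anything
    return W1 * accuracy + W2 * (1 - sum(mask) / len(mask))


def evaluate(position, train, test):
    mask = [binarise(v) for v in position]
    acc = centroid_accuracy(mask, train, test) if any(mask) else 0.0
    return fitness(mask, acc), mask


def gwo_select(train, test, dim, wolves=10, iters=40, seed=1):
    """Return (best mask, best fitness, best-so-far fitness after each evaluation)."""
    rng = random.Random(seed)
    pack = [[rng.random() for _ in range(dim)] for _ in range(wolves)]  # Eq. (2), bounds [0, 1]
    best_fit, best_mask, history = -1.0, None, []
    for t in range(iters + 1):
        scored = sorted(((evaluate(p, train, test), p) for p in pack),
                        key=lambda item: item[0][0], reverse=True)
        (fit, mask), _ = scored[0]
        if fit > best_fit:
            best_fit, best_mask = fit, mask
        history.append(best_fit)
        if t == iters:
            break
        leaders = [p[:] for _, p in scored[:3]]  # copies of alpha, beta, delta
        a = 2 - 2 * t / iters                    # standard GWO: a falls linearly from 2
        for p in pack:
            for j in range(dim):
                total = 0.0
                for lead in leaders:
                    A = 2 * a * rng.random() - a
                    C = 2 * rng.random()
                    D = abs(C * lead[j] - p[j])  # Eqs. (11)-(12)
                    total += lead[j] - A * D     # Eqs. (8)-(10)
                p[j] = total / 3                 # mean of X1, X2, X3; binarise() wraps overshoot
    return best_mask, best_fit, history


def make_data(n, dim, rng):
    """Constructed toy records: only features 0 and 1 separate normal (0) from attack (1)."""
    rows = []
    for i in range(n):
        label = i % 2
        x = [rng.random() for _ in range(dim)]
        x[0] = 0.2 + 0.6 * label + 0.1 * rng.random()
        x[1] = 0.7 - 0.5 * label + 0.1 * rng.random()
        rows.append((x, label))
    return rows


if __name__ == "__main__":
    data_rng = random.Random(0)
    train, test = make_data(60, 8, data_rng), make_data(40, 8, data_rng)
    mask, fit, history = gwo_select(train, test, dim=8)
    print("selected features:", [j for j, bit in enumerate(mask) if bit])
    print("fitness:", round(fit, 4), "first/last best:", round(history[0], 4), round(history[-1], 4))
```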
Bold values refer to the best result achieved during the experiments
TP true positive, FP false positive, TN true negative, FN false negative, SVM support vector machine, GWO grey wolf optimisation, DoS denial of service, R2L remote to local, U2R user to root

Bold values represent the best result achieved during the experiments
SVM support vector machine, GWO grey wolf optimisation, DoS denial of service, R2L remote to local, U2R user to root
using Eq. (16), whereas in the multi-objective GWO algorithm it is computed using Eq. (17). From the Table above, it is clear that our proposed multi-objective GWO algorithm achieved a superior result in the number of selected features for all attack scenarios. Furthermore, the number of selected features in the R2L and U2R attack scenarios was impressive. Also, in terms of classification accuracy, the proposed GWO algorithm obtains a superior result compared to the others. In spite of that, the result of the proposed GWO algorithm in the DoS attack scenario was approximately equal to the standard GWO algorithm. Finally, these results prove that the proposed approach could efficiently select the significant set of features that achieve high classification accuracy. Figure 10 shows the types of input data to the SVM classifier.

Figure 11 displays the number of selected features achieved by the standard and proposed GWO algorithm for 20 runs. In this DoS attack scenario, the number of selected features in each run was produced after executing the algorithms for 40 iterations as indicated in Table 3. From the chart, it can be seen that the proposed GWO algorithm achieved a lower number of features during the experiment runs. Whereas the standard
GWO algorithm obtained a higher number of features. Therefore, the multi-objective function enhanced the performance of the proposed GWO algorithm in obtaining the lowest number of selected features.

Table 6 Result of average and worst accuracy with number of selected features for DoS attack scenario

Algorithms | Average classification accuracy | Selected features | Worst classification accuracy | Selected features
Standard GWO algorithm + SVM classifier | 87.52 | 10 | 69.83 | 20
Multi-objective GWO algorithm + SVM classifier | 89.18 | 3 | 70.43 | 23

Bold values refer to the best result achieved during the experiments

Table 6 presents the result of both average and worst accuracy with the number of selected features for the DoS attack scenario, which is obtained after 20 runs of the experiment. From the Table, it could be observed that the proposed GWO algorithm exceeded the highest result
for average and worst accuracy compared to the standard GWO algorithm. Besides that, in terms of selected features, the proposed GWO algorithm achieved the minimum number of features with the average classification accuracy case. Whereas the standard GWO algorithm obtained the lowest number of selected features for the worst classification accuracy case.

Figure 12 presents the number of selected features obtained by the standard GWO algorithm and proposed GWO algorithm for 20 runs. In this probe attack scenario, the number of selected features in each run was produced after executing the algorithms for 40 iterations as mentioned in Table 3. From the graph, it could be noted that the proposed GWO algorithm produced the lowest number of features during the experiment runs. While the standard GWO algorithm gained a higher number of features compared to the proposed GWO algorithm. Thus, it could be concluded that the proposed multi-objective function was effective in enhancing the performance of the proposed GWO algorithm to obtain the lowest number of significant features.

Table 7 displays the result of both average and worst classification accuracy with the number of selected features for the Probe attack scenario, which is achieved after 20 runs of the experiment. From the Table, it could be noted that for the best and worst classification accuracy, the proposed GWO algorithm obtained a close result compared to the standard GWO algorithm. However, with respect to the selected features, the proposed GWO algorithm exceeded the standard GWO algorithm in achieving an optimum subset of features.

Table 7 Result of average and worst accuracy with number of selected features for Probe attack scenario

Algorithms | Average classification accuracy | Selected features | Worst classification accuracy | Selected features
Standard GWO algorithm + SVM classifier | 86.86 | 10 | 71.87 | 22
Multi-objective GWO algorithm + SVM classifier | 85.59 | 5 | 69.12 | 13

Bold values refer to the best result achieved during the experiments

Figure 13 displays the number of selected features achieved by the standard GWO algorithm and proposed GWO algorithm for 20 runs. In this R2L attack scenario, the number of selected features in each run was produced after executing the algorithms for 40 iterations as shown in Table 3. From the chart, it can be recognised that the proposed GWO algorithm achieved the minimum number of features during the experiment runs. While the standard GWO algorithm obtained a higher number of features.

Table 8 clarifies the result of both average and worst classification with a number of selected features for the R2L attack scenario, which is obtained after 20 runs of the experiment. From the Table, it could be recognised that the proposed GWO algorithm achieved a higher result for best accuracy compared to the standard GWO algorithm. Besides that, for the average classification accuracy, the proposed GWO algorithm achieved a close result compared to the standard GWO algorithm. In addition, the proposed GWO algorithm was superior to the standard GWO algorithm in the number of chosen features.

Figure 14 displays the number of selected features produced by the standard GWO algorithm and proposed GWO algorithm for 20 runs. In this R2L attack scenario, the number of selected features in each run was produced after executing the algorithms for 40 iterations as shown in Table 3. From the Figure, it can be seen that the proposed GWO algorithm produced the lowest number of features during the experiment runs. While the standard GWO algorithm reached a
higher number of features compared to the proposed GWO algorithm. Therefore, the multi-objective function was successful in improving the performance of the proposed model to produce the significant subset of features.

Table 8 Result of average and worst accuracy with number of selected features for R2L attack scenario

Algorithms | Average classification accuracy | Selected features | Worst classification accuracy | Selected features
Standard GWO algorithm + SVM classifier | 54.95 | 12 | 48.01 | 20
Multi-objective GWO algorithm + SVM classifier | 53.18 | 5 | 44.15 | 2

Bold values refer to the best result achieved during the experiments

Table 9 presents the result of both average and worst classification accuracy cases with a number of selected features for the U2R attack scenario, which is obtained after 20 runs of the experiment. From the Table, it could be observed that the proposed GWO algorithm exceeded the highest value for average accuracy compared to the standard GWO algorithm. However, for the worst classification accuracy case, the proposed GWO algorithm produces almost the same result for accuracy compared to the standard GWO algorithm. Besides that, regarding the number of selected features, the proposed GWO algorithm obtains the optimal subset of features compared to the standard GWO algorithm.

Table 10 illustrates the comparison of our proposed approach with other existing approaches. In this comparison, all types of attacks are considered as one attack scenario. This scenario shows the efficiency of the proposed
GWO to detect different types of attacks at the same time. In addition, we implemented and evaluated the other existing approaches using the same parameters and values that were obtained in our proposed approach, due to the inability to use the same values and characteristics that were utilised in these approaches as a consequence of the limited hardware resources. It could be observed from the Table that the proposed multi-objective GWO algorithm obtained a significant result compared to the other existing approaches in terms of classification accuracy and number of selected features. Besides that, the authors (Seth and Chandra 2016; Çavuşoğlu 2019) achieved 99% for accuracy. However, they used the cross-validation method for analysis, whereas we used splitting dataset analysis, which clarifies the real performance of the system in detecting new types of network attacks.

Table 9 Result of average and worst accuracy with number of selected features for U2R attack scenario

Algorithms | Average classification accuracy | Selected features | Worst classification accuracy | Selected features
Standard GWO algorithm + SVM classifier | 34.29 | 6 | 8.59 | 18
Multi-objective GWO algorithm + SVM classifier | 36.58 | 2 | 8.51 | 15

Bold values refer to the best result achieved during the experiments

Author & year | Feature selection algorithms | Dataset | Classification algorithms | Classification accuracy | No. of selected features | Analysis technique

Bold values indicate the best result achieved during the experiments

8 Conclusion and future research direction

This study sets out to investigate the impact of a new multi-objective function GWO algorithm to improve the performance of the IDS. The proposed multi-objective GWO was used in this study through the feature selection process to choose an optimal subset of features with high classification accuracy. In addition, a 20% portion of the NSL-KDD dataset was used to test the performance of the proposed approach. The analysis technique in this study is based on data separation. This technique plays a key role in evaluating the effectiveness of the IDS system and disclosing the real performance through testing it against new types of network attacks. Furthermore, the findings conducted on the proposed approach were able to produce high classification accuracy with an optimal subset of features with different types of attack scenario. Moreover, the effectiveness and feasibility of the proposed approach were verified by comparing it with recent approaches, and it shows better results.

For future research directions, it is suggested that the researchers perform the proposed multi-objective function with other bio-inspired algorithms to solve different optimisation problems. In addition, these algorithms could be applied to improve the performance of the SVM classifier by selecting the optimal RBF parameters. Furthermore, we will expand on this area in our future work through the implementation of new parameters for the multi-objective function such as detection rate, classification error and so on. Finally, we will apply other benchmark datasets that contain new kinds of network attacks.
References

Acharya N, Singh S (2018) An IWD-based feature selection method for intrusion detection system. Soft Comput 22:4407–4416. https://doi.org/10.1007/s00500-017-2635-2
Alamiedy TA, Anbar M, Al-Ani AK et al (2019) Review on feature selection algorithms for anomaly-based intrusion detection system. Adv Intell Syst Comput 843:605–619. https://doi.org/10.1007/978-3-319-99007-1_57
Alomari O, Othman ZA (2012) Bees algorithm for feature selection in network anomaly detection. J Appl Sci Res 8:1748–1756
Alzubi QM, Anbar M, Alqattan ZNM et al (2019) Intrusion detection system based on a modified binary grey wolf optimisation. Neural Comput Appl 1:1–13. https://doi.org/10.1007/s00521-019-04103-1
Çavuşoğlu Ü (2019) A new hybrid approach for intrusion detection using machine learning methods. Appl Intell 49:2735–2761. https://doi.org/10.1007/s10489-018-01408-x
Cortes C (1995) Support–vector networks. Mach Learn 20:273–297. https://doi.org/10.1023/A:1022627411411
Dastanpour A, Ibrahim S, Mashinchi R (2014) Using genetic algorithm to supporting artificial neural network for intrusion detection system. J Commun Comput 11:1–13
Devi EMR, Suganthe RC (2017) Feature selection in intrusion detection grey wolf optimizer. Asian J Res Soc Sci Humanit 7:671. https://doi.org/10.5958/2249-7315.2017.00197.6
Dhanabal L, Shantharajah DSP (2015) A Study On NSL–KDD dataset for intrusion detection system based on classification algorithms. Int J Adv Res Comput Commun Eng 4:446–452. https://doi.org/10.17148/IJARCCE.2015.4696
Emary E, Zawbaa HM (2016) Impact of chaos functions on modern swarm optimizers. PLoS One 11:1–26. https://doi.org/10.1371/journal.pone.0158738
Emary E, Zawbaa HM, Grosan C, Hassenian AE (2015) Feature subset selection approach by gray-wolf optimization. In: Afro-European Conference for Industrial Advancement. Springer, Cham, pp 1–13
Emary E, Zawbaa HM, Hassanien AE (2016) Binary grey wolf optimization approaches for feature selection. Neurocomputing 172:371–381. https://doi.org/10.1016/j.neucom.2015.06.083
Emary E, Zawbaa HM, Hassanien AE, Parv B (2017) Multi-objective retinal vessel localization using flower pollination search algorithm with pattern search. Adv Data Anal Classif 11:611–627. https://doi.org/10.1007/s11634-016-0257-7
Emary E, Zawbaa HM, Grosan C (2018) Experienced gray wolf optimization through reinforcement learning and neural networks. IEEE Trans Neural Networks Learn Syst 29:681–694. https://doi.org/10.1109/TNNLS.2016.2634548
Garg S, Kaur K, Kumar N et al (2019) A hybrid deep learning-based model for anomaly detection in cloud datacenter networks. IEEE Trans Netw Serv Manag 16:924–935. https://doi.org/10.1109/tnsm.2019.2927886
Ghanem WAHM, Jantan A (2016) Novel multi-objective artificial bee colony optimization for wrapper based feature selection in intrusion detection. Int J Adv Soft Comput its Appl 8:70–81
Gholipour Goodarzi B, Jazayeri H, Fateri S et al (2014) Intrusion detection system in computer network using hybrid algorithms (SVM and ABC). J Adv Comput Res 5:43–52
Gu Q, Li X, Jiang S (2019) Hybrid genetic grey wolf algorithm for large-scale global optimization. Complexity 2019:2653512. https://doi.org/10.1155/2019/2653512
Kim DS, Nguyen H-N, Ohn S-Y, Park JS (2010) Fusions of GA and SVM for anomaly detection in intrusion detection system. In: International Symposium on Neural Networks. pp 415–420
Kiran MS (2015) The continuous artificial bee colony algorithm for binary optimization. Appl Soft Comput J 33:15–23. https://doi.org/10.1016/j.asoc.2015.04.007
Kumar S, Joshi RC (2011) Design and implementation of IDS using snort, entropy and alert ranking system. In: 2011—international conference on signal processing, communication, computing and networking technologies, ICSCCN-2011. pp 264–268
Kumar V, Prakash Sangwan O (2012) Signature based intrusion detection system using SNORT. Int J Comput Appl Inf Technol I, Issue III 1:2278–7720
Kumari B, Swarnkar T (2011) Filter versus wrapper feature subset selection in large dimensionality microarray: a review. Int J Comput Sci Inf Technol 2:1048–1053
Liao HJ, Richard Lin CH, Lin YC, Tung KY (2013) Intrusion detection system: a comprehensive review. J Netw Comput Appl 36:16–24. https://doi.org/10.1016/j.jnca.2012.09.004
Liu R, Rallo R, Cohen Y (2011) Unsupervised feature selection using incremental least squares. Int J Inf Technol Decis Mak 10:967–987. https://doi.org/10.1142/s0219622011004671
Lotfi Shahreza M, Moazzami D, Moshiri B, Delavar MR (2011) Anomaly detection using a self-organizing map and particle swarm optimization. Sci Iran 18:1460–1468. https://doi.org/10.1016/j.scient.2011.08.025
Lu C, Gao L, Li X, Xiao S (2017) A hybrid multi-objective grey wolf optimizer for dynamic scheduling in a real-world welding industry. Eng Appl Artif Intell 57:61–79
Makhadmeh SN, Khader AT, Al-Betar MA, Naim S (2018) Multi-objective power scheduling problem in smart homes using grey wolf optimiser. J Ambient Intell Humaniz Comput. https://doi.org/10.1007/s12652-018-1085-8
Mirjalili S (2014) Grey wolf optimizer MATLAB code. Adv Eng Softw 69:46–61
Negandhi P, Trivedi Y, Mangrulkar R (2019) Intrusion detection system using random forest on the NSL–KDD dataset. Emerging research in computing. Information communication and applications. Springer, Berlin, pp 519–531
Özgür A, Erdem H (2017) The impact of using large training data set KDD99 on classification accuracy. PeerJ Prepr 5:e2838v1
Rani MS, Xavier SB (2015) A hybrid intrusion detection system based on C5.0 decision tree and one-class SVM [J]. Int J Curr Eng Technol 5:2001–2007
Roopa Devi EM, Suganthe RC (2018) Enhanced transductive support vector machine classification with grey wolf optimizer cuckoo search optimization for intrusion detection system. Concurr Comput 1–11. https://doi.org/10.1002/cpe.4999
Seth JK, Chandra S (2016) Intrusion detection based on key feature selection using binary GWO. In: 2016 3rd international conference on computing for sustainable global development (INDIACom). pp 3735–3740
Shah B, Trivedi BH (2013) Data set normalization: for anomaly detection using back propagation neural network. In: IEEE-international conference on research and development prospectus on engineering and technology (ICRDPET)
Shen J, Wang J (2011) Network intrusion detection by artificial immune system. In: IECON proceedings (industrial electronics conference). pp 4716–4720
Srivastava D, Singh R, Singh V (2019a) An intelligent gray wolf optimizer: a nature inspired technique in intrusion detection system (IDS). J Adv Robot 6:18–24
Srivastava D, Singh R, Singh V et al (2019b) Analysis of different hybrid methods for intrusion detection system. 757–764
Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed analysis of the KDD CUP 99 data set. In: 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications. IEEE, pp 1–6
Tribak H, Delgado-Márquez BL, Rojas P et al (2012) Statistical analysis of different artificial intelligent techniques applied to intrusion detection system. In: Proceedings of 2012 international conference on multimedia computing and systems, ICMCS 2012. pp 434–440
Velliangiri S (2019) A hybrid BGWO with KPCA for intrusion detection. J Exp Theor Artif Intell 00:1–16. https://doi.org/10.1080/0952813x.2019.1647558
Vithalpura JS, Diwanji HM (2015) Analysis of fitness function in designing genetic algorithm based intrusion detection system. J Sci Res Dev 3:86–92
Wolf L, Shashua A (2005) Feature selection for unsupervised and supervised inference: the emergence of sparsity in a weighted-based approach. J Mach Learn Res 6:378–384. https://doi.org/10.1109/iccv.2003.1238369
Xingzhu W (2015) ACO and SVM selection feature weighting of network intrusion detection method. Int J Secur its Appl 9:259–270. https://doi.org/10.14257/ijsia.2015.9.4.24
Xu H, Liu X, Su J (2017) An improved grey Wolf optimizer algorithm integrated with cuckoo search. In: Proceedings of the 2017 IEEE 9th international conference on intelligent data acquisition and advanced computing systems: technology and applications, IDAACS 2017. pp 490–493
Zawbaa HM, Emary E, Grosan C, Snasel V (2018) Large-dimensionality small-instance set feature selection: a hybrid bio-inspired heuristic approach. Swarm Evol Comput 42:29–42. https://doi.org/10.1016/j.swevo.2018.02.021

Publisher's Note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.