
Optimizing Feature Selection in Intrusion Detection Systems Using a Genetic Algorithm with Stochastic Universal Sampling

Abstract: Network security can never be overdone; therefore, intrusion detection systems (IDSs)
are relevant. The detection ability of an IDS can be influenced greatly by feature selection,
which motivates the following analysis. In the present article, we describe a new approach to a
hybrid network intrusion detection system that uses GA-SUS integrated with stacking ensemble
learning. First, PCA is applied for dimensionality reduction, and then base models such as
XGBoost and Gradient Boosting Classifier are used. To improve the prediction outcome, these
models were integrated with a logistic regression meta-classifier. To improve it further,
hyperparameters are tuned through a deep Q-network (DQN) to get the best results. To the best
of our knowledge, one of the most common approaches to testing the efficiency of a method is
to evaluate it on a benchmark dataset; the accuracy we obtained on the benchmark dataset was
around 97.61% with GA-SUS feature selection. This result supports the assertion that the
proposed approach is able to identify both regular and undesirable activity in the network.
Based on these implications, it can be concluded that the GA-SUS-enhanced ensemble model can be
considered a solution for improving the reliability and precision of network intrusion
detection systems.

Keywords: Genetic algorithm, stochastic universal sampling, feature selection, intrusion detection.

1. Introduction
ATSIT Integration and technological evolution over the Internet call for efficient IDSs as a
means of secure protection. They protect against several cyber threats which in return improve
the security and integrity of network forms [1]. Feature selection is the core of any IDS in which
the discovery of discrete features that characterize communications taking place in a network and
the capability to distinguish between normal and anomalous is achieved. New challenges are
represented in the additional increase in attacks and advancements in technologies witnessed by
existing IDS solutions. More suggestion could be needed in MLM techniques during the
processing of a vast amount of data and transition in networking environment [2]. Therefore,
there is an increasing concern about how to build a method to extract ‘better’ high order features
when target is sect in the ocean of nonstationary traffic. This also requires enhancement of
generality and efficiency of the IDS so that to strengthen the arsenal of network protection from
new and unknown threats [3].

1.1. Feature Selection


Feature selection belongs to the essential sub-processes of the data pre-processing stage taking
place when creating and working on machine learning models as well as performing data
analysis. The next activity includes the selection of which of the characteristics from the set
influences the performance and computational complexity of the model significantly. The choice
of features also makes the data smaller and thus requires less computational work as well as
make the model more manageable by including useful features. This simplifies complexity and
assists a lot in preventing overtraining of such a kind to engage itself in performing very well on
the training data set and poorly on other data because of the complexity.

Fig 1. Advantages of feature selection [4]



It may be observed from Fig. 1 that a number of advantages are attached to feature selection.
Feature selection also helps to improve the interpretability of the models, in the sense that
irrelevant features of the data will not add to the complexity of the models. To this end, it
helps the model reduce overfitting, and thereby the model performs well when tested on unseen
data. Feature selection also proved to be helpful in eliminating noisy components, resulting in
an improvement in the quality of the provided dataset. In other words, when feature selection is
performed properly, one is left with models that are accurate, efficient, and understandable,
all qualities that are critical in the quest for insights and trustworthy predictions.

1.2. Novelty and objectives


The principal contributions of this study include the enhancement of genetic algorithms with
stochastic universal sampling (GA-SUS) combined with recursive feature elimination (RFE) and
ensemble learning optimised through deep Q-networks (DQN). In contrast, the selection of
signals as well as the tuning of the models commonly involve techniques that are different from
those mentioned above, whereas this study offers a combined method that runs these steps in
parallel. First, the GA-SUS approach optimises feature selection with the help of genetic
algorithms, thus improving the accuracy and stability of the model.

The aim of this paper is to present and enhance a new approach to enhancing an NIDS by a more
refined feature selection and optimisation process. To overcome the limitations of the above
thought process, this study proposes a two-step strategy, including GA-SUS and RFE, in an
ensemble learning framework. The main objectives are to enhance the model performance,
increase the detection rates, and efficiently tune the hyperparameters using a DQN. This
approach aims to develop a better and more comprehensive solution for detecting the irregularity
of a network, thus improving the area of security in networks.

1.3. Paper Organization


Hence, this paper is divided into Section 1, Introduction to IDS and Feature Selection, through
which the aim of the study is stated. The second section of this paper provides a literature review
on IDS and the feature selection and genetic algorithms that have been applied in cybersecurity.
Section 3 provides an introduction to GA-SUS and its use, the genetic algorithm, SUS, and RFE
used in GA-SUS, and the overall process of feature selection optimisation. The following sub-
sections highlight an analysis of the performance of the GA-SUS model in benchmark datasets.
For the results and discussion, additional sections are provided in Section 4. Finally, the
conclusion enunciates the major research findings, limitations of the study, and suggestions for
subsequent research on enhancing IDS and cyber security.

2. Literature Review
Intrusion detection systems (IDSs) are vital because they offer protection by helping detect
intruders or other cyber activities. Recent studies in the field have addressed issues such as
optimising IDS features and selecting and improving IDS parameters. This review examines
novel techniques such as genetic algorithms, evolutionary algorithms, reinforcement learning,
and ensemble methods.

Bakır and Ceviz (2024) proposed a method in which hyperparameters were optimised using a
genetic algorithm combined with a hybrid feature selection technique to improve IDS. They
applied it to the CICIDS 2017 data and achieved improvements in terms of detection accuracy
and rate. Their proposed approach was shown to enhance detection performance. The optimised
hyperparameters improved the false negative and false positive rates by as much as 61% and
62.5%, respectively, for XGBoost [5]. Cheng, Shang, and Qian (2024) also emphasised the effect
of feature selection on detection rates. They created a multi-objective evolutionary algorithm
that concentrated on optimising the number of features to be selected for classification
accuracy, together with the detection rate [6].

Ren et al. (2023) used reinforcement learning to design an IDS called a multiagent feature
selection network. An increase in accuracy of 99.1% on the NSL-KDD datasets proved that
reinforcement learning has a positive impact on IDS [7]. Another model, developed by Ren et al.
(2022), utilised deep reinforcement learning for feature selection and classification, and
demonstrated superior performance. This approach enhances the accuracy by as much as 96.18%
[8]. Thajeel et al. (2023) proposed dynamic feature selection using a deep Q-network
multi-agent to predict cross-site scripting (XSS) attacks. Another more detailed model that can
be updated in real time is superior to existing benchmarks for several indicators [9].

We adapted this from the implementation of Kavitha, Kannan, and Suresh (2023) as a filter
selection technique in ensemble feature selection with deep learning for cloud-computing
intrusion detection framework. It achieved an accuracy of 95% [10]. Mananayaka and Chung
(2023) proposed a novel two phase hybrid ensemble learning model with feature selection for
wired and wireless datasets and achieved very satisfactory attack detections [11]. In the same
year, Yin et al. proposed an enhanced model that uses information gain and random forest with
RFE to enhance the IDS and obtained an accuracy of 82.25% that has been enhanced to 84%.
The above algorithm was evaluated using just one among the datasets accessible in NSLKNN
known as UNSW-NB15 [12].

Saheed et al. (2023) incorporated Bat algorithm with the Residue Number System while
selecting the features of an IDS and observed better detection rates, accuracy and processing
speed improvement than conventional methods [13]. E and S (2024) adopted a Bagging-DRL, a
deep reinforcement learning model that uses several methods of feature extraction to outperform
the intrusion detection in IoT environments, to achieve a good accuracy of 98.36% on NSL-KDD
[14]. Dutta et al. (2023) used the NSGA-II for dynamic features selection supporting an accuracy
of between 80% and 100%, which is impressive and a leap from benchmark models [15].

Table 1. Summary of literature review

| Ref no | Dataset(s) | Feature Selection Technique | Models | Conclusion | Limitation |
|---|---|---|---|---|---|
| [5] | CICIDS2017 | Hyperparameter optimization using an improved genetic algorithm and composite feature subset selection | X.G., R.F. | The usage of the proposed feature selection method together with the genetic algorithm corresponds to the improvement of the time-related characteristics of the IDS systems | Real-world IDS systems often face scalability challenges |
| [6] | NSL-KDD, UNSW-NB15 | Multi-objective evolutionary algorithm | CART Decision tree, Logistic Regression, Random Forest | MOEA/D-3objective formulation performs better than 2 objective | Higher computational costs and longer optimization times |
| [7] | CSE-CIC-IDS2018, NSL-KDD | Multi-agent feature selection | GCN | The overall energy consumption appeared high, although routine patterns remain protected, while CSECIC-IDS2018 and NSL-KDD datasets recorded equally high accuracy rates of 96.8% and 99.1%, and the resultant F1-Scores of the proposed system were estimated to be 96.3% and 99.1%. | Require extensive training to converge to optimal or near-optimal solutions. |
| [8] | CSE-CIC-IDS2018 | DT+RFE for feature selection | Deep reinforcement learning | This outcome makes DRL+RFE overall accuracy of 96.18% and F1-score of 94.89%. | Performance is sensitive to the settings of the reward function and learning discount factor in the DRL model. |
| [9] | Four real XSS datasets, namely, D1-66, D2-167, D3-30, and D4-30. | Deep Q-network multi-agent feature selection | Multiple classifiers | The improvement percentages of the mean accuracy and F1-measure varied between 1.01% and 12.1% and between 0.55% and 6.88% respectively | Effectiveness is dependent on the availability of continuous, high-quality labeled data. |
| [10] | KDDCup-99, NSL-KDD | Filter, wrapper, and embedded algorithms are classified as filter-based ensemble feature selection. | DLM is the short of RNN along with TDO | 95% accuracy achieved | Performance heavily depends on the optimization by TDO, which might not always yield optimal parameters. |
| [11] | Aegean Wi-Fi Intrusion Detection Dataset | Automatic feature selection include (AFS-DT, AFS-RF, AFS-ANN, and AFS-SVM.) | Two-phased Hybrid Ensemble learning | AFS-RF achieved 98.79% accuracy | They may struggle with new or evolving attack types that are not in training data. |
| [12] | UNSW-NB15 | Information gain and random forest with recursive feature elimination (RFE) | MLP | By using multi-classification accuracy, the performance of MLP is enhanced in the range of 82.25% - 84.24%. | The method is specifically designed for structured datasets, which may limit its applicability to unstructured data. |
| [13] | NSLKDD network data. | Bat algorithm with Residue Number System | NB, KNN | In regards to the target, the proposed bat-RNS+PCA+NB algorithm obtained satisfactory results in detecting its location; it yielded a detection accurate of 97.82% of the target. | The study's limitation is that it only addresses binary intrusion detection, |
| [14] | CSE-CIC-IDS2018 and NSL-KDD databases | Self-improved Seagull algorithm for the enhancement of Enriched Principal Component Optimization | DRL uses MLP, CNN, while O-RNN interacts optimally with the surroundings or environment. | The test results achieved a maximum accuracy of 0.9836 and 0.9606 for NSL-KDD and CSE-CIC-IDS2018, respectively. | The limitation of the proposed Bagging-DRL-based Intrusion Detection model is its high computational complexity and resource demands that may limit its real-time applicability particularly where the underlying systems have limited computing and processing capabilities. |
| [15] | Synthetic (BGFD1, BGFD2, and BGFD3) and real-world datasets (KDD 99 and NSL-KDD 99) | Improved Dynamic Filter Based Feature Selection using Non-dominated sorting genetic algorithm II (NSGA-II) | Online sequential extreme learning machine | E-DFBFS in place of the conventional dynamic filter based features. In multiple classification families, there are several selection (DFBFS) methods required. metrics | Exhibit instability when faced with fluctuating data patterns, affecting the reliability and consistency of intrusion detection results. |

2.1 Research gaps

Existing IDS systems that work towards increasing detection performance and effectiveness use
a higher level of sophistication for selecting features and hyperparameters in feature modeling.
Such methods are ineffective when facing large amounts of data and network traffic, and their
performance weakens as the amount of data increases. In addition, given the constant emergence
of new threats, IDS solutions should be effective and easily scalable to maintain high relative
detection accuracy for different types of attacks. However, despite the development in this area
of research, there is still a clear research gap that focuses on implementing comprehensive parent
selection mechanisms within GAs and feature refinement structures, such as RFEs. Previous
work has mainly consolidated singular methodologies, with negligible investigations of the
integration of various optimisation techniques to optimise the IDS.

This study proposes the application of a genetic algorithm with stochastic universal sampling
(GA-SUS) to select parents and recursive feature elimination (RFE) to fine-tune the features
used when building IDSs, thus enhancing their performance. The GA-SUS approach overcomes
the limitations of traditional methods by handling large datasets and adapting to the nature of
contemporary network traffic. As applied to the genetic algorithm, the application of SUS also
tries to improve the variation and the convergence rates of the selection part and hence better
feature subsets. Moreover, based on the analysis of these subsets, RFE is expected to adjust these
subsets further so that the IDS detection will be more accurate and efficient. Thus, the
performance of GA-SUS was assessed and compared with other studies with the view of
expecting superior performance in detecting different forms of attacks such as.

3. Methodology
This work aims to develop a hybrid machine learning model for network intrusion detection that
addresses feature selection, dimensionality reduction, and ensemble learning. The proposed
model includes a genetic algorithm (GA), recursive feature elimination (RFE), kernel linear
discriminant analysis (KLDA), principal component analysis (PCA), deep Q-network (DQN)
optimization steps, and stacked ensemble learning. The subsequent sections define and explain
each phase of the methodology in sequence, from the data pre-processing phase up to the
evaluation of the final model. The architecture of the proposed system is presented in Fig. 2.

Fig 2. Architecture Diagram of proposed system

3.1 Dataset Description

NSL-KDD Dataset: This is an improved version of the KDD Cup 99 dataset, and is more
suitable for IDS assessment. This approach eliminates certain inaccuracies in the initial data, for
example, the presence of multiple records, which can introduce certain biases in the evaluation of
an IDS. NSL-KDD consists of several types of records and probes: normal, DoS, R2L, U2R, and
probes in the network traffic records. It is widely used to compare IDS effectiveness because it
provides a reasonable distribution that is close to the real traffic distribution. [16].

3.2 Data Preprocessing


The data used in the present work was first preprocessed and then arranged into a feature matrix
and a label vector. The features are a set of relative parameters of network traffic, and the
labels mark traffic as normal or intrusion. To enhance the reliability and applicability of the
model, the dataset is partitioned into training and testing sets; most often, the ratio is 8:2.
The features were demeaned and standardized before the dataset was submitted to feature
selection. This step was used so that all the features contribute to the model in equal
measure. This assists in avoiding the situation in which the features with a high variance
guide the learning process.

3.3 Feature Selection using Genetic Algorithm (GA)


One of the most valuable procedures is feature selection, which reduces the dimensionality of the
dataset and improves model performance and interpretability. As described in the genetic
algorithm approach above, the program starts with the generation of a population where the
members here are binary arrays, and these have been assigned the roles of representing features.
These are binary arrays or chromosomes, which indicate whether each feature is included (1) or
excluded (0). [17].

For fitness evaluation, each individual in the population was assessed based on its ability to train
a Random Forest classifier. If an individual selects at least one feature, the classifier is trained
using these features, and its accuracy in the validation set determines the fitness score of the
individual. If no features were selected, the fitness score was set to zero.

Selection was performed using stochastic universal sampling. First, the total fitness of the
population was computed. The step size is then determined based on the total fitness and
population size. Parents are chosen using a random start point and a set of pointers spaced one
step size apart, so that individuals with high fitness have a higher probability of being
selected.

Crossover occurs whereby two selected parents are combined to form the offspring. A crossover
point was selected randomly, and the child received traits from both parents: the first part
came from one parent and the rest from the other parent.

Mutation is used in generating new offspring by randomly flipping bits between 0 and 1, adding
new genetic features to the population. A new population of the same size replaces the old one,
and this process repeats for a predefined number of generations or until some stopping
criterion is fulfilled.

Lastly the best from the final generation was chosen because it had the best fitness score out of
all the individuals. This individual pertains to the best subset of features that are being searched
sequentially by a genetic algorithm. The mathematical formula is as follows:

Initialization:

Initialize the population $P = \{p_i \mid i = 1, 2, \ldots, P\}$, where $p_i \in \{0, 1\}^N$ is a binary array representing
a subset of features.

Fitness Evaluation:

For each individual $p_i \in P$, compute the fitness:

Let $F(p_i)$ be the set of selected features:

$$F(p_i) = \{\, j \mid p_i[j] = 1,\ j = 1, 2, \ldots, N \,\} \quad (1)$$

If $F(p_i) \neq \emptyset$:

Then use the features of the dataset to train a random forest classifier

The accuracy $\mathrm{acc}(p_i)$ of the classifier is calculated.

Otherwise, $\mathrm{acc}(p_i) = 0$

Selection (Stochastic Universal Sampling):

Calculate the total fitness:

$$\text{total\_fitness} = \sum_{i=1}^{P} \mathrm{acc}(p_i) \quad (2)$$

Determine the step size:

$$\text{step\_size} = \frac{\text{total\_fitness}}{\lfloor P/2 \rfloor} \quad (3)$$

Select parents:

Start point: start point =uniform¿ (4)

Pointers: $\text{pointers} = \{\, \text{start\_point} + k \cdot \text{step\_size} \mid k = 0, 1, \ldots, \lfloor P/2 \rfloor - 1 \,\}$

The indices based on cumulative fitness are selected.

Crossover:

For each pair of parents $p_i$ and $p_j$:

Random crossover point $c$: $c = \mathrm{random}(0, N-1)$

Generate child: $c_k = (p_i[:c] \oplus p_j[c:]) \quad (5)$

$c_k$ inherits the first $c$ bits from $p_i$ and the remaining bits from $p_j$

Mutation:

For each child $c_k$:

For each bit $c_k[j]$:

$c_k[j] = 1 - c_k[j]$ with probability $\mu$

New Generation:

The old population was replaced with the new generation of children.

This process continues for $G$ generations or until a certain criterion is met

Output:

Identify the best individual $p^*$ from the final generation: $p^* = \arg\max_{p_i \in P} \mathrm{acc}(p_i) \quad (6)$
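
The selection, crossover and mutation steps above, as an added Python example (not the authors' code). It assumes a start point drawn from uniform(0, step_size), which is the standard SUS choice, random pairing of the selected parents, a constructed dataset, and a nearest-centroid classifier standing in for the Random Forest so that it runs with the standard library only.

```python
import random

def sus_select(fitness, n_parents, rng):
    """Stochastic universal sampling (Eqs. 2-4): one random start point,
    then n_parents pointers spaced one step_size apart over cumulative fitness."""
    total = sum(fitness)
    if total <= 0:                       # every chromosome scored 0: pick uniformly
        return [rng.randrange(len(fitness)) for _ in range(n_parents)]
    step = total / n_parents
    start = rng.uniform(0, step)         # assumption: standard SUS start in [0, step)
    chosen, i, cum = [], 0, fitness[0]
    for k in range(n_parents):
        pointer = start + k * step
        while cum <= pointer and i < len(fitness) - 1:
            i += 1
            cum += fitness[i]
        chosen.append(i)
    return chosen

def make_data(rng, n_per_class=100, n_features=8, informative=(0, 3)):
    """Constructed sample data: only the `informative` columns separate the classes."""
    rows = []
    for label in (0, 1):
        for _ in range(n_per_class):
            x = [rng.uniform(-1, 1) for _ in range(n_features)]   # noise columns
            for j in informative:
                x[j] = rng.gauss(4 * label - 2, 0.3)              # class means -2 / +2
            rows.append((x, label))
    rng.shuffle(rows)
    return rows

def accuracy(mask, train, valid):
    """Fitness acc(p_i): validation accuracy on the selected columns, 0 if none.
    Nearest-centroid stand-in for the Random Forest used in the paper."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0
    cent = {}
    for label in (0, 1):
        pts = [x for x, y in train if y == label]
        cent[label] = [sum(p[j] for p in pts) / len(pts) for j in cols]
    hits = 0
    for x, y in valid:
        dist = {l: sum((x[j] - c) ** 2 for j, c in zip(cols, cent[l])) for l in (0, 1)}
        hits += min(dist, key=dist.get) == y
    return hits / len(valid)

def ga_sus(train, valid, n_features, pop_size=20, generations=15, mu=0.05, seed=1):
    """GA loop: SUS parent selection, single-point crossover, bit-flip mutation."""
    rng = random.Random(seed)
    pop = [[rng.randint(0, 1) for _ in range(n_features)] for _ in range(pop_size)]
    for _ in range(generations):
        fit = [accuracy(p, train, valid) for p in pop]
        parents = [pop[i] for i in sus_select(fit, pop_size // 2, rng)]
        children = []
        while len(children) < pop_size:
            pi, pj = rng.sample(parents, 2)       # assumption: random pairing
            c = rng.randint(0, n_features - 1)    # crossover point (Eq. 5)
            child = pi[:c] + pj[c:]
            children.append([1 - b if rng.random() < mu else b for b in child])
        pop = children                            # new generation replaces the old
    fit = [accuracy(p, train, valid) for p in pop]
    best = max(range(pop_size), key=fit.__getitem__)   # Eq. 6
    return pop[best], fit[best]

def demo(seed=7):
    rows = make_data(random.Random(seed))
    split = int(0.8 * len(rows))                  # 8:2 train/validation split
    return ga_sus(rows[:split], rows[split:], n_features=8)

if __name__ == "__main__":
    mask, acc = demo()
    print("selected features:", [j for j, b in enumerate(mask) if b], "accuracy:", acc)
```

Because the pointers are evenly spaced, a chromosome holding 70% of the total fitness is picked two or three times out of four whatever the start point, and a zero-fitness chromosome is never picked.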

Recursive Feature Elimination (RFE)

Then, starting from the feature subset obtained from the GA, recursive feature elimination (RFE)
was used to select even better features. RFE functions by iteratively eliminating the least
important features, based on the contribution they make towards the improvement of the model,
until we arrive at the number of features we need. A Random Forest algorithm is used as the
model that estimates the importance of the features. Features are then removed one after
another from the bottom, beginning with the least contributing feature, and the model is
retrained. This process is continued until only the K best features remain. These features were
used in the subsequent feature reduction and estimation steps described in the following
sections.

Dimensionality Reduction

To address the curse of dimensionality and further reduce the feature space, two dimensionality
reduction techniques are employed: Kernel Linear Discriminant Analysis (KLDA) and Principal
Component Analysis (PCA).

KLDA was used to transform the data onto a shorter feature dimension and also minimising the
interclass distance (normal – intrusion). Based on a kernel function, KLDA can model the
nonlinear relationship of features, and then establish a better feature space.
$$Z_{KLDA} = W_{KLDA}^{T} X_{top} \quad (7)$$

where WKLDA is the projection matrix obtained by maximizing the Fisher criterion.

After that, the features will be transformed by using the PCA in order to select only p principal
components for comparison with the KLDA model. PCA removes projection directions
determined to present high variability of the data and as such, most of the noise and redundant
features
$$Z_{PCA} = W_{PCA}^{T} Z_{KLDA} \quad (8)$$

where $W_{PCA}$ consists of the eigenvectors corresponding to the largest eigenvalues of the
covariance matrix of $Z_{KLDA}$.

The final reduced dataset is denoted as Zfinal.

3.4 Model Training and Stacking Ensemble Learning


Base Models: To construct a solid intrusion detection system, various base models are trained
in the present work using a dataset that has been transformed into low dimensions by applying
the PCA technique. In particular, we used the XGBoost and Gradient Boosting Classifier as the
main base models of the ensemble.

XGBoost is selected for handling large datasets and intricate pattern detection because of the
gradient boosting framework upon which it is built. Additionally, GBC extends XGBoost, which
iteratively provides better approximations to the model with fewer errors. These models
complement each other to a great extent, in the sense that they handle numerous aspects of data
complexity and drive up the predictive capability.

Meta-Classifier: In the stacking ensemble approach, the logistic regression model takes on
the role of a meta-classifier. It is primarily deployed to merge the outcomes of the base, from
which a final classification is generated. Logistic regression was again chosen because it is good
at weighting the results of other models, and it calculates the best weights for each base model
depending on the accuracy of the latter. The goal of this strategic integration is to increase the
ability of the model to distinguish normal behaviour from non-normal or abusive behaviour.

Deep Q-Network (DQN) Optimization

Q-Learning Setup: Realising that the ensemble model could be enhanced, for hyperparameter
tuning, we use a deep Q-network (DQN). Reinforcement learning is used in the form of a DQN,
which helps in selecting the best-suited values for the hyperparameters for the best results. In this
regime, the DQN influences the model in terms of the hyperparameters, and the response is a set
of rewards derived from the model’s evaluation results.

Training: When acquiring DQN, Q-values are updated when the amount of hyperparameters
defined rises. The objective is to improve the reward function, which in the present case is the
enhancement of the performance of the ensemble model. The same approach that is, following
the above outlined feature selection scheme, benefits the DQN in a way that it is able to bring
about ‘fine tuning’ of the hyperparameters to a level where classification differences of network
activities are enhanced.

3.5 Model Evaluation

Prediction: Finally, after training and optimisation of the models, the meta classifier and other
models in the loop were used to classify the test set. This involves providing an inference, that is
a union of the base models to provide the final class for each instance in the test set.

Performance Metrics: The assessment of the proposed model was performed using the following
features: accuracy, precision rate, recall rate, F1 score, and confusion matrix. Accuracy gives a
general measure of the developed model and checks correctness of the developed model.
Precision, and recall measure to some extent how many of the positive instances are correctly
classified and how few misclassifications in the form of false positives or false negatives are
there. As mentioned earlier the F1 score is a measure that is in-between precision and recall.
Finally, and taking as the last measure of the model, the confusion matrix allows estimating all
the true, false, negations and positives that can be retrieved from the assessed model.

Visualization: These outcomes were shown in various kinds of diagrams and graphs for the
objective of understanding and evaluating the performances of the models. Some of the visually
presented items include bar plots of feature importance and performance metrics; and confusion
matrices which can be used to check how well our model is performing.

Model Outputs: The combination of selected features, the set of the training parameters, and
performance metrics in a final model is preserved for future use. The documentation of the
results comprises an evaluation of the proposed hybrid architecture for network intrusion
identification. In this detailed record, the actual and the predicted labels are given, which
show how accurate the model is at classifying network threats and, hence, how the independent
utilization of methodologies can be beneficial.

Algorithm: Recent Hybrid Machine Learning Model for Network Intrusion Detection

Initialization
- X, y ← Load data
- Hyperparameters ← Set parameters for GA, RFE, KLDA, PCA, DQN, and Stacking models
Feature Selection using Genetic Algorithm (GA)
- Initialize Population:
  - Population ← Random initialization of N chromosomes
  - For each chromosome c_i ∈ Population:
    - Evaluate Fitness:
      - Features ← Selected by c_i
      - Model ← Train RandomForest on Features
      - Fitness(c_i) ← Evaluate model accuracy
- Selection:
  - Selected Chromosomes ← Stochastic Universal Sampling (SUS) based on Fitness
- Crossover:
  - Offspring ← Apply Crossover on Selected Chromosomes
- Mutation:
  - Mutated Offspring ← Apply Mutation with rate p_m
- Update Population:
  - Population ← Mutated Offspring
- Repeat:
  - Repeat steps for G generations or until convergence.
- Final Selection:
  - c_best ← Chromosome with highest Fitness
Recursive Feature Elimination (RFE)
- Feature Ranking:
  - Ranked Features ← RFE with RandomForest on Features selected by c_best
- Feature Selection:
  - Top Features ← Select k best features
Dimensionality Reduction
- Apply KLDA:
  - Z_KLDA ← KLDA on Top Features
- Apply PCA:
  - Z_PCA ← PCA on Z_KLDA reducing to p components
Model Training using Stacked Ensemble Learning
- Base Models:
  - Base Models ← Train models (XGBoost, GBC) on Z_PCA
- Meta-Classifier:
  - Meta-Model ← Train Logistic Regression on predictions of Base Models
Deep Q-Network (DQN) Optimization
- Q-Learning Setup:
  - States, Actions, Rewards, Q(s,a) ← Define for DQN
- Training:
  - Q(s,a) ← Train DQN to optimize hyperparameters or thresholds Q(s,a)
Model Evaluation
- Prediction:
  - ŷ ← Predict using Meta-Model on test data
- Performance Metrics:
  - Accuracy, Precision, Recall, F1-Score, Confusion Matrix ← Evaluate on ŷ
Output Results
- Save (Features, Model Parameters, Metrics)
- Visualize Performance

4. Results and Discussion


The results of the current study indicate that the intelligent hybrid model of GA-SUS feature
selection and stacking ensemble learning model with deep Q-learning neural network, which is
proposed in the current research, is critical for using in network intrusion detection. NSL-KDD
was used to benchmark the model with tests conducted to determine success rates, accuracy,
precision, recall, F1-score in differentiating between normal traffic, and anomalous traffic.

Fig 3. Class Distribution

Fig 3 illustrates the proportion of class labels within the dataset with the class label that appears
most frequently. Such distribution forms can be skewed where some classes like ‘DoS’ and
‘normal’ are more frequent than classes like ‘U2R.’ Such distribution is important for model
training and testing.

Table 1. Classification Report of model using GA-SUS Feature Selection

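| | precision | recall | f1-score | support |
|---|---|---|---|---|
| DoS | 0.99 | 0.99 | 0.99 | 10688 |
| Probe | 0.96 | 0.95 | 0.95 | 2749 |
| R2L | 0.85 | 0.74 | 0.79 | 792 |
| U2R | 0.00 | 0.00 | 0.00 | 25 |
| normal | 0.98 | 0.98 | 0.98 | 15450 |
| accuracy | | | 0.98 | 29704 |
| macro avg | 0.76 | 0.73 | 0.74 | 29704 |
| weighted avg | 0.97 | 0.98 | 0.98 | 29704 |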

Table 1 shows the classification report of the model with GA-SUS feature selection. The
model achieves an appreciable degree of accuracy: the overall accuracy is 0.9761. Performance is
outstanding for the “DoS” (Denial of Service) category, showing that the model detected this
kind of attack highly accurately. The “Probe” category also gives a good result, although ‘DoS’
performance is slightly higher, with a good identification rate. Weaker performance can be
observed in the “R2L” category, for which recognition is less effective. The “U2R” category is
very poor, with all the parameters being nearly low. Since the presence of this category is
negligible in the dataset, the detection capability shows a very poor result. As for the last
“normal” group, the model correctly identifies its network activity, with high performance
indicators. In conclusion, the macro-level performance across classes is low to moderate, but
at the same time the weighted levels indicate high competency of the model at identifying the
classes that are more dominant. Fig 4 provides the confusion matrix of the model that used the
GA-SUS feature selection algorithm.

Fig 4. Confusion Matrix of model using GA-SUS feature selection

The proposed GA-SUS feature selection technique was compared with the differential
evolution-based algorithm with maturity extension (DE-ME) for feature selection proposed
in [22]. Comparing the proposed GA-SUS with RFE ensemble learning approach against DE-ME
reveals differences in both performance and technique.

Table 2. Classification Report of model using DE-ME Feature Selection

              precision    recall  f1-score   support

         DoS       0.90      1.00      0.94     10688
       Probe       0.96      0.68      0.80      2749
         R2L       0.91      0.83      0.87       792
         U2R       0.00      0.00      0.00        25
      normal       0.98      0.96      0.97     15450

    accuracy                           0.94     29704
   macro avg       0.75      0.70      0.72     29704
weighted avg       0.95      0.94      0.94     29704

The classification report of the model using DE-ME feature selection is shown in Table 2.
It shows high overall performance for the model using DE-ME feature selection, at 94.43%.
Once more, the model performs extremely well in detecting the “DoS” and “normal” classes,
with precision, recall, and F1-score of 0.90 and above. The macro average F1-score is 0.72,
which clearly shows the variation in the model's performance across the classes. The
weighted average F1-score of 0.94 reflects the overall performance of the model; however, it
is somewhat biased towards the majority classes “DoS” and “normal”. This means that the
model is more accurate on frequent attacks but less effective on rare attacks.
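One way to check the macro versus weighted gap described above, using only the per-class rows of Tables 1 and 2 (added example, not code from the paper; the function names and the 0.80 recall floor are assumptions). It also estimates how many attacks of each class go undetected, which the headline accuracy does not show.

```python
# Per-class rows copied from Table 1 (GA-SUS) and Table 2 (DE-ME):
# class -> (precision, recall, f1, support). The source rounds to two decimals,
# so derived values are approximate and can differ from the tables in the last digit.
GA_SUS = {
    "DoS":    (0.99, 0.99, 0.99, 10688),
    "Probe":  (0.96, 0.95, 0.95, 2749),
    "R2L":    (0.85, 0.74, 0.79, 792),
    "U2R":    (0.00, 0.00, 0.00, 25),
    "normal": (0.98, 0.98, 0.98, 15450),
}
DE_ME = {
    "DoS":    (0.90, 1.00, 0.94, 10688),
    "Probe":  (0.96, 0.68, 0.80, 2749),
    "R2L":    (0.91, 0.83, 0.87, 792),
    "U2R":    (0.00, 0.00, 0.00, 25),
    "normal": (0.98, 0.96, 0.97, 15450),
}

def averages(report, col):
    """Return (macro, weighted) average of a column: 0=precision, 1=recall, 2=f1."""
    rows = list(report.values())
    total = sum(r[3] for r in rows)
    macro = sum(r[col] for r in rows) / len(rows)         # every class counts equally
    weighted = sum(r[col] * r[3] for r in rows) / total   # dominated by DoS and normal
    return round(macro, 2), round(weighted, 2)

def missed_attacks(report):
    """Estimated false negatives per attack class: support * (1 - recall)."""
    return {c: round(r[3] * (1 - r[1])) for c, r in report.items() if c != "normal"}

def blind_spots(report, min_recall=0.80):
    """Attack classes whose recall falls below min_recall (hypothetical operating floor)."""
    return sorted(c for c, r in report.items() if c != "normal" and r[1] < min_recall)

if __name__ == "__main__":
    for name, rep in (("GA-SUS", GA_SUS), ("DE-ME", DE_ME)):
        print(name, "recall (macro, weighted):", averages(rep, 1))
        print(name, "estimated missed attacks:", missed_attacks(rep))
        print(name, "classes below recall floor:", blind_spots(rep))
```
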

(a) The Accuracy and loss of models using GA-SUS Feature Selection

(b) The Accuracy and loss of models using DE-ME Feature Selection
Fig 5. Accuracy and loss plot
Fig 5 (a) and (b) illustrate the accuracy and loss plots for GA-SUS and DE-ME feature
selection, respectively. The plots compare model performance under the two feature
selection methods. For both methods, the accuracy plot shows how well the models classify
data over training epochs, while the loss plot tracks the error reduction. Typically, a
rising accuracy and a decreasing loss indicate good model training. Comparing the two,
GA-SUS likely shows better stability with smoother curves and higher final accuracy, while
DE-ME may have more fluctuations, suggesting that GA-SUS's feature selection yields a more
consistent and accurate model. The plots help visualize the effectiveness of each feature
selection approach.
Fig 6. Comparative Analysis of Classification Report

Fig 6 presents the comparative analysis of the classification reports. It visually compares
the corresponding performance indices of two different models or feature selection
algorithms. It is likely to report, in the same view, measures such as precision, recall,
F1-score, and accuracy for each class, enabling a side-by-side comparison. This comparison
illustrates how the different solutions affect the model’s performance in detecting various
kinds of attacks and normal traffic. By overlaying the results in one figure, we can easily
compare the GA-SUS feature selection method with the alternative, seeing which performs
better in general and which has a problem with certain classes. It offers information about
the strongest and weakest aspects, which can be used to strengthen the model.

4.1 Discussion
This study proposes a novel technique of GA-SUS with RFE for selecting the features for an IDS
employing three benchmark datasets. Compared to the existing approach, the proposed approach
yielded the results listed in Table 3.

Various studies on IDS datasets have applied different feature selection and machine learning
algorithms. Our proposed model yielded decent results compared with those of other feature
selection approaches in the literature.

Table 3. Comparison of GA-SUS with RFE in existing studies

Ref no     Feature selection algorithm          Model                          Accuracy achieved (%), NSL-KDD dataset

[18]       BukaGini (Gini importance)           Random forest classifier       99
[19]       Feature importance (RF)              RF
[20]       Condensed nearest neighbors (CNN)    CNN                            95.54
                                                Radial basis function (RBF)    94.28
[12]       IGRF-RFE                             MLP
[21]       GA in MapReduce                      SVM, ANN, RT, LR, and NB       90.45
Our model  GA-SUS with RFE                      Ensemble learning - DQN        97.61

BukaGini, with a Random Forest classifier, achieved a high accuracy of 99%. Other
methods, such as convolutional neural network (CNN) and Radial Basis Function (RBF),
yielded accuracies of 95.54% and 94.28%, respectively. The GA in the MapReduce
approach combined with SVM, ANN, RT, LR, and NB achieved 90.45% accuracy. Our
model, utilising GA-SUS with Recursive Feature Elimination (RFE) and ensemble
learning optimised by DQN, achieved a notable accuracy of 97.61%, demonstrating its
effectiveness in intrusion detection.
Although the proposed model offers good results, certain limitations still exist. There
appears to be no perfect dataset for studying invertible graphs; however, the present work
employed the NSL-KDD dataset which has been used in most previous studies but may
not portray real-life network traffic and emerging threats. Furthermore, the optimisation
process used in DQN is quite efficient, but at the same time, it is costly and
time-consuming; hence, its applicability to large datasets or real-time data may be problematic.
This study also presupposes that the selected features remain the best under various
network conditions, which may not be true. Future work could consider extending the
work to other types of datasets with larger and diverse groups of users, and also compare
the performance of the model in real-time activities in dynamic network topologies.

5. Conclusion
The findings from this study highlight the feasibility of the proposed hybrid model of
GA-SUS with RFE for feature selection and DQN for fine-tuning an ensemble learning
model of classifiers for network intrusion detection. It reaches an accuracy of 97.60% on
the NSL-KDD dataset and is able to detect different types of attacks, such as revival of
DoS attacks and probe attacks, as it solves the problem of class imbalance. The proposed
multi-objective optimisation harnessing of a Genetic Algorithm with stochastic universal
sampling for selection and Deep Q-Networks thus contributes to the design of new
approaches for improving the generalisation of the model by reducing its sensitivity to
changes in the training data. The study nevertheless has a limitation: attacks such as U2R
are very rare, and because they appear in the dataset only a few times, the performance
for such types remains below par. Future work
may investigate better detection rates for these minority classes by investigating better
data augmentation techniques or by using enriched deep neural networks. Furthermore,
the model could be tested on other datasets as well as real-time environments, and such
aspects could also be further explored. Extending this approach to address dynamic cyber
threats or using it for more general and larger sets would further improve the approach to
help with network security use cases.
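The selection step named in the conclusion, stochastic universal sampling, is shown here as an added example of the general algorithm rather than the paper's implementation; the feature bitmasks, fitness scores and function names are constructed for illustration. It compares SUS with independent roulette-wheel spins to show how tightly SUS bounds the number of copies each candidate feature subset receives.

```python
import random
from bisect import bisect_left
from itertools import accumulate

# Constructed population: each chromosome is a feature bitmask (1 = feature kept);
# the fitness values are made-up validation scores, not results from the paper.
POPULATION = [
    ([1, 0, 1, 1, 0, 0, 1, 0], 0.95),
    ([1, 1, 0, 1, 0, 1, 0, 0], 0.90),
    ([0, 1, 1, 0, 1, 0, 0, 1], 0.70),
    ([0, 0, 0, 1, 1, 1, 0, 0], 0.45),
]

def sus_select(fitness, n, rng):
    """SUS: one random offset, then n equally spaced pointers over the fitness wheel."""
    cum = list(accumulate(fitness))
    step = cum[-1] / n
    start = rng.random() * step                # single spin, offset in [0, step)
    picks = []
    for k in range(n):
        i = bisect_left(cum, start + k * step)
        picks.append(min(i, len(cum) - 1))     # guard against float round-off at the end
    return picks

def roulette_select(fitness, n, rng):
    """Baseline: n independent spins of the same wheel."""
    return rng.choices(range(len(fitness)), weights=fitness, k=n)

def expected_copies(fitness, n):
    """Expected number of copies of each individual among n selections."""
    total = sum(fitness)
    return [n * f / total for f in fitness]

def copies_range(select, fitness, n, index, trials=2000, seed=7):
    """Min and max copies of one individual seen over repeated selections."""
    rng = random.Random(seed)
    counts = [select(fitness, n, rng).count(index) for _ in range(trials)]
    return min(counts), max(counts)

if __name__ == "__main__":
    fit = [f for _, f in POPULATION]
    print("expected copies:", [round(e, 2) for e in expected_copies(fit, 8)])
    print("SUS copies of best subset:", copies_range(sus_select, fit, 8, 0))
    print("roulette copies of best subset:", copies_range(roulette_select, fit, 8, 0))
```

With SUS each individual receives either the floor or the ceiling of its expected copy count, so a strong feature subset is never dropped by chance and a weak one never floods the next generation.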

References
[1] A. Thakkar and R. Lohiya, "A survey on intrusion detection system: feature selection,
model, performance measures, application perspective, challenges, and future research
directions," Artificial Intelligence Review, vol. 55, no. 1, pp. 453–563, Jul. 2021.
[Online]. Available: https://doi.org/10.1007/s10462-021-10037-9
[2] M. Di Mauro, G. Galatro, G. Fortino, and A. Liotta, "Supervised feature selection
techniques in network intrusion detection: A critical review," Engineering Applications
of Artificial Intelligence, vol. 101, p. 104216, May 2021. [Online]. Available:
https://doi.org/10.1016/j.engappai.2021.104216
[3] S. Das et al., "Network Intrusion Detection and Comparative Analysis Using Ensemble
Machine Learning and Feature Selection," in IEEE Transactions on Network and Service
Management, vol. 19, no. 4, pp. 4821–4833, Dec. 2022. [Online]. doi:
10.1109/TNSM.2021.3138457.
[4] E. Jaw and X. Wang, "Feature Selection and Ensemble-Based Intrusion Detection
System: An Efficient and Comprehensive Approach," Symmetry, vol. 13, no. 10, p. 1764,
Sep. 2021. [Online]. Available: https://doi.org/10.3390/sym13101764
[5] H. Bakır and Ö. Ceviz, "Empirical Enhancement of Intrusion Detection Systems: A
Comprehensive Approach with Genetic Algorithm-based Hyperparameter Tuning and
Hybrid Feature Selection," Arabian Journal for Science and Engineering, Apr. 2024.
[Online]. Available: https://doi.org/10.1007/s13369-024-08949-z
[6] Z.-H. Cheng, H. Shang, and C. Qian, "Detection-Rate-Emphasized Multiobjective
Evolutionary Feature Selection for Network Intrusion Detection," arXiv (Cornell
University), Jun. 2024. [Online]. Available: https://arxiv.org/abs/2406.09180
[7] K. Ren, Y. Zeng, Y. Zhong, B. Sheng, and Y. Zhang, "MAFSIDS: a reinforcement
learning-based intrusion detection model for multiagent feature selection networks,"
Journal of Big Data, vol. 10, no. 1, Sep. 2023. [Online]. Available:
https://doi.org/10.1186/s40537-023-00814-4
[8] K. Ren, Y. Zeng, Z. Cao, and Y. Zhang, "ID-RDRL: a deep reinforcement learning-based
feature selection intrusion detection model," Scientific Reports, vol. 12, no. 1, Sep. 2022.
[Online]. Available: https://doi.org/10.1038/s41598-022-19366-3
[9] I. K. Thajeel, K. Samsudin, S. J. Hashim, and F. Hashim, "Dynamic feature selection
model for adaptive cross site scripting attack detection using developed multiagent deep
Q learning model," Journal of King Saud University. Computer and Information
Sciences/Maǧalaẗ Ǧamʼaẗ Al-malīk Saud : Ùlm Al-ḥasib Wa Al-maʼlumat, vol. 35, no. 6,
p. 101490, Jun. 2023. [Online]. Available: https://doi.org/10.1016/j.jksuci.2023.01.012
[10] C. Kavitha, S. M, T. R. Gadekallu, N. K, B. P. Kavin, and W.-C. Lai, "Filter-Based
Ensemble Feature Selection and Deep Learning Model for Intrusion Detection in
Cloud Computing," Electronics, vol. 12, no. 3, p. 556, Jan. 2023. [Online]. Available:
https://doi.org/10.3390/electronics12030556
[11] A. K. Mananayaka and S. S. Chung, "Network Intrusion Detection with Two-Phased
Hybrid Ensemble Learning and Automatic Feature Selection," IEEE Access, vol.
11, pp. 45154–45167, Jan. 2023. [Online]. Available:
https://doi.org/10.1109/access.2023.3274474
[12] Y. Yin et al., "IGRF-RFE: a hybrid feature selection method for MLP-based
network intrusion detection on UNSW-NB15 dataset," Journal of Big Data, vol. 10, no.
1, Feb. 2023. [Online]. Available: https://doi.org/10.1186/s40537-023-00694-8
[13] Y. K. Saheed, T. O. Kehinde, M. A. Raji, and U. A. Baba, "Feature selection in
intrusion detection systems: a new hybrid fusion of Bat algorithm and Residue Number
System," Journal of Information and Telecommunication, pp. 1–19, Nov. 2023. [Online].
Available: https://doi.org/10.1080/24751839.2023.2272484
[14] G. F. E and S. S, "Enhanced intrusion detection in wireless sensor networks using
deep reinforcement learning with improved feature extraction and selection," Multimedia
Tools and Applications, May 2024. [Online]. Available:
https://doi.org/10.1007/s11042-024-19305-6
[15] A. J. Rabash, M. Z. A. Nazri, A. Shapii, and M. K. Hasan, "Non-Dominated
Sorting Genetic Algorithm-Based Dynamic Feature Selection for Intrusion Detection
System," IEEE Access, vol. 11, pp. 125080–125093, Jan. 2023. [Online]. Available:
https://doi.org/10.1109/access.2023.3328395
[16] S. Mohanty and M. Agarwal, "Recursive Feature Selection and Intrusion
Classification in NSL-KDD Dataset Using Multiple Machine Learning Methods," in
Communications in computer and information science, 2024, pp. 3–14. [Online].
Available: https://doi.org/10.1007/978-3-031-56998-2_1
[17] Z. Halim et al., "An effective genetic algorithm-based feature selection method
for intrusion detection systems," Computers & Security, vol. 110, p. 102448, Nov. 2021.
[Online]. Available: https://doi.org/10.1016/j.cose.2021.102448
[18] M. A. Bouke, A. Abdullah, K. Cengiz, and S. Akleylek, "Application of BukaGini
algorithm for enhanced feature interaction analysis in intrusion detection systems,"
PeerJ. Computer Science, vol. 10, p. e2043, Apr. 2024. [Online]. Available:
https://doi.org/10.7717/peerj-cs.2043
[19] N. M. Khan, N. M. C, A. Negi, and I. S. Thaseen, "Analysis on Improving the
Performance of Machine Learning Models Using Feature Selection Technique," in
Advances in Intelligent Systems and computing, 2019, pp. 69–77. [Online]. Available:
https://doi.org/10.1007/978-3-030-16660-1_7
[20] F. Z. Belgrana, N. Benamrane, M. A. Hamaida, A. M. Chaabani, and A. Taleb-Ahmed,
"Network Intrusion Detection System Using Neural Network and Condensed
Nearest Neighbors with Selection of NSL-KDD Influencing Features," Jan. 2021.
[Online]. Available: https://doi.org/10.1109/iotais50849.2021.9359689
[21] D. Mehanović, D. Kečo, J. Kevrić, S. Jukić, A. Miljković, and Z. Mašetić,
"Feature selection using cloud-based parallel genetic algorithm for intrusion detection
data classification," Neural Computing & Applications, vol. 33, no. 18, pp. 11861–11873,
Mar. 2021. [Online]. Available: https://doi.org/10.1007/s00521-021-05871-5
[22] M. Faris, M. N. Mahmud, M. F. M. Salleh, and B. Alsharaa, "A differential
evolution-based algorithm with maturity extension for feature selection in intrusion
detection system," Alexandria Engineering Journal, vol. 81, pp. 178–192, Oct. 2023.
[Online]. Available: https://doi.org/10.1016/j.aej.2023.09.032
