Cluster Computing (2022) 25:3299–3311

https://doi.org/10.1007/s10586-022-03564-9 (0123456789().,-volV)(0123456789().
,- volV)

Improving network intrusion detection by identifying effective

features based on probabilistic dependency trees and evolutionary
algorithm
Mahdi Ajdani1 • Hamidreza Ghaffary1

Received: 6 April 2021 / Revised: 29 December 2021 / Accepted: 12 February 2022 / Published online: 28 February 2022
 The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2022

Abstract
With the expansion of computer networks, attacks and intrusions into these networks have also increased. In order to
achieve complete security in a computer system, in addition to firewalls and other intrusion prevention equipment, other
systems called intrusion detection systems (IDS) are also required. This paper presents a new method for selecting effective
features on network intrusion detection based on the distribution estimation algorithm which employs the probability
dependency tree to identify the interactions between the features. To evaluate the performance of this algorithm, a new
dataset was used where the packets were divided into normal categories. The performance of the proposed algorithm was
investigated alone and in combination with other feature selection algorithms, including leading selection, regression
selection, random forest, and genetic algorithm. The effect of algorithm parameters, such as population size was explored
on the accuracy of intrusion detection. According to the results of this analysis as well as combining the results of accuracy
examination within the categories obtained using different feature selection algorithms, a subset of effective features in
intrusion detection was identified.

Keywords Data mining  NSL-KDD  KDD-cup99  Genetic algorithm  Security  Classification

1 Introduction data mining to detect intrusion include collecting data from

The purpose of intrusion detection is to prevent unautho-
rized use, misuse of databases, and damage to network
resources by both internal users and external intruders.
Intrusion detection systems, a key element of the security
infrastructure, are applied in many organizations. These
systems include hardware and software models as well as
templates that automate the network event monitoring
process to address security issues. Meanwhile, the purpose
of data mining is to discover or generate relationships
between initial observations as well as to predict observa-
tions using the obtained patterns. The four main stages of
& Hamidreza Ghaffary
the network with sensors of monitoring systems, convert-
ing raw data into data that can be used in data mining
models, creating data mining models, and analyzing the
results. Unsupervised [1] and supervised [2] data mining
are two common methods of data mining. In the unsuper-
vised method, the answer is discovered, but in the moni-
tored method, the response is characteristic and the
response to future observations must be predicted. The data
mining method in this paper falls into the category of
monitored algorithms [1]. After collecting data from the
network, a large set of samples with data mining models is
examined through which an educational set is created. The
accuracy of this model is then evaluated with an experi-
mental set. Several methods have been proposed for clas-
sification, such as k nearest neighbor [3], decision tree [4],

[email protected] support vector machine [5], Bayesian networks, and neural
Mahdi Ajdani networks [2, 3, 4]. In this study, a standard data set in the
[email protected] field of intrusion detection called NSL-KDD has been used.
1 This dataset contains 41 attributes and 5 different classes to
Department of Computer Science, Ferdows Branch, Islamic
Azad University, Ferdows, Iran characterize the behavior of packets in the network. These

123
3300
classes include a normal class along with the four intrusion
classes of DoS, U2R, R2L, and Prob attacks. The purpose
of selecting a data simplification feature is to identify and
use basic features. Feature selection is employed in many
areas, including text classification, data mining, pattern
recognition, signal processing, intrusion detection, etc. The
importance of feature selection is examined in two aspects.
The first is eliminating inappropriate and ineffective fea-
tures while the second deals with optimization problem to
obtain the optimal subset of features that would better meet
the intended purpose [5].
In this paper, a multi-class support vector machine is
used to detect intrusion using previously collected data. In
order to identify the effective features in intrusion detec-
tion, a type of distribution estimation algorithm [6] has
been used which models the relationships between the
features. The performance of this algorithm in feature
selection for this problem has been compared with that of
basic algorithms such as leading selection, backward
selection, as well as standard genetic algorithm. Next, to
improve the performance of the algorithm used, a mimetic
distribution estimation algorithm is proposed which
employs local random search. The results of evaluating the
performance of algorithms based on general and partial
performance (within categories) indicate the good ability of
this method in identifying effective features for intrusion
detection. Finally, by collecting the results obtained from
different feature selection algorithms, a subset of the most
important features for intrusion detection is identified and
introduced. In the second part of this paper, the background
of the research and the literature are reviewed. The third
section describes the method of applying the dependency
tree distribution estimation algorithm [7] to identify
effective features. In the fourth section, the results of the
performed experiments are presented and explained.
Finally, conclusions and suggestions for future work are
presented in the fifth section. Through timely allocation of
measures taken in the direction of oil supply to the system,
the security would hopefully be established in the network.
To achieve this goal, one of the tools that can be used is
data octave. So far, various data mining methods have been
used to learn the behavioral patterns of ordinary users and
disruptive users. This beta paper has been performed to
explore the speed and accuracy of intrusion allocation
using duct data methods implemented on KDD-Cup-99 and
NSL-KDD sample data. Also, this research paper focuses
on machine learning (ML) and data mining (DM) tech-
niques for cybersecurity, with an emphasis on ML/DM
methods to be compared with the proposed method. For
most ML procedures, there should be three steps, not two:
training, validation, and testing. ML and DM methods
often have parameters such as the number of layers and
nodes. After completing the training, there are usually
123
Cluster Computing (2022) 25:3299–3311
several models (for example, ANNs) available. To decide
which one to use and to have a good estimate of the error in
a test set, there must be a separate third set, the validation
dataset. The model that functions best on the validation
data should be the utilized model and should not be based
on its accuracy on the test data set. Otherwise, the reported
accuracy is optimistic and may not reflect the accuracy of
another similar but slightly different test set. There are
three major types of DM/DL approaches: supervised, semi-
supervised, and supervised. In unsupervised learning, the
main task is to find patterns, structures, and knowledge in
unsupervised data. When part of the data is labeled during
data acquisition or by human experts, the problem is called
semi-supervised learning. Adding tagged data is of signif-
icant help in solving the problem. If the data are fully
tagged, the training problem is supervised and it is usually
the task of finding a function or model that explains the
data. Methods such as curve fitting are used to model data
to the underlying problem. In general, this tag is a variable
or problem experts assume is relative to the data collected.
Unfortunately, the methods that are most effective for
cyber applications have not been developed. Also, given
the richness and complexity of the methods, it is impos-
sible to make a recommendation for each method based on
the type of attack the system is expected to detect. There is
no single criterion for determining the effectiveness of
methods, but several criteria that must be considered. There
are some features of this problem that make ML and DM
methods difficult to use. They are particularly relevant to
the fact that the model often needs to be retrained. An
effective area for research is the study of rapid gradual
learning techniques that can be used for daily updates of
models against abnormal use and intrusion detection as
introduced in this paper.
2 Literature review
2.1 Selecting a feature in the category
Detection of intrusion is essentially a matter of classifica-
tion. In this regard, feature selection is important, since
although there is no linear relationship between the number
of features and the performance of a category, exceeding
the number of attributes by a certain value will change the
performance of the category. Feature selection for large-
scale data improves the classifier performance, while also
reducing detection time and cost [6, 7]. In problems with a
large number of features, feature selection is a common
step in machine learning methods. One of the most com-
mon methods of selecting a feature of a step is to generate a
subset of features, to evaluate the subset, to terminate the
criterion, and to validate the results. In order to select a
Cluster Computing (2022) 25:3299–3311 3301

subset of properties, the process of selecting and evaluating The value of y is equal to 1 or - 1 and each is a true
the subset is repeated until the termination condition is met. vector of the next p. The closest training data to separator
Generating a subset of features is essentially an explora- super pages are called backup vectors.
tory search process in a search space. The nature of this Accordingly, the goal is to find the separator super plane
process is determined by two basic issues. The search point with the longest distance from the backup vectors that
or starting points that affect the search direction must first be separates the dots with the dots. As displayed in Fig. 1, as
determined. The second issue is determining a search strat- the margin of the super plate is maximized, the separation
egy. Various strategies, including complete, sequential, and between categories is also maximized. Each super page can
random are applied to search for the optimal subset. Each be written as a set of x points that satisfies the condition; w
newly created subset must be evaluated against a standard. is a normal vector perpendicular to the super plane. W and
The evaluation criteria are classified into two groups, inde- b should be selected so as to create the maximum distance
pendent and dependent, given dependence on learning between parallel hyperplanes that separate the data. These
algorithms. In the independent model, the feature subset is hyperpages are described using Eq. (2):
selected independently of the learning algorithm. In the
dependent model, however, a learning algorithm is used as Wx  b ¼ 1
ð2Þ
an evaluator function [9] to select the appropriate subset. The Wx  b ¼ 1
stop criterion determines when the feature selection process
w is the orthogonal weight vector on the separating
should stop. Some stop criteria include setting some limits
superplanes and b denotes the width vector from the origin
that should not be violated, setting the maximum number of
of each superplate. The first equation is the positive sample
iterations, stopping the attribute selection process when
separator page and the second equation is the negative
adding attributes does not result in a better subset, or stop-
sample separator page. In a support vector machine, a set of
ping if a subset is selected well enough. A simple way to
points can be separated from each other in two linear and
validate results is to draw conclusions using prior knowl-
nonlinear ways. If the training data are linearly separable,
edge; however, in real-world programs, there is usually no
the two hyperpages in the margin of the dots can be con-
such knowledge; thus, we should use some indirect methods
sidered as having nothing in common; Then, attempts are
to monitor the performance change.
made to maximize the spacing of those superpages. When
The two basic algorithms for feature selection are for-
the data can be separated linearly, the support vector
ward and backward selection. The feature selection process
machine obtains an optimal hyperplane with a maximum
in the advanced selection method starts with an empty set
margin by solving an optimization problem while consid-
where each time the algorithm repeats, a feature is added to
ering the training data set.
the answer set and evaluated using the evaluator function.
This is repeated until the required number of attributes is
selected. The problem with the advanced selection algo-
rithm is that the added feature is not removed if it is
inappropriate from the answer set. The backward selection
algorithm, unlike the forward selection algorithm, starts
with a set containing all attributes, and in each iteration of
the algorithm, the selected attribute with the evaluator
function is removed from the attribute set. This continues
until the removal of any feature improves. The properties
removed from the collection in this way are no longer
added to the collection, even if they are appropriate.

2.2 Support vector machine

The support vector machine is a binary classifier that

separates two classes using a linear boundary. The goal in
linear data segmentation is to achieve a function that
determines the most marginal hyperplanes.
Assume the instructional data set contains n samples as
follows:

^ p ; yiI^f1; 1g n
D y ¼ ðxi; yiÞj; xiIgR ð1Þ
i¼1 Fig. 1 Superset separating the two classes 1 ? and 1 -

123
3302
If the data are linearly inseparable and the classes
overlap, the separation of classes with a linear boundary is
always accompanied by an error. In order to solve this
problem, the data are first transferred from the initial space
to a higher dimension space using a nonlinear transfor-
mation, so that in the new space, the classifications will
have less interference with each other. The transition to
higher dimensions is done through kernel functions. Dif-
ferent core functions have been introduced for this purpose,
such as polynomial function, radial base function, etc.
[8, 9].
2.3 Previous studies
Most intrusion detection systems mainly use a classifica-
tion algorithm for intrusion detection; however, these
systems only succeed in providing the best possible intru-
sion detection with a low false alarm rate. Various studies
have been conducted on the use of data mining techniques
to detect intrusion. Each of these studies seeks to provide
better results in achieving useful patterns in intrusion
detection systems. The data mining techniques applied in
this regard include the following:
Wang et al. [13] proposed a method of combining neural
networks and fuzzy clustering in order to enhance the
accuracy and stability in detecting low-recurrence attacks,
achieved by reducing the false-positive rate [28]. Initially,
the entire learning set is broken down into smaller subsets
using fuzzy clustering, and a suitable neural network is
applied to each subset. Each neural network can learn each
subset faster and more accurately, and finally, using the
fuzzy aggregation method [29], they obtain the main output
from the output of all neural networks. Chen and Abraham
[14] utilized the distribution estimation algorithm to detect
intrusion in order to train the leading neural network
classifier. The weights, bias, and function parameters used
in the neural network, such as the Gaussian or Sigmoid
function, were optimized by the distribution estimation
algorithm. In this paper, the neural network classification
was trained with particle swarm optimization algorithm
[31]. The comparison of the results revealed the high
accuracy and positive error rate in the neural network
training method with the distribution estimation algorithm.
Also, [15] proposed two neural network-based methods for
detecting abuse-based intrusion. The first method was to
use a neural network with fewer data and the main com-
ponent analysis technique [6], and the second method
involved applying a neural network with all the features of
the database. According to the results, the use of fewer
features in the KDDCUP99 database would improve the
time and memory parameters required for intrusion detec-
tion. In another similar work [16], an intrusion detection
system was introduced using a principal component
123
Cluster Computing (2022) 25:3299–3311
analysis algorithm to reduce the number of features for
reducing the system complexity and for using a support
vector machine to classify samples. The proposed system
speeded up intrusion detection processing and greatly
reduced the amount of memory required. Clustering was
used to identify normal behavior in [17]. Normal behaviors
were grouped in a normal cluster, with normal clusters \
used as signatures to detect intrusion, whereby any devia-
tion from it was considered intrusion. In [18], a hybrid
method called FWP-SVM-GA was proposed. In this
algorithm, initially the probability of combination and
mutation operators in the genetic algorithm was calculated
according to the evolutionary status of the population and
the optimal fit value, which was used to select the feature.
Its innovation was the calculation method of the fit func-
tion, which combined three parameters for each subset of
features: true positive rate (TPR), error rate (Error), and
number of selected features (NumF (S)). Finally, given the
subset of optimal properties, feature weights and SVM
parameters were optimized simultaneously.
In a similar work, [19] applied a recursive feature removal
algorithm such as the regression selection method to identify
related features in intrusion detection. They used two sets of
Gaussian kernel support vector bands and the nearest
neighbor to decide whether to omit the variables. To improve
the classification accuracy with each subset of features,
suitable values for the parameters of the classification algo-
rithms were obtained via the parameter adjustment method.
In another work [20], first, 17 and 35 related features were
selected from a total of 41 features in the NSL-KDD data-
base, respectively, using correlation-based feature selection
methods and Chi-Square. Then, support vector machine
classification models and intrusion detection neural net-
works based on selected features were employed. In [21],
using the particle swarm optimization algorithm, the
appropriate values for the parameters C (cost) and g (gamma)
in the backup vector category were found and the same
algorithm was used simultaneously to select a subset of
related features in the detection problem. In [8], the authors
proposed a hybrid principal component analysis (PCA)-
firefly based machine learning model to classify intrusion
detection system (IDS) datasets. The dataset utilized in that
study was collected from Kaggle. The XGBoost algorithm
was implemented on the reduced dataset for classification. In
[32], a Crow-Search based ensemble classifier was used to
classify IoT- based UNSW-NB15 dataset. Initially, the most
significant features were selected from the dataset using
Crow-Search algorithm, after which these features were fed
to the ensemble classifier based on Linear Regression,
Random Forest and XGBoost algorithms for training. In [33]
NSLKDD, ISCXIDS2012, and CICIDS2017 datasets were
used for training and testing purposes. The J48Consolidated
provided the highest accuracy of 99.868%, a
Cluster Computing (2022) 25:3299–3311 3303

misclassification rate of 0.1319%, and a Kappa value of
0.998. Thus, this classifier was proposed as the ideal classi-
fier for designing IDSs. Finally, in [34], the prominent
dimensionality reduction techniques, Linear Discriminant
Analysis (LDA) and Principal Component Analysis (PCA),
were investigated on four popular algorithms including
Machine Learning (ML), Decision Tree Induction, Support
Vector Machine (SVM), Naive Bayes Classifier, and Ran-
dom Forest Classifier using publicly available Car-
diotocography (CTG) dataset from University of California
and Irvine Machine Learning Repository. The experimen-
tation results demonstrated that PCA outperformed LDA in
all the measures. The performance of the classifiers, Deci-
sion Tree, and Random Forest examined was not affected
much using PCA and LDA. To further analyze the perfor-
mance of PCA and LDA, the experimentation was carried
out on Diabetic Retinopathy (DR) and Intrusion Detection
System (IDS) datasets. Experimentation results proved that
ML algorithms with PCA yielded better results when
dimensionality of the datasets was high. However, when
dimensionality of datasets was low, it was observed that the
ML algorithms without dimensionality reduction generated
better results. Table 1 summarizes the dataset feature values
in previous studies.
Special emphasis was placed on finding sample articles
describing the application of various ML and DM tech-
niques in cyberspace, both for cyber-attacks and intrusion
detection. Unfortunately, the methods that are most
effective for cyber applications have not been developed
and given the richness and complexity of the methods, it is
impossible to make a recommendation for each method
based on the type of attack that the system is expected to
detect. An unknown sample with a trained model, and
understandability of the final solution (classification) of
each ML or DM depending on the particular and some of
them may be more important than others. Another vital
aspect of ML and DM for cyber intrusion detection is the
importance of datasets for training and testing systems. ML
and DM methods cannot work without representative data,
and it is difficult as well as time-consuming to set such sets.
If an IDS could have access to the network and kernel level
data, it would be able to detect anomalies and misuse. If
only NetFlow data are available, this data should be aug-
mented by network-level data such as network that provide
additional features of dataset. If possible, network dataset
should be backed up with data.
The main gap observed is the availability of tagged data,
and as such it will certainly be a worthwhile investment to
collect data and tag some of them. With this new dataset,
several types of MLs and DMs can be used to develop
models, as opposed to limiting the ML list and being
effective for cyber applications. Significant improvements
can be made to cybersecurity using the ML and DM
methods using this dataset.
There are some features of this cyber problem that make
the ML and DM methods difficult to use, but in this paper

Table 1 Summary of feature

Field Value type Feature name Value type
values in previous studies
Analyzing Integer same_srv_rate Float
proxy logs Nominal dst_host_same_srv_rate Float
Using NLP Float dst_host_srv_serror_rate Float
techniques Float count Integer
Class imbalance Nominal logged_in Integer
problem Float dst_host_srv_diff_host_rate Float
rerror_rate Float src_bytes Integer
Analyzing Float service Nominal
proxy logs Float dst_host_rerror_rate Float
Using NLP Integer dst_host_diff_srv_rate Float
techniques Integer wrong_fragment Integer
Class imbalance Float num_compromised Integer
problem Float dst_bytes Integer
rerror_rate Integer diff_srv_rate Float
Analyzing Integer is_guest_login Integer
proxy logs Integer land Integer
Using NLP Integer num_failed_logins Integer
techniques Integer num_root Integer
Class imbalance Integer num_shells Integer
problem Integer num_outbound_cmds Integer
rerror_rate Integer

123
3304
we can solve these problem using NSL-KDD, CIDDS-001,
KDD99, and VIRUS TOTAL datasets, that will normalized
before used and many of proposed method that described
[6, 7, 8, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
26, 27, 28, 29, 30, 31, 32, 33, 34] and introduce new
method with use strength of all them.
2.4 Evolutionary algorithms
Evolutionary algorithms are a random, production-based
approach to solving optimization problems. Genetic algo-
rithm is one of the most basic types of evolutionary algo-
rithms. This algorithm is inspired by natural selection
theory [10] and genetic recombination [11]. In this algo-
rithm, by recombining promising answers [12], the optimal
solution to the problem can be found. Use of this method in
various issues has led to favorable results, but in some
cases, simple selection and recombination are not effective
to achieve the optimal answer. This is more likely to be the
case when the structural blocks [13] of the optimal
response in the search space are poorly distributed. This is
due to the lack of effective conservation of structural
blocks or partial responses that arise in solutions. The term
answers to sub-problems representing the knowledge and
relationships that govern the dimensions of the problem are
called structural blocks. The search for a technique to
further protect structural blocks has led to the emergence of
a new class of evolutionary algorithms called distribution
estimation algorithms [10]. In the third section, these types
of algorithms will be further explained.
2.4.1 Genetic algorithm
The genetic algorithm uses genetic operators during the
reproductive phase. The operators [14], combination [15],
and mutation [16] are mostly used in genetic algorithms.
The use of these operators on a population causes disap-
pearance of the dispersion or genetic diversity of the
population. The general process of the genetic algorithm is
as follows:
In the first stage, an initial population is generated from
candidate pathways called chromosomes. The parent pop-
ulation is then selected from the initial population, which
uses an evaluator function for this purpose. Next, applying
combination and mutation operators to the parent popula-
tion and generating a population is a new solution called
child population. Finally, the population of new solutions is
combined with the initial population and the initial popu-
lation of the next generation is created [14]. This process
continues until one of the stopping conditions is met.
123
Cluster Computing (2022) 25:3299–3311
2.4.2 Distribution estimation algorithms
Distribution estimation algorithms prevent the removal of
partial responses on chromosomes as much as possible.
Indeed, by giving the structural blocks a high probability,
attempt is made for these blocks to appear in the offspring.
For this purpose, instead of using standard genetic opera-
tors, the probability distribution of promising answers is
estimated to generate candidate answers. At each stage of
the algorithm, a probabilistic model is constructed based on
selected population responses, with the next generation of
candidate solutions [17] generated by sampling this model.
Thus, distribution estimation algorithms are called proba-
bilistic model-based genetic algorithms where the two
combinations and mutations are replaced by constructing a
probabilistic model and sampling the constructed model
[11]. In general, distribution estimation algorithms are
based on the probabilistic model used with the number of
dependencies between genes divided into three categories:
univariate [18], bivariate [19], and multivariate [20]. The
difference in these three models is related to the number of
dependencies of each variable on other variables. The
algorithms in this category do not consider any interde-
pendence between genes. Indeed, structural blocks are of
the first order, and their probability distributions are cal-
culated by multiplying the marginal probabilities of all
variables in each individual, where the most popular of
these algorithms are the univariate margin distribution
algorithm [21], incremental learning population algorithm
[22], the dense genetic algorithm [23]. In many cases, most
variables are somehow related. In the bivariate model, the
algorithm is able to record some binary interactions
between variables using structures such as trees. In tree-
based models, one variable may be related to more than
one other variable whose offspring are placed in a tree
structure. These algorithms are able to model two-order
relationships between problem genes. Thus, the probability
distribution model will be slightly more complex than the
one-variable model, creating a form similar to the proba-
bility network between variables. Two-way information
maximization algorithms for input clustering [24] (MIMIC)
and the optimizer algorithm with two-way information tree
[25] (COMIT) are examples of these algorithms. Experi-
mental results have shown better performance of COMIT
algorithm compared to MIMIC, PBIL, and GA. The algo-
rithm for estimating the distribution of the dependency tree
used in this research is similar to COMIT.
In distribution estimation algorithms based on multi-
variate models, it is possible to model higher degrees of
relationships between variables. The developed dense
Cluster Computing (2022) 25:3299–3311
genetic algorithm [26] and the Bayesian optimization
algorithm are examples of such algorithms [11, 12]. The
major problem of these algorithms is the high complexity
and time-consuming process of the modeling due to the
complexity of the possible models used. As the process of
evaluating selected feature subsets with its classification
method is very complex, in this study, a dependent tree-
based two-variable algorithm is employed to search for
possible subsets space, which will be explained below.
2.4.3 Probabilistic dependency tree model
In a probabilistic model, the probability of different values
for the problem variables is obtained. Each possible model
contains a structure and a number of parameters. In the
structure of the probabilistic model, the dependencies of
the variables, and in the parameters of the probabilistic
model, the probability values of these dependencies are
specified. If the variables are binary, the probabilistic
model for each variable shows a probability of zero and
one. The method of calculating the value of probabilities is
based on the solutions available in the parent population.
The dependency tree is a two-variable model of the tree
type and obtains the relationship of each variable provided
another variable. This tree is a directional tree where the
nodes are problem variables. The probability distribution
defined by the tree structure is according to Eq. (3):
PðxÞ ¼ Onn¼m Pðxi jxj Þ ð3Þ
In the above relation, xj refers to the father; when xi is
the root, the value will be equal to p(xi). To learn the
dependency tree from the population, first the entropy of
each of the variables is obtained and the most irregular
variable is identified as the root. Then, based on the cri-
terion of mutual information [26], a dependency matrix is
formed between the problem variables, which has rows and
columns according to the number of problem variables; in
each of its cells, the mutual information between the two
variables is calculated. Subsequently, with a maximum tree
spanning tree construction algorithm, the variable load is
selected which is most related to the variables added to the
tree and is added to the dependency tree with an edge. This
operation continues until all the variables are added to the
tree. Finally, using a Monte Carlo estimation method, the
marginal probability of the root variable and the condi-
tional probability of other variables at the condition of their
parents are calculated according to the population of
promising solutions. New solutions (children) are gener-
ated independently of each other using the probabilistic
model learned. For this purpose, the structure of the
probabilistic model is used. The root is the first variable for
which the value is generated, as the root does not depend
on any variable. The probability of different values of the
3305
root variable is specified in the parameters section of the
probabilistic model, according to which a value is ran-
domly generated and replaced by the variable in the new
instance. This process is repeated for all other variables to
generate a value for all variables. To generate more solu-
tions, the above process must be repeated starting from the
root [11].
2.4.4 Random forest algorithm
The random forest algorithm was first introduced in 2001
by Bremen. The random forest is monitored by a classifi-
cation algorithm that includes a set of decision trees. The
decision tree algorithm is one of the most widely used
classification algorithms and data mining methods. In the
decision tree, the class or category is determined by fol-
lowing a set of questions related to the properties of the
data and looking at the current data to make a decision.
CART is the binary tree algorithm in the decision tree
algorithm. Random forest is a collection of CART trees
and is expressed in four stages [7].
1. K a subset of the training samples (D1, D2, …, Dk) are
selected from the sample code set in the training
section (D) by the Bootstrap sampling method. Finally,
the K decision tree will be created.
2. In the N branch of the classification tree node, the
special m is randomly assigned and according to the
minimum purity of the node, the best special among
the candidate M branches will be appointed. Trees will
grow accordingly.
3. This step is the repetition of the second step. K The
decision tree is produced.
4. The well-grown decisive trees form a random com-
posite forest. The actual sample on the final floor of the
random forest awaits a majority vote.
2.5 Identifying effective features
In this research, the dependency tree distribution estimation
algorithm is used to select the features. In this algorithm,
each person in the solution population represents a subset
of features. The support vector machine classification is
used to evaluate each solution from the population. After
selecting promising population solutions, they are used as a
data set to train a possible dependency tree model with the
method described in Sect. 2.3.3. After being evaluated in
the main population, the new solutions produced replaces
the previous worse solutions. The details of how to display
the feature subset in the algorithm and how to use the
support vector machine to evaluate solutions are described
below.
123
3306
2.6 Evaluation and coding function of solutions
Each subset of features is evaluated based on a multi-class
support vector machine classifier. For this purpose, this
category is first trained with a set of training data filtered
based on a subset of the given properties. It is then eval-
uated with experimental data sets that are similarly filtered.
A separate classification is trained for each class (one-vs-
all approach). Finally, the average performance of the
classification of different support vector machines on the
experimental data set is the criterion for evaluating the
feature subset. To encode each subset of attributes, as in
previous tasks, a binary string is used along the number of
attributes, with the number zero signifying that the corre-
sponding attribute is not selected while the number one
meaning that the attribute is selected in the subset.
2.7 Combined with local search
Memetic algorithms are a class of meta-heuristic algo-
rithms that are obtained through combining innovative
methods such as local search with basic search engines
such as evolutionary algorithms. They can improve the
performance of the basic search algorithm such as reducing
the time to achieve the optimal response [22]. Evolutionary
algorithms are usually created to search the entire search
space. Local neighborhood search, on the other hand,
searches for any answers found with an evolutionary
algorithm to find better answers. The selection of genera-
tion operators in a memetic algorithm as well as the type
and local search method used in it will lead to very dif-
ferent execution results. Accordingly, in this paper, a local
search algorithm is used which, after receiving the solution
obtained with the distribution estimation algorithm,
examines its proximity. The algorithm selects the adjacent
subset that is more appropriate, and selects it as distant as
possible. Finally, it replaces the current solution with the
best solution found.
This study was conducted to detect network intrusion.
To achieve this goal, a more comprehensive method called
the combination of random forest or the combination of
genetic algorithm was used. Increasing the evolutionary
algorithm leads to the specialization of their task; while
focusing the learners, it will help distribute the error around
the goal and ultimately enhance the accuracy of the deci-
sion-making system. Thus, by combining their opinions,
more accurate results will be obtained when compared
against similar studies.
123
Cluster Computing (2022) 25:3299–3311
3 Results
3.1 Dataset
In the NSL-KDD dataset, each record contains 43 fields.
Attribute 41 is a closed behavior field that specifies the
normal behavior or type of intrusion, and the last field
represents the degree of difficulty of detecting intrusion.
The label column has 5 categories, one normal class, and
four intrusion classes including DoS, U2R, R2L, and Prob.
In a denial of service attack, by saturating the target
machine with a connection request, high overhead is cre-
ated on the server, preventing the server from responding to
legitimate network traffic. In the user attack on the root, the
attacker uses a normal user account to exploit the vulner-
ability of the system in order to gain root privileges. In
external penetration, the attacker has the ability to send
packets to a machine, but it has no ID on the machine and
cannot access the system like a user. In intrusive scanning
infiltration, it scans the machine to determine vulnerabili-
ties or attacks that may be exploited later. This provides a
list of potential vulnerabilities of a machine that can be
used to carry out an attack.
The features in this data set are divided into numerical
and textual data in three categories: basic, content, and
traffic [23]. Basic features include those extracted from a
TCP / IP protocol connection. These features delay the
intrusion detection process. Examples of these features are
the connection time, type of protocol and service used, plus
bytes sent and received on a connection. Content Features:
Unlike many service-preventing and scanning attacks,
external-to-internal and user-to-root attacks do not have a
sequential pattern of anomalous repetition. This is because,
unlike service-blocking and scanning attacks, which have
multiple connections to hosts over a short period of time,
external intrusion and user-to-root penetration are embed-
ded in the data portion of network packets and generally
have a single connection. To detect this type of attack,
features capable of searching for infiltration behavior in the
packet data section are required, such as the number of
failed attempts. These attributes are called content attri-
butes. Examples of these features include the sum of
operations performed on a connection, number of failed
logins on a connection, user’s access to the system as an
administrator, etc. Traffic characteristics include the fea-
tures calculated according to the size of the window which
are divided into two groups: i) a group of connections
called time-based that have had the same service and host
Cluster Computing (2022) 25:3299–3311 3307

Table 2 Simulation assumptions

Feature fitness strategy: SVM Data set: NSL-KDD, CIDDS-001, KDD99 and virus total

Standardize:0–1 SVM type: one vs. all

population_size = 50,100,150 Kernel function: MLP
problem_size = 42 Number of packets in train data set: 100,000
max_generations = 10
Selection operator: binary tournament selection Number of packets in test data set: 12,000

200 0.88
in the last two seconds as the current connection; ii) a

Populaon

Accuracy
150 0.86
group designed to evaluate attacks that occur in more than 100 0.84
0.82
two seconds. These are features that determine the per- 50 0.8
centage of past connections to current connections with the 0 0.78

LOCAL&…

LOCAL&…

LOCAL&…
EDA
GA
FS
BS

EDA
GA
FS
BS

EDA
GA
FS
BS
same service and host, and are called machine-based. Also,
CIDDS-001, KDD99, and VIRUS TOTAL datasets are
used for comparing the algorithms with each other. Methods

3.2 Simulation assumptions Popoulaon ACCURACY

The dependency tree distribution estimation algorithm has
been implemented in C language; then, as a mex function,
it is possible to execute it in R version 3.4.2 environment.
Also, the relevant sections have been added to call the
evaluator function. Other default simulation values are
reported in Table 2. The NSL-KDD, CIDDS-001, KDD99,
and VIRUS TOTAL datasets are preprocessed and the data
are normalized before the tests. Also, non-numerical data
need to be converted to numerical data to train the support
vector machine classifier. Then, the genetic trait selection
algorithms, distribution estimation, distribution estimation
along with local search, leading selection, and regression
selection are implemented.
3.3 Results of simulation
In this section, the results of the experiments are presented
on the NSL-KDD database. Figure 2 compares the per-
formance of the five feature selection methods using the
support vector machine as an evaluation function in pop-
ulation sizes 50, 100, and 150. As can be seen, the leading
selection and backward selection algorithms are popula-
tion-free where population growth has no effect on their
performance. According to the obtained results, at smaller
population sizes, the genetic algorithm outperformed the
distribution estimation algorithm, where the difference in
accuracy has diminished with increasing the population
size. Use of a combination of distribution estimation
algorithm and local search has also significantly improved
its performance in small population sizes.
Fig. 2 Comparison of intrusion detection accuracy with the imple-
mentation of feature selection algorithms
Since the packets in the NSL-KDD, CIDDS-001,
KDD99, and VIRUS TOTAL database are classified into
five different classes, the degree of accuracy within the
obtained categories using different feature selection algo-
rithms and with different population sizes is presented in
Fig. 3. Influences that have a small number of samples to
learn in the training database are detected with far less
accuracy, causing reduced overall accuracy of the
detection.
3.4 Comparison
The results obtained from the proposed method for
selecting the effective features in intrusion detection in
Table 3 are compared with other similar tasks on the NSL-
KDD, CIDDS-001, KDD99, and VIRUS TOTAL data-
bases, using the support vector classifier. As can be
observed, the average accuracy obtained with the proposed
method has been compared with previous methods which
has been better in some cases. For example, compared to
the proposed method with the particle swarm optimization
algorithm [21], the accuracy of the results obtained was
better; however, in the methods used in references [19] and
[21], in addition to feature selection, the appropriate values
of the support vector machine classification parameters
were also obtained using optimization or manually. The
present study only focused on feature selection where

123
3308 Cluster Computing (2022) 25:3299–3311

Fig. 3 Comparison of accuracy

within categories resulting from feature selection
implementing feature selection
algorithms
1

0.5

u2r r2l prob dos normal

Table 3 Comparison with previous studies – Wrong_fragment (sum of packets with incorrect Check-
81.5 PSO-SVM (feature selection) [21]
sum code in a connection)
49.4 PSO-SVM (parameter tuning) [21]
– Count (number of connections that have the same
destination IP address)
82.3 Filter (35 features) ? SVM [20]
– Is_urgent_login (if the user accesses the system as a
81.27 RFE-SVM [19]
guest or moderator)
84.93 Local&EDA50-SVM
– Dst_host_srv_serroe_rate (percentage of connections
84 GA100-SVM
that have the same destination port number and their
85.62 FS-SVM
flag attribute value is S0, S1, S2 or S3)
86.68 GA-RF
– Difficulty detecting intrusion
Note that some features do not help much in detecting
intrusion and with most feature selection algorithms, they
common parameters for classification were considered. Of are considered irrelevant or redundant features:
note is the average performance report on the proposed – Duration (connection time)
algorithm compared to other methods, while other methods – Flag (connection status)
performance has been reported. – Hot (total operations performed on a connection)
– Num_faild_login (number of failed logins in a
3.4.1 Effective features in intrusion detection connection)
– Logged_in (if login is correct, it takes a value of one)
In Fig. 4, the results of the different algorithms studied are – Srv_diff_host_rate (percentage of feature 24 connec-
combined and the frequency of the selected features tions that have different destination machines)
obtained from five different execution times is shown. Each – Dst_host_count (the sum of connections that have the
column represents a feature, and the brightness of each cell same destination IP address)
in the image reflect the number of times that feature is – Dst_host_diff_srv_count (percentage of feature 32
selected in five different implementations of each algo- connections that have different services)
rithm (rows). The white squares indicate the selection of – Dst_host_serroe_rate (percentage of attribute 32 con-
the corresponding feature in each of the five execution nections whose flag attribute values are S0, S1, S2 or
times of the algorithm. S3)
Based on the combined results, the following features – Dst_host_rerroe_rate (percentage of attribute 32 con-
are effective in intrusion detection and have been selected nections whose flag attribute value is REJ)
with most feature selection algorithms:
Compared to the previously reported algorithm [23],
– Protocol_type (type of protocol used for connection) which did not use the concept of information gain and was
based on the ordinary decision tree, the method used in this

123
Cluster Computing (2022) 25:3299–3311
Fig. 4 Selected properties
obtained from five times
execution of each algorithm
study has shown about 60.6% improvement in correct
allocation.
4 Conclusions
Infiltration detection is essentially a matter of classifica-
tion, and feature selection is one of the issues addressed in
classification. For large data, feature selection reduces the
detection time and cost, while also improving the classifier
efficiency. This paper compared the performance of genetic
attribute selection algorithms, distribution estimation,
hybrid distribution estimation with local search, leading
selection, and backward selection with the support vector
machine classification used as a function of the fit of these
algorithms. In this regard, a general experimental frame-
work was designed on two benchmark datasets namely,
NSL-KDD, VIRUS TOTAL with different state-of-art
machine learning classifiers including KNN-RF, PSO-RF,
PSO-SVM_GA and GA to investigate the influence of the
four feature evaluation measures on the classification
accuracy of an IDS. Under optimized parameter settings,
all classifiers provided competitive results, where RF
offered better detection accuracy with all feature evaluation
measures. On the other hand, all the other classifiers gave
the best detection accuracy with consistency measure for
most of the attack classes. Further, the effectiveness of the
feature evaluation measures on IDS detection performance
was analyzed. Here all the feature evaluation measures
revealed a good detection rate for most classes of attacks.
According to the obtained results, the genetic algorithm
with a population size of 100 maximized the detection
accuracy of normal packets. Also, the local search distri-
bution algorithm with a population size of 50 led to the
highest accuracy in detecting DOS-type attacks. Further, to
detect U2R attacks with the fewest samples in the training
database, the leading selection algorithm was better than
other algorithms in detecting intrusion resulted in R2L-type
attacks from the backward selection algorithm and Prob-
3309
type attacks from the local search distribution estimation
algorithm which uses a population of 150 led to more
accurate intrusion detection. Future research can use dis-
tribution estimation algorithms, including Bayesian opti-
mization algorithm and compare it with the results obtained
in this paper, and then draw a parametric map of the
algorithms used for the development of current research.
The point to be emphasized is that for tree-based methods
of decision-making, when the nominal property has a large
number of unique values, the learning time will be very
long and learning will be slow. With the proposed method,
the learning speed greatly increased and the accuracy was
acceptable. In problems with a large number of features,
feature selection is a common step in machine learning
methods. One of the common methods of selecting step
properties involves producing a subset of evaluation fea-
tures, termination criteria, and validation of results. A
simple way to validate the results is to draw conclusions
using prior knowledge; Nevertheless, in real-world pro-
grams, there is usually no such knowledge; thus, we must
use some indirect methods to monitor performance change.
Finally, Data mining models can be used as a powerful tool
in intrusion detection to predict the type of attack in net-
works. The model presented in this study can be used
alongside firewalls as a software assistant.
Declarations
Conflict of interest The authors declare that they have no conflict of
interest.
References
1. Fenanir, S., Semchedine, F., Baadache, A.: A machine learning-
based lightweight intrusion detection system for the internet of
things. Rev. Intell. Artif. 33(3), 203–211 (2019)
2. Koroniotis, N., Moustafa, N., Sitnikova, E., Turnbull, B.:
Towards the development of realistic botnet dataset in the
123
3310
internet of things for network forensic analytics: bot-iot dataset.
Futur. Gener. Comput. Syst. 100, 779–796 (2019)
3. Ghosh, J., Kumar, D., Tripathi, R.: Features extraction for net-
work intrusion detection using genetic algorithm (GA). In:
Gunjan, V.K. (ed.) Modern Approaches in Machine Learning and
Cognitive Science: A Walkthrough, pp. 13–25. Springer, Cham
(2020)
4. Gao, J., Chai, S., Zhang, B., Xia, Y.: Research on network
intrusion detection based on incremental extreme learning
machine and adaptive principal component analysis. Energies
12(7), 1223 (2019)
5. Abualigah, L., Jamal Dulaimi, A.: A novel feature selection
method for data mining tasks using hybrid sine cosine algorithm
and genetic algorithm. Clust. Comput. 24, 1–16 (2021)
6. Tang, J., Alelyani, S., Liu, H.: Feature selection for classification:
a review. In: Aggarwal, C. (ed.) Data Classification: Algorithms
and Applications, Data Mining and Knowledge Discovery Series.
CRC Press, London (2014)
7. Chandrashekar, G., Sahin, F.: A survey on feature selection
methods. Comput. Electr. Eng. 40(1), 16–28 (2014)
8. Ravinder, R., Kavya, R.B., Ramadevi, Y.: A survey on SVM
classifiers for intrusion detection. Int. J. Comput. Appl. 98(19),
38–44 (2014)
9. Bhavsar, Y.B., Waghmare, K.C.: Intrusion detection system using
data mining technique: support vector machine. Int. J. Emerg.
Technol. Adv. Eng. 3, 581–586 (2013)
10. She, W., Li, D., Xia, Y., Tian, S.: Parameter estimation of P-III
distribution based on GA using rejection and interpolation
mechanism. Clust. Comput. 22(1), 2159–2167 (2019)
11. Hauschild, M., Pelikan, M.: An Introduction and Survey of
Estimation of Distribution Algorithms. Missouri Estimation of
Distribution Algorithms Laboratory Report No. 2011004,
Department of mathematics and Computer Science University of
Missouri–St. Louis (2011).
12 Bharathisindhu, P., Selva Brunda, S.: An improved model based
on genetic algorithm for detecting intrusion in mobile ad hoc
network. Clust. Comput. 22(1), 265–275 (2019)
13. Wang, G., Hao, J., Ma, J., Huang, J.: A new approach to intrusion
detection using Artificial Neural Networks and fuzzy clustering.
Expert Syst. Appl. 37, 6225–6232 (2010)
14. Chen, Y., Abraham, A.: Estimation of Distribution Algorithm for
Optimization of Neural networks for Intrusion Detection System.
In: International Conference on Artificial Intelligence and Soft
Computing ICAISC, pp. 9–18 (2006).
15. Sheikhan, M., Jadidi, Z., Farrokhi, A.: Intrusion detection using
reduced-size RNN based on feature grouping. Neural Comput.
Appl. 25, 1185–1190 (2010)
16. Praneeth, N.S.K.H., Varma, N.M., Ramakrishna, N.R.: Principle
component analysis based intrusion detection system using sup-
port vector machine. In: IEEE international conference on recent
trends in electronics information communication technology,
pp. 1344–1350 (2016).
17. Kumar, G., Kumar, K., Sachdeva, M.: The use of artificial
intelligence based techniques for intrusion detection: a review.
Int. Sci. Eng. J. Artif. Intell. Rev. 34, 369–387 (2010)
18 Tao, P., Sun, Z., Sun, Z.: An improved intrusion detection algo-
rithm based on GA and SVM. In: Zhao, W. (ed.) Human-Centered
Smart Systems and Technologies, vol. 6. Piscataway, IEEE
Access (2018)
123
Cluster Computing (2022) 25:3299–3311
19 Jonathan, A., Mandala, S.: Increasing feature selection accuracy
through recursive method in intrusion detection system. IJOICT
4(2), 43–50 (2018)
20. Taher, K., Jisan, B., Rahman, M.: Network intrusion detection
using supervised machine learning technique with feature selec-
tion. In: International conference on robotics, electrical and signal
processing techniques (ICREST) (2019).
21. Manekar, V., Waghmare, K.: Intrusion detection system using
support vector machine (SVM) and particle swarm optimization
(PSO). Int. J. Adv. Comput. Res. 4(3), 6 (2014)
22 Acampora, G., Iorio, C., Pandolfo, G., Siciliano, R., Vitiello, A.:
A memetic algorithm for solving the rank aggregation problem.
In: Hošková-Mayerová, S. (ed.) Algorithms as a Basis of Modern
Applied Mathematics, pp. 447–460. Springer, Cham (2021)
23 Tavallaee, M., Stakhanova, N., Ghorbani, A.A.: Towards credible
evaluation of anomaly based intrusion detection methods. IEEE
Trans. Syst. Man Cybernet. Part-C 40(5), 516–524 (2010)
24. Pelikan, M.: ‘‘Genetic Algorithms’’, Missouri Estimation of
Distribution Algorithms Laboratory Report No. 2010007,
Department of mathematics and Computer Science University of
Missouri–St. Louis (2010).
25. Lee, S.M., Kim, D.S., Park, J.S.: A survey and taxonomy of
lightweight intrusion detection systems. J. Internet Serv. Inf. Sec.
(2012). https://doi.org/10.22667/JISIS.2012.02.31.119
26. Mukkamala, S., Sung, A.H.: Identifying significant features for
network forensic analysis. Using artificial intelligent techniques.
Int. J. Digital Evid. 1(4), 1–16 (2003)
27. Tidke, S.M., Vishnu, S.: Intrusion Detection System using
Genetic Algorithm and Data Mining. An overview. Int. J. Com-
put. Sci. Inf. 1, 91–95 (2012)
28. Sonawane, H.A., Pattewar, T.M.: A comparative performance
evaluation of intrusion detection based on neural network and
PCA. Presented at the IEEE ICCSP conference, pp. 841–845
(2015).
29 Ding, Y., Zhou, K., Bi, W.: Feature selection based on
hybridization of genetic algorithm and competitive swarm opti-
mizer. Soft Comput. 24, 11663–11672 (2020)
30. Ajdani, M., Ghaffary, H.: Introduced a new method for
enhancement of intrusion detection with random forest and PSO
algorithm. Sec. Privacy 4(2), 1147 (2021)
31. Bhattacharya, S., Reddy Maddikunta, P.K., Kaluri, R., Singh, S.,
Reddy Gadekallu, T., Alazab, M., Tariq, U.: A novel PCA-firefly
based XGBoost classification model for intrusion detection in
networks using GPU. Electronics 9(2), 219 (2020)
32. Srivastava, G., et al.: An ensemble model for intrusion detection
in the Internet of Softwarized Things. In: Adjunct proceedings of
the 2021 international conference on distributed computing and
networking (2021).
33 Panigrahi, R., et al.: Performance Assessment of supervised
classifiers for designing intrusion detection systems: a compre-
hensive review and recommendations for future research. Math-
ematics 9(6), 690 (2021)
34 Reddy, G.T., et al.: Analysis of dimensionality reduction tech-
niques on big data. IEEE Access 8, 54776–54788 (2020)
Publisher’s Note Springer Nature remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.
Cluster Computing (2022) 25:3299–3311
Mahdi Ajdani I am 35 years old.
I am a very motivated individual
and I’m not working right now,
so I have enough time and
energy to do my PhD excersises.
The main reason that I wanna do
PhD course is that I love
researching and I am very eager
to improve and develop my
knowledge and skills. There-
fore, I believe that I am a good
candidate for being a PhD
student.
3311
Hamidreza Ghaffary completed
his bachelor’s degree in com-
puter science at Sharif Univer-
sity of Technology and his
master’s degree at the Univer-
sity of South Tehran and his
doctorate at Ferdowsi Univer-
sity. He is currently a faculty
member and assistant professor
at the Faculty of Computer
Engineering, Ferdows Azad
University. His interests are
machine learning, pattern
recognition and image
processing.
123