Evolutionary Intelligence (2020) 13:103–117

https://doi.org/10.1007/s12065-019-00293-8

SPECIAL ISSUE

Implementation of adaptive scheme in evolutionary technique

for anomaly‑based intrusion detection
Shubhra Dwivedi1 · Manu Vardhan1 · Sarsij Tripathi1 · Alok Kumar Shukla2

Received: 11 March 2019 / Revised: 31 May 2019 / Accepted: 4 June 2019 / Published online: 21 September 2019
© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Abstract
Intrusion detection has become important to network security because of the increasing connectivity between computers and
internet. Various Intrusion Detection Systems have been investigated to protect web or networks using several evolution-
ary methods and classification techniques. In this study, we propose a new technique by combining Ensemble of Feature
Selection (EFS) and Adaptive Grasshopper Optimization Algorithm (AGOA) methods, called EFSAGOA which can help
to identify the types of attack. In the proposed approach, initially, EFS method is applied to rank the attribute for selecting
the high ranked subset of attributes. Then, AGOA is employed to determine important attributes from the reduced datasets
that can contribute to predict the networks traffic behavior. Furthermore, adaptive behavior of GOA uses to decide whether
a record represents an anomaly or not, differing from some approaches acquainted in the literature. AGOA uses the Support
Vector Machine (SVM) as a fitness function to choose the extremely efficient features and to maximize the classification
performance. In addition, it is also applied to optimize the penalty factor (C), kernel parameter (𝜎), and tube size (𝜖) of SVM
classifier. The performance of EFSAGOA has been evaluated on modern intrusion data as ISCX 2012. The experimental
results demonstrate that the proposed method performs better and obtain high detection rate, accuracy, and low false alarm
rate compared to other state-of-art techniques in ISCX 2012 data.

Keywords ISCX 2012 · Network security · Adaptive grasshopper optimization algorithm · Intrusion detection

1 Introduction misuse-based and anomaly-based categories [2]. IDS based

Despite the expanding awareness with web or network
security, the current solutions stay unfitted for carefully
ensuring web, network applications and enterprise systems
against the threats from consistently ever-advancing network
attack methods, for example, Distributed-Denial-of-Service
(DDoS) and Computer Trojans. An intrusion detection sys-
tem (IDS) is one of the methods used to monitor and ana-
lyze events on a computer and/or network to identify any
abnormalities and malicious action or policy violations from
normal behavior [1]. The IDS can be classified in several
ways, but the most common are the categories based on
* Alok Kumar Shukla
on misuse can efficiently detect known attacks, namely
Snort. This type of IDS has a low rate of false alarms, but
does not recognize new attacks that do not incorporate any
rule in the records. The anomaly-based IDS constructs a
normal behavior model and then distinguishes any signifi-
cant deviation from this model as intrusions. This type of
IDS can detect new or unknown attacks, but it has a high
false alarm rate.
Over the past years, lots of research has been directed to
develop intellect IDS which can protect complete network
from attackers. One of the intellect IDS approach as Fea-
ture Selection (FS) is applied to select the optimal subset
of features that represents the entire dataset to increase the
accuracy and help to classify external record into normal or

[email protected] abnormal activities. Generally, feature selection methods are
classified in two ways: filter and wrapper methods [3]. The
1
Department of Computer Science and Engineering, NIT primary aim of filter based FS is to select the meaningful
Raipur, Raipur, Chhattisgarh, India and relevant features from the original IDS with minimum
2
Department of Computer Science and Engineering, GL Bajaj redundancy and the maximum discriminating ability. In
Institute of Technology and Management, Greater Noida, contrast to filters, wrapper approaches are a search strategy
India

13
Vol.:(0123456789)

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

104
which selects set of features from network intrusion detec-
tion datasets that maximizes the objective function. In the
present decades, a large diversity of approaches have been
introduced to develop metaheuristics based intrusion detec-
tion system, which can achieve better network security and
also find the modern attacks [4].
To overcome computational costs due to the time-con-
suming trial-and-error parameter, researchers have been
actively applied the adaptation strategies in the metaheuristic
algorithms for solving the IDS problem. By using this con-
cept, the performance of metaheuristic algorithms regarding
diversity, premature convergence, and provide good quality
of solutions can be improved. In current decades, various
Evolutionary Computation (EC) techniques such as Dif-
ferential Evolution (DE), Genetic Algorithm (GA), Particle
Swarm Optimisation (PSO), and Grasshopper Optimisation
Algorithm (GOA) have been established for intrusion detec-
tion which work as wrapper methods [5].
In Saremi et al. [6] proposed a capable nature-inspired
algorithm called GOA which is inspired from the ideal
swarm behavior of insects in nature. The elemental limita-
tion of GOA is that it cannot guarantee optimality. A wrap-
per approach based on GOA, in 2018, Mafarja et al. [7] dis-
covered that contain selection operators and evolutionary
population dynamics way by using four diverse strategies
to overcome the drawbacks of the basic GOA such as slow
convergence and stagnation. Similarly, Opposition-based
Learning (OBL) based on GOA known OBLGOA by Ewees
et al. [8]. that contain two phases; in the first phase, an initial
population generated; and then used the Opposition-based
Learning (OBL) as an additional phase to modify the GOA
population in each iteration. The proposed algorithm was
discovered better-quality results and competent on global
unconstrained and constrained optimisation problems and
various real-life problems.
Among the learning methods (Naive Bayes, Multi-Layer
Perception and Artificial Neural Network (ANN)), SVM is
an effective classification technique, the main reason is that
the distribution of different types of attacks is imbalanced,
where the learning sample size of the low-frequent attacks is
too small compared to the high-frequent attack [9]. SVM is a
margin-based classifier based on small sample learning with
good generalization capabilities, which is frequently used
in real world applications. It realizes the theory of marginal
dimension and principle of structural risk minimum, thus
it does not have the over-fitting problem. To overcome the
problem, Kuang et al. [10] investigated an SVM model built
on Genetic Algorithm (GA) and Kernel Principal Compo-
nent Analysis (KPCA) to excerpt intrusion characteristics,
and GA to enhance the SVM parameter.
To avoid the expensive computational costs for choos-
ing the most suitable learners along with its control param-
eter values, we propose a framework for adaptive learning
13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Evolutionary Intelligence (2020) 13:103–117
signatures using biologically-inspired based approach
called AGOA. To overcome the limitation of individual
approaches, in this study, we propose a novel hybrid method
by combination of EFS as filter; and adaptive learning
approach called Adaptive Grasshopper Optimisation Algo-
rithm (AGOA) to detect the security violations in IDSs. It
can improve the solution quality by adjusting the regulation
parameters values and controlling the premature conver-
gence and stagnation.
The rest of the paper is planned as follows. Section 2
provides the related work on intrusion detection based
techniques for feature selection. Section 3 provides the
backgrounds details of filter methods, SVM classification
algorithm, and grasshopper method. Section 4, introduces
the proposed approach and outline to choose the noticeable
features from the ISCX 2012 dataset and discriminate the
different type of attacks. Section 5 illustrates the overall
working of proposed method. In Sect. 6, we evaluate the
performance on ISCX 2012 data. Section 7 discusses the
conclusion.
2 Related work
From the reported literature of intrusion detection systems
(IDSs) it is found that these systems come under five strate-
gies such as statistics-based, pattern-based, rule-based, state-
based, and heuristic-based [11]. In statistics-based methods,
predefined threshold, mean, and standard deviation are used
to identify the type of attacks. This work provides a literature
review of existing filter and wrapper FS method on intrusion
detection dataset. At first, the underlying data is described
in more detail. Then, this paper analyzes ISCX 2012 data-
set properties which is often used in available literature to
evaluate the quality of network based dataset. To make a
fair comparison with standard filter and wrapper methods,
proposed model is evaluated on new dataset as ISCX 2012.
Progressively, abundant applications such as feature
selection and classification model have been applied into
IDS datasets for finding the type of attacks. In the litera-
ture [12], FS algorithm with learning algorithm cannot
handle or do not scale extremely large volumes of data.
To handle this type of problems, in this research work our
focus is on filters and wrapper methods namely mutual
information and AGOA for finding the attacks. Detection
of attacks and intrusions are broadly thematic researches
that follow the trend of applying detection of intrusions.
The work of Tariq [13] combined methods of semantic
analysis and networks artificial neural networks for the
detection of network behaviors. Ambusaidi et al. [3] pre-
sented an approach based on mutual information to sys-
tematically choose the optimal feature concerning clas-
sification. In addition, it is to deal with dependent data
Evolutionary Intelligence (2020) 13:103–117
features which are linear and nonlinear proposed approach
was used. The efficacy of proposed approach was esti-
mated in the events of network intrusion identification
using Least Square Support Vector Machine based IDS
(LSSVM-IDS). The experiments were conducted on three
datasets such as KDD Cup 99, NSL-KDD and Kyoto
2006+ dataset. In addition, author [14] proposed a new
technique to detect an anomaly regarding normal and DoS
attack. The idea was based on behavior of network traffic
records to be evaluated by the proposed detection system.
The experiment was used two different datasets such as
KDD Cup 99 and ISCX 2012 and acquired remarkable
detection accuracy as 99.95% and 90.12% respectively.
To solve cyber-attack problems, recently several
metaheuristics techniques have been proposed to avoid the
anomaly based problem by using new updation scheme. The
metaheuristics methods imitate the natural process or the
biology phenomena to search the best solution efficiently.
Several metaheuristics methods such as Differential Evolu-
tion (DE), Genetic Algorithm (GA) [5], and Particle Swarm
Optimisation (PSO) have been established for intrusion
detection generally work as wrapper approaches.
GOA has applied to several fields due to its ease and pro-
ficiency such as financial stress prediction problem, partially
shaded PV array, wireless node localization, vibration signal
analysis in machine learning and computer networks [15].
The problems of numerous continuous, discrete, single-
objective and multi-objective optimization were effectively
solved by GOA with respect to various classic metaheuristics
algorithms such as differential evolution and particle swarm
optimisation to solve global optimal problems and acquire
success. From [16], proposed a new FS method based on
mathematical model of interaction between grasshoppers to
find food sources. Some modifications have applied to the
grasshopper optimization algorithm to seek it suitable for
a feature selection problem. GOFS was supplemented by
statistical measures during iterations to replace the dupli-
cate features with the most promising features. As reported
in [17], author proposed a novel FS algorithm using a sup-
port vector machine to diminish the feature domain of IDS
datasets. Keeping this in mind, wrapper approach as GOA is
used here for receiving the near-optimal solutions efficiently
in the boundless search space.
Each FS technique has its merits and demerits, and the
performance is based on the building intrusion detection
systems including the limitations associated with scenario,
such as precision, time and cost [18]. Still, the accessibility
of strategies, analysts generally agree that there is no FS
method which is impeccable. To deal with the above limita-
tions, various researchers endeavor to overcome the limita-
tions of both filter and wrapper methods [19]. Therefore, we
have used an ensemble method based on the filter FS method
and the wrapper approach on the IDS data.
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
105
Tsang et al. [20] presented a new IDS method to gener-
ate both precise and interpretable rules based on fuzzy from
web-traffic data for classification to expand the classifica-
tion performance. Using this dataset, the proposed model
attained the detection accuracy as 99.24% with optimal fea-
ture subsets. Recently, Khammassi and Krichen [21] pre-
sented a new wrapper method namely GA which has worked
as heuristic search method using logistic regression learner
approach for web intrusion detection systems for selecting
the finest subset of features. The experimental study was
accompanied on KDD Cup 99 dataset and UNSW-NB15
dataset. Shahreza et al. [22] anticipated a novel anomaly
detection technique by implementing self-organizing map
and particle swarm optimization approach.
In the addition, using fuzzy and SVM method, many
methods have been proposed that can increase the classi-
fication efficiency on revised version of benchmark dataset
like DARPA KDD 99 [23]. In contrast to filter methods,
evolutionary methods are claimed to be more precise as
feature selection method using radial basis function [24].
Manzoor et al. [25]. presented a feature reduction method
using merging ranks that obtained from information gain and
correlation-based methods to classify normal and abnormal
attack. A novel support vector machine model was proposed
by Kuang et al. [10]. that combined the kernel PCA with GA
for intrusion detection system, here, KPCA was employed as
a pre-processor of SVM to diminish the features vectors and
reduce the training time. So as to shrink the noise produced
by differences in features and to enhance the performance of
SVM, an enriched kernel function is suggested by implant-
ing mean square difference and mean values of features in
Radial Basis Function (RBF) as kernel function.
To mitigate Denial of Service (DoS) attacks, Vidal
et al. [26] offered an artificial immune framework which
has proficiency by matching the several immune reactions
and building of the immune memory framework. Experi-
ments on publically available datasets such as KDD Cup
99 and CAIDA have been conducted. The multi-objective
approach based on anomaly detection technique has pro-
posed called multi-objective PSO in the related of the Neural
Network [27]. The experimental simulations demonstrated
that hybrid algorithm can rapidly and commendably return
and ease DoS attacks in adversarial conditions regarding the
functional performance criteria. In [28], author proposed a
model for trajectory optimisation of the solar-powered UAVs
that combined object tracking in urban environment.
Overall, traditional IDS-based techniques are either veri-
fied on one or two kinds of attacks and determine execution
time and false positive rate at maximum in the previous lit-
erature. To solve the problem stated above, this paper has
integrated ensemble of filters and wrapper. In the first phase,
filter method (EFS) attempts to exclude irrelevant features
from the original data. Reduction in search space from the
13
106
entire original feature space to the pre-selected features, this
phase accelerates the step of processing for the next phase as
wrapper method (AGOA). Consequently, the results of this
prominent work is obtained as high accuracy and detection
rates, low false positive rate, and less processing time in
comparison to reported literature . Furthermore, to validate
the performance of the proposed approach, experiments are
accompanied by most important forms of intrusion attacks.
3 Background details
3.1 Feature selection
Feature selection is the process where we automatically
or manually select those features which contribute most to
our prediction variable or output in which we are interested
in. Having irrelevant features in our data can decrease the
accuracy of the models and our model can learn based on
irrelevant features.
As a generally accepted rule, feature selection methods
are assembled into two sets such as filter, and wrapper meth-
ods [29]. Wrapper approaches utilise FS as a part of train-
ing the learning model, whereas filter approaches choose
features independently from classification model. It is a
straightforward method and observes the features established
on the intrinsic behavior of the dataset before the learning
tasks [30]. In this paper, we have chosen the three filters
method such as Conditional Mutual Information Maximiza-
tion (CMIM), minimum-Redundancy-Maximum-Relevancy
(mRMR), and Joint Mutual Information (JMI) [31, 32], and
wrapper method as AGOA which selects the relevant attrib-
utes for better classification of attack types.
Recently, the selection of best feature subsets is one of the
promising tasks through information theory. In this study,
we have used concept of mutual information and measures
the effectiveness of picked features based on information
value with the intention of retaining correlated features
and excluding redundant features. None of the available
approaches can defeat problems such as low performance,
redundant features, and high computational burden. There-
fore, this study develop a new hybrid algorithm by integrat-
ing ensemble of feature selection (EFS) method and AGOA
to select the useful features for accurate attack prediction.
It supports us to concentrate on worthy feature sets and dif-
ferentiate among records of different labels which leads us
to predict an attack correctly.
3.2 Grasshopper optimization algorithm
The grasshopper optimisation algorithm [6] is an innovative
evolutionary algorithm motivated from the lives of grasshop-
pers. In their lifespan, there are two parts, namely nymph and
13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Evolutionary Intelligence (2020) 13:103–117
adulthood. It can move in swarms like one of the largest swarms
among all kind of creatures, while grasshoppers are generally
found exclusively, in nature [33]. The swarm behavior appear in
both the nymph and the adulthood stages which is a inimitable
aspect of the grasshoppers swarm [34]. The nymph grasshopper
jump and move as rotating cylinders in millions.
In general, algorithms which are inspired by nature, plau-
sibly divide the research process into two phases: explora-
tion and exploitation. In exploration phase, agents are stimu-
lated to move involuntarily, while they incline to run locally
in the space of exploitation. Widespread exploration and
prompt convergence inspires the employment of GOA. The
mathematical model used to simulate the swarm behavior
of grasshoppers is obtainable as [8] according to Eq. (1).
Yi = Soi + Gri + Awi (1)
where Yi represents the grasshopper position, Soi represent
the ith social interaction expressed in Eq. (3), Gri represents
the gravitational force on the ith agent, and Awi shows the
advection of wind. The random behavior of swarm can be
written as following Eq. (2).
Yi = r1 ∗ Soi + r2 ∗ Gri + r3 ∗ Awi (2)
where r1, r2, and r3 are random numbers lies between 0 and 1.
∑
n
Soi = sf (Dij )D̂ij (3)
j=1;i≠j
where Dij is the distance between the ith and the jth grass-
hopper, determined by Dij = |Yj − Yi |, sf is a function to
decide the power of social forces, as shown in Eq. (4), and
(Y −Y )
D̂ij = jD i is a unit vector from the ith grasshopper to the
ij
jth grasshopper. The sf function, which describes the social
forces, is described in Eq. (4):
sf (r) = Ie−r∕ln − e−r (4)
where I shows the intensity of attraction and ln is the attrac-
tive length scale.
Figure 1 shows the sf function, which demonstrate the
rational model of interactions between agents and comfort
zone. It can be seen that, this social interaction between the
grasshopper has been the driving force in some previous
models of swarms in an easier form.
The Gri component in Eq. (1) is enumerated by Eq. (5)
as follows:
Gri = −grêgr (5)
where gr shows the gravitational constant and êgr represents
unit vector for center of earth. The Awi component in Eq. (1)
is enumerated according to Eq. (6).
Awi = dêw (6)
Evolutionary Intelligence (2020) 13:103–117 107

Fig. 1  Swarm of grasshoppers

in primitive corrective patterns
between individuals

where d represents the constant drift and êw represents unit
vector in the wind direction.
Their approach to move is more relevant with wind direc-
tion because the small grasshoppers have no wings. So, gri
and Awi from the Eq. (1) is substituted as following equation:
∑
n
sf (|Yj − Yi |)(|Yj − Yi |∕Dij ) − grêgr + dêw
Yi =
j=1;i≠j
where sf (r) = Ie−r∕ln − e−r and n is the number of grasshop-
pers. Equation (7) is utilized and can sense the communica-
tion between grasshoppers in swarm. However, due to agents
which hurriedly arrive at the comfort zone and as a result
swarm diverge from definite point, this mathematical model
may not be used openly to resolve optimisation problems. A
variant of Eq. (8) is used as follows to resolve optimisation
problems:
in Eq. (8). Noticing that the first element of this equation
treats the position of the current grasshopper concerning
other grasshoppers.
To balance exploration and exploitation search capability,
cz parameter is required to directly inverse propositional to
number of iterations. This equation helps exploitation when
the number of iteration rises. The cz coefficient decreases
(7)
the comfort zone proportionated to the number of iterations
and is enumerated as Eq. (9):
cz = czmax − t(czmax − czmin ∕tmax ) (9)
where czmax represent the maximum value, czmin represent
the minimum value, t represent the current iteration, and tmax
represent the maximum number of iterations.
3.3 Support vector machine

⎧ n Most of the learning algorithms have faced problems that

⎪ � � was isolation of the feature vector and prediction of the cor-
Yid =cz ∗ ⎨ cz(uld − lld �∕2)sf ((�Yjd − Yid �)) �Yj
⎪ j =1;i≠j rect label. To handle classification problems, in 1995, Vap-
⎩ nik has proposed a learning algorithm called support vector
(8)
⎫ machine [35]. Assume there are two hyper planes with two
�⎪ classes such as positive and negative. The main aim is to
− Yi �∕Dij ⎬ + T̂d
⎪ distinct these two planes by margin. The hyperplane can
⎭ capable in modification of its width and modify its direction.
Moreover, we likely to catch the maximum hyperplane that
Here, uld is the upper limit in Dth dimension, lld is lower
preserves the separation among classes.
limit in Dth dimension sf (r) = Ie−r∕ln − e−r , T̂d represents
In the last decades, the Kernel functions have received
the value of Dth dimension in the target and cz represents
considerable attention, in particular, due to the growing
decrease coefficient to reduce the comfort zone, repulsion
popularity of Support Vector Machines (SVM). The ker-
zone, and attraction zone. The next position of grasshopper
nel (k) function can be used in many applications since
is determined conferring to its current position, position of
they provide a simple link from linearity to non-linearity
the target and the position of all other grasshoppers is shown

13

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

108 Evolutionary Intelligence (2020) 13:103–117

for algorithms that can be expressed regarding dot prod- a weighty support vector and the training time will not
ucts. There are many implementations method to solve be shorter too.
the problem but in this manuscript we have used three
kernel in SVM which taken from LibSVM tool [36]. The
RBF kernel { f u n c t i o n} f o r m u l a t e d a s : 4 Proposed methodology
( ) |R −R |
2

k Ri , Rj = exp − i2𝜎 2 j where 𝛾 = 2𝜎1 2 , d is a

4.1 Ensemble of feature selection
constant value, Ri and Rj are samples or records, and 𝜎 is
a free parameter. Given an instances m, the training set is Recently, there have been boundless consideration to newly
supposed to be a finite set of m record/label pairs defined advanced FS methods for the IDS dataset. In this study, an
as following Eq. (10). effective method based on mutual information approach is
proposed for selection of feature subset called EFS which
S = 𝜚nj , li |(𝜚nj , li ) ∈ ℜnM (10) is presented in Algorithm 1. Using proposed ensemble
approach, we evaluate the merits and limitation of indi-
where 𝜚nj ∈ ℜnM and li ∈ 1, 2, 3, ..., c represents the records
vidual techniques for intrusion detection. The used FS
and labels (c) of dataset. And hyperplane is described in
methods are mRMR, JMI, and CMIM which can assign the
Eq. (11).
rank to the features of the IDS, and the output is collected
∑
m utilizing amalgamation of method see in Algorithm 1.
f (R) = 𝜁i li k(𝜚nj , R) + b (11)
i

where k (𝜚nj , R) represent a kernel function and sign of f(R)

Algorithm 1 Proposed ensemble feature selection
describe that which class is belong to, with non-zero support
Input Data: ψ – the number of ranked methods
vectors 𝜁i and a correct bias b.
Value : θ – the threshold of the number of features to be selected
Outcome: P – Best ranking feature set
Begin
3.3.1 Kernel function and parameters of SVM for l ← 1 to ψ do
Obtaining ranking Aψ using feature selection method ψ
In the last decades, the primary learning algorithms have end for
received considerable attention, in particular, due to the A = combining ranking Aψ with a ranking combination method
At = Select θ top attributes from A
growing acceptance of SVM. The kernel (k) function can be
Attain Optimal ranked features (P)
employed in several applications since they make available Return P
a simple link from linearity to non-linearity for algorithms
that can be stated regarding dot products. In this article, we 4.1.1 Ranking combination
will list three kernel functions formulated as:
In this study, we have investigated a novel ensemble
• Linear function method that obtains an absolute ranking of methods by
( ) ( )
 k Ri , Rj = Ri T * Rj + d merging outputs (as rankings) from particular rankers
• Polynomial function called aggregation to produce a final result. Several modi-
( ) ( )p
 k Ri , Rj = Ri T * Rj + d fied combination methods are obtainable in the literature
• RBF function { } but they have few drawbacks [37] therefore, we have used
( ) |Ri −Rj |
2

 k Ri , Rj = exp − 2𝜎 2
where d is a constant value, Ri and Rj are records or
instances, and p is the order of function.
When we use RBF function, in general, SVM provides
the decent performance in classification, which is not a
nominal kernel function for less number of parameters.
A network sample contain a large number of attributes,
and there exist substantial differences among them. When
the variances between the attributes are very large then
excluding RBF function in process of training will yield
the frequency vote approach for examining the rank of the
individual feature selection method.
4.1.2 Frequency vote
Frequency vote (FV) is a group decision-making system
and has setup which is beneficial as another more com-
pound schemes [38]. In the context of FS, each model
creates a prediction (votes) for each feature rank and the
final output estimate is the one that accepts more than
half of the votes. If any of the predictions do not acquire
more than half of the votes, we can observe that the

13

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

Evolutionary Intelligence (2020) 13:103–117
ensemble method unable to make a constant prediction
for the record. If any of the predictions do not get more
than one of the votes, we can assume that the ensemble
method unable to make a constant prediction for particular
instance then we prefer lowermost vote value regarding
score value. So, we can attempt the most voted prediction
as the final prediction as illustrated in Eq. (12).
∑
M
∑
M
dn,j = argmaxk∈{1,2,…,L} dn,k (12)
n=1 n=1
Here, M represents the number of feature selection method,
and L selects some attributes. For attribute k, the sum
∑M
n=1 n,k tabulates the number of votes for k. Plurality
d
chooses the attribute k which maximizes the sum.
4.2 Adaptive grasshopper optimization algorithm
To enhance the basic GOA merits, firstly we have analysed
the disadvantage of GOA. From the starting of GOA, posi-
tions of all the agents are randomly initialised. Agents culti-
vate a leaning to affect towards the target (i.e, T̂d in the social
interaction of swrams), however, if initialised positions of
the agents are concentrated near the local-best and far from
the best overall, the agents can be attentive by the best locale
that means GOA is aware to initial positions selection, so
improvement strategies should be able to help search agents
come from the local best trap.
Grasshopper optimisation algorithm with adaptive strat-
egy referred as AGOA, is a significant and promising variant
of GOA. Furthermore, the adaptation strategy in cz in the
basic GOA is only related to the generation [Eq. (9)], and
does not consider dynamically change the value of cz from
the system by the feedback of search process. Therefore, cz
should be designed as an adaptive parameter related to the
fitness value of each generation and performance of the cur-
rent population. That is, based on the Eq. (13), the fitness of
the selected population (Pop) by the selection technique and
best population should be introduced as feedback.
For the local best trap, this paper utilises the natural selec-
tion strategy (𝛿), and adaptation mechanism to help GOA
swoop of the trap. For the adaptive strategy on cz, dynamic
feedback mechanism based on the genetic algorithm adap-
tation strategy is used. According to the methodology of
natural selection [39], 𝛿(𝛿 < Pop) grasshoppers should be
selected and eliminated randomly from the population. Pop-
ulation is selected by the tournament selection according to
the fitness function of each grasshopper. Then, the positions
of the eliminated 𝛿 grasshoppers are randomly re-initialized.
By using natural selection strategy, the population can
move towards a better-quality of solution. For now, the posi-
tion re-initialization for the eliminated agents can diffuse
the position of grasshoppers properly and spread the search
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
109
space of population. Thus, the local solution can be avoid-
able to some amount.
Instead of using fixed values of cz, AGOA utilizes the pop-
ulation information in each generation and adaptively adjust
the cz in order to maintain the population diversity as well
as to sustain the convergence capacity. In AGOA, the adjust-
ment of cz depends on the fitness values of the solutions. This
research detects convergence by observing the range between
the maximum and minimum fitness values of the population.
When the value of cz is the large, then the complete search is
too difficult and the optimal solution may be lost. When the cz
value is small, the exploration can stop in the minimum zone.
In this scenario, we have used an alternative approach to an
evaluation of population selection assessment using simple
SVM classifiers. In AGOA, the value of cz can be estimated
by using Eq. (13).
{ [ f −f ]
k1 . f max−f g , fg ≥ favg
cz = max avg (13)
k2 , fg < favg
where fmax represents the maximum of all agents fitness
when AGOA do a search operation, favg represents the aver-
age fitness, fg represents the average fitness of the three
parents in selection operation. k1 and k2 represents the four
constant value in between 0 and 1. Overall procedure of
adaptive grasshopper optimization algorithm is demon-
strated in Algorithm 2.
Inspired by Grey Wolf Optimization (GWO) [40], the
democratic decision-making mechanism is introduced to
AGOA strategy. The expected positions of all grasshoppers
are decided by the leading agents simultaneously. The best
three grasshoppers in AGOA are manifested as 𝛼 , 𝛽 , 𝛾 as
the leading agents. The mathematical formulation of AGOA
mechanism is described in Eq. (14).
⎧ n
�
⎪ � �
Yid =cz ∗ ⎨ cz(uld − lld �∕2)sf (�Yjd − Yid �) �Yj
⎪ j =1;i≠j
⎩
(14)
⎫
��⎪ T̂𝛼 + T̂𝛽 + T̂𝛾
− Yi �∕Dij ⎬ +
⎪ 3
⎭
where T̂𝛼 , T̂𝛽 , T̂𝛾 are the leading agents in the whole
grasshoppers.
4.2.1 Binary adaptive grasshopper optimization algorithm
Generally, in binary FS problem, the agents (particles) of
binary optimization algorithm can only move to closer and
distant angles of this hypercube by flipping one or more bits
of position vector Y = {Y1 , Y2 , … , Yd } is designated as the
13
110 Evolutionary Intelligence (2020) 13:103–117

search space of a hypercube [41]. The location of an agent is the agents updates their positions using the rules enumer-
being updated by accumulating the current position vector, ated in Eq. (16).
meanwhile the basic GOA was expected to deal with con- { ( )
tinuous FS problem. Still, to deal with binary FS problem, 1, if rand < T Yid+1
(16)
d+1
Yi =
current AGOA approach cannot be used. As stated by prior 0, otherwise
study [42], employed a transfer function is an efficient and
In general, particular problem in existing algorithms is that
appropriate approach of transforming a continuous into a
it does not prevent individuals from being stuck in a local
binary value. Mostly, transfer function is utilized to yield the
optimum. To resolve this kind of issue, this paper proposes a
probability of altering the position 0 to 1 or vice versa posi-
novel hybrid FS algorithm to find the better quality of solu-
tion of the ith agent in the jth dimension in the current itera-
tion regarding classification accuracy and minimize the size
tion (t) as an input parameter is described in algorithm 2.
of irrelevant features. In addition, a new encoding scheme is
also investigated to evaluate the classification.

4.2.3 Optimizing SVM parameters with AGOA

Algorithm 2 Pseudo code of BAGOA
Begin
Set the swarm size (nPop),czmax , czmin and maximum number of iterations tmax ; GOA is a robust metaheuristics algorithm that has employed
Estimate the fitness value of each agent; to solve the variety of real-world engineering problems intro-
Select the elite grasshopper according to tournament strategy;
Tˆα , Tˆβ , Tˆγ = best search agents;
duced by Saremi et al. [6] based on grasshopper optimisation
while (t < tmax ) do algorithm. The GOA algorithm is the most popular approach
Update cz according to Eq. (13);
in the evolutionary techniques because of the convergence
for i ← 1 to n do
Normalize the distances between Grasshoppers Y; rate and less adjusting parameters. In AGOA algorithm, the
Modify the current agent Yi position according to Eq. (14); potential solutions in the optimisation problems are consid-
end for
Update Tˆα , Tˆβ , Tˆγ
ered as the population from the class. It has characteristics
t=t+1; of simple computation and less memory requirement for
end while
calculation of algorithms.
Return Tˆα
The primary purpose of this algorithm is to realise the
4.2.2 New encoding scheme best agents through cooperation and sharing information
among the grasshopper swarms (nPop). It is used to explain
A binary vector shows the position in proposed method and linear and non-linear issues by discovering all areas of state
yet, step vector is a floating-point vector, on the other hand; space and developing prospective areas over initial and
step vector is employed to look for the possibility to change updation phase that can be pragmatic to characterize in the
from zero to one or one to zero when one of the positions of population. Thus, in this article, AGOA method is employed
agent can be updated. A transfer function uses to transform to optimise the parameters 𝜎 , 𝜖 , and C of SVM see in Fig. 2.
the probability of swapping a position vectors aspects from And, a classification performance regarding accuracy is uti-
zero to one and vice versa. In the available literature, the lized as the fitness function to assess the fitness which is
most popular activation function is sigmoid function which described in next subsection of the study.
is used to normalize the step vector in the between 0 and
1. Usually, the disadvantage associated to sigmoid function 4.2.4 Fitness function
is that there is consistency among a significant value in Yid
in the positive and negative direction and then it indicates To maximize the classification performance regarding detec-
the fact that the more movement is essential relying on the tion rate and accuracy, this paper has employed wrapper
previous position. To resolve this issue, we have introduced as AGOA approach which plays a significant role in fea-
new encoding scheme to the component of step vector. The ture selection. The ultimate goal of AGOA is to choose a
proposed V-shaped transfer function T(Yid ) is highlighted subset of features to attain the better classification accuracy
in Eq. (15). compared to the use of all available features. Use of fitness
(( ) function is to exploit accuracy of classifier of the algorithm
| ) |
T(Yid+1 ) = exp | Yid + a ∕ (1 − b)| achieved through the selected features during the evolution-
| | ary process see in Eq. (17).
(( ) ) (15)
| d |
− 1∕exp | Yi + a ∕ (1 − b)| + 1
| | T P + TN
Accuracy = (17)
where a and b are pre-defined constant value its remain static TP + TN + FP + FN
in whole search process. After computing the probabilities,

13

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

Evolutionary Intelligence (2020) 13:103–117
Fig. 2  Optimizing the param-
eters of the SVM with AGOA
where Tp , TN , FP , and FN represent as True Positive, True
Negative, False Positive, and False Negative.
5 Overall structure of proposed
methodology
Each FS method has their potentials and limitations, and the
performance is relying on the type of data, as well as on the
constraints associated to the situation i.e., accuracy, time and
budget. However, the convenience of developed methods,
experts generally agree that there is no perfect FS method.
Keeping in mind, in this paper, firstly, we have presented an
ensemble FS method then the wrapper method as AGOA is
applied to choose an optimal subset of features from ISCX
2012 dataset filtered by EFS method. The proposed method
enriches the classification performance and also reduces the
search complexity for generating the feature sets concluded
ISCX 2012 dataset. Generally, GOA is widely applied to
numerical optimisation problems. In this article, we pro-
poses a novel hybridization of ensemble feature selection
and adaptive GOA methods called EFSAGOA to solve the
IDS problem, can see in Fig. 3. AGOA is population-based
metaheuristics search method inspired by grasshopper
swarms phenomena determined as a unit of cultural evolu-
tion that is proficient of local modifications and to separate
a type of an attack in the case of a new agent which aids to
determine the early detection [43]. In addition, evaluate the
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
111
performance of proposed method, we have used SVM as
fitness function in the AGOA and find the best agent with
optimal number features.
The overall process of hybrid algorithm for feature selec-
tion is comprised of four main steps: (a) data collection, (b)
data preprocessing training and test data are preprocessed
and important features that can distinguish one class from
the others are selected, (c) classifier training, where the
model for classification is trained using AGOA-SVM, and
(d) attack recognition, where the trained classifier is used to
detect intrusions on the test data.
5.1 Data collection
The data collection is the counterpart and a fundamental
step for intrusion detection system. The type of data source
and the position in which the data is collected are the two
determining factors in the design and efficacy of an IDS.
To make available the most appropriate security for the
host or target network, this study intends IDS based web
network to test proposed approach. Throughout the phase
of training, the samples of data collected are classified
according to the web level protocols and are labeled on
the basis of knowledge of the domain. However, the data
gathered in the test phase are classified only conferring to
the protocol types.
13
112 Evolutionary Intelligence (2020) 13:103–117

Fig. 3  Overall structure of our

approach for intrusion detection
ISCX 2012 Dataset

Data Pre-processing

Hybrid model for feature selecon

Reduced dataset

10 fold Cross Validaon

Training sets and Tesng

sets

SVM -L SVM -P SVM -R

Building Learning algorithm using SVM

Anomaly Detecon
Engine

Normal Behavior Yes

Permied
Found?
No
Alert Counter Measure

5.2 Data preprocessing
In this section, we obtain the data during data collection
phases. It is utilized for our experiments to evaluate the
necessary feature in IDS data namely ISCX 2012 [44]. The
data pre-processing process covers three vital components
revealed as follows:
fixed range so that the bias in favor of higher-valued features
are eliminated from the data set. Each characteristic within
each sample is normalized by the tremendous value and falls
in the same interval as [− 1, +1]. The data transfer and nor-
malization process are also employed on the test data.
5.3 Classifier training

Once the significant number of the subset is chosen, this

5.2.1 Data transferring
During this subsection, each record in the input dataset is
denoted as a matrix of real values for the trained classifier.
Accordingly, every representative symbolic in a data set
initially turns into a numerical value.
5.2.2 Data normalization
In the proposed method, we have used the data pre-process-
ing step like data normalization after every representative
symbolic in a data set initially turns into a numerical value.
It is a process of down-scaling the value of each feature in a
optimal sets is then obtained in the classifier training stage in
which it is utilized by SVM. In the ISCX 2012 data ,choose
the optimal features from all attributes present in the dataset.
Since SVM can effortlessly deal with binary classification
issues and because of having different classes, have different
class, so differentiate the instances from dataset we employ
SVM classifier.
5.4 Attack recognition
In totality, it is necessary to create a classifier to distinguish
among attacks to consider multi class problem. As for deci-
sion boundaries in this case, we can do more direct. The first

13

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

Evolutionary Intelligence (2020) 13:103–117
part of the experiments in the field of article used, class of
recordings to coincide with the normal class if they inform
as normal data, on the contrary if they consider attacks. We
have adjusted parameters with the maximum accuracy for
the classification are nominated as the most suitable param-
eters. At that time, the optimal parameters are used to train
the SVM classifiers.
6 Experimental setup and results
6.1 Performance measures
We enhance the classification performance of proposed
approach using the SVM classifiers with the help of five per-
formance evaluation metrics, such as Accuracy, Precision,
Detection rate (DR), False alarm rate (FAR), and F-measure
taken from [45].
6.2 Description of the used data
Information Security Center of Excellence (ISCX) data-
set was built in the University of New Brunswick ISCX to
provide a modern-day benchmark for ID system [46]. The
dataset derived from real packets for seven days of network
activity such as HTTP, SMTP, SSH, IMAP, POP3 and FTP
protocols concealing various scenarios of normal and mali-
cious activities. The dataset includes a total of 2,450,324
flows and contain 19 features such as app name”, “total
destination packets”, “total source packets”, “total source
bytes”, “total destination bytes”, “source payload as base64”,
“source port”, “destination”,”destination payload as base64”,
“destination payload as UTF”, “direction”, “source TCP
flags description”, “destination TCP flags description”,
“source”, “protocol name”, “destination port”, “start date
time”, “stop date time”, and “tag” excluding class.
6.3 Experimental settings
The platform of investigation has implemented to advance
and test the proposed approach using MATLAB environ-
ment under a Windows 8 operating system with 2.4 GHz
Table 1  Comparison of feature ISCX 2012 dataset
ranking of nineteen features in
ISCX 2012 data Methods Feature ranking
CMIM f_4,f_13,f_3,f_6,f_14,f_12,f_18,f_1,f_5,f_2,f_16,f_11,f_7,f_17,f_15,f_8,f_10,f_9,f_19
JMI f_14,f_12,f_18,f_1,f_4,f_13,f_3,f_6,f_5,f_2,f_8,f_10,f_9,f_19,f_16,f_11,f_7,f_17,f_15,
mRMR f_4,f_3,f_6,,f_1,f_5,f_2,f_16,f_11,f_8,f_13,f_14,f_12,f_18,f_7,f_17,f_15,f_10,f_9,f_19
EFS f_4,f_3,f_1,f_2,f_5,f_8,f_16,f_10,f_7,f_15,f_10,f_9,f_19
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
113
Pentium Core i7, 16 GB RAM. Take SVM as per the clas-
sifier concerning the selection of best parameters can effect
performance of approach unwillingly, so we have employed
LibSVM tool [47]. The parameters of all optimisation
approaches are taken as: population size is 30 and maximum
number of iterations set as 100.
6.4 Experimental results and analysis
As stated before, our aim is to develop an efficient intrusion
detection method with high accuracy and low false alarms.
In this subsection, we exhibit the ISCX 2012 dataset utilized
for assessment, the numerous tests utilized as a part of our
investigations used in proposed model. Their correspond-
ing assessment measurements have adapted to evaluate the
execution of the proposed model. In the available literature,
a lot of researchers performed several experiments on the
NSL-KDD and KDD Cup 99 [48, 49] datasets , but we have
studied a new set of data called ISCX 2012 and implemented
various experimental tools and techniques [50]. Table 1
shows selected features by EFS approach in comparisons to
other filter methods.
6.4.1 Comparison of filter feature selection methods using
SVMs
In the experimental work, we have employing tenfold cross-
validation using SVM classifier in the ISCX 2012 dataset.
The results of this experiment are displayed in Table 2 in
terms of accuracy, DR, precision, and f-measure. From the
Table 2, we can observe that the accuracy of the classifier is
not much remarkable in ISCX 2012 dataset, particularly for
SVM-L. The greater values of this performance measures
signify an outstanding classification performance. It dem-
onstrates that when ISCX 2012 combines with EFS, it has
achieved an accuracy of 94.98% in ISCX 2012 dataset with
SVM-R, and significantly over takes all other classification
methods.
6.4.2 Comparison of proposed method with existing
state‑of arts
In available literature, several methods of feature selection
have been applied for the identification of attack from ISCX
13
114 Evolutionary Intelligence (2020) 13:103–117

Table 2  Percentage of average Dataset Classifiers Measure CMIM mRMR JMI EFS
performance in three feature
selection method and Proposed ISCX 2012 SVM-R Accuracy 91.52 92.06 88.40 94.98
filter methods with ISCX 2012
DR 90.05 91.69 88.72 93.12
dataset
Precision 86.18 90.16 87.65 91.69
F-measure 90.14 88.11 88.95 92.09
SVM-P Accuracy 88.26 90.33 90.14 93.32
DR 86.99 87.22 88.87 92.85
Precision 86.48 86.76 87.79 91.01
F-measure 85.34 88.32 86.23 90.55
SVM-L Accuracy 82.32 82.89 82.23 90.16
DR 82.11 83.87 84.78 90.31
Precision 82.43 82.16 81.36 88.67
F-measure 83.24 80.96 83.24 87.62

2012 dataset. Despite this, there is no arrangement by which
the FS method produces noteworthy subsets of attributes for
attack classification. A specific FS strategy can be superior
to others for some IDS datasets, or other FS strategy may
work better for some other data sets. In Table 3, all the SVM
methods take on RBF which works as a kernel function, in
normal SVM detection model, the parameters 𝜎 , 𝜖 , and C
are randomly selected in ISCX 2012 dataset. In proposed
SVM detection model, the optimal parameters 𝜎 , 𝜖 , and C
are obtained by EFSAGOA algorithm through 30 simulation
experiments.
In the experimental work, we have made comparison
between the performance of proposed (EFSAGOA) and the
three different optimization algorithm with SVM classifier.
Table 4 compare the performance of the EFSAGOA method
concerning average accuracy for ISCX 2012 data. From
Table 4, the acquired outcomes illustrates that the proposed
technique is greater than other nature-inspired approaches.
Now, we have evaluated proposed method in comparison
to GOA-SVM, GA-SVM, EFS-SVM and SVM with the
detection rate (DR), Execution training time (EtrD), false
alarm rate (FAR) and Execution test time (EteD) in ISCX
2012 dataset over each fold. To show the performance of
EFSAGOA with SVM-R, experiments have been done to
make examinations with attacks. The performance evalua-
tions of all employed approaches concerning their Execution
training time (EtrD), Execution testing time (EteD) are dis-
played in Fig. 4 on ISCX 2012 dataset.
As illustrated in Table 5, the proposed algorithm has
acquired significant outcomes in comparison to prevailing
state-of-art regarding accuracy, high DR, low FAR amongst
all employed approaches in IDS data. Figure 5 shows the
overall performance of proposed technique is superior to the
other methods for intrusion recognition in different datasets.
The acquired outcomes demonstrate that proposed shows
significant improvements in DR, and accuracy.
7 Conclusion
An IDS monitors network traffic searching for suspicious
activity and known threats, sending up alerts when it finds
malicious issues. For long time cyber-security equipment in
corporate, intrusion detection as a function remains critical
in the modern enterprise, but may not be as a standalone
solution. keeping in this mind, in this paper, a novel hybrid
IDS has introduced by combination of EFS and AGOA for
the detection and classification of anomalies, caused by an
attack in the computer network. The main contributions of
this study can be summarized as follows. Firstly, a super-
vised filter-based feature selection method is introduced,
namely ensemble FS which combines ranking of features
generated by different filters which can help to remove the

Table 3  Comparative Datasets Methods Parameters Training Testing accuracy Runtime

performance on ISCX 2012 accuracy
dataset 𝜎 𝜖 C

ISCX 2012 Single SVM 0.6215 0.0215 4.2437 92.93 90.45 927.9467
EFS-SVM 0.6987 0.0041 6.3956 97.95 96.37 652.2594
GA-SVM 0.3245 0.0029 4.8167 99.96 98.26 390.7865
GOA-SVM 0.0943 0.0015 1.7432 98.95 98.45 418.9453
Proposed 0.0765 0.0011 1.5521 99.32 99.13 324.4312

13

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

Evolutionary Intelligence (2020) 13:103–117 115

Fig. 4  Comparison of training time and testing time on ISCX 2012 dataset

Table 4  Comparison the Methods Measures Fold1 Fold2 Fold3 Fold4 Fold5 Fold6 Fold7 Fold8 Fold9 Fold10
experimental performance in
ISCX 2012 dataset ProposedDR (%) 95.43 95.02 94.61 94.51 94.99 97.65 99.45 98.57 99.01 98.96
FAR (%) 1.012 1.012 0.876 1.124 1.00 0.865 1.112 0.98 0.843 0.913
EtrD 1.54 2.67 3.43 4.43 2.45 3.57 1.89 2.76 2.59 1.57
EteD 2.24 3.69 4.56 5.36 4.57 5.34 3.78 3.68 4.56 4.58
GOA-SVM DR (%) 93.56 92.36 91.31 93.36 94.26 95.26 97.06 94.26 93.08 96.34
FAR (%) 1.654 1.832 1.865 2.452 1.436 1.542 2.543 1.127 1.532 1.214
EtrD 2.54 4.49 4.64 3.65 4.13 4.42 4.14 5.37 6.34 4.34
EteD 4.67 5.66 6.53 4.39 6.35 6.54 5.34 8.27 7.14 6.54
GA-SVM DR (%) 88.43 85.43 87.72 85.16 86.32 88.31 89.37 88.34 90.10 89.42
FAR (%) 5.624 3.265 3.122 4.342 5.010 5.046 3.235 3.253 3.145 3.254
EtrD 3.75 6.03 6.54 4.56 5.46 5.39 6.42 6.68 7.47 7.24
EteD 4.78 7.52 7.38 5.43 6.57 7.47 7.54 7.18 9.05 10.08
EFS-SVM DR (%) 87.98 85.23 87.57 84.78 85.43 87.43 88.32 87.22 89.68 89.03
FAR (%) 5.78 4.34 5.62 5.73 6.57 6.49 5.79 6.39 4.89 7.38
EtrD 5.86 8.58 7.49 7.41 8.73 8.38 7.69 7.36 9.53 8.47
EteD 6.37 8.45 9.35 6.29 8.51 9.65 10.48 8.93 10.52 11.52
SVM DR (%) 87.76 85.01 87.32 84.08 83.36 86.32 87.21 86.38 89.22 88.36
FAR (%) 6.57 11.23 13.74 9.05 14.21 11.36 16.38 10.39 9.06 11.23
EtrD 14.78 18.53 15.38 17.27 19.16 16.46 18.25 16.29 20.17 18.21
EteD 18.75 19.87 20.48 21.32 24.37 18.25 20.44 19.11 24.12 25.08

Table 5  Comparison results in ISCX 2012 dataset irrelevant features. However, GOA is quickly trapped in local
Dataset Method Feature DR FPR Accuracy optima, and premature convergence seems when applied to
sophisticated problems. To overcome this issue, we have
ISCX 2012 HbPHAD [51] All 99.04 * * introduced adaptive behavior of GOA, called AGOA that can
EMD [14] * 90.04 7.92 90.12 contribute to predict the networks traffic behavior accurately.
SLFN [52] 11 88.16 5.56 * In addition, AGOA technique is applied to choose appropri-
IG-PCA-Ensem- 7 99.1 0.01 99.011 ate SVM parameters, which escape over-fitting concern of
ble [53]
SVM. The proposed model has provided a high detection
Proposed method 5 99.23 0.067 99.13
rate of 99.23%, accuracy of 99.13% and a low false alarm

13

Content courtesy of Springer Nature, terms of use apply. Rights reserved.

116
Fig. 5  Comparison of average accuracy and detection rate in ISCX 2012 dataset
rate of 0.067 in ISCX 2012 dataset. This quality constructs
the model computationally more efficient. The future work
will include integrating SVM with other metaheuristics opti-
mization feature search approaches to acquire more profi-
cient hybrid models.
References
1. Kusyk J, Uyar MU, Sahin CS (2018) Survey on evolutionary
computation methods for cybersecurity of mobile ad hoc net-
works. Evol Intell 10:95–117
2. Yao X (2017) The realisation of goal-driven airport enclosures
intrusion alarm system. Int J Grid Util Comput 8:1–6
3. Ambusaidi MA, He X, Nanda P, Tan Z (2016) Building an
intrusion detection system using a filter-based feature selection
algorithm. IEEE Trans Comput 65:2986–2998
4. Alkhamisi GTMB Abrar Omar, Buhari Seyed M (2016) An inte-
grated incentive and trust-based optimal path identification in
ad hoc on-demand multipath distance vector routing for manet.
Int J Grid Util Comput
5. Mirjalili SZ, Mirjalili S, Saremi S, Faris H, Aljarah I (2018)
Grasshopper optimization algorithm for multi-objective opti-
mization problems. Appl Intell 48:805–820
6. Saremi S, Mirjalili S, Lewis A (2017) Grasshopper optimisation
algorithm: theory and application. Adv Eng Softw 105:30–47
7. Mafarja M, Aljarah I, Heidari AA, Hammouri AI, Faris H,
Ala’M A-Z, Mirjalili S (2018) Evolutionary population dynam-
ics and grasshopper optimization approaches for feature selec-
tion problems. Knowl Based Syst 145:25–45
8. Ewees AA, Elaziz MA, Houssein EH (2018) Improved grass-
hopper optimization algorithm using opposition-based learning.
Expert Syst Appl 112:156–172
9. Aburomman AA, Reaz MBI (2017) A novel weighted support
vector machines multiclass classifier based on differential evolu-
tion for intrusion detection systems. Inf Sci 414:225–246
10. Kuang F, Xu W, Zhang S (2014) A novel hybrid KPCA and
SVM with GA model for intrusion detection. Appl Soft Comput
18:178–184
13
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Evolutionary Intelligence (2020) 13:103–117
11. Denning DE (1987) An intrusion-detection model. IEEE Trans
Softw Eng 2:222–232
12. Benmessahel I, Xie K, Chellal M, Semong T (2019) A new evo-
lutionary neural networks based on intrusion detection systems
using locust swarm optimization. Evol Intell 12:1–16
13. Tariq M, Majeed H, Beg MO, Khan FA, Derhab A (2019)
Accurate detection of sitting posture activities in a secure iot
based assisted living environment. Future Gener Comput Syst
92:745–757
14. Tan Z, Jamdagni A, He X, Nanda P, Liu RP, Hu J (2014) Detec-
tion of denial-of-service attacks based on computer vision tech-
niques. IEEE Trans Comput 64:2519–2533
15. Satyapal Singh AKS, Mohan Kubendiran (2019) A review of
intrusion detection approaches in cloud security systems. Int J
Grid Util Comput 10:361–374
16. Zakeri A, Hokmabadi A (2019) Efficient feature selection
method using real-valued grasshopper optimization algorithm.
Expert Syst Appl 119:61–72
17. Pervez MS, Farid DM (2014) Feature selection and intrusion
classification in NSL-KDD cup 99 dataset employing SVMS.
In: 2014 8th international conference on software, knowledge,
information management and applications (SKIMA). IEEE, pp
1–6
18. Abraham A, Jain R, Thomas J, Han SY (2007) D-SCIDS: dis-
tributed soft computing intrusion detection system. J Netw
Comput Appl 30:81–98
19. Hamamoto AH, Carvalho LF, Sampaio LDH, Abrão T, Proença
ML Jr (2018) Network anomaly detection system using genetic
algorithm and fuzzy logic. Expert Syst Appl 92:390–402
20. Tsang C-H, Kwong S, Wang H (2007) Genetic-fuzzy rule min-
ing approach and evaluation of feature selection techniques for
anomaly intrusion detection. Pattern Recognit 40:2373–2391
21. Khammassi C, Krichen S (2017) A GA-LR wrapper approach
for feature selection in network intrusion detection. Comput
Secur 70:255–277
22. Shahreza ML, Moazzami D, Moshiri B, Delavar M (2011) Anom-
aly detection using a self-organizing map and particle swarm opti-
mization. Sci Iran 18:1460–1468
23. Zaman S, Karray F (2009) Lightweight ids based on features
selection and ids classification scheme. In: 2009 international con-
ference on computational science and engineering, vol 3. IEEE,
pp 365–370
Evolutionary Intelligence (2020) 13:103–117
24. Buchtala O, Klimek M, Sick B (2005) Evolutionary optimization
of radial basis function classifiers for data mining applications.
IEEE Trans Syst Man Cybern Part B (Cybern) 35:928–947
25. Manzoor I, Kumar N et al (2017) A feature reduced intru-
sion detection system using ann classifier. Expert Syst Appl
88:249–257
26. Vidal JM, Orozco ALS, Villalba LJG (2018) Adaptive artificial
immune networks for mitigating dos flooding attacks. Swarm Evol
Comput 38:94–108
27. Karami A, Guerrero-Zapata M (2015) A hybrid multiobjective
RBF-PSO method for mitigating dos attacks in named data net-
working. Neurocomputing 151:1262–1282
28. Wu J, Wang H, Li N, Yao P, Huang Y, Su Z, Yu Y (2017) Dis-
tributed trajectory optimization for multiple solar-powered UAVs
target tracking in urban environment by adaptive grasshopper opti-
mization algorithm. Aerosp Sci Technol 70:497–510
29. Al-Betar MA, Awadallah MA (2018) Island bat algorithm for
optimization. Expert Syst Appl 107:126–145
30. Cai J, Luo J, Wang S, Yang S (2018) Feature selection in machine
learning: a new perspective. Neurocomputing 300:70–79
31. Il-Agure Z, Attallah B (2019) How mutual information inter-
prets anomalies using different clustering. Int J Grid Util Comput
10:36–41
32. Cover TM, Thomas JA (2012) Elements of information theory.
Wiley, Hoboken
33. Fathy A (2018) Recent meta-heuristic grasshopper optimization
algorithm for optimal reconfiguration of partially shaded PV array.
Sol Energy 171:638–651
34. Luo J, Chen H, Xu Y, Huang H, Zhao X et al (2018) An improved
grasshopper optimization algorithm with application to financial
stress prediction. Appl Math Model 64:654–668
35. Cortes C, Vapnik V (1995) Support-vector networks. Mach Learn
20:273–297
36. Chang C-C, Lin C-J (2011) Libsvm: a library for support vector
machines. ACM Trans Intell Syst Technol (TIST) 2:27
37. Ebrahimpour MK, Eftekhari M (2017) Ensemble of feature selec-
tion methods: a hesitant fuzzy sets approach. Appl Soft Comput
50:300–312
38. Rankawat SA, Dubey R (2017) Robust heart rate estimation from
multimodal physiological signals using beat signal quality index
based majority voting fusion method. Biomed Signal Process
Control 33:201–212
39. Blickle T, Thiele L (1996) A comparison of selection schemes
used in evolutionary algorithms. Evol Comput 4:361–394
40. Mirjalili S, Mirjalili SM, Lewis A (2014) Grey wolf optimizer.
Adv Eng Softw 69:46–61
41. Mafarja M, Aljarah I, Heidari AA, Faris H, Fournier-Viger P, Li
X, Mirjalili S (2018) Binary dragonfly optimization for feature
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
117
selection using time-varying transfer functions. Knowl Based Syst
161:185–204
42. Lee C-P, Leu Y, Yang W-N (2012) Constructing gene regulatory
networks from microarray data using GA/PSO with DTW. Appl
Soft Comput 12:1115–1124
43. Soufan O, Kleftogiannis D, Kalnis P, Bajic VB (2015) DWFS: a
wrapper feature selection tool based on a parallel genetic algo-
rithm. PLoS ONE 10:e0117988
44. Shiravi A, Shiravi H, Tavallaee M, Ghorbani AA (2012) Toward
developing a systematic approach to generate benchmark datasets
for intrusion detection. Comput Secur 31:357–374
45. Elhag S, Fernández A, Bawakid A, Alshomrani S, Herrera F
(2015) On the combination of genetic fuzzy systems and pair-
wise learning for improving detection rates on intrusion detection
systems. Expert Syst Appl 42:193–202
46. Nisioti A, Mylonas A, Yoo PD, Katos V (2018) From intrusion
detection to attacker attribution: a comprehensive survey of unsu-
pervised methods. IEEE Commun Surv Tutor 20:3369–3388
47. Ravale U, Marathe N, Padiya P (2015) Feature selection based
hybrid anomaly intrusion detection system using K means and
RBF kernel function. Procedia Comput Sci 45:428–435
48. Shukla AK (2019) Building an effective approach toward Intrusion
detection using ensemble feature selection. Int J Inf Secur Priv
(IJISP) 13(3):31–47
49. Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed
analysis of the KDD cup 99 data set. In: IEEE symposium on
computational intelligence for security and defense applications,
2009. CISDA 2009. IEEE, pp 1–6
50. Nadiammai G, Hemalatha M (2014) Effective approach toward
intrusion detection system using data mining techniques. Egypt
Inform J 15:37–50
51. Yassin W, Udzir NI, Abdullah A, Abdullah MT, Muda Z, Zulzalil
H (2014) Packet header anomaly detection using statistical
analysis. In: International joint conference SOCO’14-CISIS’14-
ICEUTE’14. Springer, pp 473–482
52. Huang H, Khalid RS, Yu H (2017) Distributed machine learning
on smart-gateway network towards real-time indoor data analytics.
In: Data science and big data: an environment of computational
intelligence. Springer, pp 231–263
53. Salo F, Nassif AB, Essex A (2019) Dimensionality reduction with
ig-pca and ensemble classifier for network intrusion detection.
Comput Netw 148:164–175
Publisher’s Note Springer Nature remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.
13
Terms and Conditions
Springer Nature journal content, brought to you courtesy of Springer Nature Customer Service Center GmbH (“Springer Nature”).
Springer Nature supports a reasonable amount of sharing of research papers by authors, subscribers and authorised users (“Users”), for small-
scale personal, non-commercial use provided that all copyright, trade and service marks and other proprietary notices are maintained. By
accessing, sharing, receiving or otherwise using the Springer Nature journal content you agree to these terms of use (“Terms”). For these
purposes, Springer Nature considers academic use (by researchers and students) to be non-commercial.
These Terms are supplementary and will apply in addition to any applicable website terms and conditions, a relevant site licence or a personal
subscription. These Terms will prevail over any conflict or ambiguity with regards to the relevant terms, a site licence or a personal subscription
(to the extent of the conflict or ambiguity only). For Creative Commons-licensed articles, the terms of the Creative Commons license used will
apply.
We collect and use personal data to provide access to the Springer Nature journal content. We may also use these personal data internally within
ResearchGate and Springer Nature and as agreed share it, in an anonymised way, for purposes of tracking, analysis and reporting. We will not
otherwise disclose your personal data outside the ResearchGate or the Springer Nature group of companies unless we have your permission as
detailed in the Privacy Policy.
While Users may use the Springer Nature journal content for small scale, personal non-commercial use, it is important to note that Users may
not:

1. use such content for the purpose of providing other users with access on a regular or large scale basis or as a means to circumvent access
control;
2. use such content where to do so would be considered a criminal or statutory offence in any jurisdiction, or gives rise to civil liability, or is
otherwise unlawful;
3. falsely or misleadingly imply or suggest endorsement, approval , sponsorship, or association unless explicitly agreed to by Springer Nature in
writing;
4. use bots or other automated methods to access the content or redirect messages
5. override any security feature or exclusionary protocol; or
6. share the content in order to create substitute for Springer Nature products or services or a systematic database of Springer Nature journal
content.
In line with the restriction against commercial use, Springer Nature does not permit the creation of a product or service that creates revenue,
royalties, rent or income from our content or its inclusion as part of a paid for service or for other commercial gain. Springer Nature journal
content cannot be used for inter-library loans and librarians may not upload Springer Nature journal content on a large scale into their, or any
other, institutional repository.
These terms of use are reviewed regularly and may be amended at any time. Springer Nature is not obligated to publish any information or
content on this website and may remove it or features or functionality at our sole discretion, at any time with or without notice. Springer Nature
may revoke this licence to you at any time and remove access to any copies of the Springer Nature journal content which have been saved.
To the fullest extent permitted by law, Springer Nature makes no warranties, representations or guarantees to Users, either express or implied
with respect to the Springer nature journal content and all parties disclaim and waive any implied warranties or warranties imposed by law,
including merchantability or fitness for any particular purpose.
Please note that these rights do not automatically extend to content, data or other material published by Springer Nature that may be licensed
from third parties.
If you would like to use or distribute our Springer Nature journal content to a wider audience or on a regular basis or in any other manner not
expressly permitted by these Terms, please contact Springer Nature at

[email protected]