An adaptive intrusion detection system based on ensemble classifier with dynamic neural networks and modified cuttlefish algorithm

Abstract

The significant increase in technology development over the internet makes network security a crucial issue. In light of this, a protection system is needed for cyber-attack detection. An intrusion detection system (IDS) is used to detect such attacks. Modern IDS must handle large amounts of data with a high detection rate, taking into account detecting novel malicious attacks. Ensemble-based methods are a promising way to solve these issues. The efficiency of the IDS is mainly dependent on the selected features and used classification method. The artificial neural network (ANN) is a promising method to solve the IDS classification problem, but it requires a few parameters to be adjusted to work effectively. The ANN parameters can be adjusted simultaneously using metaheuristic algorithms, which introduces a dynamic ANN (DANN). Additionally, metaheuristic algorithms are exposed to premature convergence and low solution quality due to inadequate population diversity and inefficient search intensification. Thus, this research proposes multiple variants of the cuttlefish algorithms (CFA) to create the DANN. The first variant uses a solution migration strategy and a new local search with short-term memory to improve the solutions diversity and search intensification. This variant is introduced for solving continuous optimization problems such as the weights and biases of the ANN. As for the second variant, a constructive heuristic based on a rough-set theory is introduced to enhance the initial population of a discrete version of the CFA, which is used to set the ANN’s structure and optimize the data features. This enhancement creates an integrated filterwrapper approach to improve the feature selection process and classification accuracy (ACC). Furthermore, multiple DANNs are combined to form an ensemble classifier to create an adaptive IDS for detecting novel malicious attacks with different behaviour patterns. Together with the adaptive IDS, a new dataset known as UKM-IDS20 is generated from real-world network traffic. It is developed to ensure the IDS remains relevant as the network technology advances. The UKM-IDS20 dataset is analysed and compared to commonly used standard datasets, namely KDD99 and UNSW-NB15. The experimental results show that the introduced dataset contains relevant features for detecting common network attacks. In addition to that, the proposed IDS model demonstrates that it can achieve an ACC of 97.52%, 94.08%, and 94.66% using the KDD99, UNSW-NB15, and UKM-IDS20 datasets, respectively. Comparisons with several state-of-the-art methods are performed, and the outcomes indicate that the proposed method offers a competitive performance advantage over the alternatives. This study is anticipated to provide enough information to help cybersecurity academics generate effective IDSs and up-to-date datasets.