Simulation analysis of intrusion detection system based on genetic attribute reduction algorithm and neural network based on rough set theory

Abstract

Keywords

Rough set genetic attribute reduction algorithm neural network intrusion detection system

1 Introduction

With the development of the internet and the richness of contents, it plays a more and more important role in people’s life [1]. But because the internet is an open platform, when it brings convenience to people, simultaneously, there are many potential risks and security problems. Among them, network intrusion is one of the important problems in the current internet. The destructiveness of network intrusion is, it has great harm to the internet users’ self - information, but under the influence of many factors, the means of network intrusion become more and more [2]. So we need to build a system that can detect the risk of computers. The establishment of a scientific and secure computer network environment in the Internet system.

Intrusion detection system is the invasion behavior of the bad people, detection way is through the computer network and computer software to analyze information in each node of the system [3]. Network and system searches from the network information to analyze whether there is a violation of security or the information on the existence of the system [4]. The system is based on the framework model of the network security system, using the genetic attribute reduction algorithm based on rough set and neural network intrusion detection system simulation analysis to test the quality of service, and finally get the best value of the most correct system parameters [5]. Repeated debugging and used in the actual network security management.

2 State of the art

The rough set theory used in this paper is a mathematical computing tool of uncertain factors in the 1980s, it deals with imprecise and uncertain math problems without the need to validate the data that provides the problem [6]. The data can be analyzed and processed directly, and the hidden knowledge of surface problems can be found out. By exploring the potential discipline of the problem, the application in many areas is also very extensive [7]. Most of the fields cited before are also used in the frontier military field. In recent years, rough set theory in the use of science and technology machine learning, computer data mining, and decision analysis application, the current database still exists the phenomenon of information redundancy. The ability to remove these redundant information can speed up the operation of the system [8]. Although the development of the current rough set theory is not perfect, we need to do more processing in the process of network security.

So we will use this research algorithm on the network security issue this time. In a study of effective algorithm research and rough set, this time using the construction of intrusion system combined with neural network algorithm and genetic algorithm [9]. Through these algorithms, the detection system can be constructed, and all the security problems can be processed. The detection system will be able to serve the network security system [10], turn away the information that will be harmful to the network and make our network world more secure.

3 Methodology

3.1 Genetic attribute reduction algorithm model based on rough set theory

Computer network intrusion detection system for short– IDS, IDS is a computer monitoring system, it through the real-time monitoring system, once found abnormal conditions issued a warning. IDS intrusion detection system is divided into several categories due to the different sources of information and detection methods: according to the information source can be divided into host-based ids and network-based ids, according to the detection methods can be divided into abnormal intrusion detection and misuse intrusion detection. Unlike the firewall, IDS intrusion detection system is a monitoring device, not connected on any link, no network traffic flow through it can work. Therefore, the only requirement for the deployment of IDS is that IDS should be attached to the links that all traffic must flow through. Here, “concern traffic” refers to the access traffic from high-risk network areas and the need for statistics, monitoring of network packets. In today’s network topology, it is difficult to find the previous hub - type shared media collision domain network, most of the network areas have been fully upgraded to the switched network structure. Therefore, the location of IDS in a switched network is generally chosen to be as close as possible to the source of the attack or as close as possible to the protected resource. These are usually on switches in the server area; on the first switch after the Internet access router; Key protected network segment on the LAN switches. As the market of intrusion detection system has developed rapidly in recent years. The basic structure of the intrusion detection system is shown in Fig. 1 below.

Fig.1

Schematic diagram of function for network intrusion firewall.

In the construction of the intrusion detection system simulation model based on neural network, we need to establish the model to study the intrusion detection system. In the abstract transformation into the image of the research model. First of all, we will be interested in the goal of intrusion detection system, form a finite set, defined as the universe, and categories the knowledge in different categories. The two objects are not, which can be seen as an equivalent relation in which any subset X of the equivalent relation can be referred to as a concept in the U, where it can be treated as an empty set concept, any concept in the U as an abstract concept, we can define a partition condition of ξ, defined as follows: $U = {X_{1}, X_{2}, \dots X_{r}}, X_{i} \subseteq U, X_{i} \neq \emptyset$ (1) $C = {c_{1}, c_{2}, \dots, c_{r}}$ (2)

Y as a conditional attribute set, D as a decision attribute set, we make the following information function calculation, $U \times C \to V$ (3) $U \times D \to V$ (4)

The upper form of the information function, where $F = C \cup D, C \cap D = \emptyset, V = \cup V_{a}, a \in F$ and V_a represent the range of the attribute a. $S = (U, C, D, f, d)$ (5)

As a knowledge base about U, R and U is an equivalent relation, we construct a set of all the equivalence of R, in which it constitutes the partition of a U set. We also need to define two knowledge bases– K = (U, P) and, so that the K value is an equivalent. The calculated records are shown in Table 1 below.

Table 1

The calculation process of table value is recorded as follows

KB	Information function	Decision attribute set	Average entropy	Calculate K value
0–40	3.6	2.2	2.9	2.9
40–80	7.3	3.4	5.35	5.35
80–120	2.3	5.3	3.9	3.9
120–160	1.4	4.7	3.05	3.05
160–200	2.3	5.3	3.8	3.8
200–250	7.3	3.4	5.35	5.35

In the rough set theory, the information expression system is described by the basic features. Information expression system can be expressed when face network security problems. When a network intrusion is in progress, we first need to obtain the data packets from the nodes of the network and the system, and analyze the intrusion behavior of the obtained packets. The speed of analysis and determination of the requirements that cannot meet the real-time requirement is accelerated. At this time, the algorithm model can analyze the packets containing the attack behavior, in order to obtain good network protection ability and intrusion detection effect. Due to the development of network technology and the widespread use of the network, with the network data flow increasing. In order to be able to meet the real-time requirements, the data in the network packet must be compressed and reduced, in which redundant data is removed, and only the attributes that affect the final decision are retained. This can improve the efficiency of intrusion detection, reduce the loss of hardware, and also meet the requirements of real-time and accuracy. After this operation, the rough set theory after the analysis of incomplete information processing, can be relieved from the prior information, in this process can develop the hidden rules between the time, take useful features, and can use simple knowledge to express. Because it has great advantages in dealing with redundant information, it is very necessary for intrusion detection system.

3.2 Genetic attribute reduction algorithm and neural network combination

Genetic algorithm is a universal mathematical algorithm and it uses the model, which simulates an algorithm of the natural evolution process of organisms. In this paper, we use the basic genetic algorithm to search the optimal solution. The computational foundation of the algorithm is a population. Through the selection process of the self - superior and inferior in the population, the search process of the optimal solution is reached. Neural network algorithm is a mathematical algorithm composed of analog higher animal neural network, through the abstract simulation of the neural operation of the human brain constitutes a complex network system. The advantage of neural network is that it can simulate the human neural system to carry on a large-scale collaborative information processing ability, not only that, this algorithm has the self-learning ability, can perform the operation while completing its own evolution process. In this study, we combine the two algorithms together, give full play to their advantages, and avoid their shortcomings, so as to achieve a best of both worlds. Better to provide powerful help for intrusion detection system. This paper adopts the algorithm based on genetic algorithm to neural network algorithm. The flowchart of the algorithm is shown in Fig. 2 below.

Fig.2

Intrusion detection system based on rough reduction algorithm.

Since the received raw data is a string of abstract character formats, we need to convert these raw data into the form of a decision table, and at the same time indicate the condition attributes and decision attributes of the information. So for the condition of detection, we must deal with two parts, the first is to transform the data, the second is to detect the data obtained. We preprocess the test data, convert it into a two-dimensional table, and convert the character value into the number; Then, the continuous attributes are discretized according to certain rules, and then the parameters are set according to the function of the genetic algorithm, and the final data set is obtained. We put these data sets into a unified input to the genetic algorithm model, through many times training to make neural network algorithm can self-learn to a certain degree. In the genetic algorithm the setting of fitness function is always a very important content, as the core of the algorithm, its setting is related to the whole calculation speed of the algorithm, because it is also the objective function of the algorithm. Therefore, we set the fitness function must contain two main contents, first we should be able to maintain the attribute classification ability after reduction, and then to ensure the unity of the final result, need to ensure the convergence speed of the function, so this adaptive function setting is as follows: $F (x) = \frac{card (U) - card (L_{1})}{card (U)} + \frac{card ({posL}_{1} (D))}{K}$ (6)

The function in the upper form can be divided into two parts: the first part is: $h (x) = \frac{card (U) - card (L_{1})}{card (U)}$ , in which card (U) representing the sum of all the attributes in the system– U, card (L₁) indicating that the chromosome L gene represents the number of “1”, indicating the value of the property values useful for the chromosome. When the number of this attribute becomes less and less, it is the time to achieve the fitness. The second part– f (x) = card (posL₁ (D)), which refers to the intensity of the implication– D, which is certain in the specific problem. Therefore, we need to adjust the algorithm in the design process, in this algorithm; we need to ensure the priority of the classification ability of attribute reduction, after considering the minimum of the number. K is to determine f (x) is important than h (x), so that can delimit a feasible solution of the region to search, and can be in the feasible solution to set the individual hardness value. This algorithm model is probably accomplished.

4 Result analysis and discussion

After the completion of the intrusion detection system simulation analysis based on the combination of genetic attribute reduction algorithm and neural network based on rough set. We mainly use MATLAB software to complete, so we need to install the neural network test toolbox, first of all, copy the neural network toolbox files, so that can call the neural network toolbox function. Our tests are as follows: using 3 - layer neural network structure, the input node number is 13, the number of output nodes is 5, and the number of hidden layer is 30. This is the output layer of the hidden layer transfer function is similar to the S- shape function. The training algorithm adopts the improved gradient descent algorithm, after the maximum number of training is 2000; the calculation error of the system is reduced to 0.0001. In order to speed up the convergence, the selected data needs to be normalized, and the data is normalized within [–1, 1] range, as shown in Table 2 after the test.

Table 2
Recording points of convergence points calculated by normalizing

Function Population size Convergence times Average convergence algebra Average convergence value

Traditional genetic s 50 500 25 0.9999

algorithm f 300 482 31 0.8765

Others improved s 50 500 25 0.6532

genetic algorithm f 300 496 24 0.8953

	Function	Population size	Convergence times	Average convergence algebra	Average convergence value
Traditional genetic	s	50	500	25	0.9999
algorithm	f	300	482	31	0.8765
Others improved	s	50	500	25	0.6532
genetic algorithm	f	300	496	24	0.8953

Through the above table, we can see that the proposed genetic neural network algorithm compared with the traditional neural network algorithm. Whether in the algorithm of the data function convergence to the degree of good detection rate, can be very good to meet the current needs of the network intrusion detection algorithm system. After the demonstration of the data, we also need to detect the ability of the algorithm model when face different types of network intrusion detection mode. After the test of various intrusion methods, we can obtain the detection of various types of intrusion patterns as shown below in Fig. 3

Fig.3

The detection of various types of intrusion patterns.

Through above you can see, compared with before the existing neural network algorithm, the algorithm of the model from the invasion of the types of DOS attacks or Probr types of intrusion attack or in the face of the U2R and R2L type of attack detection rate has a larger increase. In addition, the algorithm has been improved a lot, which is because there are very few attack samples. In order to obtain these two types of attack, there is less attack form. The error rate of the improved algorithm is greatly reduced, which proves that the improved algorithm has achieved great achievements.

In order to be able to self-learning ability of genetic neural network algorithm to improve, so this time we just in the original data input point data, through many times test observation in time and the algorithm of the optimal value of records on the number of iterations, the results of Table 3 shows.

Table 3

Optimal value and algorithm iteration number record result table

Intrusion mode	Detection time	Iiterations	Detection degree	Convergence time
DOS	4/10	4–6	0.8	5.8
Probr	4/10	4–7	1	5.8
U2R	5/20	4–8	0.6	5.7
R2L	15/40	12–20	0.5	1.3

As it can be seen from the above table, the genetic neural network algorithm proposed in this paper only needs to iterate 7 times and the time is also the 6 s node has been converged. The traditional algorithm needs to double time and the number of iterations, from this paper can be seen that the proposed algorithm can greatly save the training time and detection efficiency.

In conclusion, the proposed algorithm model can be in intrusion detection, data preprocessing, data attribute reduction and intrusion data detection module. The genetic neural network algorithm is improved, which can reduce the time of system operation, so the efficiency of the algorithm is greatly improved. Therefore, it can be real-time and effective in intrusion detection, so it will be able to further strengthen the network detection.

5 Conclusion

With the network technology development and the current attention to network security, the intrusion detection technology of the network system research has being regarded more important. The previous system intrusion detection section has not been able to meet and adapt to the needs of the current rapid development of the network era. The construction of the framework of intrusion detection system is our primary task. Using the genetic attribute reduction algorithm based on rough set and neural network intrusion detection system simulation analysis to test the quality of service, and finally get the optimal value of the most correct system parameters. Repeated debugging and used in the actual network security management. This research adopts the genetic attribute reduction algorithm based on rough set and neural network intrusion detection system simulation analysis, through the simple computer algorithm and system simulation analysis of intrusion mode simulation model establishment. After many tests and the rationalization of the algorithm model, finally come to an algorithm model that can meet the actual network detection needs. This is also a practical application of the algorithm model, which can provide help for future research. The results show that the study has made great success.

References

El-Alfy

E.S.M.

and Alshammari

M.A.

, Towards scalable rough set based attribute subset selection for intrusion detection using parallel genetic algorithm in MapReduce, Simulation Modelling Practice & Theory Theory64 (2016), 18–29.

Wang

, Compulsory coverage network intrusion detection algorithm based on rough set theory, Journal of Computational & Theoretical Nanoscience9480–9483 (2016).

Suji

R.J.

and Rajagopalan

S.P.

, A novel hybrid system for diagnosing breast cancer using fuzzy rough set and LS-SVM, Research Journal of Applied Sciences Engineering & Technology10(1) (2015), 49–55.

Haiyan

, Jiantao

et al., Intrusion detection based on roughset and artificial immune, High Technology Letters22(4) (2016), 368–375.

Wang

, Du

and Hong

, Mine internet of things data collectionalgorithm based on neural network and rough set, Journal of Computational & Theoretical Nanoscience12(12) (2015), 6304–6308.

Jiao

, Jia

, Ding

et al., Subjective logic application research—Rough set belief rule model and trust evaluation model of the intrusion detection system, Optik - International Journal for Light and Electron Optics126(24) (2016), 5593–5599.

Dai

and Duan

, Research on knowledge acquisition of motorcycleintelligent design system based on rough set, Computer & Computing Technologies in Agriculture V368 (2016), 16–27.

Fetouh

and Zaky

M.S.

, New approach to design SVC-based stabiliser using genetic algorithm and rough set theory, Iet Generation Transmission & Distribution11(2) (2017), 372–382.

Inbarani

H.H.

, Bagyamathi

and Azar

A.T.

, A novel hybrid featureselection method based on rough set and improved harmony search, Neural Computing & Applications26(8) (2015), 1859–1880.

10.

Wang

J.S.

, Song

J.D.

and Gao

, Rough set-probabilistic neural networks fault diagnosis method of polymerization kettle equipment based on shuffled frog leaping algorithm, Information6(1) (2015), 49–68.