Fast Learning Hyper-Heuristic Framework for Intrusion Detection System

The literature on intrusion detection systems has emerged in recent years. This problem has not been tackled from various perspectives. Some researchers have focused on stream data clustering [13-15]. while others were more interested in the classification models in general, adopting ensemble-based approaches [13, 16, 17]. The first part has been focusing on the evolving aspect of network traffic when it includes attacks or any type of anomaly, which makes it suitable for handling the concept drift. The second part has been focusing on the issues of imbalanced aspects of training data in intrusion detection systems. Other researchers have focused on the high dimensionality issue of Intrusion Detection System (IDS). In the work [18], the dimensionality has been reduced based on feature ranking and correlation in order to identify useful features that are fed into A feed-forward neural network trained utilizing the Levenberg-Marquardt algorithm. This work has the issue of slow iterative training comparing of its neural network comparing with the one-shot training of the extreme learning machine. In the work [19], an intrusion detection system based on integrated backpropagation and extreme learning machine has been proposed in order to avoid the random behaviour of weights initialization in the input and hidden layer, and replace it with gradient-corrected weights provided from back-propagation, while keeping the online nature of the method. The usage of extreme learning machine variants in intrusion detection systems has been found in other approaches. In the work [20], an extreme learning machine with a hybrid kernel function (HKELM). The algorithm has used for optimizing the hyper-kernel parameter using two algorithms, namely, the gravitational search algorithm (GSA) and differential evolution (DE).

A minority of the approaches have proposed a joint handling of the two issues in one framework. In a recent framework developed by us were proposed combining the power of stream clustering with the power of multi-classification for intrusion detection. The framework has included an evolutionary algorithm for communicating the changes desired to the clustering by the classifier to maintain the learned behaviour of the past attacks. The framework has identified us as the hyper-heuristic framework (HH-F). It includes an online extreme learning machine as a core classifier and online-offline core clustering, it has provided superior performance in terms of predicting attacks. However, the synchronization between the classifier and the clustering blocks requires a fast-learning classifier. The usage of an extreme learning machine, which is a single hidden-layer neural network for this purpose is partially adequate. However, its performance requires adjusting the number of hidden neurons to make it suitable for learning, while avoiding under-fitting on one side because of a lower of number of neurons and over-fitting on the other side because of a higher number of neurons. Furthermore, increasing the number of neurons might cause slow learning. The goal of this article is to upgrade HH.F framework from its current single hidden neural network with only single connections between the input-hidden and hidden output layers to parallel connections from both the input-hidden, hidden output, and input-output layer. In addition, we aim to enable an online learning algorithm to allow knowledge update for every new chunk of data. With such a change, the core classification can reach knowledge fitting with a lower number of neurons, which accomplishes better efficiency.

This section outlines the established methodology for achieving the study's objectives. It starts with an overview of the hyper-heuristic framework and pseudocodes in sub-section A. Next, we provide the parallel structure of the single hidden-layer neural network in sub-section B. Next, the prediction and training model is provided in section C. Afterwards, the online learning model is given in sub-section D. Afterwards, the computational complexity of the algorithm is given in sub-section E. Next, we provide the dataset description in sub-section F. Finally, we have provided the evaluation measurement in sub-section G.

4.1 Overview of the hyper-heuristic framework and pseudocodes

The framework of hyper-heuristic is presented in Figure 1. The framework is composed of three distinct blocks, namely, neural network (NN), core-clustering with online and offline phase and genetic algorithm (GA). We add to them a configuration responsible for feeding the GA with an objective value for optimization based on a calculated error and a class prediction responsible for performing the predictions of the classes (normal vs. attack and the type of attacks).

Figure 1. Framework of the hyper-heuristic framework (HH-F) for stream data classification

This framework can operate under one of two variants, namely, hyper 1 and hyper 2, as it is presented in Algorithms 1 and 2, respectively.

Algorithm 1. Pseudocode of hyper-heuristic 1

Algorithm 2. Pseudocode of hyper-heuristic 2

In the first variant, the pseudocode is composed of two phases, namely, the boosting phase and the iterative phase. In the boosting phase, the algorithm receives a labeled boosting chunk for the purpose of initial training to produce the initial neural network NN0. Next, the genetic optimization runs to tune or optimize the parameters of the core clustering, where it uses the difference between the predicted classes by the classifier and the correct ones. Afterwards, the algorithm runs for every newly arrived chunk and performs two sub-phases, namely, prediction based on the last learned classifier and training based on the last labelled chunk. The difference between hyper 1 and hyper 2 is in the correction phase, where the former does not perform an additional optimization step based on the correct values of the classes, like the latter.

4.2 Parallel structure of a single hidden layer neural network

In the original single hidden layer neural network used in hyper-heuristic, there were only connections between the input and hidden layer and connections between the hidden and output layer [21]. The topology of this NN is shown in Figure 2.

Figure 2. Neural network for a single hidden layer

In the new topology, we are inspired by the study [22] where direct connections between the input and output layer are added, which enables more capability of embedding knowledge with a lower number of neurons in the hidden layer. The topology of the new structure is given in Figure 3.

Figure 3. Parallel structure of a single hidden layer neural network (add the red connections between the input and output to reduce the number of neurons)

As shown in Figure 3, the red connections is the newly added connections as parallel links incorporated into the neural network structure, which are designed to increase internal connectivity without increasing the number of neurons. This connection provides more flexibility in adapting to changes in the data and improves the model's efficiency in performing incremental learning.

The weights between the input and hidden layer are denoted by $W_{i h}$ ,which is represented in a matrix with size of $n \times \widetilde{N}$ and it is given as it is shown in Eq. (1).

$W_{i h}=\left[\begin{array}{ccc}w_{11} & w_{12} & w_{1 \widetilde{N}} \\ w_{21} & w_{22} & w_{2 \widetilde{N}} \\ \cdot & \cdot & \cdot \\ \cdot & \cdot & \cdot \\ w_{n 1} & w_{n 2} & w_{n \widetilde{N}}\end{array}\right]$          (1)

where,

$n$ denots the number of inputs or features.

$\widetilde{N}$ denotes the number of hidden neurons.

The weights between the hidden layer and the output are denoted by $W_{h o}$, which is represented in the matrix $\widetilde{N} \times m$ and it is given as it is shown in Eq. (2).

$W_{h o}=\left[\begin{array}{ccc}w_{11} & w_{12} & w_{1 m} \\ w_{21} & w_{22} & w_{2 m} \\ \cdot & \cdot & \cdot \\ \cdot & \cdot & \cdot \\ w_{\widetilde{N} 1} & w_{n 2} \cdot & w_{\widetilde{N} m}\end{array}\right]$          (2)

The weights between the input and output (which represents the parallel weights) are given as $W_{i o}$ with the size $n \times m$ and it is given as it is shown in Eq. (3).

$W_{i o}=\left[\begin{array}{ccc}w_{11} & w_{12} & w_{1 m} \\ w_{21} & w_{22} & w_{2 m} \\ \cdot & \cdot & \cdot \\ \cdot & \cdot & \cdot \\ w_{n 1} & w_{n 2} & \cdot w_{n m}\end{array}\right]$          (3)

In addition to the weights, we have the biases that are introduced as additive terms to the neurons in the hidden layer, and they are given as it is shown in Eq. (4).

$b=\left[\begin{array}{c}b_1 \\ b_2 \\ \cdot \\ \cdot \\ b_{\widetilde{N}}\end{array}\right]$          (4)

4.3 Prediction and training model

Assuming that we know the weights of the neural network $W^{o i}, W_k^{o h}, W_k^{i n}$ where, $W^{o i}$ represents the weights of the input output layer, $W_k^{o h}$ represents the weights of the hidden layer with the output for neuron $k, W_k^{i n}$ is the weights of input layer with the hidden neuron $k$ and assuming that we have samples $x_j$ where $j= 1, \ldots N$. The predicted output of $x_j$ is given in $y_j$. It is given as it is presented in Eq. (5).

$\begin{gathered}y_j=f\left(W^{o i} x_j+c+\sum_{k=1}^m W_k^{o h} g\left(W_k^{i n} x_j+b_k\right)\right), \\ j=1,2, \ldots, N\end{gathered}$          (5)

The equation can be represented in compact form as it is shown in Eqs. (6) and (7).

$Y=f\left(W^{o i} X+W^{o h} G+c\right)=f\left(\left[W^{o i} W^{o h} c\right][G]^X_I\right)=f\left(W[G]^X_I\right)$          (6)

$G=g\left(W^{i n} X+b\right)$          (7)

where,

$W^{o i}$ denotes the input-output weights.

$W^{o h}$ denotes the hidden output weights.

$b$ denotes the biases of the hidden layer.

$I$ denotes vector of ones and length of $N$.  

$c$ denotes the bias of the output layer.

$g$ denotes the first activation function.

$f$ denotes the second activation function.

$G$ denotes the output of the input layer.

The training model is responsible of calculating the weight matrices $W^{o i}$, $W^{o h}$, $b$. It assumes that we have $X$. Next, $W^{i n}$ is calculated randomly and we use it to calculate $G$ while $W^{o i}$ and $W^{o h}$ are calculated based on the Eqs. (8) and (9).

$\widehat{w}=T H^{\dagger}$          (8)

$H=\left[\begin{array}{l}X \\ G\end{array}\right]$          (9)

In the remainder of the article, we denote the single weights model as (HS), and it has two variants, H1S and H2S for hyper 1 and hyper 2, respectively. Similarly, we denote the model of parallel weights as (HP), and it has two variants, H1P and H2P for hyper 1 and hyper 2, respectively.

4.4 Online learning model

The issue with the parallel classifier that is adopted is that it is not suitable to be incorporated directly into the hyper-heuristic framework. The reason is that it does not support online learning according to the previous training equation. Hence, we further develop it to support online learning as follows.

We assume that the data is given as $\mathrm{X}=\left\{\left(X_i, t_i\right) \mid X_i \in\right. \left.R^{n_i \times n}, t_i \in R^{n_i \times m}, i=1, \ldots, N\right\}$.

where, $n_i$ denotes the number of records in the chunk $i$ and $n$ denotes the number of columns. $X_i$ denotes a chunk of data and $m$ denotes the number of classes.

(1) Phase 1: The boosting phase

1)-Generate randomly the input weights $w_0{ }^{i n}$.

2)-Calculate the hidden layer output matrix $G_0$.

3)-Calculate the output weight matrix using Moore-Penrose.

4)-Extract the two weights matrices $w_0{ }^{o i}$  and $w_0{ }^{o h}$. 

(2) Phase 2: Sequential learning phase

For each further coming chunk $\left(X_i, t_i\right)$, where $X_i \in R^{n_i \times n}$ and $t_i \in R^{n_i \times m}$.

$i=1,2, \ldots N C$ where $N C$ denotes the number of chunks:

1-Compute the output matrix of the hidden layer $G_k$.

2-Determine the most recent output matrix $\widehat{w}^{(k+1)}$ using Eqs. (10) and (11).

$M_{k+1}=M_k-\frac{M_k\left[_{G_k}^{X_k}\right]+\left[{ }_{G_k}^{X_k}\right]_{k+1}^T M_k}{1+\left[{ }_{G_k}^{X_k}\right]_{k+1}^T M_k\left[_{G_k}^{X_k}\right]_{k+1}}$          (10)

$\widehat{w}^{(k+1)}=\widehat{w}^{(k)}+M_{k+1} H_{k+1}\left(t_i^T-H_{k+1}^T \widehat{w}^{(k)}\right)$          (11)

Extract the two weights matrices $W_{k+1}{ }^{o i}$ and $W_{k+1}{ }^{o h}$ from $\widehat{w}$

$k=k+1$

The boosting phase of algorithm training embodies the following steps: the generation of input weights $w_0{ }^{i n}$ randomly, the calculation of the hidden layer output matrix $G_0$, the computation of the output weight matrix with Moore-Penrose where two weights matrices input-output $w_0{ }^{o i}$ and hidden-output $w_0{ }^{o i}$ are extracted. The steady sub-phase (the sequential learning phase) includes processing each for chunks $\left(X_i, t_i\right)$, so in the earlier iterations we compute the hidden layer output matrix $G_k$ and after the latest output matrix at this iterative step, extract the two weights matrices $W_{k+1}{ }^{o i}$ and $W_{k+1}{ }^{\text {oh }}$, which is how we modified the offline version of the parallel scheme, which exists in the literature.

The recursive learning is supported because the Eqs. (10) and (11) enable updating the weights of the neural network $\widehat{W}^{(k+1)}$ based on the previous weights $\widehat{W}^{(k)}$.

In this work, the problem of class imbalance in the data streams was not resolved with intent of retaining the realism of intrusion detection systems in which attack instances are considerably infrequent compared to normal traffic. Rebalancing the data artificially by oversampling the minority classes or undersampling the majority class creates a distribution that would not exist in reality and would put the model’s generalizability at risk.

The model evaluation, instead, is done with the inherent imbalance of KDD99 or NSL-KDD datasets which provides a more realistic appraisal of model evaluation in real-world scenarios. The goal of this decision is to emulate an operational IDS for which unknown attacks would be seen as large and benign traffic would be seen as surreptitious and unpredictable.

We do understand that class imbalance is an important problem in the design of IDS. In future work, we intend to investigate adaptive approaches that are imbalanced-aware by default in unstable environments and respond to the degree of imbalance without destroying the flow of data.

4.5 Computational complexity

The difference between single hidden layer training with and without parallel weights is calculated by using Moore-Penrose computational complexity which is given as $\mathrm{O}\left(\mathrm{n} \widetilde{\mathrm{N}}^2\right)+\mathrm{O}\left(\widetilde{\mathrm{N}}^3\right)$ for a matrix $H$ of size $\mathrm{n} \times \widetilde{\mathrm{N}}$ or it is given as $\mathrm{O}(\mathrm{n} \tilde{\mathrm{N}})+\mathrm{O}\left(\tilde{\mathrm{N}}^2\right)$ by using the approach of the study [23].

In our case, the number of rows in the matrix represents the number of samples $\mathrm{n}$ and the number of columns in the matrix represents the number of neurons in the hidden layer $\tilde{\mathrm{N}}$. Assuming that we reduced the number of neurons for the parallel model with percentage of $1 / R$, the calculated complexity of the parallel model is $O\left(n \frac{1}{R^2} \widetilde{N}^2\right)+O\left(\frac{1}{R^3} \widetilde{N}^3\right)$ or $\mathrm{O}\left(\mathrm{n} \frac{1}{R} \widetilde{\mathrm{~N}}\right)+\mathrm{O}\left(\frac{1}{R^2} \widetilde{\mathrm{~N}}^2\right)$.

The theoretical complexity of the proposed model was already analyzed as O(n/N²) but, as far as the actual runtime results are concerned, it is important to confirm empirically such claim. To this end, we measured the CPU time of the model with different input sizes and settings.

Experimental Setup:

• Hardware: Intel Core i7-12700K 32 GB RAM

• Software: MATLAB 2022a

• Dataset: NSL-KDD and KDD99

• Chunk sizes tested: 1000, 2000, 5000, 10,000 samples

Results from the runtime analysis indicate that the system keeps a sublinear increase in execution time with increase in input size, particularly when the number of neurons N is scaled down proportionately, aligning with the theoretical assumption of O(n/N²). This verification shows that the expected application of parallel connectivity, along with incremental updates does effectively reduces computational costs, thus adapting the model to be more efficient for online learning in real-world settings.

4.6 Dataset description

This part explains the evaluation datasets to be utilized. Three real datasets are chosen for evaluating the work: KDD’99, NSL-KDD, and Landsat.

(1) KDD’99

KDD’99 [24] may be the famous complete dataset for testing and analysis anomaly detection techniques. This dataset derives from the DARPA’98 IDS data structure which encompasses many numerous gigabytes of compressed raw (binary) TCP dump data on networks over the period of seven weeks, in addition to 5 million connection of records reached to be around 100 bytes each. Furthermore, the dataset contains around 2 million connection of records. Each record has 41 fields which are marked as normal, DoS, U2R, R2L, or probing along with some graded level attacks.

(2) NSL-KDD

Multiple studies have come across challenges regarding workplace productivity, which are linked to the KDD’99 dataset [24]. NSL-KDD was proposed, in which they eliminated duplicated entries from the training and testing data; furthermore, they also set the level of certain groups to be negatively correlated to the percentage of records contained within the original KDD’99 dataset. There were 21 unique attacks that were included in the training dataset out of the 37 available in the test dataset. Some of the known attacks are incorporated into the training data, while some unknown attacks are also some of the attacks not included in the training data.

(3) Landsat satellite

This dataset contains a total of 4,435 objects that come from remote-sensing satellite images. Each object pertains to a region and is subdivided into sub-regions based on four intensity captures at different wavelengths. The dataset has a total of 36 attributes. This dataset is used by the study [25].

4.7 Evaluation measurement

This part describes the measures that used to evaluate the effectiveness of HH-F and how it stacks up against the best-known approaches in the domain. TP is true positives, TN is true negatives, FP is false positives, and FN is false negatives.

(1) Accuracy

Accuracy is defined as the ratio of correct predictions to the total number of predictions made [26]. This calculation is expressed in Eq. (12).

$A C C=\frac{T P+T N}{T P+T N+F P+F N}$          (12)

(2) Precision (PPV)

PVV According to PVV refers to the number of positive identifications that were actually correct. This reflects the number of true positive predictions made by the classifier in the relation of a total count of records predicted as positive. In this case, records containing confirmed positive examples included in the data set [27]. This calculation is expressed in Eq. (13).

$\mathrm{PPV}=\frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}$          (13)

(3) Recall (TPR)

TPR signifies the ratio of true positives predicted by the classifier to the actual positive records on the dataset [28]. The calculation is expressed in Eq. (14).

$T P R=\frac{T P}{T P+F N}$          (14)

(4) Specificity (TNR)

TNR indicates the proportion of true negatives predicted by the classifiers relative to all negative records that were evaluated (tested) [29]. This calculation is presented in Eq. (15).

$T N R=\frac{T N}{N}$          (15)

(5) NPV

This metric refers to negative predicted value which is calculated from the ratio of predictive true negatives to the total value of negative cases as explained in the study [30]. The calculation is expressed in Eq. (16).

$N P V=\frac{T N}{T N+F N}$          (16)

(6) G_mean

This metric is determined by forming the combination of precision and recall [27]. This calculation is presented in Eq. (17).

$G_{-}mean=\frac{T P}{\sqrt{(T P+F P)(T P+F N)}}$          (17)

(7) F_Measure

The F_Measure denotes the harmonic mean of both precision and recall. This calculation is presented in Eq. (18).

$F_{-}measure =\frac{2 \times{ precision } { × recall }}{ { precision }+  { recall }}$          (18)