Stabbing of Intrusion with Learning Framework Using Auto Encoder Based Intellectual Enhanced Linear Support Vector Machine for Feature Dimensionality Reduction

Security breaches and assaults can be detected using intrusion detection systems (IDS). An ID system monitors and analyses network traffic in order to detect any irregularities. Signature-based or anomaly-based intrusion detection can be used [1]. Any deviation from the specified set of criteria is deemed as an intrusion according to the signature-based approach to finding intrusions [2]. This approach has high accuracy and low false alarm rates when recognising known assaults. This approach cannot identify a new type of assault due to the pre-determined rules. Analyzed intrusion detection systems can detect previously unknown or novel threats [3]. According to numerous research models, anomaly-based detection is more accurate, although it has a high percentage of false alarms. The lack of a supervised database for training machine learning models, as well as the difficulties in selecting an optimal feature from the network traffic dataset, make detecting intrusions more difficult. Because assault patterns change over time, it is difficult to discriminate between different types of attacks using the same features [4].

With the help of an IDS, businesses can keep tabs on their entire networks and more easily adhere to security standards. In addition, companies can utilise IDS logs as evidence of having complied with specific regulations. As an added bonus, intrusion detection systems can help authorities react more quickly to threats. Individuals, businesses, and governments all have a vested interest in ensuring that their networked systems are secure. Networked system attacks have expanded tremendously, and the methods employed by those behind them are constantly developing and adapting. One defence against these assaults is intrusion detection. An intrusion detection system's major use is in alerting IT staff to potential attacks or network intrusions. Any data travelling between computers on a network, as well as data coming into and going out of the network, can be spotted by an NIDS. The network IDS keeps an eye on everything going via the network and sends out alerts whenever something looks fishy or when recognised risks are found, allowing IT staff to investigate further and take preventative measures.

IDS are crucial for monitoring networks for malicious activity. An identification system listens for any deviations in the flow of traffic at the gates [5]. Intrusion detection can employ either a signature-based or anomaly-based approach. Intrusion detection systems have specified criteria that they utilise to identify and indicate anomalies in network traffic as potential intrusions [6]. With this method, you can reliably identify specific forms of assault with few false positives. As a result, this approach cannot be used to detect the new type of assaults as the stated principles do not correspond to the unknown patterns. Intrusion detection systems that have been thoroughly examined can identify brand-new or until unseen dangers. Theoretically, anomaly-based detection should be more trustworthy, however several published proofs show that it has a large false alarm rate [7]. Important obstacles to intrusion detection include the lack of supervised data for training machine learning models and the challenge of choosing an optimal feature from the traffic flow dataset. It is challenging to differentiate between different sorts of attacks using the same attributes since attack patterns evolve over time.

The purpose of an IDS is to proactively monitor network traffic for malicious activity or attacks in progress. However, implementing IDS for massive, high-dimensional data streams is a formidable challenge. The efficiency of anomaly-based ID algorithms is heavily influenced by the fact that data streams contain features that are very different from those of statistics databases. These features comprise, but are not restricted to, the interactive nature of streaming data, the curse of dimensionality, small memory capacity, and high complexity, as well as the processing of massive data as it arrives (real-time). As a result, the primary issue in this field of study is to develop effective data-driven ID systems that can efficiently manage data streams while taking into account these unique aspects of traffic.

Given the massive size of modern datasets, it can be challenging to run numerous iterations of processing on the entire dataset at once to get reliable results. Processing or running an entire dataset is impacted significantly by training and computation time. It is feasible to solve this issue by reducing the problem's dimensionality. Once more, it is important to make sure you choose the right dimensionality reduction technique. It is challenging to identify a subset of attributes from an existing dataset that is useful or desirable, often leading to data loss or inappropriate criteria. Poor outcomes could be the result of using irrelevant features.

NIDS have recently been built using autoencoders, a deep-learning approach comprising of an encoder and a decoder [8]. The decoder uses the condensed latent vector as a starting point to recreate the original M-dimensional data from the compressed N-dimensional vector [9]. As long as the training error does not exceed a preset threshold, an input occurrence can be categorised as either normal or an attack [10]. An autoencoder-based NIDS can recognise patterns that deviate from established standards in order to detect new types of assaults. The process of dimension reduction of features is shown in Figure 1.

1.png

Figure 1. Process of dimension reduction

Artificial Neural Networks (ANN), SVMs, Naive Bayes classifiers, Random Forests (RF), and SOMs have all been utilised to develop an anomaly-based intrusion detection technique, as have RFs and RF random forests. They may be taught how to tell the difference between typical and abnormal traffic [11]. Anomaly-based techniques frequently use feature selection tasks to discriminate normal and abnormal traffic. During the feature selection phase, training data is condensed to a smaller dimension and redundant and irrelevant features are removed [12]. Meta-heuristic techniques and Principal Component Analysis (PCA) are just two of the tools available for narrowing down the ideal collection of qualities. The input data is compressed using a deep auto-encoder, and a dense neural network assesses atypical traffic [13].

The gathered traffic's attributes are compared to those of typical traffic, and any discrepancies are flagged by the anomaly-based intrusion detection system. Statistical learning, traditional machine learning, and deep learning are the three main categories of intrusion detection algorithms [14]. Statistical learning-based detection methods have been ruled out due to the requirement for data sharing. As AI has developed, machine learning systems have become more precise. Because of the data's multidimensionality and quantity, the data flow may be incredibly extensive and complicated [15]. When employing conventional machine learning algorithms, feature extraction must be performed by hand. Only very simple and superficial learning can profit from these methods. Artificial intelligence can be trained to automatically learn complex features from data using deep learning algorithms that construct a deep hierarchical network. By adopting the proposed method, new features can be generated rapidly [16].

In machine learning challenges, high-dimensional features contribute to lengthy categorisation processes [17]. Low-dimensional elements can be used to reduce the amount of time it takes to complete certain tasks. Because the classification of network traffic data contains unequal class distributions [18], most well-known classifiers, that assume usually balanced classification performance and equal miss-classification costs, have been considerably impeded [19]. Additional research is needed to solve the problem of uneven class distributions. An unequal distribution of classes in the classification of network traffic is something that past studies on intrusion detection systems have not addressed. There is also the possibility that the classifier's performance cannot be accurately assessed if the data is unbalanced [20].

The introduction section briefly discuss about the need of IDS and the significance of IDS using dimensionality reduction model [21]. The section 2 briefly provides the literature survey on various IDS models and the feature dimesionality reduction models, section 3 discuss the proposed model and the process of feature dimesionality reduction and section 4 presents the results section in which the proposed model is compared with the exisitng model and section 5 concludes the research.

The autoencoder method and its deep version have been very successful in traditional dimensionality reduction methods due to neural networks' powerful representability. They, however, do not capture the underlying functional manifold structure and instead use each instance to replicate itself rather than explicitly modelling the data relation [22]. This study reduced dimensionality through manifold learning by iteratively investigating data linkages and then leveraging those relationships to look for manifold structure [23]. A neural net's basic framework consists of an input layer, a hidden layer, and an outer layer. Deep neural networks are those with more than two hidden layers of connections [24]. Backpropagation, which takes advantage of the neural architecture's hidden layers, is used by neural networks to modify the weights and biases associated with a given neuron [25].

In a neural network, the autoencoder learns from its inputs and outputs how to be the same. The input can be reconstructed into output using two fundamental mathematical functions in the neural network. Both the encoding and decoding functions are given by x=f(g). Input g is translated to output p using the internal representation x. The network can learn the most useful aspects of the raw dataset by producing approximation replicas of input. Autoencoder neural networks have a bottleneck layer with fewer nodes than the other layers because the x is typically a smaller-dimensional subspace of the g.

As an unsupervised neural network, Autoencoder is capable of rebuilding input vectors. Noise removal and intrusion detection techniques are just two examples where it exhibits impressive nonlinear generalisation skills. Here, the Autoencoder's hierarchy structure is shown in Figure 2. In an Autoencoder, the encoder and decoder are separate components. Encoders use a function named x=f0 to map input data to a feature space (g). It is useful to interpret the decoder as the function x=g0 for the generation and restructuring of the input vector (g).

2.png

Figure 2. Structure of the autoencoder

In contrast to signature-based NIDS, autoencoder-based NIDS can identify previously undiscovered attack vectors by spotting deviations from regular traffic patterns. Autoencoders are useful for filtering out irrelevant information from datasets. Autoencoders let you narrow your focus to the most important aspects of your data by compressing it, encoding it, and afterwards recreating it as an output. To achieve certain effective techniques of training networks to acquire normal behaviour, autoencoders make use of a neural network's property in a unique way. As soon as an anomalous data point is introduced, the auto-encoder becomes ineffective. It picked up representations for patterns that weren't present in the data set.

A compressed representation of input from a high-dimensional space is encoded and is used by the decoder, as well as the input to the encoder is recreated using the compressed representation. Progress is made gradually in the tuning of encoder and decoder weights during the training phase. Reconstruction errors should be kept to a minimum. When a collection of training cases is given, a feature vector with dimension di can be calculated as X=(x1, x2,..., xm). An input vector of d dimensions is transformed into a hidden vector representation by the encoder layers of the Ae. An efficient Intelligent Intrusion Detection System using Auto Encode with Efficient LSVM is proposed for feature dimensionality reduction.

Algorithm IIDS-AE-ELSVM

{

Input: Intrusion Dataset {IDSET}

Output: Feature Subset Vector {FSV}

Step-1: The intrusion dataset is considered for analysis and the records are extracted from the dataset for deep analysis. The data set records loading and analysis is performed as:

$\operatorname{RecV}=\sum_{i=1}^M$ getValue $(\operatorname{IDSET}(i))+$ getattr $(i) \epsilon I D S E T$         (1)

Step-2: The artificial neural networks using ELSTM (linear long short-term memory) are common in intelligent machines and deep learning. ELSTM has feedback connections, unlike feed forward neural networks. Classifying and forecasting intrusions, both known and unknown, can be accomplished using ELSTM. The ELSTM components are initialized as

Forget gate$\rightarrow$“ft”

Candidate layer $\rightarrow$“Ct”

Input gate$\rightarrow$“It”

Output gate$\rightarrow$“Ot”

Hidden state $\rightarrow$“Ht”

Memory state $\rightarrow$“Mt”

Forget gate:

$a_f=W_f \cdot Z_t+b f \quad f_t=\operatorname{sigmoid}\left(a_f\right)$

Input gate: $a_i=W_i \cdot Z_t+b_i \quad i_t=\operatorname{sigmoid}\left(a_i\right)$

                   : $a_c=W_c \cdot Z_t+b_c \quad \widetilde{c}_t=\tanh \left(a_c\right)$

Output gate: $a_o=W_o \cdot Z_t+b_o \quad o_t=\tanh \left(a_o\right)$

Cell state:       $C_t=f_t \otimes C_{t-1} \oplus i_t \otimes \widetilde{c}_t$

Hidden state:       $h_t=o_t \otimes \tanh \left(c_t\right)$

Output equations:     $V_t=W_v \cdot h_t+b_t$

                            $\hat{y}_t=\operatorname{softmax}\left(V_t\right)$

$L(i, j)=\frac{1}{V_t} \sum_{i=1}^m\left\|C_t-h_t\right\|^2+W_c * W_0$         (2)

Step-3: The encoder and decoder functions are considered for performing auto encoding and decoding operations. The encoder and decoder sub-models make up an auto encoder. When the input is encoded, the encoder compresses it, and the encoder's decoder tries to re-create it from the encoded version. It is saved as an encoder model after training, and the decoder is thrown away after training. The encoding and decoding process is performed as:

$E_k=f_\theta\left(g_c\right)$

$=h\left(\sum_{i=1}^{m_1} W_i . b_i+h_i\right)+V_t-\min (L(i, j))+M t$          (3)

$D_k=g_{\theta^{\prime}}\left(f_c\right)$

$=O\left(\sum_{i=1}^m y_i . c_i+b_t\right)-V_t+\max (L(i, j))-M t$          (4)

Step-4: Functions that define how the weighted sum of input is turned into an output from a layer of the network are known as activation functions. A neuron's activation function determines whether or not it will be triggered and passed on to the next layer, making it a critical component of a neural network. Just to be clear: This means that the network will make a judgement call about whether or not the neuron's input is significant to its prediction. The activation function is initiated as:

$A f_i^{(W)}=f\left(Y_i^{(h)}\right)$

$=f\left(\sum_{i=1}^n W_i^{(L-1)} \cdot a_L^{(V-E)}+b_L^{(V-D)}\right)$            (5)

Step-5: Feature extraction can be used to reduce the size of the data collection by removing extraneous information. That means that the model can be built more rapidly and with less machine effort, allowing for faster progress through the training and generalisation phases. The feature extraction process is performed as:

$F V_W=\frac{1}{2} \sum_{i=1}^n L\left(\max \left(A f_i^{(W)}, A f_i^{(h)}\right)+\min (C, V)\right.$          (6)

Step-6: Transformation of high-dimensional data into low-dimensional space in order to retain certain significant properties in the lower-dimensional representation, ideally near to its intrinsic dimension. The dimensionality reduction process is performed as:

$I s e t=\frac{F V^{(W)}-C\left[V^{(E)}\right]}{\sqrt{\operatorname{Var}\left[W^{(L)}\right]}}$           (7)

$\operatorname{FSV}\left[\operatorname{Iset}^{(k)}\right]=\frac{1}{V} \sum_{i=1}^n\left(\max \left(\operatorname{Iset}_i^{(h)}-L\left[W^{(C)}\right]\right)^2+\max \left(A f_i, A f_{i+1}\right)\right.$                   (8)

}