
Intrusion Detection System Via Evolutionary Memetic Algorithm
Elaheh Jahani , Reza Azmi
Abstract: One of the efforts made to preserve network security is the intrusion detection system (IDS). In this paper, an evolutionary memetic algorithm that uses a local search is proposed for generating rules. In the local search, two approaches are used for selecting offspring. The evolutionary memetic algorithm uses variable-length chromosomes with a mask for each feature. In addition, a confidence value is defined for each feature; it is used when changing the mask in the micro-mutation stage and causes the false positive rate to decrease. Empirical results clearly show that the detection rate is improved compared with the traditional intrusion detection approach, and that normal, known intrusion and unknown intrusion are distinguished with high accuracy.
Index Terms: Intrusion Detection Systems, Computational Intelligence, Memetic Algorithm.



1 INTRODUCTION
In general, an attack or intrusion is an activity that occurs to contravene one of the aspects of network security (confidentiality, integrity, and availability). An intrusion is an active sequence of related events that deliberately try to cause harm, such as rendering a system unusable, accessing unauthorized information, or manipulating such information. This definition refers to both successful and unsuccessful attempts [1].
Since Denning first proposed an intrusion detection model in 1987 [2], many research efforts have focused on how to construct detection models effectively and accurately. Between the late 1980s and the early 1990s, a combination of expert systems and statistical approaches was very popular. Detection models were derived from the domain knowledge of security experts. From the mid-1990s to the late 1990s, acquiring knowledge of normal or abnormal behavior turned from manual to automatic. Artificial intelligence and machine learning techniques were used to discover the underlying models from a set of training data. Commonly used methods were rule-based induction, classification and data clustering. Fortunately, computational intelligence techniques, known for their ability to adapt and to exhibit fault tolerance, high computational speed and resilience against noisy information, compensate for the limitations of these two approaches.
2 RELATED WORK
Some of the computational intelligence techniques that have been proposed are the following. Artificial Neural Networks (ANN): ANNs have the ability of learning by example and of generalizing from limited, noisy, and incomplete data; radial basis function (RBF) networks [3], multilayered feed-forward (MLFF) networks [4], recurrent networks [5], self-organizing maps (SOM) [6] and adaptive resonance theory (ART) [7] have been used. Fuzzy sets: Bridges et al. suggested the use of fuzzy association rules and fuzzy sequential rules to mine normal patterns from audit data [8]. Evolutionary computation: EC can be applied to a number of tasks in IDSs such as optimization [9], automatic model structure design, and classifiers. Artificial immune systems [10], swarm intelligence, and soft computing have also been applied.
2.1 Using Genetic Algorithm for Intrusion Detection System

Chittur's paper [11] presents a novel approach. The GA provided the necessary population breeding, randomizing, and statistics gathering functions, from which this GA was written. The fitness value depended upon how many attacks were correctly detected and how many normal-use connections were classified as attacks. The system shows that about 97% of attacks were correctly detected and 0.69% of normal connections were incorrectly classified as attacks.
Li [12] uses a GA to generate rules that match only the anomalous connections. These rules are tested on historical connections and are used to filter new connections to find suspicious network traffic. In the researcher's implementation, the network traffic used for the GA was a preclassified data set that differentiates normal network connections from anomalous ones. The data set was manually classified based on experts' knowledge and used for the fitness evaluation during the execution of the genetic algorithm. Fig. 1 shows the structure of this implementation.

Fig. 1. Architecture of applying GA into intrusion detection [12]

1 E. Jahani is with the Department of Computer Engineering, Alzahra University, Tehran, Iran.
2 R. Azmi is with the Department of Computer Engineering, Alzahra University, Tehran, Iran.
JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617
https://sites.google.com/site/journalofcomputing
WWW.JOURNALOFCOMPUTING.ORG 92


Abraham [13] investigated the suitability of the linear genetic programming (LGP) technique to model fast and efficient intrusion detection systems. The performance and accuracy of the LGP was compared to results obtained by ANN and regression tree methods.
Zhao et al. [14] proposed a novel approach using clustering genetic algorithms to solve the computer network intrusion detection problem. This algorithm includes two steps, a clustering step and a genetic optimizing step. The final model produced had an overall accuracy level of 95%; only about 0.71% of normal connections were classified as attacks, a very low false positive rate.
Gong et al. [15] proposed a genetic algorithm based ID approach containing two modules, each working in a different stage. In the training stage, the GA is used in an offline environment. In the ID stage, the generated rules are used to classify incoming network connections in the real-time environment. Once the rules are generated, the ID is simple and efficient.
Diaz-Gomez et al. [16] used, for the evolution process, a set of possible solutions generated randomly. Each chromosome in the population is evaluated using a fitness function that gives the fittest the maximum score. The main ideas of this algorithm are the following: to perform misuse detection by comparing the user's behavior against a matrix of known attacks, to explain the data contained in the audit trail by hypothesizing the occurrence of one or more attacks, and to use a heuristic method, genetic algorithms, to solve it because explaining the data is an NP-complete problem.
A. T. Haghighat et al. [17] recently investigated a hybrid Fuzzy-Genetic Algorithm. They designed three hybrid algorithms for solving the intrusion detection problem. The algorithms were combinations of the genetic algorithm with SFL and PSO, three evolutionary algorithms that try to introduce efficient solutions for complex optimization problems by patterning from natural processes.
3 PROPOSED METHOD
A GA can be used to evolve simple rules for intrusion detection; these rules are used to differentiate normal records from attacks. The rules are used in the form (If <condition> then <act>), where the condition refers to a match between the current data and the rules in the IDS.
3.1 Chromosomes with variable length
Papers have often used chromosomes with fixed length; this paper proposes the use of a variable-length chromosome representation to represent rules. This representation provides flexibility, although the number of parameters within each rule is fixed by the number of input features. Each rule is made up of three parts (Fig. 2):
Boundary: Each feature has two boundaries. The lower boundary for the ith feature is denoted by $L_i$ and the upper boundary by $U_i$. These values define the margin of feature values.
Mask: This part represents the feature selection effect. If the ith position is zero, the ith feature does not influence the condition. If the ith position is one, the ith feature influences the condition.
Operators: Four operators can be applied to the boundary: greater than ($x > L_i$), less than ($x < U_i$), within a range ($L_i \le x \le U_i$), and less than or greater than ($x < L_i$ or $x > U_i$).

Fig. 2. Representation of a rule


3.2 Fitness Function
So far, different factors for evaluating rules in IDS have been presented. The fitness of an individual depends upon how many attacks were correctly detected and how many normal records were classified as attacks. Good rules have a high correct detection rate (CDR) and a low false positive rate (FPR).

$$CDR = \frac{\alpha}{A} \quad (1)$$

$$FPR = \frac{\beta}{B} \quad (2)$$

where $\alpha$ is the number of correctly detected attacks, $A$ the number of total attacks, $\beta$ the number of false positives, and $B$ the total number of normal connections.
The fitness function developed for this experiment, $F_1$, of a specific individual $R_i$ is:

$$F_1(R_i) = w_1 \cdot CDR - w_2 \cdot FPR \quad (3)$$

The second fitness function used in this experiment, $F_2$:

$$F_2(R_i) = \frac{w_1 \cdot CDR}{w_2 \cdot FPR} \quad (4)$$
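As an added example (not code from the paper), the rule representation of Section 3.1 and the fitness measures of Section 3.2 in Python: a rule is matched against normalized records, and CDR, FPR, F1 and F2 are computed over a small constructed labelled data set. The operator codes, the Rule class and the sample records are my own assumptions.

```python
from dataclasses import dataclass

# Operator codes for the four operators of Sec. 3.1 (the numeric codes are assumed).
GT, LT, WITHIN, OUTSIDE = range(4)

@dataclass
class Rule:
    lower: list   # L_i per feature; features are normalized to [0, 1]
    upper: list   # U_i per feature
    mask: list    # 1 = feature takes part in the condition, 0 = ignored
    ops: list     # one of GT, LT, WITHIN, OUTSIDE per feature

    def matches(self, record):
        """True when every masked-on feature satisfies its operator on [L_i, U_i]."""
        for x, lo, hi, m, op in zip(record, self.lower, self.upper, self.mask, self.ops):
            if m == 0:
                continue  # masked-out feature does not influence the condition
            ok = {GT: x > lo, LT: x < hi, WITHIN: lo <= x <= hi,
                  OUTSIDE: x < lo or x > hi}[op]
            if not ok:
                return False
        return True

def fitness(rule, records, labels, w1=1.0, w2=1.0):
    """CDR (1), FPR (2), F1 (3) and F2 (4) for one rule; a match classifies the
    record as an attack. labels: 1 = attack, 0 = normal."""
    alpha = sum(1 for r, y in zip(records, labels) if y == 1 and rule.matches(r))
    beta = sum(1 for r, y in zip(records, labels) if y == 0 and rule.matches(r))
    A = sum(labels)            # total attacks
    B = len(labels) - A        # total normal records
    cdr, fpr = alpha / A, beta / B
    f1 = w1 * cdr - w2 * fpr
    f2 = (w1 * cdr) / (w2 * fpr) if fpr > 0 else float("inf")  # (4) has no value at FPR = 0
    return cdr, fpr, f1, f2

# Constructed sample: three normalized features per record, label 1 = attack.
RECORDS = [(0.9, 0.1, 0.8), (0.7, 0.5, 0.6), (0.2, 0.3, 0.9),
           (0.8, 0.2, 0.4), (0.65, 0.9, 0.55), (0.3, 0.1, 0.9)]
LABELS = [1, 1, 0, 0, 0, 1]

# Rule: feature 0 within [0.6, 1.0], feature 1 ignored (mask 0), feature 2 > 0.5.
EXAMPLE_RULE = Rule(lower=[0.6, 0.0, 0.5], upper=[1.0, 1.0, 1.0],
                    mask=[1, 0, 1], ops=[WITHIN, LT, GT])

def demo():
    """Evaluate EXAMPLE_RULE on the sample: 2 of 3 attacks caught, 1 of 3 normals flagged."""
    return fitness(EXAMPLE_RULE, RECORDS, LABELS)
```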
3.3 Memetic algorithm overview
Fig. 3 shows the flowchart of the algorithm. The algorithm first initializes a population of rules and evaluates their fitness. Then parents are selected, which are the 20% fitter chromosomes of the population in each generation. Offspring are created in the local search, and the new generation is a copy of the old generation in which the chromosomes with low fitness are replaced with the offspring.
(Fig. 2 layout: Rule = L_11 U_11 ... L_1n U_1n | M_11 M_12 ... M_1n | O_11 O_12 ... O_1n)


Fig. 3. Memetic algorithm overview
3.4 Mutation
Mutation involves the addition or deletion of rules. Rules that have a low fitness value are replaced with new chromosomes. The number of them is RuleNo * P_Mutation.
3.5 Local search
EAs have the ability to escape from local optima due to their inherent global search capability. Fig. 4 shows an overview of the local search. First, a pair of parents is selected randomly; then children are created by choosing random crossover points among the two parent rules. To prevent separating the lower and upper boundaries, the allowed crossover points are at the borders between features. Fig. 5 shows rules i and j selected for crossover, with the crossover point between features 2 and 3. By using mutation, the algorithm is able to explore new areas of the search space and has the possibility of getting a better solution. As explained, each rule consists of three parts. The mutation details are given as:
3.5.1 Boundary:
A random value in [-0.1, 0.1] is added to the lower and upper boundaries. If the resulting value is not in [0, 1], it is changed by (5).

$$B_i = \begin{cases} 1, & \text{if } B_i > 1 \\ 0, & \text{if } B_i < 0 \end{cases} \quad (5)$$
3.5.2 Mask
If this field is 0, it is mutated to 1 and vice versa.
3.5.3 Operator
Mutation on an operator changes it to any of the other three types of operators.
This process continues until the overall stopping criterion is met, which is the maximum number of generations allowed. When it is finished, two approaches are considered for selecting offspring.
First approach: After generating offspring, the fitness value of each offspring is compared with its parent. If it is fitter, it is selected as the offspring.
Second approach: In multi-threaded processes, parents generate offspring, then the offspring are compared with each other and the best offspring is selected (Fig. 6).



Fig. 4. Local search overview
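The local search of Section 3.5 as an added Python example (not the authors' code): feature-aligned crossover so an (L, U) pair is never split, the three mutations with the boundary clipping of (5), and the first offspring-selection approach. The dict layout of a rule, the per-part mutation probability and the fitness stand-in in demo() are my assumptions.

```python
import random

# A rule is a dict of per-feature lists (assumed layout, not the paper's own):
# lower/upper bounds in [0, 1], mask bits, and an operator code 0..3 (Sec. 3.1).

def crossover(rule_i, rule_j, point):
    """Swap tails at a feature border: a child keeps features [0, point) of one
    parent and [point, n) of the other, so an (L, U) pair is never split."""
    child_1 = {k: rule_i[k][:point] + rule_j[k][point:] for k in rule_i}
    child_2 = {k: rule_j[k][:point] + rule_i[k][point:] for k in rule_i}
    return child_1, child_2

def clip(b):
    """Eq. (5): a boundary pushed out of [0, 1] by the random shift is set to 1 or 0."""
    return 1.0 if b > 1 else 0.0 if b < 0 else b

def mutate(rule, rng, p=0.2):
    """Sec. 3.5.1-3.5.3: shift both boundaries by a value in [-0.1, 0.1] (clipped),
    flip the mask bit, change the operator to one of the other three. Each part of
    each feature mutates with probability p (assumption; the paper gives no rate)."""
    out = {k: list(v) for k, v in rule.items()}
    for f in range(len(out["mask"])):
        if rng.random() < p:
            out["lower"][f] = clip(out["lower"][f] + rng.uniform(-0.1, 0.1))
            out["upper"][f] = clip(out["upper"][f] + rng.uniform(-0.1, 0.1))
        if rng.random() < p:
            out["mask"][f] ^= 1
        if rng.random() < p:
            out["ops"][f] = rng.choice([o for o in range(4) if o != out["ops"][f]])
    return out

def local_search(parent_a, parent_b, fitness_fn, rng):
    """First selection approach of Sec. 3.5: a child replaces its own parent only
    if it is fitter; otherwise the parent survives into the offspring set."""
    point = rng.randrange(1, len(parent_a["mask"]))  # border between two features
    c1, c2 = crossover(parent_a, parent_b, point)
    c1, c2 = mutate(c1, rng), mutate(c2, rng)
    keep_1 = c1 if fitness_fn(c1) > fitness_fn(parent_a) else parent_a
    keep_2 = c2 if fitness_fn(c2) > fitness_fn(parent_b) else parent_b
    return keep_1, keep_2

def demo(seed=3):
    """One local-search step on two constructed 3-feature parents; the fitness
    stand-in is the number of masked-on features. Also returns a fully mutated copy."""
    rng = random.Random(seed)
    ri = {"lower": [0.1, 0.2, 0.3], "upper": [0.5, 0.6, 0.7], "mask": [1, 1, 0], "ops": [0, 1, 2]}
    rj = {"lower": [0.4, 0.5, 0.6], "upper": [0.8, 0.9, 1.0], "mask": [0, 1, 1], "ops": [3, 2, 1]}
    k1, k2 = local_search(ri, rj, lambda r: sum(r["mask"]), rng)
    return ri, rj, k1, k2, mutate(ri, rng, p=1.0)
```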

4 EXPERIMENTAL EVALUATION
The algorithm's parameters are shown in Table 1. The algorithm was run for different numbers of generations and individuals. Fifty was the accepted number for both generations and rules.
To evaluate the proposed system we use the system call data gathered in [18]. The first data set includes 56739 records, of which 27173 records are normal and 29566 records are attacks.
We preprocessed the data to normalize it (data is in [0, 1]) and to omit repetitions.

TABLE 1
ALGORITHM PARAMETERS
Parameter              Value
No. of rules           50
No. of parents         20% of RuleNo
Generations            50
Mutation probability   0.2


Fig. 5. Genetic crossover process (rules i and j crossed between features 2 and 3: the first offspring keeps L_i1 U_i1 L_i2 U_i2 L_j3 U_j3, M_i1 M_i2 M_j3, O_i1 O_i2 O_j3; the second keeps L_j1 U_j1 L_j2 U_j2 L_i3 U_i3, M_j1 M_j2 M_i3, O_j1 O_j2 O_i3)

Fig. 6. Second approach to select offspring (offspring population -> parallel local searches -> evaluate offspring)
Table 2 shows the relation between the accuracy rate and the percentage split of the train and test sets. This result was achieved by applying the fitness function in Equation 3. Using the fitness function in Equation 4 causes the accuracy rate to increase by up to 5%.


TABLE 2
ACCURACY RATE
Percentage of train set   Percentage of test set   Mean accuracy rate
50%                       50%                      93.9%
25%                       75%                      93.7%
10%                       90%                      85.6%

To lower the FPR in the running experiment, the number of masks that could be zero was half of all features. Defining a confidence value for each feature provides flexibility. Considering how often the mask has had the value one over the generations, the probability of changing the mask in the micro-mutation operator is defined. Results show that the false positive rate decreases down to 1%. A window is defined to use the confidence value as in (6).

$$\text{Confidence}(R_i, F_j, g_n) = \frac{\text{Histo}(R_i, F_j)}{\text{window width}} \quad (6)$$
The steps for recording the state of the mask in each generation are as below:
1. For each chromosome in the population
2. For each feature in the chromosome
3. Write the mask of the rule's feature for this generation
4. End for
5. End for
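An added Python example (not from the paper) of the windowed confidence value of (6) together with the mask-recording steps above: a sliding window of the last window_width generations is kept per (rule, feature), and the confidence is the number of generations in the window whose mask bit was one divided by the window width. The mapping from confidence to a mask-flip probability in turn_off_probability is my assumption, since the page only says the probability is defined from it.

```python
from collections import deque

class MaskHistory:
    """Sliding window of the last `window_width` mask bits per (rule, feature)."""

    def __init__(self, n_rules, n_features, window_width):
        self.width = window_width
        self.hist = [[deque(maxlen=window_width) for _ in range(n_features)]
                     for _ in range(n_rules)]

    def record_generation(self, masks):
        """Steps 1-5 above: masks[i][j] is the mask bit of feature j in rule i
        for the generation just evaluated; the oldest bit falls out of the window."""
        for i, rule_mask in enumerate(masks):
            for j, bit in enumerate(rule_mask):
                self.hist[i][j].append(bit)

    def histo(self, i, j):
        """Histo(R_i, F_j): generations inside the window with the mask bit set."""
        return sum(self.hist[i][j])

    def confidence(self, i, j):
        """Eq. (6): Histo(R_i, F_j) / window width. Early generations (fewer than
        window_width recorded so far) are still divided by the full width."""
        return self.histo(i, j) / self.width

    def turn_off_probability(self, i, j, p_mutation=0.2):
        """Assumed use in micro-mutation: a feature whose mask has been one for most
        of the window is unmasked with a probability scaled down by its confidence."""
        return p_mutation * (1.0 - self.confidence(i, j))

def demo():
    """Constructed run: one rule, two features, window of 4, five generations."""
    h = MaskHistory(n_rules=1, n_features=2, window_width=4)
    for masks in ([[1, 0]], [[1, 1]], [[1, 0]], [[0, 0]], [[1, 1]]):
        h.record_generation(masks)
    return h
```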
5 CONCLUSIONS
The result of the algorithm is acceptable if the percentage of the training set is more than 10% of the total data. Results show the proposed algorithm yielded a good detection rate and a low false positive rate.
A problem of this algorithm, like other metaheuristic algorithms, is instability.

References
[1] C. Endorf, E. Schultz, and J. Mellander, "Intrusion Detection & Prevention", McGraw-Hill, 2004.
[2] D. E. Denning, "An intrusion detection model", IEEE Transactions on Software Engineering 13 (2) (1987) 222–232 (Special issue on Computer Security and Privacy).
[3] A. Rapaka, A. Novokhodko, D. Wunsch, "Intrusion detection using radial basis function network on sequence of system calls", in: Proceedings of the International Joint Conference on Neural Networks (IJCNN'03), vol. 3, Portland, OR, USA, 20–24 July 2003, IEEE Press, 2003, pp. 1820–1825.
[4] K. Tan, "The application of neural networks to unix computer security", in: Proceedings of IEEE International Conference on Neural Networks, vol. 1, Perth, WA, Australia, November/December 1995, IEEE Press, 1995, pp. 476–481.
[5] E. Cheng, H. Jin, Z. Han, J. Sun, "Network-based anomaly detection using an elman network", in: X. Lu, W. Zhao (Eds.), Networking and Mobile Computing, volume 3619 of Lecture Notes in Computer Science, Springer, Berlin/Heidelberg, 2005, pp. 471–480.
[6] W. Wang, X. Guan, X. Zhang, L. Yang, "Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data", Computers & Security 25 (7) (2006) 539–550.
[7] Y. Liao, V. R. Vemuri, A. Pasos, "Adaptive anomaly detection with evolving connectionist systems", Journal of Network and Computer Applications 30 (1) (2007) 60–80 (Special Issue on Network and Information
[8] S. M. Bridges, R. B. Vaughn, "Intrusion detection via fuzzy data mining", in: Proceedings of the 12th Annual Canadian Information Technology Security Symposium, 2000, pp. 111–121.
[9] M. Dass, "LIDS: A Learning Intrusion Detection System", Master of Science, The University of Georgia, Athens, Georgia, 2003.
[10] J. Kim, P. Bentley, U. Aickelin, J. Greensmith, G. Tedesco, J. Twycross, "Immune system approaches to intrusion detection - a review", Natural Computing: An International Journal 6 (4) (2007) 413–466.
[11] A. Chittur, "Model Generation for an Intrusion Detection System Using Genetic Algorithms", Ossining High School, Ossining, NY, 2001.
[12] W. Li, "Using Genetic Algorithm for Network Intrusion Detection", Proceedings of the United States Department of Energy Cyber Security Group, 2004.
[13] A. Abraham, "Evolutionary Computation in Intelligent Network Management", in: Evolutionary Computing in Data Mining, Springer, pp. 189–210, 2004.
[14] J. L. Zhao, J. F. Zhao, and J. J. Li, "Intrusion Detection Based on Clustering Genetic Algorithm", International Conference on Machine Learning and Cybernetics, IEEE, Guangzhou, 2005, pp. 3911–3914.
[15] R. H. Gong, M. Zulkernine, and P. Abolmaesumi, "A software implementation of a Genetic Algorithm Based Approach to Network Intrusion Detection", SNPD/SAWN'05, IEEE, 2005.
[16] P. A. Diaz-Gomez, and D. F. Hougen, "Three Approaches to Intrusion Detection Analysis and Enhancements", VI National Computer and Information Security Conference ACIS, Colombia, 2006.
[17] A. T. Haghighat, M. Esmaeili, A. Saremi, V. R. Mousavi, "Intrusion Detection via Fuzzy-Genetic Algorithm Combination with Evolutionary Algorithms", in: ICIS 2007, IEEE, 2007.
[18] N. Almasian, R. Azmi, S. B. Ardestani, "AIDSLK: an Anomaly based Intrusion Detection System in Linux Kernel", Third International Conference on Information Systems, Technology and Management (ICISTM-09).
