Network Anomaly Detection System using Genetic

Algorithm, Feature Selection and Classification

Elif İpek Uysal Gülnur Demircioğlu Gülsade Kale
SAAT Laboratory, Computer SAAT Laboratory, Computer Computer Technologies Department
Engineering Department Engineering Department Kilis 7 Aralık University
Ankara University Ankara University Kilis, Turkey
Ankara, Turkey Ankara, Turkey gkale@kilis.edu.tr
euysal@havelsan.com.tr gulnurrd@gmail.com
Mehmet Serdar Güzel
Erkan Bostanci SAAT Laboratory, Computer Sarmad N. Mohammed
SAAT Laboratory, Computer Engineering Department Computer Science Department
Engineering Department Ankara University Kirkuk University
Ankara University Ankara, Turkey Kirkuk, Iraq
Ankara, Turkey mguzel@ankara.edu.tr sarmad_mohammed@uokirkuk.edu.iq
ebostanci@ankara.edu.tr

Abstract—Networks are dangerous environments with
containing numerous security vulnerabilities and those
vulnerabilities are likely to be used while attacking systems with
the intent of stealing valuable information or stopping the
services. A system should be protected from already-known
types of attacks and also have ability to detect unknown types of
attacks to prevent abduction of the information. Unknown types
of attacks may give harm to the system by stopping the services
that runs effective and stable. For that purpose, it has become
necessary to develop a flexible and adaptable system which can
collect instant data from the network, distinguish between
harmless and harmful behaviors and take measures against
them. The main goal of this work is to explain a network
anomaly detection system that is developed using genetic
algorithm and Weka classification features to fulfill the
purposes stated above. The Genetic Algorithm is used to
generate various individuals with the aim of determining which
attributes of the individual are providing a better result about
learning the behavioral pattern of the network traffic.
Furthermore, Weka classifiers are applied to the train and test
datasets to calculate the best fitness value, and to decide on
individual's attributes that are more effective about finding the
anomaly occurring in a given instant.
Keywords—Network Anomaly Detection System, Genetic
Algorithm, Weka, Feature Selection, Classification
I. INTRODUCTION
Computer networks changed the things that people should
be used to carry out specific activities in an easier and faster
way. Therefore, computer networks are used in many
applications in order to benefit from the advantages of the
Internet. While benefiting from those advantages, networks
are started to face with a growing number of various threats
which are changing and deriving day-by-day.
Network Anomaly Detection Systems (NADS) controls
the existence of the patterns by handling the data acquired by
the network traffic and takes on the task of deciding whether
the input data gotten from there is an anomaly or a normal data
instance. NADS network mentioned in this project uses
Weka’s machine learning algorithms to detect the behavior
that contains an anomaly. In this approach the normal
behavior that is moved to the system previously and the real-
time network behavior data are compared and if there is an
obvious diversion between them the related notification is
created.
The mentioned study here aims to employ genetic
algorithms in order to increase the classification accuracy of a
detection system with the least number of attributes for
deciding the behavior on anomaly testing with the stated data
compiled from KDD99 dataset.
Each chromosome that was occurred by making up a
suitable chromosome structure with genetic algorithm is
estimated how well it expresses the solution. Since genetic
operators are numerous and create chromosomes with
different attributes in these algorithms, a large solution set is
obtained and these solutions have almost optimal values even
in the worst cases.
Weka is an open source data mining software and includes
the tools on machine learning algorithms such as data
preparation, classification, feature selection, regression etc.
Data mining is a method used to obtain information that was
not known previously but potentially important about a
dataset. In this project method, feature selection and
classification, which belongs to Weka, were used.
Feature selection, in other words, attribute selection,
specifies which attribute in a dataset is more effective for the
solution and ensures the attributes to be used while machine
learning. The model created by choosing the correct attributes
has higher accuracy level and less complexity. These
chromosomes that were obtained with the help of this
technical genetic algorithm decides if this gen to be used while
creating the related representing attribute's model according to
gen values in the dataset.
Classification is the operation of organizing similar or
separate data of a dataset in a way that would place them in
same and different categories. This method is to create a
model by using attributes chosen in each chromosome. The
created model is tested with the data in the dataset and
specifies the accuracy value of the model's behavior on the
network according to the correctly categorized instances. With
this accuracy value and used feature number, the fitness value
of the chromosome is estimated. Thus, it is seen how
successful the chromosome to detect the behavior.
A NADS project developed by using these techniques is
presented. The aim of this project is to detect and provide a
notification to take certain precautions in case of an anomaly

978-1-7281-3789-6/19/$31.00 ©2019 IEEE

that means the actions to be occurred by using the individuals
with the best results.
The rest of this paper is organized as such: Section II will
talk about the recent works on the network anomaly detection
subject, Section III will have information regarding the
methods that were used in this project, Section IV will
mention the project that aims the detection of anomalies in a
network, Section V will show the obtained results and Section
VI will talk about the conclusions obtained by basing this
project.
II. RELATED WORKS
There are two approaches used in intrusion detection. The
first one of these is known as misuse detection and based on
introducing the known attacks and considering the unknown
cases normal. While this approach provides protection against
known attacks easily, it cannot react to this kind of attacks
since it does not have the ability to detect them. In the second
approach, anomaly detection, while regular usual behavior,
introduces to the system, the behavior that has an obvious
diversion to those (outliers) are dealt as anomalies (Denning,
1987). The biggest advantage of this approach is that it detects
the unknown attacks.
When the increase in the computer systems using the
internet and due to that the personal data transferred to these
systems are taken to account, detecting intrusions that can
happen on networks has become an important priority.
Network Anomaly Detection Systems is one of the approaches
developed and researched with this goal. Network anomaly
detection methods are examined in six categories [1]. In this
part, those mentioned categories will be explained and shown
in Figure 1.
1) Statistical-based detection: In statistical-based
detection, a case that is suspected to be partially or
completely unrelated to a model produced by the statistically
stochastic model is observed to be an anomaly.
2) Classification-based detection: This method creates a
model for cases that are expected to happen by a classification
algorithm and thus, classifies traffic patterns of the network.
In this method, while the behavioral pattern is trained, a
labeled dataset is needed. Here data that does not belong to
the normal behavior pattern class is considered to be an
anomaly.
3) Clustering and outlier-based detection: In this
method, data without label are cut into sections and the data
in the same section are to be similar to each other than the
data in the other sections. Outliers are spots that are not
expected to happen in the data model created after clustering.
Thus, these outliers are considered to be an anomaly.
4) Soft Computing: This method is used in the cases that
do not have an obviously known algorithm to reach a result
and in that way it is suitable to use for NAD. Soft Computing
is made of these methods: Genetic Algorithm (GA), Artificial
Neural Network (ANN), Fuzzy Sets, Rough Sets and Ant
Colony algorithms and Artificial Immune Systems (AIS).
a) Genetic algorithm (GA): used to find the optimal
result for search problems. “The approach is to evolve a
population of possible solutions towards a better solution,
which will, in turn, result in better detection rates of
anomalies.” [2]. GA is further explained in Section III.
b) Artificial Neural Networks (ANN): As [3] says
“Systems motivated by the distributed, massively parallel
computation in the brain that enables it to be so successful at
complex control and recognition/classification tasks”. The
human brain can execute calculates faster than the fastest
computer. The neurons inside the brain are interacted to each
other by the connections named synapse. ANN was inspired
by this was created by using great connections to have a good
performance. In Neural Networks, the power of the
connections between neurons that are actively
communicating is provided by updating synapse weights.
c) Fuzzy Sets: Used while detecting specific or general
possibilities created by network intrusion detection systems
via fuzzy rules.
d) Rough Set: A mathematical tool that creates
explainable rules by shrinking the dataset size with feature
extraction while being beneficial for finding hidden patterns
in data and handling indefinite, insufficient data [2] [4].
e) Ant Colony Optimization (ACO): ACO and related
algorithms are techniques trying to mimic how ants search for
food between a nutrition source and their own colonies. These
techniques are used to solve the calculation problems which
can be reformulated to find optimal paths through graphs.
Artificial immune systems (AIS), represent a computational
method inspired by the principles of the human immune
system. The human immune system is adept at performing
anomaly detection [1].
5) Knowledge-Based NAD: Creates pre-defined rules or
attach models to display the unknown attacks generally.
Network or host events are monitored over these, has
examples such as knowledge-based methods expert systems,
rule-based, ontology-based, logic-based and state-transition
analysis [1].
6) Combination Learners: Systems that are created by
using multiple network anomaly detection methods together
can be examined under three headings.
a) Ensemble-based methods and systems: Used for
classification of examples that is not seen previously by
combining multiple individual classifiers [5]. This technique
weights the options obtained from individual classifiers and
combines them to reach the final decision [1].
b) Fusion-based methods and system: “With an
evolving need of automated decision making, it is important
to improve classification accuracy compared to the stand-
alone general decision-based techniques even though such a
system may have several disparate data sources. So, a suitable
combination of these is the focus of the fusion approach.” [1].
Fusion-based techniques are merging data on data level,
feature level and decision level. “Data fusion is efficient in
terms of increasing timeliness of attack identification and
helps reducing false alarm rates. Another advantage would be
that decision level fusion has a high detection rate when given
applicable training data. The downsides of these techniques
are the high consumption of resources as well as the feature
level fusion being a time-consuming task.” [2].
 Network Anomaly Detection Methods
Classification
Statistical Soft Computing
Based
Parametric GA based
Non-Parametric ANN based
Fuzzy Set
Rough Set
Ant Colony
Fig. 1. Classification of network anomaly detection methods (GA-Genetic Algorithm, ANN-Artificial Neural Network, AIS-Artificial Immune System)
(modified from [1])
c) Hybrid methods and system: Most of the intrusion
detection systems use one of the approaches of misuse
detection or anomaly detection. In addition to this, while
misuse detection cannot detect the unknown intrusions,
anomaly detection has a disadvantage of often having a high
false positive rate. In order to handle the disadvantages of the
approach used alone, a hybrid method is created based on
using multiple network anomaly detection approaches
together. “Hybridization of several methods increases
performance of IDSs.” [1] [6]. “These methods benefit using
features from both signature and anomaly-based network
anomaly detection. This leads to being able to handle both
known and unknown anomalies” [2].
The project mentioned in this article is a hybrid system
created by using GA-based soft computing and classification-
based methods. The aim of this system is to detect by using a
labeled dataset including attack types along with the data
which are expressed to be normal behavior. In addition to that,
it tries to detect a new attack type that is not considered normal
and differentiates from the known attack types. While
executing these operations, obtaining high accuracy values
and low false positive rates are targeted for the aimed NADS.
III. METHODS
A. Genetic Algorithm
It is hard to achieve an absolute solution in the problems
which have more than one local optima. In such problems, it
is necessary to apply intelligent approaches such as meta-
heuristics [7]. Examples of problems with which these
approaches can be applied are Generator Maintenance
Scheduling [8], Traveling Salesman [9] and Job Scheduling
[10].
The genetic algorithm is a search heuristic inspired by
Charles Darwin’s natural theory of evolution (1859) and its
technique was developed by Holland (1992). “GA abstracts
the process of a population evolving given an environment
condition to adapt and thrive in the scenario. Through the
genetic operators (Selection, Mutation, and Crossover), the
solutions are improved each generation until a stopping
condition is reached.” [7]. The stopping criteria are usually to
reach the end of the number of generations to be created or to
reach the desired fitness value in the solution. The lack of
Knowledge Clustering and Combination
Based Outlier Based Learners
Rule and Expert System Ensemble Based
Ontology and Logic Based Fusion Based
Hybrid
sufficient or no improvement in the fitness values of the
generations is also accepted as stopping criteria.
The process steps of the genetic algorithm are as follows:
• Step 1: Random individuals are created and added to
the population of the first generation.
• Step 2: Fitness values of chromosomes belonging to
individuals are calculated.
• Step 3: The condition of the stopping criteria is
checked. If provided, the processes are completed, and
the most fit individual is considered to be the optimal
solution. If not, processes will be continued from Step
4.
• Step 4: The selection process is applied considering the
fitness values of the most fit individuals to increase the
likelihood of joining the crossover and thus to obtain
fitter generations.
• Step 5: Crossover is applied among selected
individuals. In this way, the diversity of the new
generation will be increased.
• Step 6: With a small value of the mutation rate, a
change in the chromosome can form a different
chromosome which has higher fitness value.
• Step 7: Return to Step 2.
The chromosomes of individuals are generated in the
manner that expresses the solution of the problem. A fitness
function should be determined in accordance with the problem
in order to calculate the fitness of the individuals in the
population. The aim of optimization problems is to maximize
or minimize the value of this function depending on the
problem.
“The genetic operators that GA performs add an aspect of
randomness which helps evade local minimums and maxima
while incrementally improving the initial set of solutions.” [7].
In this project, MOEA Framework is used when
implementing GA. MOEA is a free and open source Java
library which supports genetic algorithms. Genetic processes
were performed by using NSGA-II, PAES and eMOEA
algorithms presented by MOEA.
B. Feature Selection
Success in machine learning is related to the quality of the
dataset used. If the dataset is inadequate, or if it contains
unnecessary and unrelated data, the results generated by
machine learning algorithms may be less accurate. The feature
selection method is used to find unnecessary and irrelevant
attributes within a dataset and to have higher accuracy for the
results obtained by preventing them from participating in the
process during machine learning.
In this study, features are selected depend on the each
chromosome’s genes that have either 1 or 0 binary value. If a
gene has a value of 1 then the feature which is corresponding
to this gene will be removed from the dataset, and if it has a
value of 0 then this feature will be used when creating the
model.
C. Classification with Weka
“Classification is the process of building a model of
classes from a set of records that contain class labels.” [11].
Weka includes Java implementations of many classification
algorithms.
In this project, Weka's J48, AdaBoostM1 and Bagging
classifiers were selected to obtain the models with highest
accuracy which is using the least feature after feature
selection.
J48 is the implementation of C4.5 algorithm written in
Java by Weka and generates a decision tree. “Decision Tree
Algorithm is to find out the way the attributes-vector behaves
for a number of instances. The additional features of J48 are
accounting for missing values, decision trees pruning,
continuous attribute value ranges, derivation of rules, etc.”
[12].
AdaBoostM1 (Adaptive Boosting), is a machine learning
meta-algorithm which has an effect to boost the performance
of any machine learning algorithm.
Bagging, is an ensemble method which creates a new train
dataset with randomly selected instances from the train dataset
and retrains the learner using this new train dataset.
IV. NETWORK ANOMALY DETECTION SYSTEM
The NADS presented here follows the steps shown in
Figure 2.
The chromosomal structure expressing the solution is
determined in a way that has 41 genes representing 41
attributes in KDD99 dataset used in learning process.
At the beginning of the train stage, a certain number of
chromosomes created, and each gene belonging to a
chromosome is assigned with a random 1 or 0 binary value.
These chromosomes are diversified by the use of MOEA
Framework’s algorithms; NSGA-II, PAES and eMOEA. The
fittest chromosomes which use least feature and have highest
accuracy are printed out by this framework at the end of the
execution.
In the Feature selection stage, the corresponding attribute
with a value of 1 will not participate in the classification
operation and will be removed. The remaining attributes are
selected, and the classification operation is completed with
these attributes.
Fig. 2. Steps applied by the system to find best feature subset to achieve
best anomaly-detecting solution combining Genetic Algorithm and
classification methods.
In the classification stage, Weka's J48, AdaBoostM1 and
Bagging classifiers were used to perform the classification
process. The accuracy value of the generated model and the
number of attributes participating in the classification process
are taken into consideration and the fitness value of the
chromosome is calculated.
The fitness function used in this work is:
0.8 0.2 (1)
where fi is fitness of the chromosome i, ai is the accuracy
of the model implemented by using the chromosome i, and mi
is the number of the selected, attributes.
When the program stops working, the most fit individuals
obtained from these iterations are recorded and stored for use
at the anomaly detection stage. Here, the most fit individuals
are the optimal solution for the determination of the anomaly
in the KDD99 dataset, which has the lowest number of
features as possible and the highest accuracy value of the
classification result.
All solutions obtained from these 9 executions are brought
together and the test process is performed with a KDD99 test
dataset. In the test stage, all of the models were reconstructed
by using the recorded chromosomes and the most successful
models for the detection of anomalies in the network were
determined by reclassification using a separate KDD-99 test
dataset. The results obtained from this work will be shown in
the Results section.
V. RESULTS
Models with the least feature number and highest accuracy
were selected as the best results. These model’s accuracy rates
and the number of features that have been removed from the
models with the best results are shown in Figure 3. According
to the Figure 4, NSGA-II algorithm with J48 classifier has the
most accurate value with %91,099 and chooses the least
number of attributes as 22.
Similarly, results for the training of the best models with
the train dataset are shown in Figure 4. According to the
Figure 5, NSGA-II algorithm with J48 classifier has the most
accurate value with %97,032 and chooses the least number of
attributes as 22.

Fig. 3. Test stage’s graphic of the accuracy values and the removed feature
numbers that are obtained from the best models.
neighbour. International Journal of Computing and ICT Research,
2008. 2(1): p. 60-66.
[5] G. Folino and P. Sabatino, Ensemble based collaborative and
distributed intrusion detection systems: A survey. Journal of Network
and Computer Applications, 2016. 66: p. 1-16.
[6] A. M. Karim, M. S. Guzel, M. R. Tolun, H. Kaya, and F. V. Celebi, A
new framework using deep auto-encoder and energy spectral density
for medical waveform data classification and processing.
Biocybernetics and Biomedical Engineering, 2019. 39(1): p. 148-159.
[7] A. H. Hamamoto, L. F. Carvalho, L. D. S. Sampaio, T. Abrao, and M.
L. Proenca Jr, Network anomaly detection system using genetic
algorithm and fuzzy logic. Expert Systems with Applications, 2018.
92: p. 390-402.
[8] S. Baskar, P. Subbaraj, M. Rao, and S. Tamilselvi, Genetic algorithms
solution to generator maintenance scheduling with modified genetic
operators. IEE Proceedings-Generation, Transmission and
Distribution, 2003. 150(1): p. 56-60.
[9] S. Wang and A. Zhao, An improved hybrid genetic algorithm for
traveling salesman problem. in Computational Intelligence and
Software Engineering. 2009.
[10] Y. Xing, Z. Chen, J. Sun, and L. Hu, An improved adaptive genetic
algorithm for job-shop scheduling problem. in Third International
Conference on Natural Computation (ICNC 2007). 2007. IEEE.
[11] I. H. Witten, E. Frank, M. A. Hall, and C. J. Pal, Data Mining: Practical
machine learning tools and techniques. 2016: Morgan Kaufmann.
[12] G. Kaur and A. Chhabra, Improved J48 classification algorithm for the
prediction of diabetes. International Journal of Computer Applications,
2014. 98(22).

Fig. 4. Train stage’s graphic of the accuracy values and the removed feature
numbers that are obtained from the best models.

As a result, this project can discover the most effective

feature subset with the help of the genetic algorithm and it can
detect the anomalies with a high accuracy rate.
VI. CONCLUSION
In this work, a NADS is created to identify behaviors that
express an attack in network traffic. In the creation of this
system, feature selection was performed in KDD99 dataset
using genetic algorithm and an optimal feature subset was
tried to be acquired in anomaly determination by using the
selected features. The best results were obtained using NSGA-
II algorithm with J48 classifier.
According to the results obtained after the completion of
the train and test phases of the project, it was observed that the
developed NADS could find the most effective features in
detecting the attacks from the datasets with the help of
chromosomes obtained by genetic algorithm. It is shown that
the models, which are created by using the selected features,
were able to detect attacks with high accuracy and less latency.
REFERENCES
[1] M. H. Bhuyan, D.K. Bhattacharyya, and J.K. Kalita, Network anomaly
detection: methods, systems and tools. Ieee communications surveys &
tutorials, 2013. 16(1): p. 303-336.
[2] A. T. Tran, Network anomaly detection. Future Internet (FI) and
Innovative Internet Technologies and Mobile Communication (IITM)
Focal Topic: Advanced Persistent Threats, 2017. 55.
[3] M. H. Hassoun, Fundamentals of artificial neural networks.
Proceedings of the IEEE, New York, 1996.
[4] A. O. Adetunmbi, S. O. Falaki, O. S. Adewale, and B. K. Alese,
Network intrusion detection based on rough set and k-nearest