Abstract
Network flaws are used by hackers to gain access to private systems and data. Such access can be extremely destructive and costly, so network intrusion detection is of the utmost significance. Deep learning-based algorithms require certain inputs while investigating every feature set in the network. For this reason, an Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm is proposed for network intrusion detection (IDS-AANN-OCSA). The proposed method includes several phases: data acquisition, pre-processing, feature selection, and classification. The data are gathered from the CICIDS 2017 dataset and fed to pre-processing. During pre-processing, redundancy eradication and missing value replacement are carried out with the help of random forest along with local least squares to remove uncertainties. The pre-processed data are fed to feature selection to select better features. Feature selection is accomplished with a hybrid genetic algorithm together with the particle swarm optimization technique (GPSO). The selected features are fed to an adaptive artificial neural network (AANN) for categorization, which categorizes the data as BENIGN, DOS Hulk, PortScan, DDoS, DoS Golden Eye. Finally, the hyper parameter of the adaptive artificial neural network is tuned with the Oppositional Crow Search Algorithm (OCSA), which helps to gain better classification of network intrusions. The proposed approach is implemented in Python, and its efficiency is evaluated with performance metrics such as accuracy, recall, specificity, precision, F score, and sensitivity.
The proposed approach achieves better accuracy of 99.75%, 97.85%, 95.13%, 98.79% and better sensitivity of 96.34%, 91.23%, 89.12%, 87.25% compared with existing methods, namely One-Dimensional Convolutional Neural Network Based Deep Learning for Network Intrusion Detection (IDS-CNN-GPSO), An innovative network intrusion detection scheme (IDS-CNN-LSTM) and Application of deep learning to real-time Web intrusion detection (IDS-CNN-ML-AIDS) methods respectively.
Introduction
Numerous firms have been exposed to more sophisticated cyber threats in recent years, which prompted the creation of an innovative intrusion detection system (IDS) [1]. The development of IDSs has global implications for both academia and business because every cyber-attack results in financial losses, reputational harm, and legal consequences [2]. Networks must be protected from illegal access, user engagement and data must be safeguarded, and new security flaws must be publicly revealed [3]. The IDS is a reliable security-enhancing tool for identifying and defending against cyber attacks on any network or host [4]. IDSs are in charge of identifying suspicious behaviour, ensuring that the network is adequately protected from attacks, and minimizing financial and functional losses [5]. In the literature, IDSs are categorized as anomaly-based, signature-based, or a combination of the two [6]. A signature-based intrusion detection scheme (SIDS), also termed a rule IDS, continually tracks network traffic and searches inbound traffic for patterns that match the signatures of attacks [7]. The headers of network packets, source and destination network addresses, data series matching an identified malware pattern, and data or packet series tied to a specific attack can all be used to identify an attack's signature [8]. By maintaining low failure rates, they work very effectively in the detection of known incursions [9]. SIDS can detect intrusions that are already present in the system database but cannot detect new attacks, as the system's database must be manually updated by the administrator [10–14]. Anomaly-based intrusion detection systems (AIDS) investigate networks' typical behaviour by closely monitoring the network for any indications of irregular activity [15]. AIDS can train itself with reinforcement learning algorithms or learn using anomaly detecting algorithms to recognize new types of intrusions.
Anomaly-based systems differ from signature-based ones in their identification of new threats [16]. It is challenging for attackers to specify which intrusion activities won't be recognized in order to modify the structural profile of each system. Recently, an AIDS enhancement based on Machine Learning (MLAIDS) has been suggested [17]. By classifying the processed data as normal or abnormal, these algorithms determine the network state. These approaches train and test AIDS with different datasets to evaluate AIDS capacities [18]. Even so, many datasets are unbalanced. The hybrid Intrusion Detection System merges the advantages of anomaly and signature systems and as a result improves the identification of known intrusion threats [19]. Recent hybrid intrusion detection schemes are structured around deep learning approaches. The deep-learning anomaly-based intrusion detection scheme is presented because of the advantages of AIDS against zero-day attacks [20, 21].
Because it detects known and unknown attacks proficiently, intrusion detection (ID) is a fundamental part of security. Additionally, the intrusion detection scheme is regarded as one of the most important network security technologies. The existing IDS method raises both the false positive and false negative rate in intrusion detection and does not accurately detect attacks. Deep learning is utilized as a strategy to lessen the difficulty of machine learning. To deal with these drawbacks, some solutions need to be put forward. These considerations prompted this research.
The main contributions of this manuscript are summarized below. An Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm is proposed for network intrusion detection (IDS-AANN-OCSA). The presented method comprises data acquisition, pre-processing, feature selection, and classification. The data are gathered from the CICIDS 2017 dataset [22] and fed to pre-processing. During pre-processing, redundancy eradication as well as missing value replacement is performed by random forest and local least squares to remove uncertainties [23]. The pre-processed data are fed to feature selection to select better features. The feature selection is carried out with GPSO [24]. The selected features are then fed to an adaptive artificial neural network (AANN) [25] for classification, which categorizes the data as BENIGN, DOS Hulk, PortScan, DDoS, DoS Golden Eye. Finally, the hyper parameter of the adaptive artificial neural network is tuned with the Oppositional Crow Search Algorithm (OCSA) [26], which helps to gain better classification of network intrusions. The proposed approach is implemented in Python, and its efficiency is assessed with performance metrics. The acquired results are compared with the existing IDS-CNN-GPSO [27], IDS-CNN-LSTM [28] and IDS-CNN-ML-AIDS [29] methods.
The remainder of the manuscript is structured as follows: the literature survey is discussed in section 2, the proposed methodology is illustrated in section 3, and section 4 presents the results with discussion. Finally, the conclusion is presented in section 5.
Literature review
Numerous studies related to network intrusion detection have previously been suggested in the literature; some recent works are described here.
Qazi et al. [27] have suggested one-dimensional CNN-based deep learning for the detection of network intrusion. DoS Hulk, DDoS, and DoS Goldeneye were some kinds of network intrusions belonging to the active attack type, whereas PortScan belongs to the passive attack category. The benchmark CICIDS2017 dataset was used. Network intrusion identification was treated as a category of anomaly identification to categorize network anomalies. It provides high accuracy and low precision.
Kim et al. [28] have presented AI-IDS: application of deep learning to real-time Web intrusion detection. To extract the real-time HTTP traffic features without encryption, scaling entropy, or compression, the method uses the best CNN, a long short-term memory network, and normalized UTF-8 character encoding. AI-IDS can differentiate sophisticated attacks such as unknown patterns by training on payloads whose true or false positives were examined with a labeling tool. It provides high accuracy and high computation time.
Maseer et al. [29] have presented a benchmarking of machine learning for anomaly-based intrusion detection schemes on the CICIDS2017 dataset. It examines prior research on AIDS using a set of criteria with various datasets and attack kinds to establish benchmark results that disclose the most effective AIDS approaches, parameters, and testing criteria. Moreover, 10 successive supervised and unsupervised ML approaches were considered to find effective ML-AIDS for networks. Because time complexity was a significant element in AIDSs, the training and testing time for MLAIDS was also taken into consideration while evaluating their performance effectiveness. It provides high accuracy and low precision.
Aldarwbi et al. [30] have presented an innovative network intrusion detection scheme named "sound of intrusion". The presented method converts the features of traffic flow into waves, then uses advanced audio/speech identification deep-learning-based strategies for detecting intruders. Certain deep-learning-based methods, such as deep belief networks, long short-term memory, and convolutional neural networks, were used. The presented method was validated on the NSLKDD and CIC-IDS2017 datasets. It provides high accuracy and low precision.
Ravi et al. [31] have presented a recurrent deep learning-based feature fusion ensemble meta-classifier method for a smart network intrusion detection scheme. An end-to-end model was presented for network attack identification and classification utilizing deep learning-based recurrent models. The presented method extracts the features of the hidden layers of the recurrent models, then utilizes kernel-based principal component analysis feature selection to find the better features. An ensemble meta-classifier was used to categorize data by fusing the best features of the recurrent models. It provides high accuracy and low precision.
Proposed methodology
This manuscript proposes an Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm for network intrusion detection (IDS-AANN-OCSA). Figure 1 depicts the block diagram of the proposed IDS-AANN-OCSA technique. A comprehensive description of the Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm for intrusion detection is given below.

Figure 1. Block diagram of the proposed IDS-AANN-OCSA technique.
This research work depends on the benchmark intrusion dataset CICIDS-2017, since it has a variety of features and satisfies the criteria. This dataset is favorable as it covers more network attacks. The dataset was created by the University of New Brunswick and the Canadian Institute for Cybersecurity. It includes normal and abnormal network traffic; benign is normal, and abnormal network traffic refers to various types of attacks, obtained by capturing the data of five continuous days. The obtained data is separated into eight files. The eight separate files are combined into a single file, and this single file served as the foundation for the entire work. There are 2,830,743 samples in 5 classes. Table 1 tabulates the count of instances per class.
Table 1. Classes of CICIDS-2017
This section discusses pre-processing utilizing random forest along with local least squares. In general, local least squares imputation follows 2 phases: (i) the Pearson correlation coefficient (PCC) is applied to reduce duplicate and redundant data in the dataset; (ii) the PCC output is given to the next stage, where the missing values are replaced depending on deterioration along with estimation. Consider a record $d_1$ that contains $m$ features and $x$ missing values. To recover all $x$ values in any position, first identify the closest neighbour record vectors for $d_1$. The $x$ components of every record that sit at the positions of the missing values in $d_1$ are neglected while detecting similar records. Build a matrix $M \in S^{p \times (l-x)}$, where $M$ denotes a 2D matrix whose row count equals the number of nearest neighbors $p_i$, where $i = 1, 2, \ldots, 7$. The number of columns is equal to the total number of features $l$ less the number of columns containing missing values $x$.
Build a matrix $N \in S^{p \times x}$, where $N$ denotes a 2-dimensional matrix whose row count equals the number of closest neighbors $p_i$, where $i = 1, 2, \ldots, 7$. The column count is equal to the number of columns containing missing values $x$. Construct a vector $y \in S^{(l-x) \times 1}$, where $y$ denotes a 1-dimensional matrix whose entry count equals the total number of features $l$ less the number of columns having missing values $x$. With the matrices $M$ and $N$ and the vector $y$, the least squares problem is given in Equation (1)
The vector $a = (\alpha_1, \alpha_2, \alpha_3, \ldots, \alpha_x)^T$ of x missing value is determined through Equation (2),
Let $n_p$ represent the $p$-th closest neighbor; the regression coefficient corresponding to that neighbor is $q_p$. This keeps the classifier from being biased towards highly recurrent records. This pre-processing stage eliminates each superfluous datum, then replaces the missing values in the dataset.
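The neighbour-based fill described above, as an added example that is not the paper's code. Equations (1) and (2) are not reproduced on this page, so the sketch assumes the standard local least squares formulation (minimise $\|M^T q - y\|$, then take $a = N^T q$); the function names, the small ridge term and the sample records are constructed for illustration.

```python
import math

def solve(A, b):
    """Solve the square system A z = b by Gaussian elimination with pivoting."""
    n = len(A)
    aug = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(aug[r][c]))
        if abs(aug[piv][c]) < 1e-15:
            raise ValueError("singular system")
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(c + 1, n):
            f = aug[r][c] / aug[c][c]
            for k in range(c, n + 1):
                aug[r][k] -= f * aug[c][k]
    z = [0.0] * n
    for r in range(n - 1, -1, -1):
        tail = sum(aug[r][k] * z[k] for k in range(r + 1, n))
        z[r] = (aug[r][n] - tail) / aug[r][r]
    return z

def lls_impute(d1, complete, p=3, ridge=1e-9):
    """Fill the None entries of record d1 from its p nearest complete records."""
    miss = [j for j, v in enumerate(d1) if v is None]
    obs = [j for j, v in enumerate(d1) if v is not None]
    if not miss:
        return list(d1)
    p = min(p, len(complete))

    # Neighbour search ignores the positions that are missing in d1.
    def dist(rec):
        return math.sqrt(sum((rec[j] - d1[j]) ** 2 for j in obs))

    neigh = sorted(complete, key=dist)[:p]
    M = [[rec[j] for j in obs] for rec in neigh]    # p x (l - x)
    N = [[rec[j] for j in miss] for rec in neigh]   # p x x
    y = [d1[j] for j in obs]                        # (l - x) x 1
    # Assumed Equation (1): min_q ||M^T q - y||^2, solved through the normal
    # equations (M M^T + ridge*I) q = M y; the ridge keeps the system
    # solvable when neighbours are nearly collinear.
    G = [[sum(u * v for u, v in zip(M[i], M[k])) + (ridge if i == k else 0.0)
          for k in range(p)] for i in range(p)]
    rhs = [sum(u * v for u, v in zip(M[i], y)) for i in range(p)]
    q = solve(G, rhs)                               # one coefficient per neighbour
    # Assumed Equation (2): a = N^T q, the estimates of the x missing values.
    a = [sum(q[i] * N[i][c] for i in range(p)) for c in range(len(miss))]
    out = list(d1)
    for j, v in zip(miss, a):
        out[j] = v
    return out

# Constructed, already scaled flow records (four hypothetical features each).
COMPLETE = [
    [1.0, 2.0, 0.0, 10.0],
    [0.0, 2.0, 2.0, 20.0],
    [9.0, 9.0, 9.0, 90.0],
    [8.0, 7.0, 9.0, 80.0],
]

if __name__ == "__main__":
    # The last feature is missing; the two nearest records are the first two.
    print(lls_impute([0.5, 2.0, 1.0, None], COMPLETE, p=2))
```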
This section discusses feature selection based on genetic particle swarm optimization (GPSO). Feature selection is the procedure of selecting valuable features. It contributes to exact identification results. The major aims of this feature selection process are to decrease overfitting and training time and to enhance identification accuracy. GPSO selects reduced feature sets from the intrusion datasets. The inappropriate features having lesser correlation with the class are selected with the help of GPSO.
Stepwise procedure for hybrid genetic and particle swarm optimization technique (GPSO) based feature selection
In this section, the stepwise process of the GPSO algorithm for feature selection is discussed.
Step 1: Initialization
Initialize the particle population as $\vartheta$ $(m_{pop} \times m_{dims})$ to set up a position vector and the $(n_{population} \times n_{dimensions})$ step vector for the swarm agents.
Step 2: Random Generation
The input parameters for genetic and particle swarm optimization are arbitrarily selected. The pbest and gbest values identified over the entire swarm are used for updating velocity and position. In this step, the best fitness values are chosen depending on the pbest and gbest values.
Step 3: Determination of Fitness function
The random solution is generated from the initialization values. This solution is evaluated, and the objective function, which represents the optimization of the parameter values of the generator module and the selection of the optimal parameters, is shown in Equation (6)
Step 4: Search Behavior of GPSO
The investigation of GPSO performance uses the multimodal Schwefel function and the unimodal Sphere function, which have been introduced in the supplementary file. The convergence of the average fitness value is derived by canonical PSO with global topology (GPSO) for comparison. Furthermore, the D-value is the mean variation between the fitness of exemplars and particles in GLSO.
Step 5: Termination
Stop the process after attaining the optimum solution via the initial resolution. If it attains the optimum solution, then repeat step 3 iteratively until the halting criterion is met. GPSO selects 15 ideal features; these features raise the speed of classification and lessen the calculation and running time. Table 2 displays the selected 15 features.
Table 2. Features selected using GPSO
The selected features are fed to the Adaptive Artificial Neural Network (AANN) for categorization, which categorizes the data as Benign, DoS Hulk, PortScan, DDoS and DoS Golden Eye. AANN are useful for jobs involving insufficient data sets, fuzzy or unclear information, and highly complex and ill-defined problems where humans make intuition-based decisions. They can solve non-linear problems and learn from examples. They are strong and fault-tolerant. AANN could not handle higher accuracy with precision as in logic and arithmetic. ANN is successfully employed in various fields. The Adaptive Artificial Neural Network (AANN) is chosen because it tackles more of the flaws that arise from the existing models. Because it addresses issues arising from real-world word classification difficulties, AANN is selected as the preferred classification model. AANN is approximately 10 times faster than existing models. AANN has the benefit of parallel processing that utilizes every core of the machine it is working on. AANN's portability makes it easy and convenient. Therefore, the feasibility provided by AANN is immense and not tied to a particular platform, so attack type classification utilizing AANN is platform independent. Regularization is a noteworthy aspect of AANN, because it averts data overriding problems.
The approximate signal on the network $x(l)$ is modeled using Equation (7),
So, a vector $v$ with $i$ components $v_j$ forms the input layer of the RBF, the hidden layer has $h$ neurons, and the output layer is expressed in Equation (8),
Then the energy function can be calculated using Equation (10),
To decrease E, the steepest descent approach is used, which needs the gradients for updating the incremental modifications to every specific parameter. The gradients of E are computed using Equation (11),
Each parameter's incremental changes are simply the inverse of their gradients. Each coefficient of the network is updated in accordance with Equation (12),
In this study, the Adaptive Artificial Neural Network (AANN) classifier is strengthened by the oppositional crow search algorithm (OCSA) to find the ideal parameters. Here, the OCSA is utilized to fine-tune the Adaptive Artificial Neural Network hyper parameters. For constraint construction, certain methods are typically used, such as grid exploration, manual exploration, and random exploration. However, these investigations have an uncommon weakness with regard to repetition time, and there is no known inquiry created through deceit. To overcome this problem, the oppositional crow search algorithm is employed. The stepwise process of the oppositional crow search algorithm is given below.
The Oppositional Crow Search Algorithm (OCSA) is an innovative meta-heuristic algorithm. In general, crows are considered to be among the smartest and most intellectual birds. On the basis of brain-to-body ratio, its brain is somewhat smaller than a human brain. They possess special abilities like self-awareness and the capacity to make tools. They employ tools to remember where their food has been hidden for certain months. Every crow follows other crows' hiding spots and steals their food while the owner isn't looking. As a result, every crow takes additional measures to store its food in a safe location. Also, when they feel threatened by other crows, they alter their course to prevent those crows from locating where the food is. The step-by-step procedure to get the best optimal values of the Adaptive Artificial Neural Network (AANN) classifier, depending on deep learning utilizing OCSA, is discussed here. Initially, OCSA optimizes the weight parameter E of the Adaptive Artificial Neural Network classifier. The optimal solution is updated through the Oppositional Crow Search approach. The flowchart of the oppositional crow search algorithm is shown in Fig. 2. The stepwise process is described below.
Fig. 2. Flowchart for the Oppositional Crow Search Algorithm to optimize AANN.
Step 1: Initialization
Initialize the number of crows (flock size) and the dimension of the environment (dimension of the problem) using Equation (13),
here $x_{i,iter}$ specifies position of crow in specific
Step 2: Random Generation
After initialization, the weight parameters E of the Adaptive Artificial Neural Network classifier are randomly generated for classifying the attacks accurately.
Step 3: Fitness Function
Create the random solution from the initialization values. This solution is evaluated, and the objective function, which represents the optimization of parameter E of the Adaptive Artificial Neural Network classifier, is expressed in Equation (14),
Step 4: Generate New Location within the Search Space for optimizing E of Adaptive Artificial Neural Network classifier.
The awareness probability of a crow is another crucial factor that affects the searching capacity of crows. Crows search a local area and, with less awareness, are more likely to locate a good solution in their existing local area, which is identified using Equation (15),
Step 5: Updating the Position of Crow
In OCSA, the location of a crow is updated with an arbitrary location, and the accurate state is defined using Equation (16) as follows,
Step 6: Termination
The oppositional crow search algorithm (OCSA) is used to optimize the weight parameter E of the Adaptive Artificial Neural Network classifier, which accurately classifies the attack types as Benign, DoS Hulk, PortScan, DDoS and DoS Golden Eye. Step 3 is repeated iteratively until the halting criterion X = X + 1 is fulfilled. Finally, the Adaptive Artificial Neural Network classifier (AANN) accurately categorizes the attack types by using the oppositional crow search algorithm (OCSA).
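The search loop of Steps 1 to 6, as an added example that is not the paper's implementation. Equations (13) to (16) are not reproduced on this page, so the sketch assumes the standard crow search update with opposition-based initialization; the flight length, awareness probability, bounds and the quadratic stand-in for the classifier's loss are constructed for illustration.

```python
import random

def opposite(x, lb, ub):
    """Opposition-based learning: mirror each coordinate inside its bounds."""
    return [l + u - v for v, l, u in zip(x, lb, ub)]

def ocsa(fitness, lb, ub, flock=20, iters=200, fl=2.0, ap=0.1, seed=0):
    """Minimise fitness over the box [lb, ub]; returns (best_x, best_f, history)."""
    rng = random.Random(seed)
    dim = len(lb)

    def rand_point():
        return [rng.uniform(lb[d], ub[d]) for d in range(dim)]

    # Initialization: a random flock plus its opposite flock, keep the fittest.
    pool = [rand_point() for _ in range(flock)]
    pool += [opposite(x, lb, ub) for x in pool]
    pool.sort(key=fitness)
    pos = [p[:] for p in pool[:flock]]
    mem = [p[:] for p in pos]             # each crow's best hiding place so far
    mem_f = [fitness(m) for m in mem]     # fitness of every memory
    history = [min(mem_f)]
    for _ in range(iters):
        for i in range(flock):
            j = rng.randrange(flock)      # crow i follows a randomly chosen crow j
            if rng.random() >= ap:
                # Crow j is unaware: crow i moves towards j's hiding place.
                r = rng.random()
                new = [pos[i][d] + r * fl * (mem[j][d] - pos[i][d])
                       for d in range(dim)]
            else:
                # Crow j is aware: crow i is led to a random position.
                new = rand_point()
            # Only feasible positions are accepted; memory keeps the best one.
            if all(lb[d] <= new[d] <= ub[d] for d in range(dim)):
                pos[i] = new
                f = fitness(new)
                if f < mem_f[i]:
                    mem[i], mem_f[i] = new[:], f
        history.append(min(mem_f))
    best = min(range(flock), key=lambda k: mem_f[k])
    return mem[best], mem_f[best], history

def toy_validation_loss(h):
    """Constructed stand-in for a classifier's validation loss over two
    tunable parameters; its minimum (0.0) is at h = [1.0, -2.0]."""
    return (h[0] - 1.0) ** 2 + (h[1] + 2.0) ** 2

LB, UB = [-5.0, -5.0], [5.0, 5.0]

def demo():
    return ocsa(toy_validation_loss, LB, UB)

if __name__ == "__main__":
    best_x, best_f, hist = demo()
    print(best_x, best_f, len(hist))
```

To tune a real classifier, replace `toy_validation_loss` with a function that trains or evaluates the model for a given parameter vector and returns its validation loss.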
This section illustrates the results of the Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm for network intrusion detection. The simulation is carried out in Python with TensorFlow on a Core i7 CPU. To verify the performance of the proposed approach, the performance metrics are examined. The proposed approach is compared with other existing approaches, namely the IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS methods respectively.
Performance metrics
To scale the performance metrics, the following confusion matrix is required. True Positive (CP): Normal properly identified into Normal. True Negative (CN): Anomaly properly identified into Anomaly. False Positive (WP): Anomaly improperly identified into Normal. False Negative (WN): Normal improperly identified into Anomaly.
Accuracy
It calculates the proportion of precise forecasts to the overall number of proceedings in the dataset. It is computed by Equation (17),
This is described as the classifier's capacity to compute usual data in all circumstances. This is determined by Equation (18),
This is the count of real positives that are properly predicted. It is calculated by Equation (19),
It is called the true negative rate, scaled by Equation (20)
This is the harmonic mean of recall and precision, computed through Equation (21),
This is described as the ratio of the number of records that are correctly categorized to the number of all modified events. It is determined by Equation (22),
Tables 3–7 show the performance metrics. The performance is compared with the existing IDS-CNN-GPSO [27], IDS-CNN-LSTM [28] and IDS-CNN-ML-AIDS [29] models.
Table 3. Accuracy (%) analysis for the dataset of CICIDS 2017
Table 4. Precision (%) analysis for the dataset of CICIDS 2017
Table 5. F-measure (%) analysis for the dataset of CICIDS 2017
Table 6. Sensitivity (%) analysis for the dataset of CICIDS 2017
Table 7. Execution time analysis for the dataset of CICIDS 2017
Table 3 depicts the accuracy analysis for the dataset of CICIDS 2017. The proposed IDS-AANN-OCSA method attains 15.55%, 18.28% and 21.68% higher accuracy for BENIGN attack; 18.88%, 22.11% and 23.95% higher accuracy for DoS Hulk; 17.71%, 16.87% and 20.86% higher accuracy for Port scan; 17.67%, 22.86% and 19.56% higher accuracy for DDoS; and 16.66%, 18.87% and 19.98% higher accuracy for DoS Golden Eye, compared with the existing IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS models.
Table 4 depicts the precision analysis for the CICIDS 2017 dataset. Here the proposed IDS-AANN-OCSA method attains 19.91%, 20.15% and 25.16% higher precision for BENIGN attack; 18.85%, 20.34% and 22.33% higher precision for DoS Hulk; 19.57%, 16.47% and 20.59% higher precision for Port scan; 17.33%, 23.28% and 18.37% higher precision for DDoS; and 20.15%, 19.94% and 23.58% higher precision for DoS Golden Eye, compared with the existing IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS models.
Table 5 tabulates the F-measure analysis for the dataset of CICIDS 2017. The proposed IDS-AANN-OCSA method attains 18.92%, 21.84% and 27.36% higher F-measure for BENIGN attack; 17.36%, 20.91% and 21.61% better F-measure for DoS Hulk; 18.32%, 18.93% and 27.25% higher F-measure for Port scan; 15.68%, 22.57% and 19.26% better F-measure for DDoS; and 21.98%, 28.57% and 19.18% better F-measure for DoS Golden Eye, compared with the existing IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS models.
Table 6 depicts the sensitivity analysis for the CICIDS 2017 dataset. The proposed IDS-AANN-OCSA method attains 18.78%, 25.76% and 12.67% higher sensitivity for BENIGN attack; 16.67%, 19.67% and 27.89% higher sensitivity for DoS Hulk; 20.78%, 13.78% and 28.87% higher sensitivity for Port scan; 23.87%, 14.67% and 11.89% higher sensitivity for DDoS; and 16.66%, 18.87% and 19.98% higher sensitivity for DoS Golden Eye, compared with the existing IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS models.
Table 7 depicts the execution time (%) comparison for the dataset of CICIDS 2017. The proposed IDS-AANN-OCSA method attains 18.43%, 29.56% and 17.89% lower execution time compared with the existing IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS methods.
The Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm is implemented successfully for network intrusion detection. The CICIDS 2017 dataset is applied to assess the performance of the proposed method. The proposed IDS-AANN-OCSA attains better precision of 89.58%, 87.34%, 87.25%, and 86.34% and better F-Measure of 91.48%, 90.12%, 98.16% and 95.14% compared with the existing IDS-CNN-GPSO, IDS-CNN-LSTM and IDS-CNN-ML-AIDS methods respectively. Future research will analyze deep learning-based intrusion detection schemes under various data sets and classifiers. IoT is gaining attention among organizations and individual users. Because there are several operational and security challenges, switching to an IoT platform is not a simple process. Security assurance for the data outsourced in IoT is vital owing to the huge data storage in IoT. Hence, the proposed Adaptive Artificial Neural Network Optimized with Oppositional Crow Search Algorithm based IDS plays a significant role. Future work will focus on creating a safe IDS for blockchain-based anomaly detection as well as a powerful defense system for IDS nodes against sophisticated insider attacks.
