Hybrid Weighted K-Means Clustering and Artificial Neural Network for an Anomaly-Based Network Intrusion Detection System

3.1 K-Means Clustering Algorithm

K-means clustering is a clustering investigation algorithm that combines objects on the basis of their attribute value into K^k disjoint clusters. With the help of the utilization of equivalent values, similar objects can be separated into a cluster. Here, K^k is a positive integer denoting the number of clusters, and has to be specified. The steps of the K-means clustering algorithm are as follows:

1. Define the number of clusters K^k.

2. Initialize the K^k cluster centroids. This can be done by arbitrarily dividing all objects into K^k clusters, computing their centroids (C^c), and verifying that all centroids (C^c) are different from each other. Alternatively, the centroids (C^c) can be initialized to K^k arbitrarily chosen, different objects.

3. Iterate over all objects and calculate the distances to the centroids (C^c) of all clusters. Allocate each object to the cluster with the nearest centroid (C^c).

4. Recalculate the centroids (C^c) of both adapted clusters.

5. Repeat step 3 until the centroids do not change anymore.

The K-means algorithm is very effective if utilized to cluster large information sets; however, its imperfections are also very perceptible, as follows:

• It can only cluster numeric information because of the constraint of Euclidean distance.

• The clustering consequences are connected with the input series of objects and the first clustering centers.

• The K-means algorithm utilizes Euclidean distance to endorse the modification of information via this type of measuring technique. It usually comprises all characteristics of the information and undertakes that each and every characteristic is proportionate to the coldness, so it frequently causes ambiguity, i.e. the so-called curse of dimensionality [5].

• In the K-means algorithm, each information point has equivalent significance in discovering the centroid of the cluster. This method is not lengthier. Consequently, the clustering algorithm has to deliberate a weight accompanying each information point in the calculation of cluster centers. The anticipated allowance to the K-means algorithm is known as the weighted K-means (Figure 1).

Figure 1:

Basic Diagram of Data Clustering.

4.1 WKMC-Based Clustering Module

The main aim of the weighted K-means cluster module is to allocate a particular set of information into clusters. The training set (TR) is gathered into numerous subsets using the clustering module. The authenticity of the size and difficulty of each and every training subset will decrease, and also the effectiveness and efficacy of the succeeding NN modules can be enhanced. WKMC is an information clustering algorithm; in this, all points are subjected to clustering to a proposed degree with the help of a membership grade. It is based on minimization of the below-pointing performance specified in the equation in the clustering module:

where q=(q₁,...q_l,...,q_L)^T indicates the number of cluster centers. dis (ai, ql)=∥welei∥2∥ai−sl∥2 denotes the weighted Euclidean distance among cluster data a_c and the cluster center q_l. Consequently, the objective function O can be assessed as an addition of weighted Euclidean distance that must be diminished in terms of p and q. O is not convex with respect to p and q uninterruptedly; however, when p is fixed, O is convex with reference to q. Thus, the optimum sub-array allocates can be originated with the help of refining correspondingly the grouping vector p and the cluster center q step by step. The detailed iterative process of the proposed technique is as follows:

1. Deliberate the information point and conforming weights:

   a=[a1, a2, …, ai] and w=[w1, w2, …, wi].

2. Fix the maximum number of iterations, t_max. The initial L-partition of R is represented as p⁽⁰⁾, and the set of initial L cluster centers is q(0)=(q1(0), …, ql(0), …, qL(0))T, where the cluster center ql(0) is computed as

   (3)∂O∂ql(0)  =  ∂  [ ∑l=1L ∑pi=l(0)  ‖wi‖2  ‖ ai−ql(0)‖2]

   (4)= 2 ∑l=1L ∑pi=l(0) ‖wi‖2 ql(0)  − 2 ∑l=1L ∑pi=l(0) ‖wi‖2 ai

   = 0.

   It is found that sl(0) has the close form solution of

   ql(0)=∑pi = l(0)∥wi∥2 ai∑pi = l(0)∥wi∥2,i=1, …, N; l=1, …, L.

3. When the group of cluster center q is fixed, the objective performance is minimized over g with the help of grouping the clustering vectors to their adjacent cluster center to minimize dist(a_c, q_l); hence, the membership can be labeled as

   (5)pi(t + 1)=arg min dist(ai, ql(t))l

   (6)=arg min∥wi∥2l ∥ai, ql(t)∥2.

   If dist (ai, ql(t)) is the minimum distance from the cluster center, so that p_c=l, then that signifies the i^th element fits the l^th subgroups.

4. Affording to the memberships p^(t+1) obtained in step 3, the novel cluster center ql(t + 1) will be computed using Eq. (7):

   (7)ql(t + 1)=∑pi = l(t + 1)∥wi∥2∑pi = l(t + 1)∥wi∥2,i=1, 2, …, N; l=1, 2, …, L.

5. Repeat step 3 and step 4 until the cluster center is firmly converged or the iteration index t>t_max. When the first cluster is designated arbitrarily, the processing cannot assure a global optimum; henceforth, it is required to implement various numbers of times with dissimilar initial clusters, and at that time select the optimal subgroup partition according to the minimum excitation matching error.

Subsequent to the clustering processes, we accomplish the K_C number of clusters on the basis of the centroid. This K_C number of clusters specifies the K_C number of ANNs. In Figure 3, the flow diagram of the proposed WKMC algorithm is portrayed.

Figure 3:

Flow Diagram of the Proposed WKMC Algorithm.

4.2 ANN-Based Intrusion Detection Module

Each obtained output cluster from the WKMC algorithm is trained using K_C numbers of ANN classifier. The current IDS suffers from low detection accuracy and insufficient system robustness for new and rare security breaches. To improve the efficiency of the IDS after the clustering process, we utilize the classification process. Here, the numbers of cluster and neural networks are identical. The ANN module is characteristic of the feature of each subset. Actually, the ANN indicates the physically intensified type of distributed assessment. The network unites the input layer and an output layer with one or more unseen layers in between the input and the output layers. Every established consequence cluster from the WKMC is practiced with the help of K_C numbers of ANN classifier, as specified in Figure 4.

Figure 4:

Structure of the Neural Network Training Stage.

The ANN module is chiefly utilized to study the arrangement of each and every subset. ANN is a physically stimulated outlet of disseminated calculation. It is linked to simple processing units and a mixture of them. In this paper, we employ classic feed-forward neural networks trained with the back-propagation algorithm to predict intrusion. A feed-forward neural network holds an input layer, an output layer, and one or more unseen layers among the input and output layers. The ANN performances are as follows.

Each node x in the input layer has information I_x as the network’s input, multiplied with the help of a weight value among the input layer and the unseen layer. Each node y in the unseen layer obtains the data H_y, as follows:

and is then passed through the bipolar sigmoid activation functions given in Eq. (9):

The output of the activation function f(In(y)) is then to broadcast all of the neurons to the output layer:

where θ_y and θ_k are the biases in the unseen layer and the output layer. The output value will be associated with the target; in this paper, we utilized the mean absolute error as an error function:

where n represents the number of training patterns, Y_k represents the output value, and T_k represents the target value. In this, if the obtained error value is maximum, the weight value is updated until the minimum error value is obtained. The weight value is adjusted based on Eq. (12):

where t represents the number of epochs and η represents the learning rate. To speed up the convergence of the error in the learning process, the momentum with the momentum gain β is incorporated into Eq. (12):

Here, the value for β is between 0 and 1. In a particular stage, we obtain the minimum error. That ANN structure weight value is stored, and this value is given to the testing process.

4.3 Testing Phase

After the training phase, we accomplish the testing procedure. At this point, initially we have provided the testing information into the preprocessing stage. The preprocessed information is then provided to the clustering procedure. At this point, the information is assembled on the basis of the WKMC procedures. Thereafter, the clustered information is delivered to the consistent neural network. The trained conforming neural network weights are allocated to the testing procedures. On the basis of the weight, we attain the score value. As a final point, we check whether the provided information is intruded or not on the basis of the threshold value. A score value beyond the threshold means the information is intruded and the information is normal. Therefore, the obtained score value is measured with Eq. (14) for classifying the information:

5.1 Dataset Description

The KDD CUP 99 dataset is chiefly utilized to inspect and assess the procedure of the anticipated technique. The form of the unique 1998 DARPA intrusion recognition assessment program is utilized here for KDD CUP 99. It also one of the publically available information sets that have actual attacks [16]. Thus, at this time, for design and scrutiny of our intrusion detection scheme, we used this dataset. For a period of 9 weeks, the KDD CUP 99 dataset was analyzed from TCP dump information. The assortment of data of network traffic activities comprise both standard and malicious relations that include five million reports as training information and two million reports as test data. Forty-one landscapes were identified using each case that is clear as either normal or an attack. From both training and testing information, the total attacks were originated. These attacks can be categorized as four kinds: PROBE, remote to local, denial of service, and consumer to root [28]. The KDD CUP 99 datasets are available in three different files. They are the KDD full dataset that has 4,898,431 occurrences, the KDD CUP 10% dataset that has 494,021 instances, and the KDD modified dataset that has 311,029 instances. The analysis used 38 continuous or discrete arithmetic attributes and three categorical attributes, for a total of 41 attributes. Each illustration is obvious as either normal or one exact attack. The dataset comprises one normal and 22 various attacks, for a total of 23 class labels. The 22 attacks can be categorized into four categories of the aforementioned attacks [12]. The KDD CUP 99 dataset is huge in size and very sensitive to experimental procedures. Consequently, we utilized only 10% of the KDD CUP 99 dataset for our experimentation.

5.2 Evaluation Metrics

The evaluation metrics utilized in our proposed technique are true positive (TP), true negative (TN), false positive (FP), and false negative (FN). At this time, TP indicates the amount of an appropriately classified attack. A TP is a symbol of correctly perceiving the incidences of attacks in an intrusion detection scheme. TN indicates the number of valid records that are appropriately classified. A TN stipulates that the IDS has not made an error in noticing a normal circumstance. FP refers to records that were erroneously categorized as attacks, while in fact, they are valid occurrences. An FP stipulates the wrong detection of a specific attack with the help of IDS. An FP is frequently produced because of lost recognition conditions, and it characterizes the accuracy of the detection scheme. FN indicates the records that were wrongly classified as valid activities, while in fact, they are attacks. An FN specifies that the IDS is incapable of noticing the intrusion after a specific attack has transpired. The function of our intrusion detection scheme is appraised using: (i) accuracy, (ii) sensitivity, (iii) specificity, (iv) map, (v) root mean square error (RMSE), (vi) mean absolute deviation (MAD), and (vii) mean square error (MSE) on the basis of TP, TN, FP and FN.

• Accuracy

  The accuracy of our scheme is obtained by using the expression below:

  Accuracy=TP+TNTP+TN+FP+FN.

  Accuracy means the probability in which our proposed scheme can promptly predict positive and negative examples.

• Sensitivity

  Sensitivity means the probability that the algorithms can correctly predict positive examples:

  Sensitivity=TPTP+FN.

• Specificity

  Specificity means the probability that the algorithms can properly foresee negative examples:

  Specificity=TNTN+FP.

5.3 Comparative Analysis

Our proposed method is distinguished from the prevailing methods like the K-means clustering+ANN method in this section. At this point, the accuracy, specificity, sensitivity, mean absolute percentage error (MAPE), and MAD of the anticipated WKMC+ANN and the prevailing method is engaged for different cluster sizes like 10, 15, 20, 25, and 30 shows in Table 1.

We established that the accuracy of our anticipated technique is 88% for cluster size 10 and 89% for cluster size 15 from Table 1, and that it is superior to the accuracy of the available process that has 78% accuracy for cluster size 10 and 81% for cluster size 15, etc. In Table 1, we obtain a maximum accuracy of 92%. Similarly, the sensitivity of occurrence from our anticipated technique is 80% for cluster size 10 and 83% for cluster size 15, i.e. better than the available scheme that has 76% sensitivity for cluster size 10 and 74% for cluster size 15. Similarly, the value of the specificity of our proposed method is greater than the specificity of the existing method.

5.3.1 Comparative Analysis of Other Important Measures

In this section, we compare our proposed work with the existing work based on the following metrics: MAPE, MSE, and RMSE. This comparison is also used to prove the effectiveness of the approach.

MSE:

MSE=1N∑t = 1N(Pt−Dt).

MAPE:

MAPE=1N ∑t = 1N|Pt−DtPt.|

RMSE:

RMSE=∑t = 1N (Pt−Dt)2N.

Figure 5 shows the performance comparison of MAPE plots by varying cluster counts. From Figure 5, the MAPE of our proposed method is 0.16 for cluster size 10 and 0.22 for cluster size 15, whereas the values are 0.22 and 0.25 for the existing approach. Likewise, Figure 6 shows the performance comparison of RMSE plots by varying cluster counts. The RMSE of our proposed method is 0.08 for cluster size 10 and 0.12 for cluster size 15, which are lower than those of the existing method: 0.16 for cluster size 10 and 0.19 for cluster size 15. Likewise, the values for the MSE of our proposed method is lesser than the specificity of the existing method, which indicates that our proposed method is better than the existing IDS (Figure 7).

Figure 5:

Performance Comparison of MAPE Plots by Varying Cluster Counts.

Figure 6:

Performance Comparison of RMSE Plots by Varying Cluster Counts.

Figure 7:

Performance Comparison of MSE Plots by Varying Cluster Counts.