Professional Documents
Culture Documents
Journal of Experimental & Theoretical Artificial Intelligence
Journal of Experimental & Theoretical Artificial Intelligence
Journal of Experimental & Theoretical Artificial Intelligence
To cite this article: Lin Feng (2011): An intrusion detection approach based on multiple rough
classifiers integration, Journal of Experimental & Theoretical Artificial Intelligence, 23:2, 223-231
This article may be used for research, teaching, and private study purposes. Any
substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing,
systematic supply, or distribution in any form to anyone is expressly forbidden.
The publisher does not give any warranty express or implied or make any representation
that the contents will be complete or accurate or up to date. The accuracy of any
instructions, formulae, and drug doses should be independently verified with primary
sources. The publisher shall not be liable for any loss, actions, claims, proceedings,
demand, or costs or damages whatsoever or howsoever caused arising directly or
indirectly in connection with or arising out of the use of this material.
Journal of Experimental & Theoretical Artificial Intelligence
Vol. 23, No. 2, June 2011, 223–231
The study of intrusion detection techniques has been one of the hot spot topics in
the field of network security in recent years. For high-dimensional intrusion
detection data sets and a single classifier’s weak classification ability for data sets
with many classes, a novel intrusion detection approach, termed intrusion
detection based on multiple rough classifiers integration, is proposed. First,
some training data sets are generated from intrusion detection data by random
sampling. By combing rough sets and quantum genetic algorithm, a subset of
attributes is selected. Then, each simplified data set is trained, which establishes a
group of rough classifiers. Finally, the intrusion data classification result is
obtained according to the absolute majority voting strategy. The experimental
results illustrate the effectiveness of our methods.
Keywords: multiple rough classifiers; quantum genetic algorithm; the absolute
majority voting strategy; rough set; intrusion detection techniques
1. Introduction
With the rapid development of computer and Internet technology, network security issues
are becoming more and more important. There are different ways to implement security
which ensures that our computers do not get damaged. As an active-defence technique,
intrusion detection technique has attracted extensive attention by many researchers. Many
new intrusion detection ways are emerging constantly. For example, according to the
relationship between the antibody concentration and the pathogen intrusion intensity,
Li (2005) proposed an immunity-based model for the network security risk estimation.
Combining fuzzy inference system and statistics, Yan, Jiang, and Wu (2005) designed and
developed antibody formation and detection components of network intrusion detection
system based on immune mechanism. Lee and Heinbuch (2001) proposed a new network
intrusion detection method using artificial neural network techniques. Cai, Guan, Shao,
Peng, and Sun (2003) proposed an anomaly detection method based on rough sets theory,
which is used to monitor the process of non-normal behaviour. Rough sets could remove
useless information from incomplete, inaccurate data sets by attribute reduction (Simon,
Miroslav, and Mirko 1995; Skowron and Stepaniuk 2005). Therefore, it has unique
advantage to deal with high-dimensional intrusion detection data.
*Email: scfengyc@126.com
ISSN 0952–813X print/ISSN 1362–3079 online
ß 2011 Taylor & Francis
DOI: 10.1080/0952813X.2010.545998
http://www.informaworld.com
224 L. Feng
Network/host data
database after data filtering. Then, redundant attributes of data sets are reduced by
attributes reduction, and rough classifiers are created by rough decision rules through
value reduction steps. Finally, absolute majority voting stage is adapted to decide the final
classification result. If an intrusion data is identified, then the system sends the messages
to alerter.
IDMRCI is composed of two steps. First, creating multiple rough classifiers. Second,
classifying the intrusion detection data by multiple rough classifiers.
ði , i Þ
0 0 False 0.01 1 1 1 0
0 0 True 0.01 1 1 1 0
0 1 False 0.01 1 1 0 1
0 1 True 0.01 1 1 1 0
Downloaded by [Biblioteca Universidad Complutense de Madrid] at 08:15 24 September 2012
1 0 False 0.01 1 1 1 0
1 0 True 0.01 1 1 0 1
1 1 False 0.01 1 1 0 1
1 1 True 0.01 1 1 0 1
where
" #
cosðÞ sinðÞ
sinðÞ cosðÞ
is called a quantum rotation gate and is called a rotation angle such that ¼ ði , i ÞDi .
ði , i Þ and Di are called the direction and step length of rotation, respectively, where Di
affects the convergence speed and t is the current-evolving generation. The ith bit of
quantum bits in chromosome is
t
i
ti
Huang, Xu and, Yu (2009) point out the drawbacks of quantum rotation gate strategy of
the existing approaches, and a novel strategy of quantum rotation gate is developed, which
is given in Table 1.
Here xi is the ith bit in current chromosome and bi is the ith bit in current, the best
chromosome. And then, the fitness function values of the current individual and the best
individual are denoted by f ðxi Þ and f ðbi Þ, respectively.
1 A C B A C
2 B A C B A
3 C B A C B
j pj j 1
f ð pj Þ ¼ 1 ðC ðDÞp ðDÞÞ ð5Þ
jCj e j
Input: A decision table S, population size n, qubit length m and the maximum number of
iterations maxgen;
Output: An attribute reduction in S.
Step 1: Initialisation: Let P ¼ f p1 , p2 , . . . , pn g be a population size, where
pj ð j ¼ 1, 2, . . . , nÞ is the jth individual of population, which can be denoted as
j1 j2 . . . jm
pj ¼ :
j1 j2 . . . jm
pffiffiffi
Downloaded by [Biblioteca Universidad Complutense de Madrid] at 08:15 24 September 2012
Let ji , ji ði ¼ 1, 2, . . . , mÞ be 1= 2, which denotes all states superposition on the same
probability in initial search. The initial value of evolving generation g is 0.
Step 2: Quantum superposition observation state R, R ¼ fa1 , a2 , . . . , an g, could be
constructed according to the individual probability amplitude of P, where
aj ð j ¼ 1, 2, . . . , nÞ is a binary string with m length (i.e. aj ¼ b1 b2 . . . bm ), which denotes
each individual observation. The value of bk ðk ¼ 1, 2, . . . , mÞ is ‘0’ or ‘1’. The specific
process of observation generated by probability is given as follows: for probability
amplitude
t
i
ði ¼ 1, 2, . . . , n mÞ
ti
of each qubit in P, random number r in the range [0,1] is generated. If r 5 ji j2 , then
the corresponding observation value b is ‘0’. Otherwise, the corresponding observation
value b is ‘1’.
Step 3: According to formula (5), the fitness function f ð pj Þ is adopted to evaluate each
individual of population.
Step 4: If some individuals have the better fitness function values, then put the higher
probability into next generation.
Step 5: Combining quantum gate and all crossinterferences of quantum to update each
chromosome.
Step 6: g ¼ g þ 1, if g satisfies maxgen, then output an attributes reduction; otherwise, go
to Step 2.
4.1. Experiment 1
The purpose of Experiment 1 is to compare the classification performance of single rough
classifier method with multiple rough classifiers method. The evaluation criteria are the
true positive (TP) rate and the false positive (FP) rate. In the experiment, we use
the Nguyen improved greedy algorithm to discrete continuous-valued attributes and the
general attribute value reduction to generate decision rules. The minority priority
matching strategy is adopted for testing data. In QGA algorithm, initial population size
and the evolving generation are 100 and 1500, respectively. The experimental results are
given in Table 4.
4.2. Experiment 2
The purpose of Experiment 2 is to compare the performance of QGA with the GA under
the condition of multiple rough classifiers. Relative runtime is used to evaluate the
effectiveness of two algorithms. Parameter values of QGA algorithm is the same as
Experiment 1. In GA, the population size, the single-point crossover probability and the
basic mutation probability are 100, 0.5 and 0.0005, respectively. The hardware parameter
values of computer are listed as: Intel 2.2 GHz, 2 GB and Windows XP. The results are
given in Table 5.
The results of Experiments 1 and 2 show that multiple rough classifiers method are the
higher TP rate and the lower FP rate than single classifier method. Consequently, multiple
rough classifiers have better performances for the complex intrusion detection data
classification problems. On the other hand, QGA has a lesser value of runtime than GA
230 L. Feng
for detecting attack types. So, IDMRCI could meet the real-time demand of intrusion
detection system.
5. Conclusions
In this article, we proposed an attribute reduction algorithm, which combines rough sets
and QGA. Next, a novel intrusion detection frame IDMRCI is developed. The
experimental results illustrate that multiple rough classifiers method has higher TP rate
and lower FP rate than single rough classifier method. These methods could meet the
demand of accuracy of real-time for an intrusion detection system, especially for the
complex intrusion detection data classification problems with many classes.
Acknowledgements
This study is supported by the Scientific Research Fund of Sichuan Provincial Education
Department under Grant No. 09ZC079 and the Key Research Foundation of Sichuan Normal
University, respectively.
References
Cai, Z.M., Guan, X.H., Shao, P., Peng, Q.K., and Sun, G.J. (2003), ‘A New Approach to Intrusion
Detection Based on Rough Set Theory’, Chinese Journal of Computers, 26, 361–366.
Han, K.H., and Kim, J.H. (2002), ‘Quantum-Inspired Evolutionary Algorithm for a Class of
Combinatorial Optimization’, IEEE Transactions on Evolutionary Computation, 6, 580–593.
Huang, L.M., Xu, Y., and Yu, R.Q. (2009), ‘Improved Quantum Genetic Algorithm and its
Application’, Computer Engineering and Design, 30, 1987–1990.
Journal of Experimental & Theoretical Artificial Intelligence 231
Lee, S.C., and Heinbuch, D.V. (2001), ‘Training a Neural-Network Based Intrusion Detector to
Recognize Novel Attacks’, IEEE Transactions on Systems, Man, and Cybernetics – Part A:
Systems and Humans, 31, 294–299.
Li, T. (2005), ‘Risk Detection about Network Security Based on Immune System’, Science in China
Series E: Information Sciences, 8, 798–816.
Li, T.R., Ruan, D., Geert, W., Song, J., and Xu, Y. (2007), ‘A Rough Set Based Characteristic
Relation Approach for Dynamic Attribute Generalization in Data Mining’, Knowledge-Based
Systems, 20, 485–494.
Simon, P., Miroslav, K., and Mirko, D. (1995), ‘A Rough Set Approach to Reasoning under
Uncertainty’, Journal of Experimental and Theoretical Artificial Intelligence, 7, 175–193.
Downloaded by [Biblioteca Universidad Complutense de Madrid] at 08:15 24 September 2012
Skowron, A., and Stepaniuk, J. (2005), ‘Hierarchical Modeling in Searching for Complex Patterns:
Constrained Sums of Information Systems’, Journal of Experimental and Theoretical Artificial
Intelligence, 17, 83–102.
Yan, Q., Jiang, Y., and Wu, J.P. (2005), ‘Antibody Generation and Antigen Detection
Component in Immune-Based Network Intrusion Detection System’, Chinese Journal of
Computers, 28, 1601–1607.
Yu, H.Y., and Fan, J.L. (2009), ‘Generalized Fuzzy Entropy Threshold Based on Quantum Genetic
Parameter Optimization’, Pattern Recognition and Artificial Intelligence, 22, 305–311.
Zhang, G.X., Li, N., Jin, W.D., and Hu, L.Z. (2004), ‘A Novel Quantum Genetic Algorithm and its
Application’, Acta Electronica Sinica, 32, 476–479.