Due to the exponential growth of e-business and of web-based computing capabilities offered on a pay-per-use basis, the risk from security threats also increases rapidly. As usage grows, identifying malicious attacks becomes very difficult because attack patterns change. Host machines in the network must therefore be monitored continually for intrusions, since they are the final endpoint of any network. The purpose of this work is to introduce a generalized neural network model that is able to detect network intrusions. Two recent heuristic algorithms inspired by the behavior of natural phenomena, namely the particle swarm optimization (PSO) and gravitational search (GSA) algorithms, are introduced. These algorithms are combined to train a feed-forward neural network (FNN), exploiting their complementary strengths to reduce the problems of getting stuck in local minima and of a time-consuming convergence rate. Dimension reduction focuses on using information obtained from the NSL-KDD data set to select a subset of features for discovering the type of attack. The detection of network attacks and the performance of the proposed model are evaluated under different patterns of network data.
Computer security has become an extremely important issue for computer network systems with the fast growth of computer networks over the web, which may be at risk of unauthorized access and intrusion. Intrusion detection is the process of recognizing security violations by watching and analyzing the events arising in a computer or network system, and it can provide a response to unauthorized activities (Yu, Wang, & Xi, 2008). Securing networks from intrusions or attacks is becoming more difficult as network technologies expand rapidly.
Classification, clustering, and regression techniques have all been applied to intrusion detection; several classification- and clustering-based techniques have been studied for the design of intrusion detection systems (IDS).
A multilayer perceptron (MLP) and a support vector machine (SVM) were used in (Tang & Cao, 2009) as different approaches for intrusion detection. The average detection rates for various attacks showed that the SVM outperforms the neural network. They used the KDD CUP'99 data set for their experiments.
A Distributed Time-Delay Neural Network (DTDNN) was selected in (Ibrahim, 2010) as the classification technique for intrusion detection, again on the KDD CUP'99 data set, and achieved a high classification rate. For intrusion detection, the authors of (Ibrahim, Badr, & Shaheen, 2012) used multilayer neural networks and Naïve Bayes as classification algorithms, with gain ratio as the feature selection algorithm for choosing the best features in each layer.
A three-layer network and a Naïve Bayes classifier were used in (Sharma & Mukherjee, 2012) as classification algorithms to enhance intrusion detection, using domain knowledge and Backward Sequential Elimination (BSE) as the feature selection technique. They used the NSL-KDD data set for their experiments.
In (Wahba, El Salamouny, & El Taweel, 2015), the authors proposed an improved approach for intrusion detection based on a hybrid of Correlation-based Feature Selection and Information Gain as feature selection methods, with Naïve Bayes as the classification algorithm, using a reduced NSL-KDD data set.
A hybrid multilevel network was selected in (Majeed, Hashem, & Gbashi, 2013) for an intrusion detection system. The system can detect both misuse and anomaly types by using a support vector machine and an ANN as multilevel classification methods, with Principal Component Analysis (PCA) as the feature selection algorithm, on the NSL-KDD data set.
In (Ahmad, Abdulah, Alghamdi, Alnfajan, & Hussain, 2015), the authors proposed a multilayer perceptron (MLP) for intrusion detection classification, using a Genetic Algorithm (GA) for feature selection on the KDD CUP'99 data set. The method is able to reduce the number of features while scoring a high detection rate, acting as a prime intrusion detection mechanism.
A combination of Bayes Net, Naïve Bayes, Random Tree, PART, C4.5, and the Attribute Selected Classifier was used in (Parvat & Chandra, 2015) as machine learning algorithms, on 20% of the KDD CUP'99 data set. The proposed work improved both the accuracy and the time complexity.
A simple classification algorithm (nearest neighbor classifier) and a feature selection technique (ant colony optimization) were used in (Aghdam & Kabiri, 2016) for an intrusion detection system. The experimental results on the KDD Cup 99 and NSL-KDD data sets provide higher accuracy in detecting intrusion attempts and a lower false alarm rate with a reduced number of features.
A new hybrid algorithm for classification and feature selection was proposed in (Sadek, Soliman, & Elsayed, 2013). A neural network based on an indicator variable was used as the classification method, while the rough set method was used for feature selection. The experimental results on the NSL-KDD data set show high detection accuracy with a low false alarm rate, giving better and more robust performance.
The KDD Cup 99 data set has many disadvantages (Kaushik & Deshmukh, 2011), discovered through different statistical analyses. The NSL-KDD data set (Brunswick, 2017) is an enhanced version of the KDD data set that retains the essential records of the complete KDD data set. The NSL-KDD data set has many advantages:
Att. No.  Attribute Name  Description  Sample data
1  Duration  Connection duration (seconds)  0
2  Protocol type  Protocol used in the connection  TCP
3  Service  Destination network service  FTP_data
4  Flag  Status of the connection  SF
5  Src bytes  Data transferred from source to destination  491
6  Dst bytes  Data transferred from destination to source  0
7  Land  1 if source and destination host/port are equal, 0 otherwise  0
8  Wrong fragment  Number of wrong fragments  0
9  Urgent  Number of urgent packets (urgent bit activated)  0
10  Hot  Number of "hot" indicators (enter system, execute program)  0
11  Num failed logins  Number of failed login attempts  0
12  Logged in  1 if successfully logged in, 0 otherwise  0
13  Num compromised  Number of compromised conditions  0
14  Root shell  1 if root shell obtained, 0 otherwise  0
15  Su attempted  1 if "su root" attempted, 0 otherwise  0
16  Num root  Number of root operations in the connection  0
17  Num file creations  Number of file creation operations in the connection  0
18  Num shells  Number of shell prompts  0
19  Num access files  Number of operations on access control files  0
20  Num outbound cmds  Number of outbound commands in an FTP session  0
21  Is hot login  1 if the login belongs to the "hot" list, 0 otherwise  0
22  Is guest login  1 if guest login, 0 otherwise  0
23  Count  Number of connections to the same destination host  2
24  Srv count  Number of connections to the same service (port)  2
25  Serror rate  Percentage of connections with SYN errors in Count  0
26  Srv serror rate  Percentage of connections with SYN errors in Srv count  0
27  Rerror rate  Percentage of connections with REJ errors in Count  0
28  Srv rerror rate  Percentage of connections with REJ errors in Srv count  0
29  Same srv rate  Percentage of connections to the same service  1
30  Diff srv rate  Percentage of connections to different services  0
31  Srv diff host rate  Percentage of connections to different destination hosts  0
32  Dst host count  Number of connections to the same destination host  150
33  Dst host srv count  Number of connections to the same service (port)  25
34  Dst host same srv rate  Percentage of connections to the same service in attribute 32  0.17
35  Dst host diff srv rate  Percentage of connections to different services in attribute 32  0.03
36  Dst host same src port rate  Percentage of connections from the same source port in attribute 33  0.17
37  Dst host srv diff host rate  Percentage of connections to different destination hosts in attribute 33  0
38  Dst host serror rate  Percentage of connections with SYN errors in attribute 32  0
39  Dst host srv serror rate  Percentage of connections with SYN errors in attribute 33  0
40  Dst host rerror rate  Percentage of connections with REJ errors in attribute 32  0.05
41  Dst host srv rerror rate  Percentage of connections with REJ errors in attribute 33  0
The process of obtaining and accessing a small, suitable portion of data from a large collection is called feature selection, and it is of particular interest within the data mining field. It plays a significant part in achieving higher performance and more accurate results on the selected data. Feature selection, as the process of choosing relevant features according to some defined conditions, may be considered a reduction technique in data mining. The feature selection process consists of four primary operations: subset generation, subset evaluation, stopping criteria, and testing and validation of the final result.
GA is a general stochastic search method, able to explore large search spaces efficiently, which is used here for attribute selection. Genetic algorithms search from a population of points to find a global maximum or minimum of a function; unlike many other local search techniques, there is always a chance of escaping from local maxima or minima.
Weka (Waikato Environment for Knowledge Analysis) is a free tool for machine learning and preprocessing that provides classification, regression, clustering, association rule, and visualization facilities (Dhanjibhai Serasiya & Chaudhary, 2012).
The feature selection algorithm follows several steps to select the best related features based on the GA, as shown in Figure 1.
The 15 selected attributes are: service, flag, src_bytes, dst_bytes, logged_in, num_root, num_shells, serror_rate, srv_serror_rate, same_srv_rate, diff_srv_rate, srv_diff_host_rate, dst_host_same_src_port_rate, dst_host_srv_diff_host_rate, dst_host_serror_rate.
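As an illustration of the GA search loop described above, the following is a minimal Python sketch (not the Weka implementation used in this work): each individual is a bit mask over the candidate attributes, and the fitness function — here a toy stand-in scoring agreement with a hypothetical "relevant" subset; in practice it would be a classifier's accuracy on the reduced data — drives selection, crossover, and mutation. All parameter values are illustrative assumptions.

```python
import random

def ga_feature_selection(num_features, fitness, pop_size=20, generations=30,
                         crossover_rate=0.8, mutation_rate=0.02, seed=0):
    """Select a feature subset, encoded as a bit mask, with a simple GA."""
    rng = random.Random(seed)
    # Initial population: random bit masks, one bit per candidate feature.
    pop = [[rng.randint(0, 1) for _ in range(num_features)]
           for _ in range(pop_size)]
    best, best_fit = None, float("-inf")
    for _ in range(generations):
        scored = sorted(((fitness(ind), ind) for ind in pop),
                        key=lambda s: s[0], reverse=True)
        if scored[0][0] > best_fit:
            best_fit, best = scored[0][0], scored[0][1][:]

        def pick():  # binary tournament selection
            a, b = rng.sample(scored, 2)
            return (a if a[0] >= b[0] else b)[1]

        nxt = [scored[0][1][:]]  # elitism: carry the best mask over
        while len(nxt) < pop_size:
            p1, p2 = pick(), pick()
            if rng.random() < crossover_rate:  # one-point crossover
                cut = rng.randrange(1, num_features)
                child = p1[:cut] + p2[cut:]
            else:
                child = p1[:]
            # Bit-flip mutation.
            child = [b ^ 1 if rng.random() < mutation_rate else b
                     for b in child]
            nxt.append(child)
        pop = nxt
    return best, best_fit

# Toy run: reward masks that agree with a hypothetical "relevant" subset.
target = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
fit = lambda mask: sum(1 for m, t in zip(mask, target) if m == t)
mask, score = ga_feature_selection(10, fit)
```

The selected features are then simply the positions of the 1-bits in the returned mask.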
Neural networks have proved to be successful at mapping input patterns to specific outputs. Finding a proper set of weights and a topology for a network to produce a desired behavior can be viewed as an optimization problem.
Evolutionary algorithms (EAs) have been shown to be good at solving optimization problems (Rahmani, 2008). The artificial neuron is characterized by its inputs, each with an associated weight; an input function, which calculates the total net input signal arriving at the neuron from all its inputs; and an activation function, which determines the activation level of the neuron as a function of its net input. An output signal equal to the activation value is produced at the output of the neuron.
The velocity of each particle is updated using Equation (1):

v_i(t+1) = w·v_i(t) + c1·r1·(pbest_i − x_i(t)) + c2·r2·(gbest − x_i(t))   (1)

Where:
w is the inertia weight, c1 and c2 are acceleration coefficients, r1 and r2 are random numbers in [0, 1], pbest_i is the best position found so far by particle i, and gbest is the best position found so far by the whole swarm.

The position of the particle is updated using Equation (2):

x_i(t+1) = x_i(t) + v_i(t+1)   (2)

Where:
x_i(t+1) is the new position of particle i, x_i(t) is the old or previous position of particle i at time t, and v_i(t+1) denotes the updated velocity of particle i.

PSO starts by randomly placing the particles in the search space of the given problem. At each iteration step, the velocities of the particles are calculated using Equation (1); once the velocities are defined, the positions of the particles are updated by Equation (2). This process is repeated until the stopping criterion is met. The main steps of the PSO algorithm are shown in Figure 2.
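The PSO update rules described above can be sketched as a compact minimizer; the inertia and acceleration coefficients below are common illustrative choices, not values taken from this paper:

```python
import random

def pso_minimize(f, dim, n_particles=30, iters=100, w=0.7, c1=1.5, c2=1.5,
                 lo=-5.0, hi=5.0, seed=1):
    """Plain PSO: velocity update, then position update, per particle."""
    rng = random.Random(seed)
    X = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n_particles)]
    V = [[0.0] * dim for _ in range(n_particles)]
    pbest = [x[:] for x in X]
    pbest_f = [f(x) for x in X]
    g = min(range(n_particles), key=lambda i: pbest_f[i])
    gbest, gbest_f = pbest[g][:], pbest_f[g]
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(dim):
                r1, r2 = rng.random(), rng.random()
                # Velocity: inertia + cognitive (pbest) + social (gbest) terms.
                V[i][d] = (w * V[i][d]
                           + c1 * r1 * (pbest[i][d] - X[i][d])
                           + c2 * r2 * (gbest[d] - X[i][d]))
                # Position: move the particle by its new velocity.
                X[i][d] += V[i][d]
            fx = f(X[i])
            if fx < pbest_f[i]:
                pbest[i], pbest_f[i] = X[i][:], fx
                if fx < gbest_f:
                    gbest, gbest_f = X[i][:], fx
    return gbest, gbest_f

# Toy run on the sphere function, a standard optimization benchmark.
sphere = lambda x: sum(v * v for v in x)
best, best_val = pso_minimize(sphere, dim=5)
```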
The Gravitational Search Algorithm (GSA) is a recent heuristic optimization method inspired by Newton's law of universal gravitation: "Every particle in the universe attracts every other particle with a force that is directly proportional to the product of their masses and inversely proportional to the square of the distance between them" (Newton, 1729).
Over the generations, all GSA masses, whose values are related to the objective function, attract each other through gravitational forces, and the heavier masses, which are closer to the global optimum, attract the other agents.
The GSA begins at random by placing all the agents in the search space. During the iterative procedure, the gravitational force acting on agent i from agent j at time t is given by Equation (3):

F_ij(t) = G(t) · (M_pi(t)·M_aj(t)) / (R_ij(t) + ε) · (x_j(t) − x_i(t))   (3)

Where:
G(t) is the gravitational constant at time t, M_pi is the passive gravitational mass of agent i, M_aj is the active gravitational mass of agent j, R_ij(t) is the Euclidean distance between agents i and j, and ε is a small constant.

G(t) is computed by Equation (4):

G(t) = G_0 · exp(−α·t/T)   (4)

Where G_0 is the initial value of the gravitational constant, α is a decay coefficient, t is the current iteration, and T is the total number of iterations.

In a search space with dimension d, the total force acting on agent i is a randomly weighted sum of the forces exerted by the other agents, Equation (5):

F_i^d(t) = Σ_{j=1, j≠i}^{N} rand_j · F_ij^d(t)   (5)

Where rand_j is a random number in [0, 1].

Based on the law of motion, the acceleration of an agent is proportional to the resultant force and inversely proportional to its mass; therefore the acceleration of every agent can be calculated using Equation (6):

a_i^d(t) = F_i^d(t) / M_i(t)   (6)

Where t is a specific time and M_i is the mass of agent i.

The velocity and position of the agents are calculated by Equations (7) and (8):

v_i(t+1) = rand_i · v_i(t) + a_i(t)   (7)
x_i(t+1) = x_i(t) + v_i(t+1)   (8)

Where rand_i is a random number in [0, 1] that gives the search a stochastic character.

All masses in GSA are initialized with basic values; the velocities of all masses are then determined by Equation (7), while the gravitational constant, total forces, and accelerations are obtained using Equations (4), (5), and (6), respectively. The positions of the masses are updated by Equation (8). Finally, the GSA does not stop until the end criteria are met. The steps of the GSA algorithm are described in Figure 3.
A hybrid of PSO and GSA is used, built as a low-level co-evolutionary heterogeneous method. The basic idea of PSOGSA is to combine the social-thinking ability (gbest) of PSO with the local search capability of GSA using Equation (9):

v_i(t+1) = w·v_i(t) + c1'·rand·ac_i(t) + c2'·rand·(gbest − x_i(t))   (9)

Where:
v_i(t) is the velocity of agent i at iteration t, w is a weighting coefficient, c1' and c2' are acceleration coefficients, rand is a random number in [0, 1], ac_i(t) is the acceleration of agent i at iteration t, and gbest is the best solution found so far.

The positions of the particles are updated at each iteration using Equation (10):

x_i(t+1) = x_i(t) + v_i(t+1)   (10)

All agents in PSOGSA are randomly initialized. Then the gravitational force, gravitational constant, and resultant forces among the agents are determined by Equations (3), (4), and (5), and the accelerations of the particles are determined by Equation (6). At each iteration, only the best solution is updated and the velocities of all agents are determined by Equation (9). Finally, the positions of all agents are calculated using Equation (10).

The fitness values of the solutions in PSOGSA are updated at each iteration, and agents near good solutions attempt to attract the other agents exploring the search space; agents move very slowly when they are near a good solution. PSOGSA uses a memory (gbest) to save the best solution found so far, so that every agent can observe the best solution and move toward it.
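A sketch of the hybrid update: GSA-style accelerations feed the PSO-style velocity rule of Equation (9), followed by the position update of Equation (10). All coefficient values are illustrative assumptions:

```python
import math
import random

def psogsa_minimize(f, dim, n_agents=30, iters=100, G0=1.0, alpha=20.0,
                    w=0.6, c1=0.5, c2=1.5, lo=-5.0, hi=5.0, seed=3):
    """Hybrid PSOGSA: GSA accelerations plus PSO's gbest pull."""
    rng = random.Random(seed)
    X = [[rng.uniform(lo, hi) for _ in range(dim)] for _ in range(n_agents)]
    V = [[0.0] * dim for _ in range(n_agents)]
    gbest, gbest_f = None, float("inf")
    for t in range(iters):
        fit = [f(x) for x in X]
        b, worst = min(fit), max(fit)
        if b < gbest_f:
            gbest_f, gbest = b, X[fit.index(b)][:]
        # GSA masses from fitness (minimization).
        m = [(fit[i] - worst) / (b - worst) if b != worst else 1.0
             for i in range(n_agents)]
        s = sum(m)
        M = [mi / s for mi in m]
        G = G0 * math.exp(-alpha * t / iters)
        eps = 1e-10
        for i in range(n_agents):
            acc = [0.0] * dim
            for j in range(n_agents):
                if i == j:
                    continue
                R = math.dist(X[i], X[j])
                for d in range(dim):
                    acc[d] += (rng.random() * G * M[j]
                               * (X[j][d] - X[i][d]) / (R + eps))
            for d in range(dim):
                # Equation (9): inertia + GSA acceleration + social (gbest) pull.
                V[i][d] = (w * V[i][d] + c1 * rng.random() * acc[d]
                           + c2 * rng.random() * (gbest[d] - X[i][d]))
                # Equation (10): position update.
                X[i][d] += V[i][d]
    return gbest, gbest_f

# Toy run on the sphere benchmark.
best_pos, best_val = psogsa_minimize(lambda x: sum(v * v for v in x), dim=5)
```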
In this paper, both the particle swarm optimization (PSO) and gravitational search (GSA) algorithms were combined to train a feed-forward neural network (FNN) for intrusion detection.
The objective function can be described as follows:
The FFNN has three layers: an input layer with n nodes, one hidden layer with h nodes, and an output layer with m nodes. The output of each hidden node at each epoch of the learning process is given by Equations (11) and (12):

s_j = Σ_{i=1..n} w_ij·x_i + b_j,   for j = 1, 2, …, h   (11)
S_j = sigmoid(s_j) = 1 / (1 + exp(−s_j))   (12)

Where n is the number of input nodes, w_ij is the connection weight from the ith node in the input layer to the jth node in the hidden layer, b_j is the bias (threshold) of the jth hidden node, and x_i is the ith input. After calculating the outputs of the hidden nodes, the final output is defined by Equation (13):

y_k = Σ_{j=1..h} w_kj·S_j + b_k,   for k = 1, 2, …, m   (13)

Where w_kj is the connection weight from the jth hidden node to the kth output node, and b_k is the bias (threshold) of the kth output node. The learning error E is computed by Equation (14):

E = (1/q) · Σ_{i=1..q} Σ_{k=1..m} (y_ik − d_ik)²   (14)

Where q is the number of training samples, d_ik is the desired output of the kth output node for the ith training sample, and y_ik is the actual output of the kth output node for the ith training sample. So the fitness of a candidate solution X_i is given by Equation (15):

fitness(X_i) = E(X_i)   (15)
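Equations (11)-(15) amount to a forward pass plus a mean-squared-error fitness over a flat weight vector (the encoding an evolutionary trainer optimizes). The sketch below assumes one common flat layout; the paper does not specify one:

```python
import math

def ffnn_mse(weights, samples, n_in, n_hidden, n_out):
    """Decode a flat weight vector and return the MSE fitness of Eq. (14)-(15).

    Assumed flat layout (the paper does not fix one): input->hidden weights,
    hidden biases, hidden->output weights, output biases.
    """
    p = n_in * n_hidden
    W1, b1 = weights[:p], weights[p:p + n_hidden]
    q = p + n_hidden
    W2 = weights[q:q + n_hidden * n_out]
    b2 = weights[q + n_hidden * n_out:]
    # Clamped sigmoid to avoid overflow for extreme candidate weights.
    sig = lambda s: 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, s))))

    err = 0.0
    for x, d in samples:
        # Equations (11)-(12): weighted sum plus bias through a sigmoid.
        h = [sig(sum(W1[i * n_hidden + j] * x[i] for i in range(n_in)) + b1[j])
             for j in range(n_hidden)]
        # Equation (13): linear output layer.
        y = [sum(W2[j * n_out + k] * h[j] for j in range(n_hidden)) + b2[k]
             for k in range(n_out)]
        # Equation (14): squared error accumulated over the output nodes.
        err += sum((y[k] - d[k]) ** 2 for k in range(n_out))
    return err / len(samples)  # Equation (15): fitness = mean squared error

# With all-zero weights every output is 0, so on XOR the MSE is exactly 0.5.
xor = [([0, 0], [0]), ([0, 1], [1]), ([1, 0], [1]), ([1, 1], [0])]
mse0 = ffnn_mse([0.0] * 13, xor, n_in=2, n_hidden=3, n_out=1)
```

A swarm optimizer treats `ffnn_mse` as the objective function and searches over the flat weight vector directly, so no gradient information is needed.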
The position of each of the N agents is set by Equation (16):

X_i = (x_i^1, …, x_i^d, …, x_i^n),   for i = 1, 2, …, N   (16)

Where x_i^d represents the position of the ith agent in the dth dimension and n is the dimension of the search space.

The best and worst fitness values over all agents are calculated at each iteration; for minimization problems, the fitness evolution is given by Equations (17) and (18):

best(t) = min fit_j(t),   j = 1, …, N   (17)
worst(t) = max fit_j(t),   j = 1, …, N   (18)

Where fit_j(t) is the fitness value of the jth agent at iteration t.

The gravitational constant G(t) is updated by Equation (19):

G(t) = G_0 · exp(−α·t/T)   (19)

Where G_0 and α are initialized at the beginning of the search and T is the total number of iterations.

The gravitational and inertia masses for each agent at iteration t are updated by Equations (20)-(22):

m_i(t) = (fit_i(t) − worst(t)) / (best(t) − worst(t))   (20)
M_i(t) = m_i(t) / Σ_{j=1..N} m_j(t)   (21)
M_ai = M_pi = M_ii = M_i,   for i = 1, 2, …, N   (22)

Where M_ai and M_pi are the active and passive gravitational masses, M_ii is the inertia mass of the ith agent, and M_i is the mass of object i. The acceleration of the agents is obtained by first determining the forces acting on them, Equations (23)-(25):

F_ij^d(t) = G(t) · (M_pi(t)·M_aj(t)) / (R_ij(t) + ε) · (x_j^d(t) − x_i^d(t))   (23)
R_ij(t) = ||X_i(t), X_j(t)||_2   (24)
F_i^d(t) = Σ_{j=1, j≠i}^{N} rand_j · F_ij^d(t)   (25)

Where R_ij(t) is the Euclidean distance between agents i and j, ε is a small constant, and rand_j is a random number in [0, 1]. The acceleration a_i^d of the ith agent at iteration t is obtained from Equation (26):

a_i^d(t) = F_i^d(t) / M_ii(t)   (26)

The speed and position of the agents at the next iteration are determined by Equations (27) and (28):

v_i^d(t+1) = w·v_i^d(t) + c1'·rand·a_i^d(t) + c2'·rand·(gbest^d − x_i^d(t))   (27)
x_i^d(t+1) = x_i^d(t) + v_i^d(t+1)   (28)
The social-thinking capability (gbest) of the PSO algorithm and the local search capability of GSA are grouped together in PSOGSA. All agents are initialized randomly; then the values of the gravitational force, gravitational constant, and resultant forces are calculated, and the accelerations of the agents are defined by Equation (26). At each iteration, the best solution is updated and the velocities of all agents are calculated using Equation (27). Finally, the agents' positions are updated using Equation (28). The updating of velocities and positions stops when the termination conditions are met.
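Putting the pieces together, the sketch below trains a tiny FFNN by swarm search over the flat weight vector, using XOR as a stand-in for the NSL-KDD task (the actual experiments used Matlab and far larger networks). The flat weight layout, the coefficient values, and the sigmoid applied at the output node (to keep values bounded) are illustrative assumptions:

```python
import math
import random

def train_ffnn_pso(samples, n_in, n_hidden, n_out,
                   n_particles=30, iters=200, seed=4):
    """Train flat FFNN weights with a PSO-style swarm, minimizing the MSE."""
    dim = n_in * n_hidden + n_hidden + n_hidden * n_out + n_out
    sig = lambda s: 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, s))))

    def mse(wv):
        # Flat layout: W1, hidden biases, W2, output biases.
        p = n_in * n_hidden
        W1, b1 = wv[:p], wv[p:p + n_hidden]
        q = p + n_hidden
        W2, b2 = wv[q:q + n_hidden * n_out], wv[q + n_hidden * n_out:]
        err = 0.0
        for x, d in samples:
            h = [sig(sum(W1[i * n_hidden + j] * x[i]
                         for i in range(n_in)) + b1[j])
                 for j in range(n_hidden)]
            # Sigmoid output keeps error terms bounded (implementation choice).
            y = [sig(sum(W2[j * n_out + k] * h[j]
                         for j in range(n_hidden)) + b2[k])
                 for k in range(n_out)]
            err += sum((y[k] - d[k]) ** 2 for k in range(n_out))
        return err / len(samples)

    rng = random.Random(seed)
    X = [[rng.uniform(-1.0, 1.0) for _ in range(dim)]
         for _ in range(n_particles)]
    V = [[0.0] * dim for _ in range(n_particles)]
    pbest = [x[:] for x in X]
    pbest_f = [mse(x) for x in X]
    g = min(range(n_particles), key=lambda i: pbest_f[i])
    gbest, gbest_f = pbest[g][:], pbest_f[g]
    for _ in range(iters):
        for i in range(n_particles):
            for d in range(dim):
                V[i][d] = (0.7 * V[i][d]
                           + 1.5 * rng.random() * (pbest[i][d] - X[i][d])
                           + 1.5 * rng.random() * (gbest[d] - X[i][d]))
                X[i][d] += V[i][d]
            f = mse(X[i])
            if f < pbest_f[i]:
                pbest[i], pbest_f[i] = X[i][:], f
                if f < gbest_f:
                    gbest, gbest_f = X[i][:], f
    return gbest, gbest_f

# XOR as a tiny stand-in for the real classification task.
xor = [([0, 0], [0]), ([0, 1], [1]), ([1, 0], [1]), ([1, 1], [0])]
weights, final_mse = train_ffnn_pso(xor, n_in=2, n_hidden=3, n_out=1)
```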
The experiments were run in the Matlab 2015a environment on a Core-based machine.
Table 5 shows the training results of the feed-forward neural network with the GSA and PSO optimization techniques for the intrusion detection process, based on 16,626 records of NSL-KDD training samples. The results are measured by the mean square error (MSE) and the classification rate. The FFNN structure for both PSO and GSA is as follows: an input layer with 71 neurons, a hidden layer with 8 neurons, and an output layer with 10 neurons. At the start of training, the weights are initialized randomly, which may cause poor recognition that improves after a number of iterations. As the number of iterations increases, the MSE decreases, the classification rate increases, and the time consumed increases. Increasing the swarm size and the number of masses also enhances the classification rate.
Table 5 also illustrates the test accuracy of the classification model with and without the GA feature selection technique. The combined GSA-PSO feed-forward algorithm achieves the best recognition rate among the compared algorithms when GA feature selection is used, while the FNN PSO algorithm gives the best result without GA feature selection. It should be noted that working with 15 features is better than working with all 41 features in terms of classification accuracy, MSE, and processing time.
Classifier  With 41 Features (Test Accuracy % / MSE / Time sec)  With 15 Features (Test Accuracy % / MSE / Time sec)
FNN PSO  94.0667 / 0.0060613 / 2237  96.9333 / 0.053256 / 895
FNN GSA  81.675 / 0.093597 / 2500  97.2 / 0.042981 / 1000
FNN GSAPSO  90.5 / 0.13776 / 3367  98.966 / 0.00091032 / 1347
Intrusion detection systems are utilized to recognize attacks aimed at the critical information of the client. The introduced optimized neural network model is based on studying the intrusion detection features and selecting only the most important ones, creating an optimal intrusion detection system. The system is based on a combination of GSA and PSO with a feed-forward neural network (FFNN) classifier, together with feature selection. The proposed classification system was established with three different optimization algorithms, using GA as the feature selection method in the WEKA program. Our major goal, obtaining optimum performance for the classification process, has been achieved. The best-performing algorithm with GA feature selection is the FNN GSAPSO classifier, with an accuracy of 98.96% and a processing time of 1347 sec, while FNN GSAPSO without any feature selection shows the highest average error, 0.13776, compared to the others. Generating an intelligent agent fired toward the infected packet, together with other new classification algorithms in a real-time environment, will be our future work.
1. Aghdam, M. H., & Kabiri, P. (2016). Feature Selection for Intrusion Detection System Using Ant Colony Optimization. International Journal of Network Security, 18(3), 420-432.