Embedded Signal Artificial Neural Network Based Intelligent Non-Dependent Feature Selection for Cyber Attack Classification in Signal-Based Networks

With the exponential growth of the internet, data security has become an increasingly pressing issue. Security refers to how well a system or network is protected from attacks. The three pillars of information security are privacy, data integrity, and data availability [1]. The term intrusion is commonly used to describe network attacks. Intrusion refers to any concerted effort to breach information security measures [2]. Anomaly detection is one of major information security concerns. Intrusion Detection Systems (IDS) help computers fend off malicious intrusion attempts. Network security has come a long way from its early days, when only traditional methods like encryption, firewalls, VPNs, etc. were used. It is impossible to depend fully on static protection measures. This increases the necessity of dynamic technique, which may check network nodes and identify illegal activities in the network [3]. Thus to strengthen the security protocols dynamic technique is proposed and termed as Intrusion Detection Systems [4]. Intrusion detection system takes online data collected from the network then after that observes and analyses this knowledge and partitions it into regular & harmful activities, present the result to network administrator [5]. Due to its limitations in scalability, adaptability, and veracity, data mining finds its most widespread application in IDS [6]. Info sources for IDS include network logs, host data, and more. Data analysis is challenging because of the volume of network traffic. This necessitates combining IDS with various data mining methods for intrusion detection [7].

Cyberattacks pose legitimate safety concerns, necessitating the development of a cutting-edge, malleable, and remarkably effective IDS [8]. An IDS is a framework or method used to detect and differentiate intrusions, attacks, invasions, or breaches of the safety schemes autonomously at the network level and the host level. Network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS) are two types of security infrastructure that classify attacks based on their characteristics [9]. If the architecture is based on network behaviours, it is known as a NIDS. By duplicating the actions of networking equipment like switch, routers, and network taps, network tools collect data that can be used to identify assaults and other threats hiding in network traffic [10]. The term HIDS refers to a framework that uses system workouts in the form of multiple log data acquisition on the local host machine or device to discover malware. These logs are being fetched locally, using sensors of various kinds. In contrast to HIDS's reliance on data from log documents, which may include sensor logs, event logs, application logs, file systems, disc assets, client account details, and a few other elements of each system, NIDS analyses every packet of data relied upon within network traffic streams. In some establishments, HIDS and NIDS are used together [11].

The first line of defense against a security breach is a reliable intrusion detection system. Thus, there has been a lot of focus on security solutions like firewalls, IDSs, UTMs, and IPSs. By collecting data from a wide range of systems and networks and then analysing it, intrusion detection systems can identify potential security breaches and stop them in their tracks. The packet data that traverse a network are analysed in two ways by a network based IDS [12]. The issues with anomaly based intrusion detection are that it needs to cope with unique attack in which there is no previous experience to identify the anomaly [13]. This means that anomaly - based intrusion detection is still a key topic for research. For this reason, experts have been looking at machine learning methods for the past several years in the hopes of giving the system the ability to tell good traffic from bad or to spot anomalies [14]. The IDS model is shown in Figure 1.

1.png

Figure 1. Intrusion detection system

When mining enormous datasets, feature selection is an essential pre-processing step that can dramatically boost the overall system's performance [15]. The final feature subset is generated by the wrapper phase, and the filter phase chooses the features with the maximum information gain and directs the start of the search procedure for that phase [16]. Feature selection's ultimate goal is to narrow down a large pool of candidate features to just those that adequately characterise the target notion. In both theoretical and practical settings, it has been shown to improve learning efficiency, boost predictive accuracy [17], and decrease result complexity [18]. The search space for the best possible feature selection is exponential in E, where E is the number of features. So, it could be excessively expensive and impracticable [19]. The wrapper model differs from the filter model in that feature selection does not rely on a learning process. The filter model's strengths lay in its superior generalizability and cheap computational cost, both of which are independent of the learning algorithms used [20]. The goal of intrusion detection is to uncover illegal actions that could compromise a system's integrity and performance. Differentiating between benign and malicious network activity is difficult in intrusion detection [21]. A machine learning algorithm is used in conjunction with feature selection algorithms to establish which feature set that yield the most significant improvements in accuracy and computational processing times [22]. The generated matrix gives users a heuristic for determining which based on deep learning.

IDS development has recently benefited from the application of Artificial Neural Networks (ANN) [23]. ANN's intrinsic speed and the ease with which nonlinear relationships between input and output can be represented are two of its greatest strengths. Incomplete or skewed data wouldn't stop a neural network from processing it [24]. An issue with neural network-based methods is that they struggle to understand the input-output relationship when the input data has a high dimensionality [25]. The primary benefits of ANNs over conventional IDSs lie in their enhanced capacities for learning, classification, rapid data processing, and self-organization. Because of these benefits, Neural Networks can enhance IDS performance [26], and AI methods can boost IDS/IPS potency. The ANN process in analyzing and generating the output is shown in Figure 2.

2.png

Figure 2. Artificial neural networks

Advanced IDSs are defined as host-based or network-based computer programs that monitor their surroundings and behave flexibly to improve detection accuracy [27]. These programs determine what must be done in an environment by learning that setting and then applying inference rules to the data. A smart IDS can make decisions and validate constraints. Most intelligent systems either utilize rules to make decisions or agents to do so. As a result of proposing smart methods for preprocessing and efficient categorization [28], smart intrusion prevention systems have been developed. When compared to other methods, the detection rate offered by such IDSs is superior. In order to acquire a subset of attributes that accurately characterise the given problem with a minimal loss of performance, extraction of features involves identifying the relevant characteristics and rejecting the unnecessary ones [29]. There are many benefits to doing so, including enhancing the efficiency of machine learning algorithms, better comprehending data, learning more about the process through better visualisation, reducing data size, lowering storage needs, and cutting down on processing expenses.

In classification, a classifier is trained from a training set of labelled data instances, and then used to categorize a training set into one of the groups in testing. A classifier is learned during the training phase by ingesting the available labelled training data [30]. In the testing phase, the classifier is used to determine whether a test case is typical or out of the ordinary. Intrusion detection methods that rely on classification can be run with a single-class classifier or several classes. IDS methods based on uni class classifications presume that each training case has a unique class label. These methods use a one-class classification method to learn a racially discriminatory boundary around the typical examples. Any data sample that fails to fit the boundary established by the learning process is flagged as abnormal. In this research, an effective ANN based intellectual non dependant feature selection model is proposed that effectively extracts the signal based cyber attack features and performs feature reduction for accurate detection of signal based cyber attacks to maintain security. The proposed model feature dimensionality reduction reduces the features selected for intrusion detection. The independent features are only considered for training the ANN model that accurately detects the intrusions. The proposed model performs the memory optimization with the reduced feature set and also the time complexity levels are very much reduced than the traditional models.

It is of interest to utilize statistical modeling via computational means to forecast whether unseen observations are signal based cyber attacks and the intensity of those attacks based on data from controlled cyber threat and intrusion exercises, which is essentially participatory simulation. Cyber anomaly and threat detection is a topic of intense research interest nevertheless, doing so requires analyzing a massive amount of data. This would be a Big Data challenge with high data velocity in a real-time setting. In order to enhance response time and data storage, it is necessary to identify a smaller selection of important data elements to monitor. Therefore, this research primary objective is to develop a dimensionality reduction model for cyber security, one that ranks and identifies the most important traits for threat identification. It will be achieved via the creation and implementation of a feature dimensionality reduction strategy based on classifiers.

Although linear discriminant analysis has been used in previous cyber security studies to account for error when evaluating the importance of individual characteristics, this factor was not taken into account when deciding how many features to utilize for classification. In this research, an end-to-end methodology is established for identifying signal based cyber attacks using feature extraction from network traffic data and subsequent feature selection using classifier-based algorithms. While ANNs have been used for cyber intrusion detection before they have not yet been used to estimate the importance of cyber features. Classifier models based on ANNs are utilized to identify relevant information for threat detection. This technique is used to provide insight into what data is most relevant for detecting signal based cyber attacks by combining the classification and feature relevance ranking tasks.

Feature selection is crucial in the detection of signal based cyber attacks. It has been demonstrated that learning algorithms' efficacy might be negatively impacted by redundant and/or irrelevant features. There is currently no accessible automatic and efficient feature selection approach that can help capture the primary properties of the data across a variety of operational settings. Conventional forward feature selection based on feature ranking is commonly employed in data processing. Gain in knowledge is a popular statistic used to rank characteristics. Information gain has one major drawback: it requires joint probability distribution functions of characteristics and target classes. Training data is typically used to get the necessary information to learn these functions. When there are many classes and features to choose from, the learning process slows down. In addition, if the sample sizes of the various classes are not roughly equal, the estimation will be off.

Convolutional, pooling, and fully connected layers make up convolutional neural network (CNN) architecture that is applied on this research. The three layers that make up CNN are the convolutional layer, the pooling layer, and the fully connected layer. This group of neural networks is used to analyse information using a grid structure. In a CNN, the convolution layer performs the bulk of the processing. After applying K filters towards the input volume, K 2-dimensional activation maps are generated. The output volume is the result of stacking K activation maps all along hidden layers of intrusion data records. The fully connected (FC) layer couples every input to every neuron in the network. After that, the squished vector travels through some more FC layers, which is often where the mathematical functions operations are carried out. At this stage, the process of categorising the data is performed as normal or intrusion. If a CNN design includes an FC layer, it is usually the last layer in the network that predicts the intrusions in the network.

It is possible to keep monitoring on the entire network because the IDS module is installed on the network IDS. By scanning all data packets that traverse the network, this Intrusion Detection System can uncover any suspicious behavior. That is because the IDS host installs its module on every client in the network. Selecting and ranking features is a crucial challenge in intrusion detection. Eliminating unnecessary features improves IDS performance by increasing detection accuracy and reducing computation time. The effectiveness of the learning algorithm is affected by the uniqueness of the features and the number of features used during training. Selecting suitable training settings and a strong subset of features are crucial concerns for enhancing the IDS's accuracy and overall performance. In this research, an effective ANN based Intellectual Non Dependant Feature Selection Model is proposed that effectively extracts the signal based cyber attack features and performs feature reduction for accurate detection of signal based cyber attacks to maintain security.

Algorithm ANN-INDFSM:

do

Input: Intrusion Detection Dataset {INDT_SET}

Output: Intrusion Prediction List {IPL}

The intrusion detection dataset is considered and the data set undergoes pre processing. The term data preparation refers to the steps used to clean and organize data before it is analyzed. Since raw data is not used for analyzing, the pre processing process is equally crucial for machine learning. The pre processing is performed as

$D T_{S E T}=\sum_{i=1}^M g e t V(i)+avg V(M-i, i)-G(i)$

$I N D T_{S E T}=\frac{\operatorname{Max}\left(D T_{\text {set }}(i+1)\right)-G(i)}{\sqrt{\sum_{i=1}^M\left(\max \left(D T_{\text {set }}(i+1)\right)\right)-\min \left(D T_{\text {set }}(i)\right)}}\quad+T(i)$

Here G is the function that extracts the special symbols in the dataset. avgV() function is used to find the mean average value for every 2 records in the dataset. The removed values are filled with the threshold value T in the cleaned dataset.

After cleaning the data, the features are extracted from the dataset to initiate the training of the model. The features of the dataset are completely extracted where the process is performed as

$\operatorname{FSet}\left(\operatorname{INDT}_{\mathrm{SET}}(\mathrm{r})\right)=\frac{\max \left(I N D T_{S E T}\right)}{\operatorname{len}\left(I N D T_{S E T}\right)} * \sum_{\mathrm{i}=1}^{\mathrm{M}} \operatorname{len}(\mathrm{G})+\left(\operatorname{maxValue}(i+1)-\frac{\operatorname{minValue}(\mathrm{i})}{2}\right)+\left[\sum_{i=1} mean(i+1)+\frac{maxVal(i)-minVal(i-1)}{\operatorname{count}(i)}\quad\right]$

The features extracted are considered for allocation of weights. The weights are allocated based on the features dependency and non dependency levels. The weight allocation process is performed as

$WeFset(F \operatorname{Set}[M])=\sum_{i=1} \sum_{j=i+1} \max (Fset(getValue(i)))-\min (Fset(getValue(j)))+\log \left(\max _{1 \leq \mathrm{i}, \mathrm{j} \leq \mathrm{M}} \operatorname{Fset}(\mathrm{i})+\operatorname{simm}(\mathrm{i}, \mathrm{j})\right)$

Here WeFset is the set that contains weights that are allocated to the features. Each features is allocated a weight based on the correlation value.

The non dependant feature selection process is performed to generate the final feature subset. The feature subset features will be used to train the models. Instead of considering all features, the feature subset will consider the best and most useful features for the intrusion detection model. The proposed model framework is shown in Figure 3.

An artificial neural network is a network in which computational elements or neurons are connected in a predetermined structure. It can generalize from sparse, imperfect data and learn from examples. ANN has been used well in many types of data-heavy programs. An input layer, several hidden layers, and a output layer make up a neural network. An equal number of neurons can be found in each successive layer. A neural network receives data at its input layer, processes it at its hidden layers, and returns the result at its output layer. Figure 4 depicts a common type of neural network model that includes a hidden layer.

3.png

Figure 3. Proposed model framework

4.png

Figure 4. Neural network model

In order to increase accuracy level, a deep learning model is employed with layers representing features for intrusion detection. Weighted features are divided by a permutation layer by estimating the presence of the layer. If extracted feature mappings sets like map D and map E are created by summing their convolutions, various convolution kernels can be identified. It is standard procedure to input the attributes, add up the weighted features to make the final prediction set. The hidden layer processing is performed by providing the required inputs and the process is performed as:

$HLayer(I, O, F, L) =\sum_{i=1, j=i+1}^M \max (W e Fset(F(i)))-\frac{\min (W e Fset(F(j)))}{\mathrm{L}} * count(F Set)+\frac{\max (F(i+1, j+1))+\sum_{j=j+1}^M \max (W e Fset(F(j+1)))}{\min (W e Fset(F(j-1)))}\quad+T$

Here I is the input, O is the output, F is the features allocated with weights and L is the length of the features selected.

Each neuron in this network receives input from M different sources, and the weights assigned to these sources add up to a total. B_i is the bias value that is multiplied by the activation function's input. First, we define the inputs to a neuron as B1, B2, B3,..., B_M, the weights as We1, We2, We3,..., WeM, the bias as B_i, and the output of the neuron as O, where an is the result of solving for B. where F is the activation function utilized to obtain the layer's output for use as input to the following layer. An artificial neural network consists of nodes and weights that must be learned based on the existing patterns. The activation function and the hidden layer analysis and output generation of final feature subset is performed as

$a F=F\left(\sum_{i=0}^M W e_i * I_i+B_i\right)$

$a F$ is the activation function applied on feature subset.

The final feature subset is used for intrusion detection in the cyber network. The intrusions are detected and the prediction list is generated that indicates nodes causing intrusions in the network. The prediction list is generated as

$PredSet(W e F \operatorname{set}[M])=\max (H Layer(F Set(i)))-\sum_{i=1} \frac{\max (\mathrm{aF}(\mathrm{i}))}{\min \left(\mathrm{I}_{\mathrm{i}}\right)} * \mathrm{~B}_{\mathrm{i}}+\min ($HLayer $(\mathrm{Fset}(\mathrm{i}+1)))$

Done