4.7 Article

Adaptive intrusion detection via GA-GOGMM-based pattern learning with fuzzy rough set-based attribute selection

Journal

EXPERT SYSTEMS WITH APPLICATIONS
Volume 139, Issue -, Pages -

Publisher

PERGAMON-ELSEVIER SCIENCE LTD
DOI: 10.1016/j.eswa.2019.112845

Keywords

Intrusion detection system; Gaussian mixture model; Greedy algorithm; Fuzzy rough set; Information gain ratio; Pattern learning

Funding

  1. National Natural Science Foundation of China (NSFC) [61501183, 61771492]
  2. NSFC [61725306, U1701261]
  3. Guangdong provincial government [U1701261]
  4. Hunan Natural Science Fund [2018JJ3349]
  5. key laboratory of minister of education for image processing and intelligence control (Huazhong University of Science and Technology) [IPIC2017-03]
  6. postgraduate student research and innovation projects of Hunan Province [CX2018B31]

In this paper, an adaptive network intrusion detection method using fuzzy rough set-based feature selection and GA-GOGMM-based pattern learning is presented. Based on the fuzzy rough set theory, the optimal attribute subset of network connection records is achieved by the information gain ratio criterion in advance. A greedy algorithm-based global optimal Gaussian mixture model (GMM) clustering method, termed GA-GOGMM, is introduced to extract the intrinsic structure of network instances to achieve highly discernible and stable normal and intrusion pattern libraries for the subsequent network intrusion detection (NID). GA-GOGMM-based pattern learning can achieve the optimal GMM of network traffic instances for the pattern clustering while avoiding the negative effect of the empirical initialization of clustering numbers and random initialization of clustering centers with a low computational complexity. An adaptive model updating mechanism is further introduced for the online updating of normal and intrusion pattern libraries to ensure the adaptability of the NID model. Extensive validation and comparative experiments, conducted on a benchmark dataset NSL-KDD and a self-built Nidsbench-based network simulation platform, show that the proposed ANID approach leads to a significant improvement in detection accuracies with low false alarms and missing reports on both known and unknown attacks. It can effectively adapt to dynamically changing network environments with high detection accuracy and low false alarm rate as well as low missing reporting rate, which has significant application prospects. (C) 2019 Elsevier Ltd. All rights reserved.