A. IRELM Based on Sequential Learning

RELM adds a regularization parameter to ELM to adjust the coefficient $\beta $ . The objective function is as follows:\begin{equation*} \min \left \|{ {{ \boldsymbol { H\beta }}-{ \boldsymbol { T}}} }\right \|^{2}+\frac {1}{C}\left \|{ {{ \boldsymbol { \beta }}} }\right \|^{2}\tag{2}\end{equation*} View Source\begin{equation*} \min \left \|{ {{ \boldsymbol { H\beta }}-{ \boldsymbol { T}}} }\right \|^{2}+\frac {1}{C}\left \|{ {{ \boldsymbol { \beta }}} }\right \|^{2}\tag{2}\end{equation*} where ${ \boldsymbol { H}}$ is the hidden layer output matrix; ${ \boldsymbol { \beta }}$ is the output weight matrix;${ \boldsymbol { T}}$ is the objective matrix. Therefore, the output weight can be expressed as:\begin{align*} { \boldsymbol { \beta }}=&{ \boldsymbol { H}}^{\dagger }{ \boldsymbol { T}}=\left({{ \boldsymbol { H}}^{T}{ \boldsymbol { H}}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}{ \boldsymbol { H}}^{T}{ \boldsymbol { T}} \\=&{ \boldsymbol { H}}^{T}\left({{ \boldsymbol { HH}}^{T}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}{ \boldsymbol { T}}\tag{3}\end{align*} View Source\begin{align*} { \boldsymbol { \beta }}=&{ \boldsymbol { H}}^{\dagger }{ \boldsymbol { T}}=\left({{ \boldsymbol { H}}^{T}{ \boldsymbol { H}}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}{ \boldsymbol { H}}^{T}{ \boldsymbol { T}} \\=&{ \boldsymbol { H}}^{T}\left({{ \boldsymbol { HH}}^{T}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}{ \boldsymbol { T}}\tag{3}\end{align*}

When the input data size $n$ is less than the number of neurons in the hidden layer $L$ , because the dimension of $\left({{ \boldsymbol { HH}}^{T}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}$ is $\boldsymbol {n}\times \boldsymbol {n}$ and the dimension of $\left({{ \boldsymbol { H}}^{T}{ \boldsymbol { H}}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}$ is $L\times L$ . Therefore, when $n < L$ , the IRELM is constructed by ${ \boldsymbol { H}}^{T}\left({{ \boldsymbol { HH}}^{T}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}{ \boldsymbol { T}}$ .

Define a recursive hidden layer output matrix ${ \boldsymbol { H}}_{k} $ , where $k$ is 0 or any positive integer, representing the number of sequential updates in the matrix. Assuming that the first output matrix is ${ \boldsymbol { H}}_{0} $ , according to (3), the inverse matrix is obtained as follows:\begin{equation*} { \boldsymbol { K}}_{0}^{-1} =\left({{ \boldsymbol { H}}_{0} { \boldsymbol { H}}_{0}^{T} +\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}\tag{4}\end{equation*} View Source\begin{equation*} { \boldsymbol { K}}_{0}^{-1} =\left({{ \boldsymbol { H}}_{0} { \boldsymbol { H}}_{0}^{T} +\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}\tag{4}\end{equation*} herefore, the output weight matrix ${ \boldsymbol { \beta }}_{0} $ is:\begin{equation*} { \boldsymbol { \beta }}_{0} ={ \boldsymbol { H}}_{0} { \boldsymbol { K}}_{0}^{-1} { \boldsymbol { T}}_{0}\tag{5}\end{equation*} View Source\begin{equation*} { \boldsymbol { \beta }}_{0} ={ \boldsymbol { H}}_{0} { \boldsymbol { K}}_{0}^{-1} { \boldsymbol { T}}_{0}\tag{5}\end{equation*}

When $\gamma N_{1} $ number of new samples arrives, $\gamma N_{1} =1,2,3\ldots $ , the new hidden layer output matrix ${ \boldsymbol { H}}_{1} $ becomes:\begin{align*} { \boldsymbol { H}}_{1} =\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{0}} \\ {\gamma { \boldsymbol { H}}_{1}} \\ \end{array}}} }\right]\tag{6}\end{align*} View Source\begin{align*} { \boldsymbol { H}}_{1} =\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{0}} \\ {\gamma { \boldsymbol { H}}_{1}} \\ \end{array}}} }\right]\tag{6}\end{align*} where $\gamma { \boldsymbol { H}}_{1} $ is the $\gamma $ number of output matrix. Similarly, according to (3), the inverse matrix ${ \boldsymbol { K}}_{1}^{-1} $ can be constructed as:\begin{align*} { \boldsymbol { K}}_{1}^{-1}=&\left({{ \boldsymbol { H}}_{1} { \boldsymbol { H}}_{1}^{-1} +\frac {{ \boldsymbol { I}}}{C}}\right)^{-1} \\=&\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{0} { \boldsymbol { H}}_{0}^{-1} +\dfrac {{ \boldsymbol { I}}}{C}} & \quad {{ \boldsymbol { H}}_{0} \gamma { \boldsymbol { H}}_{1}^{T}} \\ {\gamma { \boldsymbol { H}}_{1} { \boldsymbol { H}}_{0}^{T}} &\quad {\gamma { \boldsymbol { H}}_{1} \gamma { \boldsymbol { H}}_{1}^{T} +\dfrac {{ \boldsymbol { I}}}{C}} \end{array}}} }\right]^{-1}\tag{7}\end{align*} View Source\begin{align*} { \boldsymbol { K}}_{1}^{-1}=&\left({{ \boldsymbol { H}}_{1} { \boldsymbol { H}}_{1}^{-1} +\frac {{ \boldsymbol { I}}}{C}}\right)^{-1} \\=&\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{0} { \boldsymbol { H}}_{0}^{-1} +\dfrac {{ \boldsymbol { I}}}{C}} & \quad {{ \boldsymbol { H}}_{0} \gamma { \boldsymbol { H}}_{1}^{T}} \\ {\gamma { \boldsymbol { H}}_{1} { \boldsymbol { H}}_{0}^{T}} &\quad {\gamma { \boldsymbol { H}}_{1} \gamma { \boldsymbol { H}}_{1}^{T} +\dfrac {{ \boldsymbol { I}}}{C}} \end{array}}} }\right]^{-1}\tag{7}\end{align*}

Therefore, the output weight matrix can be expressed as ${ \boldsymbol { \beta }}_{1} ={ \boldsymbol { H}}_{1} { \boldsymbol { K}}_{1}^{-1} { \boldsymbol { T}}_{1} $ . With the successive arrival of block data, the update of ${ \boldsymbol { K}}$ and ${ \boldsymbol { \beta }}$ can be implemented in Algorithm 1.

With the continuous learning, the dimension of ${ \boldsymbol { K}}$ becomes larger and larger. When $n>L$ , the speed advantage brought by $\left({{ \boldsymbol { HH}}^{T}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}$ disappears. Therefore, the update scheme is changed to $\left({{ \boldsymbol { H}}^{T}{ \boldsymbol { H}}+\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}$ . Assuming that $n\ge L$ in step $m$ , ${ \boldsymbol { K}}_{m+1}^{-1} $ can be expressed as:\begin{equation*} { \boldsymbol { K}}_{m+1}^{-1} =\left({{ \boldsymbol { H}}_{m+1}^{T} { \boldsymbol { H}}_{m+1} +\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}\tag{8}\end{equation*} View Source\begin{equation*} { \boldsymbol { K}}_{m+1}^{-1} =\left({{ \boldsymbol { H}}_{m+1}^{T} { \boldsymbol { H}}_{m+1} +\frac {{ \boldsymbol { I}}}{C}}\right)^{-1}\tag{8}\end{equation*} where:\begin{align*} { \boldsymbol { H}}_{m+1} =\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{m}} \\ {\gamma { \boldsymbol { H}}_{m+1}} \\ \end{array}}} }\right]\tag{9}\end{align*} View Source\begin{align*} { \boldsymbol { H}}_{m+1} =\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{m}} \\ {\gamma { \boldsymbol { H}}_{m+1}} \\ \end{array}}} }\right]\tag{9}\end{align*}

When new data is input in Step $i+1$ and $i>m$ , then ${ \boldsymbol { H}}_{i+1} $ is:\begin{align*} { \boldsymbol { H}}_{i+1} =\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{i}} \\ {\gamma { \boldsymbol { H}}_{i+1}} \\ \end{array}}} }\right]\tag{10}\end{align*} View Source\begin{align*} { \boldsymbol { H}}_{i+1} =\left [{ {{\begin{array}{cccccccccccccccccccc} {{ \boldsymbol { H}}_{i}} \\ {\gamma { \boldsymbol { H}}_{i+1}} \\ \end{array}}} }\right]\tag{10}\end{align*}

Therefore, the inverse matrix ${ \boldsymbol { K}}_{i+1}^{-1} $ can be calculated as follows:\begin{align*}&\hspace {-1.4pc} { \boldsymbol { K}}_{i+1}^{-1} \\=&\left [{ {{ \boldsymbol { K}}_{i} +\gamma { \boldsymbol { H}}_{i+1}^{T} { \boldsymbol { I}}\gamma { \boldsymbol { H}}_{i+1}} }\right]^{-1} \\=&{ \boldsymbol { K}}_{i}^{-1} -{ \boldsymbol { K}}_{i}^{-1} \gamma { \boldsymbol { H}}_{i+1}^{T} ({ \boldsymbol { I}}+\gamma { \boldsymbol { H}}_{i+1} { \boldsymbol { K}}_{i}^{-1} \gamma { \boldsymbol { H}}_{i+1}^{T})\gamma { \boldsymbol { H}}_{i+1} { \boldsymbol { K}}_{i}^{-1} \\\tag{11}\end{align*} View Source\begin{align*}&\hspace {-1.4pc} { \boldsymbol { K}}_{i+1}^{-1} \\=&\left [{ {{ \boldsymbol { K}}_{i} +\gamma { \boldsymbol { H}}_{i+1}^{T} { \boldsymbol { I}}\gamma { \boldsymbol { H}}_{i+1}} }\right]^{-1} \\=&{ \boldsymbol { K}}_{i}^{-1} -{ \boldsymbol { K}}_{i}^{-1} \gamma { \boldsymbol { H}}_{i+1}^{T} ({ \boldsymbol { I}}+\gamma { \boldsymbol { H}}_{i+1} { \boldsymbol { K}}_{i}^{-1} \gamma { \boldsymbol { H}}_{i+1}^{T})\gamma { \boldsymbol { H}}_{i+1} { \boldsymbol { K}}_{i}^{-1} \\\tag{11}\end{align*}

When $n>L$ , the sequential updating formula of IRELM can be implemented according to Algorithm 2.

According to Algorithm 1 and Algorithm 2, the advantages of IRELM are as follows:

1. Dimension reduction of inverse matrix. In RELM, the process that consumes the most computing power is the calculation of $({ \boldsymbol { H}}^{T}{ \boldsymbol { H}})^{-1}$ and ${ \boldsymbol { K}}_{i+1}^{-1} $ . In IRELM’s updating scheme, the dimension of inverse matrix ${ \boldsymbol { S}}_{i+1}^{-1} $ is only $\gamma N_{i} \times \gamma N_{i} $ , which is far less than $L\times L$ , avoiding the most complex part of RELM.

2. Calculate the value of ${ \boldsymbol { \beta }}$ if necessary. The calculation of ${ \boldsymbol { \beta }}_{i+1} $ value does not depend on the previous value, so it needs to be updated when necessary, and does not need to be updated when unnecessary, which reduces the calculation cost.

3. The batch learning is replaced by sequential learning, which is more suitable for the actual situation, not only maintains the generalization ability of RELM, but also maintains the efficiency of the algorithm.

B. Design PSO Algorithm

Particle swarm optimization [30] is one of the classic heuristic algorithms, and its main idea comes from the predatory behavior of a flock of birds. The core is to make use of the information sharing of individuals in the group so that the movement of the whole group has an evolutionary process from disorder to order in the problem solving space, so as to get the optimal solution of the problem. Suppose that there is a group of particles in a $D$ -dimensional search space, and each particle has an initial velocity $v_{k} $ , initial position $s_{k} $ and fitness value $g_{k} $ . In each iteration, each particle constantly updates its own velocity and position. At the same time, the fitness value is used to determine the optimal position $p_{k} $ of the updated individual and the optimal position $p_{g} $ of the population. Assuming that the optimal position is the initial position of particles in the first iteration, the update formula of the velocity and position of particles in the population are as follows:\begin{align*} v_{kd} (u+1)=&zv_{kd} (u)+c_{1} r_{1} (p_{kd} (u)-s_{kd} (u)) \\&+ c_{2} r_{2} (p_{gd} (u)-s_{kd} (u))\tag{12}\\ s_{kd} (u+1)=&s_{kd} (u)+v_{kd} (u+1)\tag{13}\end{align*} View Source\begin{align*} v_{kd} (u+1)=&zv_{kd} (u)+c_{1} r_{1} (p_{kd} (u)-s_{kd} (u)) \\&+ c_{2} r_{2} (p_{gd} (u)-s_{kd} (u))\tag{12}\\ s_{kd} (u+1)=&s_{kd} (u)+v_{kd} (u+1)\tag{13}\end{align*} where $k$ represents the $k$ th particle in the population; $u$ represents the current iteration times; $z$ is the inertia factor, whose value is nonnegative. When $z$ is large, the global search ability is strong; when $z$ is small, the global search ability becomes weak; $c_{1}$ and $c_{2}$ are the individual learning factors and social learning factors of particles, whose values are nonnegative constants; $r_{1}$ and $r_{2}$ are independent random numbers in the range of [0, 1].

In order to make the parameters of PSO adjust adaptively with the number of iterations, many scholars have proposed a variety of autonomous particle swarm optimization algorithms, which effectively balance the global and local search ability of particles, but still cannot solve the defect that particles are easy to fall into local optimum. Therefore, this paper proposes a Cauchy-Gaussian mutation strategy to make the particles which fall into local optimum get rid of stagnation and continue to search. Secondly, according to Clerc’s idea of shrinkage factor [31], only use a global contraction factor to replace other adaptive parameters. The improved particle velocity update formula and Cauchy-Gaussian mutation strategy are as follows:\begin{align*} v_{kd} (u+1)=&K[v_{kd} (u)+c_{1} r_{1} (p_{kd} (u)-s_{kd} (u)) \\&+ c_{2} r_{2} (p_{gd} (u)-s_{kd} (u))] \tag{14}\\ K=&\frac {2}{\left |{ {2-\varphi -\sqrt {\varphi ^{2}-4\varphi }} }\right |}, \\ where ~\varphi=&c_{1} +c_{2},\quad \varphi >4\tag{15}\\ x_{kd} (u)=&s_{kd} (u) \\&\times \left [{ {1+\lambda _{1} cauchy(0,\sigma ^{2})+\lambda _{2} Gauss(0,\sigma ^{2})} }\right], \\ \tag{16}\\ \sigma=&\begin{cases} 1,&\!\!\!\!\!\! f(s_{best})\! < \!f(s_{kd} (u)) \\ \exp \left ({{\dfrac {f(s_{best})-f(s_{kd})}{\left |{ {f(s_{best})} }\right |}} }\right),&\!\!\!\!otherwise \\ \end{cases} \\{}\tag{17}\end{align*} View Source\begin{align*} v_{kd} (u+1)=&K[v_{kd} (u)+c_{1} r_{1} (p_{kd} (u)-s_{kd} (u)) \\&+ c_{2} r_{2} (p_{gd} (u)-s_{kd} (u))] \tag{14}\\ K=&\frac {2}{\left |{ {2-\varphi -\sqrt {\varphi ^{2}-4\varphi }} }\right |}, \\ where ~\varphi=&c_{1} +c_{2},\quad \varphi >4\tag{15}\\ x_{kd} (u)=&s_{kd} (u) \\&\times \left [{ {1+\lambda _{1} cauchy(0,\sigma ^{2})+\lambda _{2} Gauss(0,\sigma ^{2})} }\right], \\ \tag{16}\\ \sigma=&\begin{cases} 1,&\!\!\!\!\!\! f(s_{best})\! < \!f(s_{kd} (u)) \\ \exp \left ({{\dfrac {f(s_{best})-f(s_{kd})}{\left |{ {f(s_{best})} }\right |}} }\right),&\!\!\!\!otherwise \\ \end{cases} \\{}\tag{17}\end{align*} where $s_{best} $ is the optimal individual position; $x_{kd} (u)$ represents the position of the optimal individual after mutation; $\sigma ^{2}$ is the standard deviation; $\lambda _{1} $ and $\lambda _{2} $ are the dynamic parameters of adaptive adjustment. In the search process, $\lambda _{1} $ is larger in the initial stage, and then gradually decreases, so that the algorithm can explore in a larger range with a larger mutation step; $\lambda _{2} $ is increasing, which is conducive to the algorithm to search the near optimal solution.

IPSO pseudo code is as follows:

C. Intrusion Detection Algorithm Based on IPSO-IRELM

Based on the above analysis and derivation, we introduce IPSO into IRELM algorithm and establish an intrusion detection model based on IPSO-IRELM. The role of IPSO is to find a group of particle swarm positions with the best fitness function, and assign them to the optimal initial weight and deviation of IRELM after the iteration to establish an intrusion detection model. The model description is shown in the Fig. 1:

FIGURE 1.

IPSO-IRELM algorithm intrusion detection framework.

Show All

A. Parameter Setting

Experiment 1: The parameters of classic PSO and its derivative algorithms (MPSO [32], TACPSO [33], AGPSO [34]) compared with IPSO are as follows:

Among them, MPSO is to incorporate an asymmetric time-varying acceleration coefficients adjusting strategy, which maintains the balance between global and local search with the great advantages of convergence property and robustness compared with basic PSO algorithm; In TACPSO, random velocities are added to reinitialize the velocities of particles in order to avoid searching for particles with zero velocity prematurely. Also, to enhance early exploration and later exploitation, exponential time-varying acceleration coefficients are introduced, and the algorithm has a better probability of finding the global optimum and the average optimum than other algorithms; The main idea of the AGPSO algorithm is inspired by the diversity of individuals in bird or insect flocks, using different functions with different slopes, curvatures and intercept points to tune the social and cognitive parameters of the particle swarm algorithm in order to endow the particles with behaviors different from those of the natural population, further alleviating the problem of getting stuck in local minima and slow convergence of high-dimensional problems. The MPSO, TACPSO and AGPSO were chosen for comparison because these three improvement methods are more classical and more effective.

When doing the experiment, the number of particles is set to 30; the number of iterations is 1000. Take the average of 50 runs of the experiment.

Experiment 2-4: The parameters of the IRELM neural network model are: 41—39—1, and the number of iterations is 100. The model parameters of IRELM are determined by the two-classification experiment of GA-IRELM. First, set the number of hidden layer nodes to 10, 20, 30, 40, and 50 respectively. The experimental results show that the model with 40 hidden layer units has the best detection accuracy. Then set the number of hidden layer nodes to 36, 37, 38, 39, 40, 41, 42. The results show that the model with 39 hidden layer units has the best detection accuracy. When the number of hidden layer nodes is increased from 39 to 42, the accuracy of intrusion detection decreases. Keeping the hidden layer nodes unchanged, increasing the number of iterations will only cause overfitting and fluctuate the detection efficiency of the model.

B. IRELM Based on Sequential Learning

Experiment1: We choose 13 benchmark functions for testing, among which F1-F7 are single-peak benchmark functions, and F8-F13 are multimodal benchmark functions [35].

Experiment2: The UCI data sets [36] are as follows:

Experiment3: The NSL-KDD data set [37] is as follows:

Experiment4: The UNSW-NB15 data set [38] is as follows:

C. IPSO Experiment Results

In order to verify that IPSO has a better optimization effect, we use the 13 benchmark functions in Table. 3 to do experiments, and verify whether IPSO is applicable to any dimension from the perspective of low-dimensional and high-dimensional. Fig. 2 shows the images of thirteen benchmark functions and the convergence curves of the algorithms in 30 dimensions. Table. 7 and Table. 8 respectively show the best optimization result, average optimization result and standard deviation of optimization result of unimodal function and multimodal function in low dimension. Table. 9 and Table. 10 respectively show the best optimization result, average optimization result and standard deviation of optimization result of unimodal function and multimodal function in high dimension respectively. The best result represents the optimization ability of the algorithm, and the average result and standard deviation of the optimization results reflect the stability and robustness of the algorithm. For attention, the best values in Table. 7–​10 are marked in bold.

TABLE 2 Updating Strategies

TABLE 3 Benchmark Functions

TABLE 4 UCI Datasets Details

TABLE 5 NSL-KDD Classification Situation

TABLE 6 UNSW-NB15 Classification Situation

TABLE 7 The Experimental Results of Single Peak When Dim = 30

TABLE 8 The Experimental Results of Multimodal When Dim = 30

TABLE 9 The Experimental Results of Single Peak When Dim = 300

TABLE 10 The Experimental Results of Multimodal When Dim = 300

FIGURE 2.

Convergence curve.

Show All

According to Table. 7–​10, when the dimension of the benchmark function is 30, first, IPSO obtains 11 minimum values of 13 benchmark functions except F8 and F9. Secondly, 8 average optimal values are obtained in 13 benchmark functions. At the same time, IPSO’s standard deviation of the optimal results is also significantly better than other algorithms. When the dimension of benchmark function is 300, IPSO obtains 6 minimum values, 3 average optimal values and 2 standard deviations of optimal results, while PSO obtains 5 minimum values, 8 average optimal values and 7 standard deviations of optimal results. This shows that through the comparison of Table. 7 and Table. 8, IPSO can obtain better optimization results in low-dimensional benchmark functions, but the effect on multimodal functions is not as good as that of unimodal functions; through the comparison of Table. 9 and Table. 10, in high-dimensional benchmark functions, other improved PSO algorithms are inferior to the original PSO, and in the improved PSO, the comprehensive effect of IPSO is relatively the best; through the comparison of Table. 7 and Table. 9, the comparison of Table. 8 and Table. 10, we can conclude that the higher the dimensionality of the benchmark function, the worse the optimization effect. Therefore, the original PSO has a better effect on the high-dimensional benchmark function, and other improved PSOs are slightly inferior.

D. UCI Data Set Experimental Results

In order to verify the effectiveness of the proposed algorithm on the real classification data set, IPSO-IRELM was compared with PSO-IRELM, GA-IRELM, IRELM and RELM on the UCI data set. The performance evaluation indexes of each algorithm are listed in Table. 11–​13, and the detection results of each algorithm are given in Fig. 3. It can be seen intuitively from Fig. 3 that whether it is the Iris data set or the Wine data set, the predicted value of IPSO-IRELM coincides perfectly with the true value, and the classification accuracy rate reaches 100%. It can be seen from Table. 11–​13 that the performance evaluation indicators of other comparison algorithms are better, but not as good as IPSO-IRELM. This is because the two selected data sets are balanced data sets, so the detection results are better. IPSO-IRELM has the best performance evaluation index, which indicates that IPSO has better optimization ability than PSO and GA algorithm, and the necessity of introducing IPSO into IRELM; it also verifies that IPSO-IRELM algorithm has better classification performance. Therefore, it is further used in network intrusion detection to verify the feasibility of IPSO-IRELM.

TABLE 11 Accuracy of Each Algorithm on UCI Dataset (%)

TABLE 12 Performance Evaluation Index of Each Algorithm on Iris Dataset

TABLE 13 Performance Evaluation Index of Each Algorithm on Wine Dataset

FIGURE 3.

The detection results of each algorithm on UCI datasets.

Show All

E. NSL-KDD Data Set 2-Element Classification Experiment Results

We merged the four types of attacks in the NSL-KDD dataset into Abnormal and denoted as 2 and Normal as 1. The experiment changed from a multi-classification problem to a two-element classification problem. The experimental results of each algorithm are shown in Table. 14 and Table. 15. Fig. 4 is a comparison diagram of the confusion matrix and ROC curve of the binary classification results. From Table. 14, compared with other algorithms, IPSO-IRELM has the highest accuracy rate of up to 91.13%, but the NSL-KDD data set is an unbalanced data set. Therefore, in addition to the accuracy rate, the precision, the true positive rate (TPR), the false positive rate (FPR), the F-score, and the area under curve (AUC) are used to evaluate the classification [39]. It can be seen from Table. 15 that for category 1, the TPR of SVM, ELM, RELM, IRELM, and GA-IRELM is better, reaching more than 97%, while the TPR of PSO-IRELM and IPSO-IRELM is a little worse. This is because the first five algorithms misjudge a large amount of attack data as normal data, so for category 2, their TPR is very low compared to IPSO-IRELM, and IPSO-IRELM’s TPR can reach 94.24%. Looking at the F-score and AUC, IPSO-IRELM is the best. In terms of precision, for category 2, IPSO-IRELM is a bit worse than other algorithms, but the difference is not big.

TABLE 14 Accuracy of Each Algorithm on NSL-KDD Dataset (%)

TABLE 15 Performance Evaluation Index of Each Algorithm on NSL-KDD Dataset

FIGURE 4.

Binary classification confusion matrix and ROC curve comparison diagram.

Show All

The confusion matrix is used to summarize the records in the data set according to the actual results and prediction results to realize visualization. As can be seen from Fig. 4, IPSO-IRELM has the best performance in predicting category 2. At the time, the value corresponding to the second quadrant is the largest, which also corresponds to the TPR value of IPSO-IRELM corresponding to category 2 in Table. 15. ROC curve is a curve reflecting the relationship between TPR and FPR. The curve divides the graph into two parts, and the part below the curve is expressed as AUC, which is used to illustrate the accuracy of prediction. It can be seen from Fig. 4 that the AUC of IPSO-IRELM is the highest in both category 1 and category 2, which fully indicates the excellent performance of IPSO-IRELM and verifies that IPSO-IRELM has better binary classification detection effect than other algorithms. Overall, IPSO-IRELM has the best performance.

F. NSL-KDD Data Set Multivariate Classification Experiment Results

Divide Normal, Dos, Probe, U2R, and R2L into five categories, denoted as 1, 2, 3, 4, and 5 respectively. The experiment has changed from two classifications to multiple classifications. The experimental results are shown in Table. 16–​21. The confusion matrix and ROC curve diagram of multiclass classification are given in Fig. 5.

TABLE 16 Accuracy of Different Algorithms (%)

TABLE 17 Performance Evaluation Index of Each Algorithm on Normal

TABLE 18 Performance Evaluation Index of Each Algorithm on Dos

TABLE 19 Performance Evaluation Index of Each Algorithm on Probe

TABLE 20 Performance Evaluation Index of Each Algorithm on U2R

TABLE 21 Performance Evaluation Index of Each Algorithm on R2L

FIGURE 5.

Multiple classification confusion matrix and ROC curve comparison diagram.

Show All

From Table. 16, IPSO-IRELM has the highest accuracy rate of 85.58%. Since the NSL-KDD multi-classification data set is still an unbalanced data set, the intrusion detection capabilities of each algorithm are further analyzed in terms of precision, TPR, FPR, F-score and AUC.

It can be seen from Table. 17 that for the Normal type data, the TPR of each algorithm is better, all above 97%. For other performance indicators, the precision, FPR, F-score and AUC of IPSO-IRELM are the highest among the comparison algorithms, indicating that IPSO-IRELM has better classification performance for Normal type data.

It can be seen from Table. 18 that for DOS data, IPSO-IRELM has the highest precision, TPR and F-score, but FPR is a little worse than SVM, ELM, RELM and IRELM. This is because in IPSO-IRELM, other types of data are predicted to have too many DOS data, resulting in slightly poor FPR. For AUC, IPSO-IRELM is second only to IRELM. In general, IPSO-IRELM has a strong ability to identify DOS type attacks.

From Table. 19, for Probe type data, the TPR of IPSO-IRELM is the highest, but the FPR is also the highest. This is because in addition to the better detection ability of IPSO-IRELM for Probe type data, other types of data will also be mistakenly detected as Probe type data, resulting in the highest FPR and low precision, but the F-score and AUC are still the highest.

It can be seen from Table. 20 that for U2R data, there are only 11 training data and 200 test data, so SVM, ELM, RELM, IRELM, GA-IRELM and PSO-IRELM all have poor recognition effect for U2R data. Although the TPR of IPSO-IRELM is only 5%, it is still the best, and the F-score and AUC are also the highest, with an precision rate of 76.92%, which other algorithms cannot do, indicating that IPSO-IRELM also has a certain ability to detect a few types of data, but it needs to be improved.

From Table. 21, for R2L type data, SVM and GA-IRELM still cannot recognize R2L data because it is still a minority type of data. Other algorithms have recognition capabilities, but they are still not prominent. IPSO-IRELM’s TPR, F-score and AUC are second only to RELM, but the precision rate is higher than RELM. This is because RELM recognizes that other types of data are more R2L data during classification, which leads to a higher TPR than IPSO-IRELM, but the accuracy rate is not as good as IPSO-IRELM.

Through the analysis of Table. 17–​21, we can conclude that in the multivariate classification problem, it is not only necessary to consider some performance indicators. When the TPR conflicts with the precision rate, the comparison between models is relatively complicated. The F-score just reconciles the TPR and precision rate. In Table. 17–​21, the F value is better, indicating that IPSO-IRELM has a better classification effect than other algorithms.

In the analysis of Table. 17–​21, we found that when the classification error occurs, only looking at the precision rate and TPR can potentially see which category is more, which category is less. We do not know how many types of specific errors are classified into. Therefore, we still use the confusion matrix to show the difference of the data with its color difference, brightness, etc., which is easy to understand. The dark area indicates that the true value and the predicted value overlap more, and the light area is the opposite. It can be seen from Fig. 5 that the dark areas of the first three categories of each algorithm are concentrated on the diagonal, and the latter two categories are concentrated on the lower left corner, which is caused by the imbalance of the data. Because the latter two types of data are too small, the algorithm’s recognition ability is not sufficient for high-level recognition, which leads to the recognition result tends to the category 1. From the comparison between the algorithms, for category 1, the classification accuracy of each algorithm is not much different. For category 2 and category 3, the good classification performance of the IPSO-IRELM algorithm is reflected, which is the best among all the comparison algorithms. As for the minority categories 4 and 5, IPSO-IRELM also has a certain recognition ability, while the recognition ability of other algorithms is basically zero.

The ROC curve has a huge advantage. When the distribution of positive and negative samples changes, its shape can remain basically unchanged. Therefore, the ROC curve can reduce the interference caused by different test sets and more objectively measure the performance of the model itself. It can be seen from Fig. 5 that IPSO-IRELM has the best AUC for Normal, Dos, Probe and U2R. For R2L type, it is second only to RELM with a difference of 0.00472.

In summary, on the UCI balanced data set, the performance of IPSO-IRELM is better than that of IRELM and the traditional RELM algorithm, which shows the necessity of the improved method. On the NSL-KDD binary classification and multivariate classification data sets, it is also verified that the IPSO-IRELM algorithm has better classification performance.

G. UNSW-Nb15 Data Set Multivariate Classification Experiment Results

The UNSW-NB15 dataset contains new patterns of modern network features with nine types of attacks, so this paper also uses the UNSW-NB15 dataset to verify whether the proposed algorithm can have a better classification effect in the current network environment. Since the UNSW-NB15 dataset is also a non-equilibrium dataset, neither the proposed algorithm nor the comparison algorithms can identify the four attacks: Analysis, Backdoor, shellcode and Worms in the experiment, so the final experimental results are shown in Table. 22–​28 and Fig. 6.

TABLE 22 Accuracy of Different Algorithms (%) and time(s)

TABLE 23 Performance Evaluation Index of Each Algorithm on Normal

TABLE 24 Performance Evaluation Index of Each Algorithm on Dos

TABLE 25 Performance Evaluation Index of Each Algorithm on Exploits

TABLE 26 Performance Evaluation Index of Each Algorithm on Fuzzers

TABLE 27 Performance Evaluation Index of Each Algorithm on Generic

TABLE 28 Performance Evaluation Index of Each Algorithm on Reconnaissance

FIGURE 6.

UNSW-NB15 dataset multiple classification confusion matrix.

Show All

From Table. 22, it is concluded that IPSO-IRELM has the highest accuracy rate of 88.53%. Also, IRELM has the shortest training time, which indicates that IRELM is more efficient. The training time of IPSO-IRELM increases due to the optimization of IPSO, but it does not increase compared with GA-IRELM and PSO-IRELM, which indicates that our improvement of PSO does not increase its complexity. Similarly, since the UNSW-NB15 multiclassification dataset is also an unbalanced dataset, the intrusion detection capability of each algorithm is further analyzed in terms of precision, TPR, FPR, F-score, and AUC.

From Fig. 6, a portion of the Exploits data is mistaken for Dos; a portion of the Fuzzers data is mistaken for Exploits; and a portion of the Normal data is mistaken for Fuzzers in the final classification results obtained by all algorithms, which leads to the low precision rates in Table. 24–​26. For Generic data, as in Table. 27, each algorithm can detect it well, but IPSO-IRELM has the smallest FPR, indicating that IPSO-IRELM can detect Generic while not mistaking Generic for other classes. For Normal data, as shown in Table. 23, the TPR, F-value and AUC of IPSO-IRELM are the highest, which indicates that IPSO-IRELM has better classification performance for Normal data. In summary, IPSO-IRELM not only has the highest accuracy rate, but also the training time does not increase. Although some classifications are not recognized for the UNSW-NB15 dataset, it has the best classification results for the remaining six classifications, indicating that IPSO-IRELM still has better classification ability in modern network environments as well.