International Journal of Advanced Computer Research (ISSN (print): 2249-7277 ISSN (online): 2277-7970)
Volume-4 Number-3 Issue-16 September-2014

Intrusion Detection System using Support Vector Machine (SVM) and Particle Swarm Optimization (PSO)

Vitthal Manekar1, Kalyani Waghmare2

Manuscript received August 15, 2014.
Vitthal Manekar, Department of Computer Engineering, PICT, Pune, India.
Kalyani Waghmare, Department of Computer Engineering, PICT, Pune, India.

Abstract

The security and privacy of a system are at risk when an intrusion happens. An Intrusion Detection System (IDS) plays an important role in network security, as it detects various types of attacks in the network. This paper proposes an Intrusion Detection System using data mining techniques: SVM (Support Vector Machine) and PSO (Particle Swarm Optimization). First, PSO performs parameter optimization using SVM to get the optimized values of C (cost) and g (gamma parameter). Then PSO performs feature optimization to get the optimized features. These parameters and features are then given to SVM to get higher accuracy. The experiment is performed using the NSL-KDD dataset.

Keywords

Support Vector Machine (SVM), Particle Swarm Optimization (PSO), Intrusion Detection System (IDS).

1. Introduction

As network-based computer systems have important roles in modern society, they have become the targets of intruders. Therefore, we need to build the best possible rules to protect our systems. The security of a computer system is vulnerable when an intrusion takes place. An intrusion can be defined as any action that harms the integrity, confidentiality or availability of the system. There are some intrusion prevention techniques which can be used to protect computer systems as a first line of defence. A firewall is one of them. But intrusion prevention alone is not enough. As systems become more complex, there are always exploitable weaknesses in the systems due to design and programming errors, or various penetration techniques. Therefore, intrusion detection is required as another measure to protect our computer systems from such vulnerabilities.

Intrusion prevention techniques, such as user authentication and information protection via encryption, have been used to protect computer systems as a first line of defense. Intrusion prevention alone is not sufficient because, as systems become more complex, there are always exploitable weaknesses in the systems due to design and programming errors, or various "socially engineered" penetration techniques. Intrusion detection is therefore needed as another wall to protect computer systems. An IDS only detects intrusions, with the help of different classification algorithms. The main functionality of an intrusion detection system is performed by the classification algorithm. Several algorithms are used with IDS, such as PCA with SVM and genetic algorithm with SVM. The accuracy of an IDS depends on these algorithms. That is why PSO is used along with SVM to improve IDS.

2. Literature Survey

Many studies have aimed to prepare an improved SVM model to get maximum accuracy in IDS. Some of these techniques are reviewed below.

In 2008, Zhou, Jianguo, et al. proposed a Culture Particle Swarm Optimization algorithm (CPSO) to optimize the parameters of SVM. By using the colony aptitude of the particle swarm and the ability of the culture algorithm to conserve evolving knowledge, this CPSO algorithm constructed the population space based on the particle swarm and the knowledge space. The proposed CPSO-SVM model, which can choose optimal values of the SVM parameters, was tested on the prediction of financial distress of listed companies in China , and M. Maragoudakis et al. suggested that the RBF has certain parameters that affect the accuracy. If PSO is used along with an RBF artificial neural network, it will improve the accuracy. If it is used in IDS, it will improve the accuracy of classification [6].

In 2011, Horng, Shi-Jinn, et al. proposed an SVM based intrusion detection system, which used a
hierarchical clustering algorithm, leave one out, and the SVM technique. The hierarchical clustering algorithm provided the SVM with fewer, abstracted, and higher-qualified training instances derived from the KDD Cup 1999 training set. It was able to greatly minimize the training time and improve the performance of SVM. The simple feature selection procedure (leave one out) was applied to eliminate unimportant features from the training set so that the obtained SVM model could classify the network traffic data more accurately [1].

In 2012, Gaspar, Paulo, Jaime Carbonell, and José Luís Oliveira reviewed strategies that are used to improve the classification performance, in terms of accuracy, of SVMs and performed some experiments to study the influence of features and hyper-parameters in the optimization process, using kernel functions. Huang et al. provide a study on the joint optimization of the C and g parameters (using the RBF kernel) and feature selection using grid search and genetic algorithms [2].

In 2014, Ahmad, Iftikhar, et al. proposed a genetic algorithm to search the genetic principal components that offers a subset of features with optimal sensitivity and the highest discriminatory power. The support vector machine (SVM) is used for classification. The results show that the proposed method enhances SVM performance in intrusion detection [3].

3. Optimization of SVM using PSO

There are four steps used in this system. These are as below:

A. Data Pre-Processing:

The training dataset of NSL-KDD consists of approximately 4,900,000 single connection vectors [13]. Each connection contains 42 features, including attack or normal. From these labeled connection records, we need to map the labels to numeric values to make them suitable as input to our machine learning algorithm, SVM. We also assign a target class to each connection according to the class label feature, which is the last feature in the connection record. Accordingly, we assign target class 'zero' for a normal connection and 'one' for any deviation from that (i.e. if it is an attack).

In this step, some useless data will be filtered and modified. For example, some text items need to be converted into numeric values. Every process (i.e. single connection vector) in the database has 41 attributes.

B. Conversion of datasets to LibSVM format:

Pre-processed datasets are converted to LibSVM format. In this process, the categorical features of both the training and testing datasets are first converted to numeric values, and then we determine the target classes for the classification phase. Here, the conversion and scaling function determines two target classes: class 'zero' for a normal instance and class 'one' for an attack or intrusion [7]. It then saves the target class and feature values of each instance in LibSVM format.

LibSVM format is:

[Label] [Index 1]:[value 1] [index 2]:[value 2]

Where,
'Label' is the target class of classification. Usually integers are put here. [0, 1] target class.
'Index' is the ordered index. Usually a continuous integer.
'Value' is the input data for training. Usually lots of real (floating point) numbers.

The input dataset for the problem we are trying to solve involves lots of 'features' or 'attributes', so the input will be a set (or vector/array).

After this step, we perform linear scaling of the LibSVM format datasets and store the scaled datasets for further use. Linear scaling of the datasets is done to improve the performance of SVM classification.

C. Optimization using SVM and PSO:

The NSL-KDD dataset in LibSVM format is scaled to [0, 1]. Scaling is the method used to reduce the impact of bigger values on smaller values. It improves the performance of SVM. Here we use LibSVM.jar to implement the SVM algorithm. SVM is a statistical machine learning algorithm that takes its input data in the form of numeric values and builds a model for classification. There are four types of kernel function used by SVM for classification. A kernel function is used to map the dataset into a higher dimension. These are linear, RBF, Polynomial. Several parameters are used in SVM. In the RBF kernel type of SVM, there are two parameters, C (cost) and g (gamma). The accuracy of the SVM for the RBF type depends on these two parameters. Optimized values of these parameters and optimized features increase the accuracy of SVM. PSO is used to optimize the features and parameters. PSO is a dynamic clustering algorithm
based on social interaction [8]. It has fast convergence ability [11]. It works better in integration with SVM [9].

D. Classification Using SVM:

The SVM uses a portion of the data to train the system, finding several support vectors that represent the training data. These support vectors form an SVM model. According to this model, the SVM works with PSO for C and g (mentioned in Eqn (1) and Eqn (2)) optimization and feature subset selection, which improves the SVM model. After that, SVM is used to classify a given unknown dataset. The basic input data format and output data domains are listed as follows:

$(X_i, Y_i), \ldots, (X_n, Y_n)$

where $X \in R^m$ and $Y \in \{0, 1\}$.

Here $(X_i, Y_i), \ldots, (X_n, Y_n)$ are the training data records, n is the number of samples, m is the input vector, and y belongs to the category of class '0' or class '1' respectively. For a linear problem, a hyperplane divides the data into the two categories, as shown in the figure. The hyperplane formula is:

$(w \cdot x) + b = 0$

The category formula is:

$(w \cdot x) + b \geq 0$ if $Y_i = 1$
$(w \cdot x) + b < 0$ if $Y_i = 0$

Figure 1: Hyper-Plane of SVM

A classification task usually involves training and testing data which consist of some data instances. Each instance in the training set contains one "target value" (class labels: Normal or Attack) and several "attributes" (features). The goal of SVM is to produce a model which predicts the target value of data instances in the testing set, for which only the attributes are given. To attain this goal there are four different kernel functions. In this experiment the RBF kernel function is used.

The formula for the RBF kernel optimization function is:

$\exp(-g \, \lVert X_i - X_j \rVert^2)$    Eqn (1) [12]

Finding vectors from the training data is formulated as:

Minimize (over $w, b, \ldots$)  $\lVert w \rVert^2 + C \ldots$    Eqn (2)

4. Experiment Result

In this experiment, PSO optimizes the parameters of SVM (RBF) using SVM and also reduces the features of the training set. It removes the noisy features from the training set. The training set contains 25149 records and the testing set contains 11850 records. The algorithms used in the experiment are given below.

This experiment compares the accuracy of different kernel functions of SVM with feature selection. Accuracy is measured using the confusion matrix [10]. The kernel functions used here are Linear, Gaussian, RBF, Polynomial. The results show that the RBF kernel function with optimized features gives the highest accuracy.

Table 1: Comparison of accuracy and time of different kernel functions of SVM

Algorithm                                          Accuracy    Time (in
SVM (RBF with parameter and feature selection)
SVM (RBF without Feature Selection)
SVM (Linear with feature selection)
SVM (Gaussian with feature selection)
1.986

Figure 2: Comparison of Accuracy SVM with Different Kernel Function
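The pre-processing, LibSVM conversion and [0, 1] scaling steps of Section 3 (A and B), as an added Python example that is not the authors' code: categorical fields get integer codes learned from the training set, the label becomes class 0 (normal) or 1 (attack), and the test set is scaled with the training minimum and maximum. The sample records, the five-field layout, the clipping of out-of-range test values and all function names are assumptions made for illustration.

```python
def fit_encoders(rows, categorical):
    """Assign integer codes (1, 2, ...) to each categorical value seen in training."""
    enc = {col: {} for col in categorical}
    for row in rows:
        for col in categorical:
            enc[col].setdefault(row[col], len(enc[col]) + 1)
    return enc

def to_numeric(row, enc):
    """Return (target class, numeric features); the class label is the last field."""
    feats = [float(enc[i].get(v, 0)) if i in enc else float(v)
             for i, v in enumerate(row[:-1])]  # category unseen in training -> 0
    return (0 if row[-1] == "normal" else 1), feats

def fit_scaler(vectors):
    cols = list(zip(*vectors))
    return [min(c) for c in cols], [max(c) for c in cols]

def scale(feats, mins, maxs):
    """Linear scaling to [0, 1] using training min/max; test outliers are clipped."""
    out = []
    for v, lo, hi in zip(feats, mins, maxs):
        s = (v - lo) / (hi - lo) if hi > lo else 0.0
        out.append(min(1.0, max(0.0, s)))
    return out

def to_libsvm(label, feats):
    """[Label] [Index 1]:[value 1] ... with 1-based indices; zero values are omitted."""
    pairs = " ".join(f"{i}:{v:g}" for i, v in enumerate(feats, 1) if v != 0)
    return f"{label} {pairs}".rstrip()

# Constructed NSL-KDD-style records, cut down to five features plus the label:
# duration, protocol_type, service, flag, src_bytes, label
TRAIN = [
    ["0", "tcp", "http", "SF", "200", "normal"],
    ["2", "udp", "domain_u", "SF", "100", "normal"],
    ["0", "tcp", "private", "S0", "0", "neptune"],
    ["4", "icmp", "ecr_i", "SF", "1000", "smurf"],
]
TEST = [["1", "tcp", "telnet", "SF", "2000", "guess_passwd"]]

def convert(train_rows, test_rows, categorical=(1, 2, 3)):
    enc = fit_encoders(train_rows, categorical)
    train = [to_numeric(r, enc) for r in train_rows]
    mins, maxs = fit_scaler([f for _, f in train])  # fitted on training data only
    fmt = lambda rows: [to_libsvm(l, scale(f, mins, maxs)) for l, f in rows]
    return fmt(train), fmt([to_numeric(r, enc) for r in test_rows])
```

The test record shows the two cases a scaler fitted on training data has to handle: a service value never seen in training and a src_bytes value above the training maximum.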

Figure 3: Comparison of Time SVM with Different Kernel Function

Figure 4: Comparison of Accuracy of SVM with RBF

Parameter Optimization

    Input: Str, Stest, Cl, Cp, gl, gp
    Output: C, g
    /* Str, Stest are the scaled training and testing datasets.
       Cl, Cp are the lower and upper limits of parameter C.
       gl, gp are the lower and upper limits of parameter g. */
    Step 1: particle = {pos, fitness, velocity, bestpos, bestfitness}
    Step 2: initialize population of parameters [max size of swarm = 10]
        Particle[] swarm = new Particle[max size], bestGlobalpos, bestGlobalfit
        For each swarm i from 1 to 10
            Initialize pos in range [Cl, Cp] and [gl, gp]
            // particle consists of two dimensions, C and g
            PFitness = SVM(Str, Stest, pos);
            // calculation of fitness value based on mean square error (MSE) using SVM
            Initialize velocity in range [Cl, Cp] and [gl, gp]
            swarm[i] = {pos, PFitness, velocity, pos, PFitness}
            if (swarm[i].fitness < bestGlobalfit) Then
                bestGlobalfit = swarm[i].fitness;
                bestGlobalpos = swarm[i].pos;
            End if
        End For
    Step 3: choose particle with best fitness value
        While (i < max iteration)
            Do for j from 1 to 10
                Particle currP = swarm[j];
                Newvelocity = w * velocity[j] + (c1 * r1 * (currP.bestpos - currP.pos)) + (c2 * r2 * (bestGlobalpos - currP.pos));
                // w is inertia; c1, c2 are the cognitive local and global weights
                Newpos = pos + Newvelocity;
                Newfit = SVM(Newpos);
                if (Newfit < currP.bestfitness) Then
                    currP.pos = Newpos;
                    currP.bestfitness = Newfit;
                End if
                if (Newfit < bestGlobalfit) Then
                    bestGlobalpos = Newpos;
                    bestGlobalfit = Newfit;
                End if
            End for loop
        End While

Feature Optimization

    Step 1: take l as the binary string of size 40
        // as l = 01010101010101001010101 .
    Step 2: particle = {pos, fitness, bestpos, bestfitness}
    Step 3: Particle[] swarm = new Particle[max size], bestGlobalpos, bestGlobalfit
    Step 4: do for each particle in swarm i from 1 to 10
        pos = random string(l);
        writeRandomFeatures(pos, Str);
        // In this function, feature.txt is generated from the binary string; Str is the scaled training dataset
        Fitness = SVMF(feature.txt, Stest, C, g);
        // In this function, Stest is the scaled test dataset; C and g are the parameters obtained from parameter optimization
        swarm[i] = particle{pos, Fitness, pos, Fitness}
        if (swarm[i].Fitness < bestGlobalfit) Then
            bestGlobalfit = swarm[i].Fitness;
            bestGlobalpos = swarm[i].pos;
        End if
    End for
    Step 5: do while i from 1 to max iteration
        Newpos; Newfit;
        Do for j from 1 to 10
            Particle P = swarm[j];
            Newpos = random string(pos);
            writeRandomFeatures(Newpos, Str);
            Newfit = SVMF(feature.txt, Stest, C, g);
            if (Newfit < P.bestfitness)
                P.bestpos = Newpos;
                P.bestfitness = Newfit;
            End if
            if (Newfit < bestGlobalfit)
                bestGlobalpos = Newpos;
                bestGlobalfit = Newfit;
            End if
        End For
    End while

5. Conclusion

Here we used two methods of optimization: first parameter optimization, and second feature optimization. Parameter optimization gives optimized values of the parameters (C and g), and feature optimization gives optimized features. We used these features and parameters with different kernel functions of SVM. Here we have used the linear, RBF, Gaussian and Polynomial kernel functions with SVM. The RBF kernel function gives the highest accuracy. Hence we conclude that SVM with the RBF kernel function gives high accuracy with optimized features and also takes less time for classification.

In future, we can include these methods in Mahout (machine learning library) to improve the accuracy of SVM.

References

[1] Horng, Shi-Jinn, et al. "A novel intrusion detection system based on hierarchical clustering and support vector machines." Expert Systems with Applications 38.1 (2011): 306-313.
[2] Gaspar, Paulo, Jaime Carbonell, and José Luís Oliveira. "On the parameter optimization of Support Vector Machines for binary classification." J Integr Bioinform 9.3 (2012): 201.
[3] Ahmad, Iftikhar, et al. "Enhancing SVM performance in intrusion detection using optimal feature subset selection based on genetic principal components." Neural Computing and Applications 24.7-8 (2014): 1671-1682.
[4] Hashem, Soukaena Hassan. "Efficiency of Svm and Pca to Enhance Intrusion Detection System." Journal of Asian Scientific Research 3.4 (2013): 381-395.
[5] Zhou, Jianguo, et al. "The study of SVM optimized by Culture Particle Swarm Optimization on predicting financial distress." Automation and Logistics, 2008. ICAL 2008. IEEE International Conference on. IEEE, 2008.
[6] Kolias, Constantinos, Georgios Kambourakis, and M. Maragoudakis. "Swarm intelligence in intrusion detection: A survey." Computers & Security 30.8 (2011): 625-642.
[7] Bhavsar, Yogita B., and Kalyani C. Waghmare. "Intrusion Detection System Using Data l Journal of Emerging Technology and Advanced Engineering 3.3 (2013).
[8] L. Zhen, L. Wang, X. Wang, Z. Haung. "A on Algorithm." 2008 International Symposium on Information Science and Engineering.
[9] Alba, Enrique, et al. "Gene selection in cancer classification using PSO/SVM and GA/SVM hybrid algorithms." Evolutionary Computation, 2007. CEC 2007. IEEE Congress on. IEEE, 2007.
[10] Han, Jiawei, and Micheline Kamber. Data Mining, Southeast Asia Edition: Concepts and Techniques. Morgan Kaufmann, 2006.
[11] Garšva, Gintautas, and Paulius Danenas. "Particle swarm optimization for linear support vector machines based classifier selection." Nonlinear Analysis 19.1 (2014): 26-42.
[12] Chih-Chung Chang and Chih-Jen Lin. LIBSVM: a library for support vector machines. ACM Transactions on Intelligent Systems and Technology, 2:27:1--27:27, 2011. Software available at http://www.csie.ntu.edu.tw/~cjlin/libsvm.
[13] ases/kddcup99/kddcup99.html, October 2007.

Vitthal Manekar is pursuing his Master Degree in Computer Engineering from PICT Pune. He received his B.E in Computer Science and Engineering from Nagpur University in 2011. His research interests include: Data Mining, Distributed System.

Prof. Kalyani Waghmare is Assistant Professor in the Computer department at PICT College, Pune. She has completed her Master Degree in IT. She has completed her B.E in Computer Science and Engineering. Her research interests include: Data Mining, Distributed System.
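The Parameter Optimization procedure of Section 4 (PSO searching C and g within [Cl, Cp] and [gl, gp], with an MSE fitness), as an added Python example that is not the authors' code. It assumes a bias-free least-squares SVM with the RBF kernel of Eqn (1) as a small stand-in for LibSVM, constructed sample data, and PSO weights w, c1, c2 chosen for illustration.

```python
import math
import random

def rbf(a, b, g):  # Eqn (1): exp(-g * ||Xi - Xj||^2)
    return math.exp(-g * sum((x - y) ** 2 for x, y in zip(a, b)))

def train(X, y, C, g):
    # Stand-in for LibSVM (assumption): solve (K + I/C) * alpha = t, t in {-1, +1}.
    n = len(X)
    A = [[rbf(X[i], X[j], g) + (1.0 / C if i == j else 0.0) for j in range(n)]
         + [1.0 if y[i] else -1.0] for i in range(n)]
    for c in range(n):  # Gauss-Jordan elimination with partial pivoting
        p = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[p] = A[p], A[c]
        A = [row if r == c else [u - row[c] / A[c][c] * v for u, v in zip(row, A[c])]
             for r, row in enumerate(A)]
    return [A[i][n] / A[i][i] for i in range(n)]

def mse(pos, Str, Stest):
    # Fitness: mean square error between predicted and true class on Stest.
    (C, g), (X, y) = pos, Str
    alpha = train(X, y, C, g)
    score = lambda x: sum(a * rbf(xi, x, g) for a, xi in zip(alpha, X))
    return sum(((score(x) >= 0) - t) ** 2 for x, t in zip(*Stest)) / len(Stest[0])

def pso(fitness, lo, hi, particles=10, iters=15, w=0.7, c1=1.5, c2=1.5, seed=7):
    rng = random.Random(seed)
    dims = range(len(lo))
    pos = [[rng.uniform(lo[d], hi[d]) for d in dims] for _ in range(particles)]
    vel = [[0.0 for _ in dims] for _ in range(particles)]
    best, bfit = [p[:] for p in pos], [fitness(p) for p in pos]
    gfit, gpos = min(zip(bfit, best))
    history = [gfit]
    for _ in range(iters):
        for j in range(particles):
            for d in dims:
                vel[j][d] = (w * vel[j][d] + c1 * rng.random() * (best[j][d] - pos[j][d])
                             + c2 * rng.random() * (gpos[d] - pos[j][d]))
                pos[j][d] = min(hi[d], max(lo[d], pos[j][d] + vel[j][d]))  # stay in range
            f = fitness(pos[j])
            if f < bfit[j]:  # lower MSE is better
                best[j], bfit[j] = pos[j][:], f
            if f < gfit:
                gpos, gfit = pos[j][:], f
        history.append(gfit)
    return gpos, gfit, history

# Constructed, already-scaled sample data: (feature vectors, 0 = normal / 1 = attack)
STR = ([[0.1, 0.2], [0.2, 0.1], [0.15, 0.3], [0.8, 0.9], [0.9, 0.7], [0.7, 0.8]],
       [0, 0, 0, 1, 1, 1])
STEST = ([[0.05, 0.15], [0.3, 0.2], [0.85, 0.8], [0.6, 0.9]], [0, 0, 1, 1])

def optimize(cl=0.1, cp=100.0, gl=0.01, gp=10.0):
    return pso(lambda p: mse(p, STR, STEST), [cl, gl], [cp, gp])
```

Scoring fitness on the same test set that later reports accuracy, as the procedure does with Stest, makes the reported accuracy optimistic; a separate validation split for the search avoids that.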
