*Computer and Network Security*

i. A network anomaly-based IDS should reduce the false alarm rate. But, totally mitigating the false alarm is not possible. Developing an intrusion detection system independent of the environment is another challenge task for the network anomaly-based intrusion detection system development community [9–13].

ii. Developing a general methodology or a set of parameters that can be used to evaluate the intrusion detection system is another challenging task [12, 13].

iii. When new patterns are identified in ANIDS, updating the database without compromise of performance is another challenging task [9, 13].

iv. Another task to be addressed is to reduce the computational complexities of data preprocessing in the training phase and also in the deployment phase [9, 10].

v. Developing a suitable method for selecting the attributes for each category of attack is another important task [9–11].

vi. Identifying a best classifier from a group of classifiers that is nonassociated and unbiased to build an effective ensemble approach for anomaly detection is another challenge [9–11].

**6. Feature optimization using canonical correlation analysis**

The preprocessed set of network transactions are partitioned based on its labeling ("normal" transactions as one set, "DoS" transactions as the other set and similar other range of sets). Unique values of each feature value set $f_i v(NTS)$ in the resultant normal transactions set (NTS) and its percentage of coverage are:

$$f_i v = \{f_i(v_1, c_1), f_i(v_2, c_2), f_i(v_3, c_3), f_i(v_4, c_4), \dots, f_i(v_j, c_j)\}\tag{1}$$

The procedure for feature optimization for each attack $A_k$ is as follows:

i. Consider the transactions set $ts(A_k)$ denoting attack type $A_k$ (as an example considers DoS as an attack).

ii. For every feature $f_i(A_k)$, consider all the values as a set $f_i v(A_k)$. An empty set $f_i v$ of size $|f_i v(A_k)|$ is created and fills it based on its coverage as $|f_i v(A_k)| \cong |f_i v|$, in which $|f_i v(A_k)|$ denotes the size of the feature values set of $f_i(A_k)$.

iii. The process is used to generate the feature values vector $f_i v$ of the NTS, such that $f_i v$ is compatible to the "$f_i v(A_k)$" toward size and that also represents the coverage ratio of the values in $f_i v(NTS)$.

iv. The process is applied for all feature values set in network transactions of attack $A_k$.

v. Find the canonical correlation between $f_i v(A_k)$ and $f_i v$. If the resultant canonical correlation is less than the threshold or zero, then the feature

**7. Feature association impact scale (FAIS)**

The approach for measuring the proposed feature association support ($fas$) metric considers the network transaction of the training dataset. The feature categorical values used in the network transactions are in the form of two independent sets. These values are used to develop a duplex graph between them.

#### **7.1 Assumptions**

Let $f_1, f_2, f_3, \dots, f_n \;\forall\, f_i = \{f_i v_1, f_i v_2, \dots, f_i v_m\}$ be the set of categorical features values used for forming the set of network transactions $T$. Here $T$ is a set of network transaction records of the given training set such as:

$$T = \{t_1, t_2, t_3, \dots\} \quad \forall\, t_i = \{val(f_1), val(f_2), \dots, val(f_i), val(f_{i+1}), \dots, val(f_n)\}\tag{2}$$

Categorical values of the set of features related to every network transaction shall be considered as transaction value set *tvs* and all transaction value sets are treated as "*STVS*."

In the description above in Eq. 2, $val(f_i)$ can be expressed as $val(f_i) \in \{f_i v_1, f_i v_2, \dots, f_i v_m\}$. The term "feature" refers to the current categorical value of the feature. The two features $val(f_i)$ and $val(f_j)$ are connected if and only if $val(f_i), val(f_j) \in tvs_k$.

#### **7.2 Algorithm for FAIS technique**

**Step 1:** The edge weight between the features $val(f_1)$ and $val(f_2)$ is estimated as:

$$w\left(val(f_1) \leftrightarrow val(f_2)\right) = \frac{ctvs}{|STVS|}\tag{3}$$

**Step 2:** The edge weight between transaction value sets and its corresponding set of feature categorical values can be measured as:

$$E = \left\{ (tvs_i, val_j) : val_j \in tvs_i,\ tvs_i \in STVS,\ val_j \in v \right\} \tag{4}$$

**Step 3:** Further assuming the transaction value sets of the given duplex graph as pivots and the feature categorical values as pure prerogatives, the pivot and prerogative values are measured.

**Step 3.1:** Consider matrix u, which denotes pivot initial value as 1.

**Step 3.2:** Transpose the matrix A as $A'$.

**Step 3.3:** Calculate prerogative weights by multiplying $A'$ with u.

**Step 3.4:** Calculate original pivot weights using matrix multiplication between A and V.

**Step 4:** Calculate the feature categorical value $fas$ of $f_i v_j$ as:

$$fas(f_i v_j) = \frac{\sum_{k=1}^{|STVS|}\left\{u(tvs_k) : (f_i v_j \to tvs_k) \neq 0\right\}}{\sum_{k=1}^{|STVS|} u(tvs_k)}\tag{5}$$

**Step 5:** The Feature Association Impact Scale $fais$ for every transaction value set $tvs_i$ is estimated as:

$$fais(tvs_i) = 1 - \frac{\sum_{j=1}^{m} \left\{ fas\left(\{val_j \,\exists\, val_j \in V\}\right) : (val_j \subset tvs_i)\right\}}{|tvs_i|}\tag{6}$$

**Step 6:** The Feature Association Impact Scale threshold $faist$ can be measured as:

$$faist = \frac{\sum_{i=1}^{|STVS|} fais(tvs_i)}{|STVS|}\tag{7}$$

**Step 7:** Calculate the standard deviation as:

$$sdv_{faist} = \sqrt{\frac{\sum_{i=1}^{|STVS|}\left(fais(tvs_i) - faist\right)^2}{|STVS| - 1}}\tag{8}$$

**Step 8:** The Feature Association Impact Scale range can be explored as Step 8.1 and Step 8.2:

**Step 8.1:** Calculate lower threshold of $faist$ as $faist_l = faist - sdv_{faist}$.

**Step 8.2:** Calculate higher threshold of $faist$ as $faist_h = faist + sdv_{faist}$.

*Anomaly-Based Intrusion Detection System DOI: http://dx.doi.org/10.5772/intechopen.82287*

effective for detecting the scope of intrusion from a network transaction. Despite the fact that the FAIS model proposed shows 88% accuracy, the major limitation is process complexity in training the system. Such process complexities of designing the scale using FAIS are due to the number of features selected for assessing the scale. The issue of selecting the optimal features for training the Intrusion Detection System using Association Impact Scale is significantly addressed in the FCAAIS [15] model.

**Table 1** indicates the comparison of performance metrics such as precision, recall/sensitivity, specificity, accuracy, and F-measure of FCAAIS over FAIS. **Figure 4** indicates that the accuracy of FCAAIS with optimal features is 91%, whereas the FAIS accuracy with all features is 88%. The precision of the FCAAIS model with optimal features and FAIS with all features is 92%. The other performance metrics such as sensitivity, specificity, and F-measure are calculated on FCAAIS over FAIS. The sensitivity, specificity, and F-measure are 96, 49, and 95%, respectively, for FCAAIS, whereas sensitivity, specificity, and F-measure are 95, 46, and 91%, respectively, for FAIS.

| Metric | Definition | FCAAIS | FAIS |
| --- | --- | --- | --- |
| Total number of records tested | | 34,361 | 34,361 |
| TP (true positive) | The number of transactions identified as normal, which are actually normal | 29,379 | 27,889 |
| FP (false positive) | The number of transactions identified as normal, which are actually intruded | 1968 | 2752 |
| TN (true negative) | The number of transactions identified as intruded, which are actually intruded | 1901 | 2375 |
| FN (false negative) | The number of transactions identified as intruded, which are actually normal | 1113 | 1345 |
| Precision | TP/(TP + FP) | 0.937218873 | 0.910185699 |
| Recall/sensitivity | TP/(TP + FN) | 0.963498623 | 0.953991927 |
| Specificity | TN/(FP + TN) | 0.491341432 | 0.46323386 |
| Accuracy | (TP + TN)/(TP + TN + FP + FN) | 0.910334391 | 0.880765985 |
| F-measure | 2 × (PRECISION × RECALL)/(PRECISION + RECALL) | 0.951646837 | 0.91131588 |

**Table 1.** *Comparison of performance metrics of FCAAIS and FAIS.*

**Figure 4.** *The performance metrics observed for FCAAIS over FAIS.*
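The FAIS algorithm of Section 7.2, Steps 2 to 8, carried through on five constructed transaction value sets; this is an added example, not code from the chapter. It assumes that A is the 0/1 incidence matrix of the edge set E in Eq. 4, that V in Step 3.4 is the prerogative weight vector from Step 3.3, that Step 7 is the sample standard deviation of the fais scores about faist, and that a value never seen in training has fas = 0; the feature values and function names are illustrative.

```python
from math import sqrt

# Constructed training data (not from the chapter): one transaction value
# set (tvs) per network transaction, holding its categorical feature values.
STVS = [
    {"proto=tcp", "service=http", "flag=SF"},
    {"proto=tcp", "service=http", "flag=SF"},
    {"proto=tcp", "service=smtp", "flag=SF"},
    {"proto=udp", "service=dns", "flag=SF"},
    {"proto=tcp", "service=http", "flag=REJ"},
]

def build_scale(stvs):
    """Steps 2-4: return fas for every feature value seen in training."""
    values = sorted(set().union(*stvs))
    rows, cols = range(len(stvs)), range(len(values))
    # Assumption: A is the 0/1 incidence matrix of edge set E (Eq. 4),
    # rows = transaction value sets (pivots), columns = feature values.
    A = [[1 if v in tvs else 0 for v in values] for tvs in stvs]
    u0 = [1.0] * len(stvs)                                  # Step 3.1
    V = [sum(A[k][j] * u0[k] for k in rows) for j in cols]  # Steps 3.2-3.3: A' x u
    u = [sum(A[k][j] * V[j] for j in cols) for k in rows]   # Step 3.4: A x V
    total = sum(u)
    # Step 4 (Eq. 5): pivot weight of the sets containing the value,
    # divided by the pivot weight of all sets.
    return {v: sum(u[k] for k in rows if A[k][j]) / total
            for j, v in enumerate(values)}

def fais(tvs, fas):
    """Step 5 (Eq. 6). Assumption: an unseen value contributes fas = 0."""
    return 1 - sum(fas.get(v, 0.0) for v in tvs) / len(tvs)

def thresholds(stvs, fas):
    """Steps 6-8: return (faist_l, faist, faist_h)."""
    scores = [fais(t, fas) for t in stvs]
    faist = sum(scores) / len(scores)                       # Eq. 7
    sdv = sqrt(sum((s - faist) ** 2 for s in scores) / (len(scores) - 1))  # Eq. 8
    return faist - sdv, faist, faist + sdv

if __name__ == "__main__":
    fas = build_scale(STVS)
    low, mid, high = thresholds(STVS, fas)
    probe = {"proto=icmp", "service=ecr_i", "flag=SF"}      # constructed
    print(f"range [{low:.3f}, {high:.3f}], probe fais = {fais(probe, fas):.3f}")
```

On this data the range is roughly 0.198 to 0.549, and the constructed probe transaction, two of whose three values never occur in training, scores about 0.726, above the higher threshold.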
