*Computer and Network Security*

*Anomaly-Based Intrusion Detection System DOI: http://dx.doi.org/10.5772/intechopen.82287*

**Step 3.2:** Transpose the matrix $A$ as $A'$.

**Step 3.3:** Calculate prerogative weights by multiplying $A'$ with $u$.

**Step 3.4:** Calculate original pivot weights using matrix multiplication between $A$ and $V$.

**Step 4:** Calculate the feature categorical value $fas$ of $f_i v_j$ as:

$$fas(f_i v_j) = \frac{\sum_{k=1}^{|STVS|} \{\, u(tvs_k) : (f_i v_j \rightarrow tvs_k) \neq 0 \,\}}{\sum_{k=1}^{|STVS|} u(tvs_k)} \tag{5}$$

**Step 5:** The Feature Association Impact Scale $fais$ for every transaction value set $tvs_i$ is estimated as:

$$fais(tvs_i) = 1 - \frac{\sum_{j=1}^{m} \{\, fas(val_j) \;\exists\; val_j \in V : val_j \subset tvs_i \,\}}{|tvs_i|} \tag{6}$$

**Step 6:** The Feature Association Impact Scale threshold $faist$ can be measured as:

$$faist = \frac{\sum_{i=1}^{|STVS|} fais(tvs_i)}{|STVS|} \tag{7}$$

**Step 7:** Calculate the standard deviation as:

$$sdv_{faist} = \sqrt{\frac{\sum_{i=1}^{|STVS|} \left( fais(tvs_i) - faist \right)^2}{|STVS| - 1}} \tag{8}$$

**Step 8:** The Feature Association Impact Scale range can be explored as Step 8.1 and Step 8.2:

**Step 8.1:** Calculate lower threshold of $faist$ as $faist_l = faist - sdv_{faist}$.

**Step 8.2:** Calculate higher threshold of $faist$ as $faist_h = faist + sdv_{faist}$.

**8. Analysis of experimental results**

The total number of records chosen for the test is 25% of the actual dataset, that is, 34,361. The test records are drawn from various categories such as Probe, DoS, U2R, R2L, and Normal. The difference between the CC average and the standard deviation of CC is called the lower bound of the CC threshold. The sum of the CC average and the standard deviation of CC is called the upper bound of the CC threshold.

The records identified as normal are 19.8% of the total test data records: 4.7% of the test data records are "false negatives" and 15.1% are "true negatives." The cumulative number of records detected as "intruded transactions" is 80.2%, with 75.3% of test data records being "truly intruded transactions" and a "false positive" percentage of 4.9% of test data records.

As per the results obtained, the proposed model is found to be accurate up to 90.4%. The experiments are conducted on the same dataset using "anomaly-based network intrusion detection through assessing Feature Association Impact Scale (FAIS)" [14]. The results depict that the proposed model is also scalable and effective for detecting the scope of intrusion from a network transaction. Despite the fact that the FAIS model proposed shows 88% accuracy, the major limitation is process complexity in training the system. Such process complexities of designing the scale using FAIS are due to the number of features selected for assessing the scale. The issue of selecting the optimal features for training the Intrusion Detection System using Association Impact Scale is significantly addressed in the FCAAIS [15] model.
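Steps 3.2 to 8.2 of the scale construction, worked through in Python on constructed records as an added example (not the chapter's own code). It assumes A is a 0/1 transaction-by-value matrix and the initial pivot vector u is all ones, because the steps that define them are not on this page; `train_fais`, `fais` and `position` are hypothetical names.

```python
from math import sqrt

# Constructed training records; feature names follow NSL-KDD, values are illustrative.
TRAIN = [
    frozenset({("protocol_type", "tcp"), ("service", "http"), ("flag", "SF")}),
    frozenset({("protocol_type", "tcp"), ("service", "http"), ("flag", "SF")}),
    frozenset({("protocol_type", "tcp"), ("service", "smtp"), ("flag", "SF")}),
    frozenset({("protocol_type", "udp"), ("service", "domain_u"), ("flag", "SF")}),
]

def fais(tvs, fas):
    # Step 5 (eq. 6). Assumption: a value never seen in training has no fas
    # entry and contributes 0, so unfamiliar records score close to 1.
    return 1 - sum(fas.get(v, 0.0) for v in tvs) / len(tvs)

def train_fais(stvs):
    values = sorted({v for tvs in stvs for v in tvs})
    n, m = len(stvs), len(values)
    # Assumption: A[k][j] = 1 when value j occurs in transaction k, and the
    # initial pivot vector u is all ones (Steps 1-3.1 are not on this page).
    A = [[1 if v in tvs else 0 for v in values] for tvs in stvs]
    u = [1.0] * n
    # Steps 3.2-3.3: prerogative weights V = A' x u
    V = [sum(A[k][j] * u[k] for k in range(n)) for j in range(m)]
    # Step 3.4: pivot weights u = A x V
    u = [sum(A[k][j] * V[j] for j in range(m)) for k in range(n)]
    # Step 4 (eq. 5): pivot weight of transactions holding the value / total
    fas = {v: sum(u[k] for k in range(n) if A[k][j]) / sum(u)
           for j, v in enumerate(values)}
    scores = [fais(tvs, fas) for tvs in stvs]
    faist = sum(scores) / n                                      # Step 6 (eq. 7)
    sdv = sqrt(sum((s - faist) ** 2 for s in scores) / (n - 1))  # Step 7 (eq. 8)
    return {"fas": fas, "faist": faist, "sdv": sdv,
            "faistl": faist - sdv, "faisth": faist + sdv}        # Steps 8.1-8.2

def position(tvs, model):
    # Reports where a record's fais falls relative to the Step 8 range;
    # deciding which side counts as intrusion is left to the chapter's model.
    score = fais(tvs, model["fas"])
    if score < model["faistl"]:
        return "below faistl"
    return "above faisth" if score > model["faisth"] else "within range"

if __name__ == "__main__":
    model = train_fais(TRAIN)
    probe = frozenset({("protocol_type", "icmp"), ("service", "ecr_i"), ("flag", "SF")})
    print(round(model["faistl"], 4), round(model["faisth"], 4), position(probe, model))
```

Under these assumptions A has one column per distinct feature value, so both matrix products grow with the number of features selected, which is the training complexity the text attributes to FAIS.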

**Table 1** indicates the comparison of performance metrics such as precision, recall/sensitivity, specificity, accuracy, and F-measure of FCAAIS over FAIS. **Figure 4** indicates that the accuracy of FCAAIS with optimal features is 91%, whereas the FAIS accuracy with all features is 88%. The precision of the FCAAIS model with optimal features and FAIS with all features is 92%. The other performance metrics such as sensitivity, specificity, and F-measure are calculated on FCAAIS over FAIS. The sensitivity, specificity, and F-measure are 96, 49, and 95%, respectively, for FCAAIS, whereas sensitivity, specificity, and F-measure are 95, 46, and 91%, respectively, for FAIS.


**Table 1.** *Comparison of performance metrics of FCAAIS and FAIS.*

**Figure 4.** *The performance metrics observed for FCAAIS over FAIS.*

According to the results, the accuracy of FCAAIS (selected feature set using canonical correlation) minimized the process complexity of designing the scale using FAIS (**Figure 5** and **Table 2**).

The observed time complexity is adaptable, as the completion time is not directly related to the ratio of features count, which is due to the higher CC threshold as shown in **Figure 6**. Hence it can be concluded that applying canonical correlation toward optimized attribute selection is a significant improvement to the FAIS model (shown in **Figure 6**).

It is observed that applying canonical correlation toward optimized attribute selection results in 3% improvement in the accuracy of FAIS [14]. **Table 3** indicates precision, recall, and F-measure values calculated under divergent canonical correlation threshold values (**Figure 7**).

**Figure 5.** *The process computational time observed for FCAAIS over FAIS.*

| Number of transactions | FCAAIS (s) | FAIS (s) |
|---|---|---|
| | 0.397 | 0.527 |
| | 0.611 | 0.714 |
| | 0.723 | 0.882 |
| | 1.012 | 1.139 |
| | 1.275 | 1.439 |
| 16,000 | 1.578 | 1.703 |
| 25,000 | 1.891 | 2.031 |

**Table 2.** *Process computational time of FCAAIS and FAIS.*

**Figure 6.** *The FCAAIS consumption of time under divergent canonical correlation thresholds.*

| | Precision | F-measure | Recall |
|---|---|---|---|
| Less than the upper bound of CC threshold | 0.989 | 0.987998988 | 0.987 |
| Less than the lower bound of CC threshold | 0.98 | 0.984974619 | 0.99 |
| Less than the CC threshold | 0.985 | 0.985 | 0.985 |

**Table 3.** *Precision, recall, and F-measure values calculated under divergent canonical correlation threshold.*

**Figure 7.** *Performance analysis of the prediction accuracy of FCAAIS under divergent canonical correlation threshold value.*

**9. Conclusion**

It is desirable for an anomaly-based network intrusion detection system to achieve high classification accuracy and reduce the process complexity of extracting the rules from training data. In this chapter, a canonical correlation analysis is proposed to optimize the features toward designing the scale to detect the intrusions. The selection of optimal features simplifies the process of FAIS. The experiments were conducted using a benchmark NSL-KDD dataset. The results indicate that the accuracy of FCAAIS with optimal features is 91%, whereas the FAIS accuracy with all features is 88%. The precision of the FCAAIS model with optimal features and FAIS with all features is almost close to 92%. It is observed that applying canonical correlation toward optimized attribute selection has 3% improvement in the accuracy of FAIS. The other performance metrics such as sensitivity, specificity, and F-measure are calculated on FCAAIS over FAIS. The sensitivity, specificity, and F-measure are 96, 49, and 95%, respectively, for FCAAIS, whereas they are 95, 46, and 91%, respectively, for FAIS.
