Real-Time Intrusion Detection with Fuzzy Genetic Algorithm

P. Jongsuebsuk+, N. Wattanapongsakorn+, C. Charnsripinyo*

+ Department of Computer Engineering, King Mongkut's University of Technology Thonburi, Bangkok, Thailand, naruemon@cpe.kmutt.ac.th
* National Electronics and Computer Technology Center, 112 Phahonyothin Road, Klong Luang, Pathumthani, Thailand, chalermpol@nectec.or.th

Abstract — In this work, we consider network intrusion detection using a fuzzy genetic algorithm to classify network attack data. A fuzzy rule is a machine learning classifier that can classify network attack data, while a genetic algorithm is an optimization algorithm that helps find appropriate fuzzy rules and gives the best/optimal solution. In this paper, we consider both the well-known KDD99 dataset and our own network dataset. The KDD99 dataset is a benchmark dataset used in various research works, while our network dataset is online network data captured in an actual network environment. We evaluate our IDS in terms of detection speed, detection rate and false alarm rate. From the experiment, we can detect network attacks in real time (within 2-3 seconds) after the data arrives at the detection system. The detection rate of our algorithm is approximately 97.5% or higher.

Keywords — Fuzzy genetic algorithm; intrusion detection; real-time detection; network security

I. INTRODUCTION

Nowadays, the Internet grows rapidly, but network vulnerability is still an important issue that causes cyber-attacks. For example, an active denial of service (DoS) attack is one type of cyber-attack that can immediately bring a system down. Therefore, it is necessary to detect network attacks before they damage the whole system. Generally, an intrusion detection system can be deployed to detect network threats. Previous research works have proposed intrusion detection techniques based on various classification algorithms.
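As an added illustration of how the two components named in the abstract fit together (this is not the authors' code, and their rule encoding, membership functions and fitness function are not given on this page): one fuzzy rule "IF packet rate is HIGH AND SYN ratio is HIGH THEN DoS" with ramp memberships, whose four parameters a small genetic algorithm tunes using detection rate minus false alarm rate as fitness, on constructed 2-second traffic summaries.

```python
import random

# Constructed 2-second traffic summaries (not the paper's dataset):
# (packets_per_second, syn_ratio, label) with label 1 = DoS, 0 = Normal.
DATA = [
    (12, 0.05, 0), (25, 0.10, 0), (40, 0.20, 0), (18, 0.08, 0), (50, 0.30, 0), (33, 0.15, 0),
    (400, 0.80, 1), (650, 0.90, 1), (900, 0.99, 1), (520, 0.85, 1), (700, 0.95, 1), (450, 0.88, 1),
]

def high(x, lo, width):
    """Ramp membership of x in the fuzzy set HIGH: 0 below lo, 1 above lo+width."""
    return min(1.0, max(0.0, (x - lo) / width))

def classify(chrom, rate, syn):
    """Rule: IF rate is HIGH AND syn_ratio is HIGH THEN DoS; AND is the min operator."""
    r_lo, r_w, s_lo, s_w = chrom           # chromosome = the four membership parameters
    strength = min(high(rate, r_lo, r_w), high(syn, s_lo, s_w))
    return 1 if strength >= 0.5 else 0

def rates(chrom, data=DATA):
    """Return (detection rate, false alarm rate) of one rule on labelled data."""
    attacks = [d for d in data if d[2] == 1]
    normals = [d for d in data if d[2] == 0]
    dr = sum(classify(chrom, r, s) for r, s, _ in attacks) / len(attacks)
    far = sum(classify(chrom, r, s) for r, s, _ in normals) / len(normals)
    return dr, far

def fitness(chrom, data=DATA):
    dr, far = rates(chrom, data)
    return dr - far                        # reward detections, penalise false alarms

def random_chrom(rng):
    return [rng.uniform(0, 1000), rng.uniform(1, 500), rng.uniform(0, 1), rng.uniform(0.01, 0.5)]

def mutate(chrom, rng):
    child = [g + rng.gauss(0, 0.1 * abs(g) + 1e-3) for g in chrom]
    child[1], child[3] = max(child[1], 1.0), max(child[3], 0.01)   # keep ramp widths positive
    return child

def evolve(data=DATA, pop_size=40, generations=40, seed=1):
    """Tournament selection, single-point crossover, mutation, elitism; returns best rule."""
    rng = random.Random(seed)
    pop = [random_chrom(rng) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda c: fitness(c, data), reverse=True)
        nxt = [pop[0]]                     # elitism: the best rule survives unchanged
        while len(nxt) < pop_size:
            a, b = (max(rng.sample(pop, 3), key=lambda c: fitness(c, data)) for _ in range(2))
            cut = rng.randint(1, 3)        # single-point crossover of the 4 genes
            nxt.append(mutate(a[:cut] + b[cut:], rng))
        pop = nxt
    return max(pop, key=lambda c: fitness(c, data))
```

In practice the fitness would be measured on a held-out split, since a rule tuned on the same records it is scored on overstates the detection rate it will achieve on live traffic.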
Most classification techniques for intrusion detection fall into two groups: the supervised learning (signature-based) approach and the unsupervised learning approach. In the supervised learning approach, the training instances consist of input attributes and the desired output, and the algorithm produces an inferred function called a classifier or regression function. This approach has high accuracy and a low false alarm rate with fast computing time. In 2006, J. Gómez and E. León [1] proposed a fuzzy and genetic algorithm to classify intrusion behavior. The input data is the KDDCup99 dataset, which consists of 42 features. The fuzzy rules are adapted automatically using an evolutionary technique and a genetic algorithm. The algorithm classifies the data into 5 classes: DoS, Probe, R2L, U2R and Normal, and achieves a detection rate of 98.28%. Similarly, in 2008, T.P. Fries [2] proposed a fuzzy genetic algorithm approach. In the preprocessing phase, a clustering algorithm and a genetic algorithm were used to find the significant attributes of the KDD99 dataset; in the detection phase, a fuzzy GA algorithm was used. The detection rate is 99.6%. The algorithm also performs well in terms of speed and memory consumption and is robust for large problems. R. Ensafi et al. [3] proposed a soft computing technique (fuzzy logic and swarm intelligence) for an intrusion detection system, evaluated on the KDD99 dataset. The detection rate is greater than 95%, and the algorithm can also identify the attack types DoS, R2L, U2R and Probe. This technique is computationally inexpensive in terms of memory and CPU time; however, it has a high false alarm rate. In 2009, T. Komviriyavut et al. [4] proposed a method to preprocess a dataset from an actual network environment within 2 seconds. The preprocessed data has 12 attributes. A decision tree algorithm was then used to classify the data (the output classes are DoS, Probe and Normal).
The result showed that this algorithm has a 97.5% detection rate, and the technique is efficient enough to be used in an actual network environment. M.-Y. Su et al. [5] proposed a real-time IDS for large-scale attacks using fuzzy association rules. The technique preprocesses packet headers into 16 attributes every 2 seconds from an open network environment (a network that connects to the Internet and allows every packet to flow through it). Each record is then sent to another computer in order to update the rules. However, this technique does not report its detection rate and is able to detect only DoS attacks. In 2011, N. Ngamwitthayanon and N. Wattanapongsakorn [6] proposed a Fuzzy Adaptive Resonance Theory (ART) approach for network anomaly detection with a feature-reduced dataset, reducing the number of KDD99 attributes to 14. This approach has a 98.96% detection rate; however, the algorithm is time consuming. P. Kachurka and V. Golovko [7] proposed a neural network approach to real-time network intrusion detection, collecting the network traffic with an open source intrusion detection system (Bro IDS). This technique is able to detect

978-1-4799-0545-4/13/$31.00 ©2013 IEEE