A Hybrid Convolution Neural Network with Binary Particle Swarm Optimization for Intrusion Detection

Hamza Turabieh
Department of Information Technology, Taif University, Taif, Saudi Arabia
h.turabieh@tu.edu.sa

Abstract—Many companies have started using cloud systems and services to increase their productivity and decrease costs by migrating their applications, infrastructures, and data to external cloud platforms. The use of cloud systems raises the number of attacks on such systems. Protecting these cloud platforms from different attacks with intrusion detection systems (IDS) has become an essential task. In general, an IDS is used to classify network traffic packets as normal or abnormal. In this paper, we propose a hybrid intelligent IDS based on a one-dimensional Convolution Neural Network (1D-CNN) and Binary Particle Swarm Optimization (BPSO). BPSO is employed as a wrapper feature selection method to determine the most valuable features and reduce the high dimensionality of the collected data, while the 1D-CNN is employed as a binary classifier. We adopted a real dataset called UNSW-NB15 to evaluate the proposed hybrid IDS. The obtained results show that the proposed system can detect normal and abnormal packets with an accuracy of 94.3%.

I. INTRODUCTION

Several companies have started using cloud computing systems to operate their applications and manipulate their data over the internet. All cloud activities are accessed remotely over the internet. In general, cloud computing systems relieve companies and end users of several issues related to installing, maintaining, and securing their applications, infrastructures and data [1], [2]. Protecting cloud computing systems from abnormal traffic is needed. Several Cloud Service Providers (CSP) have started developing intelligent IDS to prevent illegitimate entry to cloud computing systems. Simply put, the main task of an IDS is to distinguish normal from abnormal traffic [3].
There are two types of IDS: host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS) [4]. A HIDS controls all kinds of attacks inside a local network (e.g., LAN) by monitoring and analyzing all traffic that comes from local machines in order to detect abnormal traffic or behavior [5], while a NIDS monitors all traffic that comes from an outside network (e.g., WAN). Both types report all abnormal behaviors and illegitimate activity to the system administrator and execute a set of protection activities to stop such attacks or abnormal behaviors [3]. To keep cloud computing systems healthy and protected, an IDS examines each packet and classifies it as normal or abnormal [6]. In general, an IDS works with one of two methods: anomaly-based and misuse (signature)-based detection. The anomaly method tries to detect any abnormal traffic that deviates from normal traffic, while the misuse method tries to detect abnormal traffic based on previously seen patterns of abnormal traffic [7]. Building an IDS is a complex process, since detecting intrusions is considered an NP-hard problem [8], [9]. As a result, building intelligent IDS based on Machine Learning (ML) methods and Soft Computing (SC) is needed.

Each IDS should provide three attributes to secure any system: data confidentiality, data integrity, and data availability [10]. Data confidentiality means that sensitive data cannot be accessed by an untrusted user. Data integrity means that the data should be consistent and not tampered with during transmission. Data availability means that the data can be accessed securely anywhere and at any time. Figure 1 shows the detection and response processes proposed by Denning [11].
The detection process cannot be executed directly on the available data when the main task of the IDS is to classify all activity that happens on the network, for several reasons: the huge amount of traffic data, the unequal distribution of data, a shortage of available knowledge to recognize new types of attacks, and a shortage of stability [11]. In addition, an IDS is not able to control a large number of alarms, which require more computational time and reduce the detection rate [12]. Therefore, it is important to reduce the data dimensionality before building an IDS. To achieve this, feature selection (FS) methods can reduce the data dimensionality and enhance the overall performance of the IDS.

Several existing IDS try to build an intelligent classification system based on a set of historical data. Since network traffic data is considered high-dimensional, several researchers have employed FS methods to enhance the data quality and reduce the dimensionality [13]. For example, Sarvari et al. [14] employed a modified Cuckoo Search Algorithm (CSA) as a wrapper FS method and an Evolutionary Neural Network (ENN) as a classification method. Thakkar and Lohiya [15] applied seven different ML classifiers (i.e., Support Vector Machine (SVM), Naïve Bayes (NB), Decision Tree (DT), Random Forest (RF), k-nearest neighbours (kNN), Logistic Regression (LR), and Artificial Neural Networks (ANN)) to classify intrusions. The authors employed two FS methods (i.e., Chi-Square, Information Gain (IG), and Recursive Feature Elimination (RFE)). Almomani [16] applied four wrapper feature selection methods (i.e., particle swarm optimization (PSO), grey wolf optimizer (GWO), firefly optimization (FFA) and genetic algorithm (GA)) to select the most valuable features from an intrusion detection dataset called UNSW-NB15. The author applied two ML classifiers (i.e., SVM and J48).
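To make the wrapper feature selection idea concrete, the following added example (not code from the paper) runs a binary PSO with a sigmoid transfer function over feature masks and scores each mask by training a classifier on the selected columns. Assumptions: a nearest-centroid classifier stands in for the paper's 1D-CNN, constructed synthetic records stand in for UNSW-NB15, and the swarm parameters and the accuracy/size weighting `alpha` are illustrative choices.

```python
import math
import random

def make_data(rng, n=200, n_feat=12, informative=(0, 3, 7)):
    """Constructed records (1 = abnormal); only `informative` columns carry signal."""
    y = [rng.randint(0, 1) for _ in range(n)]
    X = [[rng.gauss(0, 1) + (2.0 * lab if j in informative else 0.0)
          for j in range(n_feat)] for lab in y]
    return (X[:140], y[:140]), (X[140:], y[140:])  # train / validation split

def accuracy(mask, train, val):
    """Wrapper step: nearest-centroid classifier restricted to the selected columns."""
    cols = [j for j, bit in enumerate(mask) if bit]
    if not cols:
        return 0.0
    (Xtr, ytr), (Xva, yva) = train, val
    cent = [[sum(x[j] for x, lab in zip(Xtr, ytr) if lab == c) / ytr.count(c)
             for j in cols] for c in (0, 1)]
    hits = 0
    for x, lab in zip(Xva, yva):
        d = [sum((x[j] - m) ** 2 for j, m in zip(cols, c)) for c in cent]
        hits += int(d[1] < d[0]) == lab
    return hits / len(yva)

def fitness(mask, train, val, alpha=0.9):
    # Trade validation accuracy against the fraction of features kept.
    return alpha * accuracy(mask, train, val) + (1 - alpha) * (1 - sum(mask) / len(mask))

def bpso(train, val, n_feat, rng, particles=15, iters=30, w=0.7, c1=1.5, c2=1.5):
    pos = [[rng.randint(0, 1) for _ in range(n_feat)] for _ in range(particles)]
    pos[0] = [1] * n_feat  # seed with "keep everything": result is never worse than that
    vel = [[0.0] * n_feat for _ in range(particles)]
    pbest, pfit = [p[:] for p in pos], [fitness(p, train, val) for p in pos]
    gfit = max(pfit)
    gbest = pbest[pfit.index(gfit)][:]
    for _ in range(iters):
        for i in range(particles):
            for j in range(n_feat):
                v = (w * vel[i][j] + c1 * rng.random() * (pbest[i][j] - pos[i][j])
                     + c2 * rng.random() * (gbest[j] - pos[i][j]))
                vel[i][j] = max(-6.0, min(6.0, v))
                # Sigmoid transfer: velocity is the probability that bit j is set.
                pos[i][j] = int(rng.random() < 1 / (1 + math.exp(-vel[i][j])))
            f = fitness(pos[i], train, val)
            if f > pfit[i]:
                pbest[i], pfit[i] = pos[i][:], f
            if f > gfit:
                gbest, gfit = pos[i][:], f
    return gbest, gfit
```

Calling `bpso(*make_data(random.Random(7)), 12, random.Random(1))` returns the best mask and its fitness; the mask is chosen on the validation split, so the final detector should be scored on data that the search never saw.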
The motivation of this paper is to investigate the perfor-

International Journal of Computer Science and Information Security (IJCSIS), Vol. 18, No. 12, December 2020, p. 128. https://doi.org/10.5281/zenodo.4427210 https://sites.google.com/site/ijcsis/ ISSN 1947-5500