Abstract—Feature selection has been used in many fields such as classification, data mining and object recognition and proven to be effective for removing irrelevant and redundant features from the original dataset. In this paper, a new design of distributed intrusion detection system using a combination feature selection model based on bees and decision tree. Bees algorithm is used as the search strategy to find the optimal subset of features, whereas decision tree is used as a judgment for the selected features. Both the produced features and the generated rules are used by Decision Making Mobile Agent to decide whether there is an attack or not in the networks. Decision Making Mobile Agent will migrate through the networks, moving from node to another, if it found that there is an attack on one of the nodes, it then alerts the user through User Interface Agent or takes some action through Action Mobile Agent. The KDD Cup 99 dataset is used to test the effectiveness of the proposed system. The results show that even if only four features are used, the proposed system gives a better performance when it is compared with the obtained results using all 41 features. Keywords—Distributed intrusion detection system, mobile agent, feature selection, Bees Algorithm, decision tree. I. INTRODUCTION ITH the development of the Internet and its wide applications in all domains of people’s life, intrusion detection has become a critical process in computer network security. An Intrusion Detection System (IDS) is defined [1] as a component that analyzes system and user operations in computer and network systems in terms of activities which are considered as undesirable from security perspectives. IDSs can be categorized into two methodologies as anomaly detection and misuse detection. Anomaly detection techniques [2] identify any unacceptable deviation from the expected behavior of an individual user or an application. The expected behavior is defined in advance for developed profiles by manually or automatically. This is then compared with the current activities of the user or the application. An uncharacteristic deviation would be an indication of an intrusion. On the other hand, misuse intrusion detection [3] refers to the analysis of certain well-defined patterns of attacks that exploit weaknesses in the system and the application software. For example, packets of network traffic could be analyzed for a series of characters, which could represent a Adel Sabry Eesa is with the Department of computer science in Zakho University, Duhok City, KRG-Iraq (e-mail: adelsabryissa@gmail.com). Adnan Mohsin Abdulazeez Brifcani is Presidency of Duhok Polytechnic University, Duhok City, KRG-Iraq (e-mail: president@dpu.ac). Zeynep Orman is with the Department of Computer Engineering, Faculty of Engineering, Istanbul University, 34320, Avcilar, Istanbul, Turkey (e-mail: ormanz@istanbul.edu.tr). signature of an attack sequence. This mechanism requires the knowledge of unacceptable behavior to detect an intrusion as opposed to anomaly detection which is based on the identification of normal behavior. Recently, new approaches for developing Distributed Intrusion Detection Systems (DIDSs) which is based on Mobile Agents (MAs) are presented by many researchers [4]- [8]. MAs are particular software agents that have the capability to move from one host to another. MAs may offer unique features that can be used to improve the methods that are used for the design, development and deployment of the intrusion detection systems in the network. Feature Selection (FS) has been a fertile field of computer science research and development since 1970's, and it is also used successfully in IDSs domain [9]-[16]. FS is a process of selecting an optimal subset of features among the existing features and it does not involve any feature transformation. Given a feature set of size n, the FS problem finds a minimal feature subset of size m (m < n) and still retains a suitably high accuracy for representing the original features. The objective of FS is to simplify a dataset by reducing its dimensionality and identify the relevant underlying features without sacrificing from the predictive accuracy. By doing that, it also reduces redundancy in the information provided by the selected features [17]. This paper presents a new design of DIDS based on a combination feature selection approach. In this approach, BA and DT are used as a basis for the feature selection process. BA is proposed to find the optimal subset of features, whereas DT is proposed as a judgment for the selected features. The performance of the presented system is evaluated by using KDD Cup 99 dataset, the benchmark dataset commonly used by IDS researchers. The organization of this paper is as follows: Section II presents a background of bees algorithm and decision tree. The proposed DIDS and its architecture, the rule generator and feature selection approach are discussed in Section III. Section IV details the evaluation criteria to test the performance of the proposed approach. Section V reports the experimental results of the proposed system and a brief discussion on the obtained results. Finally, the conclusion is stated in Section VI. II. BEES ALGORITHM AND DECISION TREES A. Bees Algorithm The Bees algorithm is a population-based optimization algorithm inspired by the foraging behavior of bees and is developed in 2005 [18]. Bees search for food by using scouts to explore sites deemed most likely to produce favorable A New DIDS Design Based on a Combination Feature Selection Approach Adel Sabry Eesa, Adnan Mohsin Abdulazeez Brifcani, Zeynep Orman W World Academy of Science, Engineering and Technology International Journal of Computer and Information Engineering Vol:9, No:8, 2015 1921 International Scholarly and Scientific Research & Innovation 9(8) 2015 scholar.waset.org/1307-6892/10002184 International Science Index, Computer and Information Engineering Vol:9, No:8, 2015 waset.org/Publication/10002184