Turkish Journal of Physiotherapy and Rehabilitation; 32(3)
ISSN 2651-4451 | e-ISSN 2651-446X
www.turkjphysiotherrehabil.org 430
ADAPTIVE NEURO FUZZY INFERENCE SYSTEM FOR ATTACK
PREDICTION IN THE NETWORKS
Durairaj. M¹, D. Radhika²
¹Assistant Professor, Department of Computer Science and Engineering, Bharathidasan University, Tiruchirappalli – 620 023. Email: [email protected]
²Research Scholar, Department of Computer Science and Engineering, Bharathidasan University, Tiruchirappalli – 620 023. Email: [email protected].
ABSTRACT
With the rise of the Internet, the number of attacks has skyrocketed, and Intrusion Detection Systems (IDS)
have emerged as a critical component of information security. The aim of an intrusion detection system (IDS)
is to assist computer systems in dealing with attacks. This anomaly detection system builds a database of
regular behavior and deviations from it, which it uses to activate when intrusions occur. IDS is divided into
two types depending on the data source: host-based IDS and network-based IDS. Individual packets flowing
through the network are analyzed in network-based IDS, while activities on a single device or server are
analyzed in host-based IDS. IDS' feature selection aids in the reduction of classification time. In this paper, a
new framework is proposed with Adaptive Neuro Fuzzy Inference System (ANFIS) for an IDS, to find the
risk severity of the attacks. The proposed framework is composed of Pre-Processing, Classification and Risk
Severity Prediction. In this research work, the proposed ANFIS network is designed to predict the risk
severity of the attacks in the IDS.
KEYWORDS: Intrusion Detection System, Adaptive Neuro Fuzzy Inference System (ANFIS),
Classification, Feature Selection, Risk Severity Prediction
I. INTRODUCTION
The Internet has recently become an integral part of everyday life. Present internet-based information
management systems are vulnerable to a variety of attacks, resulting in a variety of damages and substantial
losses. As a result, the value of information protection is rapidly increasing. The most fundamental aim of
information security is to create protective information systems that are protected against unauthorized access,
usage, disclosure, disturbance, alteration, or destruction. Furthermore, information protection reduces the risks
associated with the three primary security objectives of confidentiality, integrity, and availability. Various
systems have previously been developed to detect and prevent Internet-based attacks. Intrusion detection systems
(IDS) are the most important systems among them because they effectively resist external attacks. Furthermore,
IDSs serve as a line of protection against attacks on computer systems over the Internet. IDS may be used to
detect various forms of attacks on network communications and computer system use in situations where a
conventional firewall would fail. Intrusion detection is built on the premise that intruders behave differently than
authorized users [1]. Based on their detection methods, IDSs are generally divided into two categories: anomaly
detection systems and misuse detection systems [2][3]. Anomaly intrusion detection decides whether deviations
from standard use habits are intrusions. Misuse detection systems, on the other hand, efficiently detect permission
breaches. Intelligent agents and classification methods may be used to build intrusion detection systems. The
majority of IDSs have two phases: pre-processing and intrusion detection. The intrusions detected by IDSs can be
effectively avoided by implementing an intrusion prevention scheme.
1.1 Intelligent Intrusion Detection System
Intelligent IDSs are intelligent computer programs that observe the environment and function flexibly to achieve
higher detection accuracy [4][5]. They can be found in either a host or a network. These programs compute the
behavior that should be taken in the environment by understanding the environment and firing inference rules [6].
Intelligent IDSs are capable of making decisions and testing constraints. In most intelligent systems, decision-
making is handled by either rules or agents. Furthermore, to accomplish a single target, a collection of static
agents or a set of mobile and static agents have been used. By proposing intelligent techniques for pre-processing
and effective classification, intelligent intrusion detection systems have been developed. In contrast to other
methods, such IDSs have given a higher detection rate.
1.2 Intelligent pre-processing techniques
Detecting relevant features and discarding irrelevant ones is the task of feature selection (or pre-processing), with
the goal of obtaining a subset of features that accurately represent the given problem with minimal performance
degradation. It has a number of benefits [7], including enhancing the efficiency of machine learning algorithms,
data comprehension, gaining information about the process and assisting with visualization, data reduction,
minimizing storage requirements, and assisting with processing cost reduction. Filter methods and wrapper
methods [8][9] are the two major models for feature selection. While wrapper models select features by
optimizing a predictor, filter models select features by relying on the general characteristics of the training data,
which are independent of any predictor. Wrapper models provide better results than filter models and are more
accurate.
1.3 Intelligent classification techniques
Classification [10] is a technique for learning a model, called a classifier, from a collection of labeled data
instances (training) and then using the learned model to classify a test instance into one of the classes
(testing). Anomaly detection techniques based on classification work in a similar two-phase fashion. In the
training phase, the available labeled training data is used to train a classifier. In the testing phase, the
classifier classifies a test instance as normal or anomalous. Anomaly detection techniques based on classification
use either a one-class or a multi-class classifier. Techniques based on one-class classification
presume that all training instances have only one class label. Using a one-class classification algorithm, these
techniques learn a discriminative boundary around the normal instances. Any test instance that does not fall
within the learned boundary is declared anomalous. Techniques based on multi-class
classification presume that the training data includes labeled instances belonging to several normal classes [11].
Such techniques train a classifier to differentiate between each normal class and the rest of the classes.
If none of the classifiers classifies a test instance as normal, it is considered anomalous. Some techniques in this
subcategory associate a confidence score with the classifier's prediction. The test instance is
considered anomalous if none of the classifiers is confident in classifying it as normal.
II. RELATED WORKS
Elhag, S., et al. [12] presented a complete taxonomy of Evolutionary Fuzzy Systems. The authors then went through
a few of the ideas that have been introduced in this research field to solve Intrusion Detection Systems. Finally,
the authors provided a case study that demonstrated the effectiveness of Evolutionary Fuzzy Systems in this
situation.
Elhag, Salma, et al. [13] suggested a multi-objective evolutionary fuzzy system for the creation of a system that
can be trained using various metrics. More precise solutions are expected to be obtained by expanding the
search space during model optimization. Furthermore, this scheme enables the end user to choose from a wide
range of solutions which is best suited to the current network characteristics.
Selvakumar, K., et al [14] proposed an adaptive IDS based on Fuzzy Rough Sets for attribute selection and
Allen's interval algebra, which is used on network trace datasets to pick a large number of attack data for
successful attack prediction in WSNs. In addition, for successful classification of network trace datasets, this
article proposes a fuzzy and rough set based nearest neighbour algorithm (FRNN). This model uses a
skewed dataset of 50:50 normal and attack data, as opposed to 80:20 normal and attack data in traditional
datasets. Since biased data is used, the proposed IDS's efficiency is improved.
Pradeep Mohan Kumar, K., et al [15] proposed a new paradigm called hybrid-based intrusion detection
framework (GA-Fuzzy) for managing large volumes of NSL-KDD Dataset in order to efficiently detect attacks
and reduce the rate of misclassification alarms. The Genetic Algorithm (GA) is used to create new patterns (new
characteristics, records) in order to efficiently train the Fuzzy classifier.
Elisa, Noe, et al [16] proposed a method for computing the three output background values of the Dendritic cell
algorithm (DCA) using the recently proposed TSK+ fuzzy inference system, with the weights always being
optimal for the data set given for a particular application. The proposed method was tested and validated using
the two most common datasets, KDD99 and UNSW NB15.
Sathesh, A. [17] merged soft computing techniques and framed an improved soft computing approach to detect
intrusions that trigger security issues in social networks. The paper's proposed method used an
improved soft computing methodology that combined fuzzy logic, decision trees, K means -EM, and machine
learning in pre-processing, feature reduction, clustering, and classification to build a security strategy that is more
efficient than conventional computations in detecting social network misuse.
Senthilnayaki, Balakrishnan, Krishnan Venkatalakshmi, and Arputharaj Kannan [18] proposed a new feature
selection algorithm using the Maximum Dependency Maximum Significance algorithm. This algorithm is
used to pick the smallest number of attributes from the Knowledge Discovery and Data (KDD) data set.
Furthermore, a new K-Nearest Neighborhood-based algorithm for classifying data sets is proposed. This
proposed feature selection algorithm significantly eliminates unnecessary attributes or functions, and the
classification algorithm effectively determines the form of intrusion.
Ali, Ahmed Hussein [19] proposed the Fuzzy Generalized Hebbian Algorithm as a novel data reduction process
to overcome the problem of data redundancy in IDS. In this analysis, two dimensionality reduction
methods (GHA and Fuzzy GHA) were used and compared. This allowed the network's most important traffic
data information to be saved. In addition, the K Nearest Neighbor algorithm was used to divide the test
connections into two groups (attack or normal).
III. PROPOSED RISK SEVERITY PREDICTION OF ATTACKS USING ADAPTIVE NEURO FUZZY
INFERENCE SYSTEM
3.1 Fuzzy Inference System
The Fuzzy Inference System (FIS) is a decision-making process that takes input values and generates fuzzy
output values using logic rules [59, 60]. Real-world observations (which can be crisp or fuzzy values) and fuzzy
logic rules (i.e., IF-THEN rules) are often needed to make decisions [21]. The Mamdani Fuzzy Inference System
and the Takagi-Sugeno Fuzzy Model are two different types of fuzzy inference systems. In this paper, the ANFIS
version of the Takagi-Sugeno Fuzzy Model is used to assess the intensity of attack risk.
3.2 Adaptive Neuro Fuzzy Inference System (ANFIS)
Traditional Fuzzy Inference Systems (FIS) have the downside of requiring users to design the rules, which is
often impractical since the relationship between inputs and outputs in certain decision-making problems is not
straightforward and there are no intuitive methods to design the rules. In the meantime, artificial intelligence-
based approaches are gaining popularity, and the artificial neural network (ANN) is a model that can learn
characteristics and rules from vast amounts of data. The aim of ANN is to reduce performance error by changing
the coefficients in the networks.
According to Jiang et al. [21], the Adaptive Neuro-Fuzzy Inference System (ANFIS) was introduced in 1993; it
merged FIS with neural networks to solve the limitations of FIS. ANFIS is basically a five-layer neural network. Equations (1)
and (2) can be used to display the constructed rules if there are two input parameters, z and y, and one output
parameter, f. (2).
In this case, $M_1$, $M_2$, $N_1$ and $N_2$ are fuzzy sets, and $f_1$ and $f_2$ are the resultant outputs. When the training phase is
run, the values of the design parameters $z_i$, $y_i$ and $p_i$ can also be determined. The detailed steps of
using ANFIS are described below. The use of ANFIS is broken down into six steps:
Step 1: Data collection: The aim of this phase is to gather a dataset for training and testing that includes inputs and
outputs. The variables from the dataset are chosen as input variables, and one variable (i.e., attack severity) is
chosen as the output variable.
Step 2: Construct Fuzzy Sets: ANFIS is a fuzzy inference method in which membership functions and fuzzy sets
should be described during the ANFIS preparation process, as done in this paper to find fuzzy sets for the output
variable (Attack Severity). The triangular membership function is one of the simplest among the other forms and
can be easily extended to the parameters. In this article, the triangular membership function is used as in Equation
(3).
The lower, median, and upper limits of fuzzy sets, which are user parameters, are represented by a, b, and c. Each
input's linguistic variable corresponds to a fuzzy set and has a triangular membership function with various
parameters (i.e., a, b, c). The graph of the triangular membership function is shown in Figure 1.
Figure 1: Triangular Fuzzy Set Membership Function
If the data collected is in the form of linguistic data, each linguistic input must be converted by translating it to
numerical values using the equation (4):
Step 3: Divide the Dataset into Training and Test Datasets: Two datasets, a training set and a test set, are needed
to train the ANFIS model and to evaluate the output of the trained model. These can be obtained by splitting the
entire dataset into two parts.
Step 4: Train the ANFIS model: This phase is divided into five stages, each of which is required for training the
Sugeno-type FIS, as described below. The rules can be learned by ANFIS using a large amount of training data.
Since the rules are encoded in layer 4 of ANFIS, it is necessary to train the coefficients in this layer in order to
represent the rules in ANFIS. To train the ANFIS with the training dataset generated in the previous phase, the
coefficients in layer 4 are initialized with random numbers, and the inputs in the dataset are provided to ANFIS
to calculate an output. The estimated output is then compared to the dataset's ground truth output, and the
coefficients are modified based on the output errors calculated by ANFIS. Many methods for modifying
coefficients based on output errors have been proposed. The least square method and the back propagation
algorithm are the two most commonly used methods. In this study, forward propagation and least squares
estimation are used as learning algorithms for the parameters associated with the input and output membership
functions, respectively.
Figure 2: The ANFIS architecture with two inputs and one output
Layer 1 – Fuzzification Layer
The input values are fuzzified using membership functions in the first layer of ANFIS. This layer's output is used
as the data for layer 2. Equation (5) is used to measure the contribution of the fuzzification layer:
The membership function for input z and linguistic variable $M_i$ is $\mu_{M_i}(z)$.
Layer 2 – Product Layer
This layer measures the rule's firing strength (the weight). The membership function weights ($w_i$) are determined
using equation (6), as shown in Figure 2.
Where $w_i$ denotes the rule weights, which are used as layer 3's data. The weights of rules in ANFIS are similar to
the weights of biases in conventional ANN [20].
Layer 3 – Normalization Layer
ANFIS uses Equation (7) to normalize the weight values obtained from layer 2 in this layer:
The aim of normalization is to replace each weight value with its ratio to the sum of all weights. Normalization
constrains the weight values to the range [0, 1].
Layer 4 – De-Fuzzification Layer
The weighted output is computed in the de-fuzzification layer by multiplying the measured normalized weight
($\bar{w}_i$) by the output of the linear regression model associated with the current node, as in equation (8):
The weighted output and the output of the $i$-th rule are represented by $\bar{w}_i f_i$ and $f_i$, respectively. $m_i$, $n_i$ and $p_i$ are the
related parameters. These coefficients encode the rules and are obtained via the ANFIS training phase.
Layer 5 – Output Layer
Equation (9) is used to produce the overall output of ANFIS in this layer:
The outputs from the previous layer (i.e., layer 4) are represented by $\bar{w}_i f_i$.
Step 5: Assess the model: The test dataset generated in Step 3 is used in this step to evaluate ANFIS' performance
by comparing the dataset's ground truth output to the output measured by ANFIS. Since the test dataset is
separate from the training dataset, the risk intensity with the test dataset can be used to assess the fuzzy inference
system's generalization capacity.
Step 6: Examine the model's accuracy: Some output indices, such as RMSE (Root Mean Square Error) and
MAPE (Mean Absolute Percentage Error), are used to further check the accuracy of ANFIS prediction.
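The five layers and the least-squares estimation of Step 4, followed by the RMSE and MAPE checks of Step 6, written out as an added Python example (not the authors' MATLAB implementation). It assumes only two of the 18 inputs (duration and serror_rate); the triangular (a, b, c) parameters, the labelling model and the small ridge term in the least-squares solve are constructed for this example.

```python
import math

# Constructed triangular parameters (a, b, c) = lower, median, upper limit,
# placed inside the ranges of Table 1 (duration, s) and Table 11 (serror_rate, %).
DURATION_MFS = [(-10.0, 0.0, 20.0), (5.0, 20.0, 40.0), (20.0, 60.0, 100.0)]
SERROR_MFS = [(-10.0, 0.0, 20.0), (5.0, 20.0, 50.0), (20.0, 100.0, 180.0)]
# Constructed labelling model: (m, n, p) per rule, duration set x serror set.
HIDDEN_THETA = [v for p in (5, 25, 75, 5, 20, 60, 10, 20, 50)
                for v in (0.05, 0.2, float(p))]


def tri(x, a, b, c):
    """Triangular membership degree: 0 outside (a, c), 1 at the peak b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def normalised_weights(z, y):
    """Layers 1-3: fuzzify both inputs, multiply per rule, normalise."""
    mu_z = [tri(z, *p) for p in DURATION_MFS]        # layer 1
    mu_y = [tri(y, *p) for p in SERROR_MFS]
    w = [mz * my for mz in mu_z for my in mu_y]      # layer 2: 9 rule weights
    total = sum(w)
    if total == 0.0:  # input outside every fuzzy set: no rule fires
        raise ValueError(f"no rule fires for duration={z}, serror_rate={y}")
    return [wi / total for wi in w]                  # layer 3


def regressor_row(z, y):
    """Layer 4 as a linear form: w_bar_i * (z, y, 1) for every rule i."""
    row = []
    for wb in normalised_weights(z, y):
        row += [wb * z, wb * y, wb]
    return row


def predict(z, y, theta):
    """Layer 5: sum over rules of w_bar_i * (m_i*z + n_i*y + p_i)."""
    return sum(r * t for r, t in zip(regressor_row(z, y), theta))


def fit_consequents(samples, targets, ridge=1e-6):
    """Least-squares estimate of every (m_i, n_i, p_i), solved by Cholesky."""
    # The ridge term is an addition for this example: it keeps the normal
    # equations positive definite when rules overlap or never fire.
    rows = [regressor_row(z, y) for z, y in samples]
    n = len(rows[0])
    M = [[sum(r[i] * r[j] for r in rows) + (ridge if i == j else 0.0)
          for j in range(n)] for i in range(n)]
    b = [sum(r[i] * t for r, t in zip(rows, targets)) for i in range(n)]
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = M[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            L[i][j] = math.sqrt(s) if i == j else s / L[j][j]
    u = []                                           # forward: L u = b
    for i in range(n):
        u.append((b[i] - sum(L[i][k] * u[k] for k in range(i))) / L[i][i])
    theta = [0.0] * n                                # backward: L^T theta = u
    for i in reversed(range(n)):
        s = sum(L[k][i] * theta[k] for k in range(i + 1, n))
        theta[i] = (u[i] - s) / L[i][i]
    return theta


def rmse(truth, pred):
    return math.sqrt(sum((t - p) ** 2 for t, p in zip(truth, pred)) / len(truth))


def mape(truth, pred):
    """Mean absolute percentage error; zero targets are undefined and skipped."""
    terms = [abs((t - p) / t) for t, p in zip(truth, pred) if t != 0]
    if not terms:
        raise ValueError("MAPE is undefined when every target is zero")
    return 100.0 * sum(terms) / len(terms)


def severity_label(score):
    """Map a severity score (%) to the Table 19 classes (cut-offs 25 and 40)."""
    return "LOW" if score <= 25 else "MILD" if score <= 40 else "HIGH"


def evaluate(samples, labels, theta):
    pred = [predict(z, y, theta) for z, y in samples]
    return rmse(labels, pred), mape(labels, pred)


def demo():
    """Steps 1-6 on constructed data: label, split 3:1, train, score."""
    grid = [(float(z), float(y)) for z in (0, 2, 5, 8, 12, 20, 30, 45, 60)
            for y in (0, 5, 10, 20, 35, 50, 70, 100)]
    data = [(s, predict(*s, HIDDEN_THETA)) for s in grid]
    train = [d for i, d in enumerate(data) if i % 4 != 0]
    test = [d for i, d in enumerate(data) if i % 4 == 0]
    theta = fit_consequents(*zip(*train))
    return theta, evaluate(*zip(*train), theta), evaluate(*zip(*test), theta)
```

`demo()` returns the fitted coefficients together with (RMSE, MAPE) for the training and test splits; an input that falls outside every fuzzy set raises an error instead of producing a severity score.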
IV. RESULT AND DISCUSSION
ANFIS is implemented with MATLAB R2019a for the risk severity prediction of attacks detected by the previously
proposed Hybrid classification method. 18 features are selected from the previous feature selection work [20].
Those features are considered in this paper to find the severity of the attack in the network.
4.1 Input Membership Function
Duration:
The variable Duration represents the length (number of seconds) of the connection in the network. Table 1 gives
the fuzzy table for the input variable duration, and its membership function is given in Figure 3.
Table 1: Fuzzy Table for Input Variable Duration
Input Field | Range | Linguistic Representation
Duration | 0-10 Seconds | Time 1
Duration | 11-30 Seconds | Time 2
Duration | >30 Seconds | Time 3
Figure 3: Membership Function Plot for Input Variable “Duration”. X-axis: Input Variable “Duration”, Y-axis: Membership
Degree of “Duration”
Protocol_type:
The variable protocol_type represents the type of protocol used in the network, e.g. TCP, UDP, ICMP, etc.
Table 2 gives the fuzzy table for the input variable protocol_type, and its membership function is presented in
Figure 4.
Table 2: Fuzzy Table for Input Variable Protocol_Type
Input Field | Range | Linguistic Representation
Protocol_Type | 0-3 | TCP
Protocol_Type | 3-6 | UDP
Protocol_Type | 5-9.5 | ICMP
Figure 4: Membership Function Plot for Input Variable “Protocol_Type”. X-axis: Input Variable “Protocol_Type”, Y-axis:
Membership Degree of “Protocol_Type”
Service:
The variable Service represents the network service on the destination, e.g., HTTP, FTP, TELNET, etc. Table 3
depicts the fuzzy table for the input variable service, and Figure 5 shows its membership function.
Table 3: Fuzzy Table for Input Variable Service
Input Field | Range | Linguistic Representation
Service | 0-2 | HTTP
Service | 2-4 | FTP
Service | 4-8 | Telnet
Figure 5: Membership Function Plot for Input Variable “Service”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “Service”
Flag:
The variable Flag represents the normal or error status of the connection. Table 4 depicts the fuzzy table for
the input variable flag, and Figure 6 shows its membership function.
Table 4: Fuzzy Table for Input Variable Flag
Input Field | Range | Linguistic Representation
Flag | 0-3 | Flag1 (Normal)
Flag | 3-6 | Flag2 (Abnormal)
Flag | 6-9 | Flag3 (Error)
Figure 6: Membership Function Plot for Input Variable “Flag”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “Flag”
Source_Bytes:
The input variable Source_Bytes represents the number of data bytes from source to destination. The following
ranges are used to describe the source_bytes size during transmission in the network. Table 5 gives the fuzzy
table for the input variable source_bytes, and its membership function is represented in Figure 7.
Table 5: Fuzzy Table for Input Variable source_bytes
Input Field | Range | Linguistic Representation
Source_Bytes | 0-15000 bytes | Range 1
Source_Bytes | 15000-28000 bytes | Range 2
Source_Bytes | 28000-100000 bytes | Range 3
Figure 7: Membership Function Plot for Input Variable “src_bytes”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “src_bytes”
Destination_Bytes:
The input variable Destination_Bytes represents the number of data bytes from destination to source.
The following ranges are used to describe the destination_bytes size during transmission in the network. Table 6
gives the fuzzy table for the input variable destination_bytes, and its membership function is depicted in
Figure 8.
Table 6: Fuzzy Table for Input Variable Destination_bytes
Input Field | Range | Linguistic Representation
Destination_Bytes | 0-15000 bytes | Range 1
Destination_Bytes | 15000-28000 bytes | Range 2
Destination_Bytes | 28000-100000 bytes | Range 3
Figure 8: Membership Function Plot for Input Variable “dst_bytes”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “dst_bytes”
Land:
The input variable Land is 1 if the connection is from/to the same host/port and 0 otherwise. Table 7
gives the fuzzy table for the input variable Land, and its membership function is depicted in Figure 9.
Table 7: Fuzzy Table for Input Variable Land
Input Field | Range | Linguistic Representation
Land | 0 | Different host/port
Land | 0.1-1 | Connection from same host/port
Figure 9: Membership Function Plot for Input Variable “Land”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “Land”
Su_attempted:
The input variable Su_attempted is 1 if the "su root" command was attempted and 0 otherwise. Table 8
gives the fuzzy table for the input variable su_attempted, and its membership function is depicted in
Figure 10.
Table 8: Fuzzy Table for Input Variable su_attempted
Input Field | Range | Linguistic Representation
Su_Attempted | 0 | No (Su_root command not attempted)
Su_Attempted | 0.1-1 | Yes (su_root command attempted)
Figure 10: Membership Function Plot for Input Variable “su_attempted”. X-axis: Input Variable “Service”, Y-axis:
Membership Degree of “su_attempted”
Num_root:
The input variable Num_root represents the number of “root” accesses. Table 9 gives the fuzzy table for
the input variable num_root, and its membership function is depicted in Figure 11.
Table 9: Fuzzy Table for Input Variable num_root
Input Field | Range | Linguistic Representation
num_root | 0 | No (No root access)
num_root | 0.1-1 | Yes (Root access)
Figure 11: Membership Function Plot for Input Variable “num_root”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “num_root”
Count:
The input variable Count represents the number of connections to the same host as the current
connection in the past two seconds. Table 10 gives the fuzzy table for the input variable count, and its
membership function is depicted in Figure 12.
Table 10: Fuzzy Table for Input Variable count
Input Field | Range | Linguistic Representation
Count | 1-150 | Range1
Count | 151-300 | Range2
Count | 301-511 | Range3
Figure 12: Membership Function Plot for Input Variable “count”. X-axis: Input Variable “Service”, Y-axis: Membership
Degree of “count”
Synchronization Error Rate (serror_rate):
The input variable Synchronization Error Rate represents the percentage of connections that have "SYN" errors in
the network. Table 11 presents the fuzzy table for the input variable serror_rate, and its membership function is
presented in Figure 13.
Table 11: Fuzzy Table for Input Variable “serror_rate”
Input Field | Range | Linguistic Representation
serror_rate | 0-10% | Type 1
serror_rate | 11-30% | Type 2
serror_rate | 31-100% | Type 3
Figure 13: Membership Function Plot for Input Variable “serror_rate”. X-axis: Input Variable “serror_rate”, Y-axis:
Membership Degree of “serror_rate”
Srv_count:
The input variable srv_count represents the number of connections to the same service as the current
connection in the past two seconds. Table 12 presents the fuzzy table for the input variable srv_count, and its
membership function is presented in Figure 14.
Table 12: Fuzzy Table for Input Variable “srv_count”
Input Field | Range | Linguistic Representation
srv_count | 1-150 | Type 1
srv_count | 151-300 | Type 2
srv_count | 301-511 | Type 3
Figure 14: Membership Function Plot for Input Variable “srv_count”. X-axis: Input Variable “srv_count”, Y-axis:
Membership Degree of “srv_count”
rerror_rate (Response Error rate):
The input variable Response Error Rate represents the percentage of connections that have "Response" errors in the
network. Table 13 presents the fuzzy table for the input variable rerror_rate, and Figure 15 gives the membership
function for the given input variable.
Table 13: Fuzzy Table for Input Variable “rerror_rate”
Input Field | Range | Linguistic Representation
rerror_rate | 0-25% | Type 1
rerror_rate | 25-50% | Type 2
rerror_rate | 50-100% | Type 3
Figure 15: Membership Function Plot for Input Variable “rerror_rate”. X-axis: Input Variable “rerror_rate”, Y-axis:
Membership Degree of “rerror_rate”
Diff_srv_count:
The input variable Diff_srv_count represents the number of connections to different services. Table 14
presents the fuzzy table for the input variable Diff_srv_count, and Figure 16 gives the membership function for the
given input variable.
Table 14: Fuzzy Table for Input Variable “Diff_srv_count”
Input Field | Range | Linguistic Representation
Diff_srv_count | 1-150 | Type 1
Diff_srv_count | 151-300 | Type 2
Diff_srv_count | 301-511 | Type 3
Figure 16: Membership Function Plot for Input Variable “Diff_srv_count”. X-axis: Input Variable “Diff_srv_count”, Y-
axis: Membership Degree of “Diff_srv_count”
Dst_host_count:
The input variable Dst_host_count represents the count for the destination host. Table 15 presents the fuzzy
table for the input variable Dst_host_count, and Figure 17 gives the membership function for the given input variable.
Table 15: Fuzzy Table for Input Variable “Dst_host_count”
Input Field | Range | Linguistic Representation
Dst_host_count | 1-75 | Type 1
Dst_host_count | 76-150 | Type 2
Dst_host_count | 151-225 | Type 3
Figure 17: Membership Function Plot for Input Variable “Dst_host_count”. X-axis: Input Variable “Dst_host_count”, Y-
axis: Membership Degree of “Dst_host_count”
Num_file_creations:
The input variable Num_file_creations represents the number of file creation operations. Table 16 presents
the fuzzy table for the input variable num_file_creations, and Figure 18 gives the membership function for the given
input variable.
Table 16: Fuzzy Table for Input Variable “Num_file_creations”
Input Field | Range | Linguistic Representation
Num_file_creations | 0 | No (No files created)
Num_file_creations | 0.1-1 | Yes (files created)
Figure 18: Membership Function Plot for Input Variable “Num_file_creations”. X-axis: Input Variable
“Num_file_creations”, Y-axis: Membership Degree of “Num_file_creations”
Num_access_file:
The input variable Num_access_file represents the number of operations on access control files. Table 17
presents the fuzzy table for the input variable Num_access_file, and Figure 19 gives the membership function for
the given input variable.
Table 17: Fuzzy Table for Input Variable “Num_access_file”
Input Field | Range | Linguistic Representation
Num_access_file | 0 | No (no access on control files)
Num_access_file | 0.1-1 | Yes (access on control files)
Figure 19: Membership Function Plot for Input Variable “Num_access_file”. X-axis: Input Variable “Num_access_file”, Y-
axis: Membership Degree of “Num_access_file”
Num_shell:
The input variable Num_shell represents the number of shell prompts. Table 18 presents the fuzzy table
for the input variable Num_shell, and Figure 20 gives the membership function for the given input variable.
Table 18: Fuzzy Table for Input Variable “Num_shell”
Input Field | Range | Linguistic Representation
Num_shell | 0 | No (No shell prompts)
Num_shell | 0.1-1 | Yes (shell prompts)
Figure 20: Membership Function Plot for Input Variable “Num_shell”. X-axis: Input Variable “Num_shell”, Y-axis:
Membership Degree of “Num_shell”
4.2 Output Membership Function
The output variable “Severity” expresses the risk severity of the attack in the network. This severity is
classified into three stages: Low, Mild and High. These stages represent the severity of suspicion for the node.
Table 19 gives the fuzzy table for the output variable severity, and its membership function is presented in
Figure 21.
Table 19: Fuzzy Table for Output Variable “Severity”
Input Field | Range | Linguistic Representation
Severity | 0-25% | LOW
Severity | 26-40% | MILD
Severity | 41-100% | HIGH
Figure 21: Membership Function Plot for Output Variable “Severity”. X-axis: Input Variable “Severity”, Y-axis: Membership
Degree of “Severity”
Figure 22 depicts the graphical representation of the rule view of proposed ANFIS structure. Based on the rule
sets, the severity of the attacks can be predicted. 73 rules are generated with the triangular membership for the
given 18 input features for predicting the attack severity.
Figure 22: Rule View of the proposed ANFIS model for attack severity prediction
V. CONCLUSION
The challenge is to identify the severity of a suspicious node based on several factors in the KDDCUP 99 dataset, which
contains the attack data, since these factors can contribute to a node being malicious or not. The results show
that the proposed method can be used to infer fuzzy rules from data while maintaining a reasonable balance of
accuracy and readability. Primary prevention is recommended for encouraging good nodes for routing in
networks by improved knowledge and consciousness, as well as a method to predict the likelihood of a network
cut for prevention. It will consider re-routing based on the severity of the attacks on the node. It will boost the
network's data processing speed, reliability, and service quality.
REFERENCE
1. Buczak, Anna L., and Erhan Guven. "A survey of data mining and machine learning methods for cyber security intrusion detection." IEEE Communications surveys & tutorials 18.2 (2015): 1153-1176.
2. Buczak, Anna L., and Erhan Guven. "A survey of data mining and machine learning methods for cyber security intrusion detection." IEEE Communications surveys & tutorials 18.2 (2015): 1153-1176.
3. Sahani, Roma, et al. "Classification of intrusion detection using data mining techniques." Progress in computing, analytics and networking. Springer, Singapore, 2018. 753-764.
4. Kaja, Nevrus, Adnan Shaout, and Di Ma. "An intelligent intrusion detection system." Applied Intelligence 49.9 (2019): 3235-3247.
5. Depren, Ozgur, et al. "An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks." Expert systems with Applications 29.4 (2005): 713-722.
6. Muthukumar, Balasundaram, and Praveen Kumar Rajendran. "Intelligent intrusion detection system for private cloud environment." International Symposium on Security in Computing and Communication. Springer, Cham, 2015.
7. Bilalli, Besim, et al. "Intelligent assistance for data pre-processing." Computer Standards & Interfaces 57 (2018): 101-109.
8. Jović, Alan, Karla Brkić, and Nikola Bogunović. "A review of feature selection methods with applications." 2015 38th international convention on information and communication technology, electronics and microelectronics (MIPRO). IEEE, 2015.
9. Durairaj, M., and T. S. Poornappriya. "Why Feature Selection in Data Mining Is Prominent? A Survey." International Conference on Artificial Intelligence, Smart Grid and Smart City Applications. Springer, Cham, 2019.
10. Ganapathy, Sannasi, et al. "Intelligent feature selection and classification techniques for intrusion detection in networks: a survey." EURASIP Journal on Wireless Communications and Networking 2013.1 (2013): 1-16.
11. Chauhan, Himadri, et al. "A comparative study of classification techniques for intrusion detection." 2013 International Symposium on Computational and Business Intelligence. IEEE, 2013.
12. Elhag, S., et al. "Evolutionary fuzzy systems: a case study for intrusion detection systems." Evolutionary and swarm intelligence algorithms. Springer, Cham, 2019. 169-190.
13. Elhag, Salma, et al. "A multi-objective evolutionary fuzzy system to obtain a broad and accurate set of solutions in intrusion detection systems." Soft Computing 23.4 (2019): 1321-1336.
14. Selvakumar, K., et al. "Intelligent temporal classification and fuzzy rough set-based feature selection algorithm for intrusion detection system in WSNs." Information Sciences 497 (2019): 77-90.
15. Pradeep Mohan Kumar, K., et al. "Intrusion detection system based on GA‐fuzzy classifier for detecting malicious attacks." Concurrency and Computation: Practice and Experience (2019): e5242.
16. Elisa, Noe, et al. "Dendritic cell algorithm enhancement using fuzzy inference system for network intrusion detection." 2019 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE).IEEE, 2019.
17. Sathesh, A. "Enhanced soft computing approaches for intrusion detection schemes in social media networks." Journal of Soft Computing Paradigm (JSCP) 1.02 (2019): 69-79.
18. Senthilnayaki, Balakrishnan, Krishnan Venkatalakshmi, and ArputharajKannan. "Intrusion detection system using fuzzy rough set feature selection and modified KNN classifier." Int. Arab J. Inf. Technol. 16.4 (2019): 746-753.
19. Ali, Ahmed Hussein. "Fuzzy generalized Hebbian algorithm for large-scale intrusion detection system." International Journal of Integrated Engineering 12.1 (2020): 81-90.
20. Durairaj. M, D. Radhika. (2020). A CLASSIFICATION MODEL WITH OPTIMIZATION BASED FEATURE SELECTION METHOD FOR INTRUSION DETECTION SYSTEM. PalArch’s Journal of Archaeology of Egypt / Egyptology, 17(6), 9318-9334.
21. Karaboga, Dervis, and Ebubekir Kaya. "Adaptive network based fuzzy inference system (ANFIS) training approaches: a comprehensive survey." Artificial Intelligence Review 52.4 (2019): 2263-2293.
22. Sushita, K., Shanmugasundaram, N.“Performance and comparative analysis of bldc motor with pi and pid controllers” Annals of the Romanian Society for Cell Biology, 2021, 25(3), pp. 219–228
23. Shanmugasundaram, N., Sushita, K., Kumar, S.P., Ganesh, E.N.“Genetic algorithm-based road network design for optimising the vehicle travel distance” International Journal of Vehicle Information and Communication Systems, 2019, 4(4), pp. 355–374 7
24. Pradeep Kumar, S., Shanmugasundaram, N. “Pin number theft recognition and cash transaction using sixth sense technology in ATM/CDM”International Journal of Engineering and Technology(UAE), 2018, 7(2), pp. 178–180