OPTIMIZATION ALGORITHMS FOR INTRUSION DETECTION SYSTEM: A REVIEW

With the growth and development of the Internet, the devices and hosts connected to it have become targets for attackers and intruders. Consequently, protecting the integrity of systems and data has become more complex. Meanwhile, many institutions suffer financial or other losses due to attacks on computer systems. Accordingly, detecting intrusions and attacks has become both a challenge and a vital necessity. Many different methods have been used to build intrusion detection systems (IDSs)


INTRODUCTION
In any information system, intrusions can be defined as activities that break and violate the security policy of that system; such intrusions are identified by intrusion detection [1]. Since the evolution of the Internet, intrusion detection systems (IDSs) have been one of the most important types of security software used to deal with intrusions [2]. Intrusion detection systems are among the necessary components of an information security system [3].
An IDS is hardware or software that observes the processes of a computer network, watching for any violation of network management policies, or that monitors changes on the host device such as the modification, addition or deletion of files [3]. An intrusion is any type of unauthorized activity that results in damage to the information system; any attack that poses a potential threat to the integrity and confidentiality of the information is considered an intrusion, for example when computer services stop responding to legitimate users [4]. In the past and to this day, cyber criminals have focused on stealing from banks and credit card customers or robbing bank accounts. Therefore, it is of vital importance to have an IDS for detecting various attacks [5]. The goal of an IDS is to identify all sorts of attacks as soon as possible, which a traditional firewall cannot achieve, and to distinguish between system activities that are normal and behaviors that should be classified as suspicious or intrusions.
To secure important data, several methods have been used, such as encryption and firewalls. A firewall acts as a defense, but it reduces exposure to intrusions rather than monitoring for or removing the vulnerabilities of computer systems [5]. A detection and monitoring system is therefore necessary to protect important data. For this reason, methods of intrusion detection in computers have attracted the attention of many researchers [6] [3].

TYPES OF INTRUSION DETECTION
IDSs are categorized into two types: signature-based intrusion detection systems (SIDS) and anomaly-based intrusion detection systems (AIDS). A brief explanation of each follows [1] [5].
• Signature-based intrusion detection systems (SIDS): SIDS is based on techniques that depend on pattern matching to find a known attack; these are also known as knowledge-based detection or misuse detection. In other words, when the signature of an intrusion matches a previously stored intrusion signature, an alarm is raised.
• Anomaly-based intrusion detection systems (AIDS): This type has attracted the attention of many scholars because of its ability to overcome the limitations of SIDS. In AIDS, a model of normal system behavior is created using machine learning, and any deviation from the normal behavior of the model is deemed an anomaly. All techniques of this type assume that any behavior that differs from typical behavior is an intrusion. The classification of intrusion detection systems is shown in Fig. 1.
The reviewed works refer to the following four categories of attack:
• User to Root Attack (U2R): The attacker exploits a normal user account of the system, entering the system with the privileges of a regular user by obtaining the password and then exploiting some weakness to gain access to the system root.
• Probing: An attempt to collect information from a computer device in order to identify weaknesses in that computer.
• Denial-of-Service Attack (DoS): The attacker performs some computations that make the resources too busy, fill the memory, or prevent legitimate users from accessing the computers.
• Remote to Local Attack (R2L): The attacker sends packets to the device through the network without having any account on that device and then exploits weaknesses to enter that device as a normal user.

PARTICLE SWARM OPTIMIZATION (PSO)
The authors in [27] proposed an ID approach using the k-means clustering algorithm and particle swarm optimization (PSO), where PSO was applied to select the cluster centers. The KDD Cup 99 dataset was used to evaluate the performance of the approach. The results showed a high detection rate and a low false alarm rate, and the method achieved faster processing time.
The authors in [30] proposed an ID approach based on particle swarm optimization (PSO) and a support vector machine (SVM). PSO was applied both for selecting the SVM parameters and for feature selection. The NSL-KDD dataset was used, and the method gave good performance with an accuracy rate of 81.8%.
The authors in [31] proposed an IDS approach based on feature selection using particle swarm optimization (PSO), where PSO selects features from the principal components. A simulated dataset was used to evaluate this method, and the results showed its ability to detect intrusions with DR = 99.4% and FAR = 0.6%.
In [33], the authors designed a new IDS method (MCLP-PSO) based on multiple criteria linear programming and particle swarm optimization. KDD datasets were used. The approach gave good results in terms of DR = 0.9913, FAR = 0.01947 and running time.
The authors in [39] proposed a method based on a neural network (NN) and the PSO algorithm for improving ID performance, aiming to detect various kinds of attacks with as high an accuracy as possible. The data first passes through a feature selection stage that keeps the features appropriate for ID; this data is then used to train and test the neural network. The optimal weights are extracted using PSO in order to classify the data as normal or attack. The results show that this approach provides high accuracy and performance for detecting various types of attacks.
The authors in [37] proposed an IDS based on a fast learning network and particle swarm optimization (FLN-PSO) for improving intrusion detection. The performance of the method was evaluated on KDD datasets. The results show that the accuracy for DoS and Probe attacks improved when PSO optimized the parameters of the FLN, while the accuracy for R2L and U2R attacks remained low because of the limited amount of training data for those classes.
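As an added worked example (not code from any of the reviewed papers), the following Python implements the kind of binary PSO feature selection described for [30] and [31]: each particle is a 0/1 mask over the features of a constructed dataset, a nearest-centroid classifier stands in for the SVM or decision tree of those works, and the fitness rewards a high DR and a low FAR while charging a small penalty per selected feature. The dataset, the classifier, the PSO coefficients and the fitness weights are assumptions made for this example.

```python
import math
import random

def make_dataset(n=200, n_features=6, seed=1):
    """Constructed records (1 = attack, 0 = normal); features 0 and 1 carry the signal, 2..5 are noise."""
    rng = random.Random(seed)
    records = []
    for i in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in range(n_features)]
        if i % 2:                                   # attack records shift the two informative features
            x[0], x[1] = x[0] + 3.0, x[1] - 3.0
        records.append((x, i % 2))
    return records

def evaluate(mask, train, test):
    """Nearest-centroid classifier on the features selected by mask; returns (DR, FAR)."""
    idx = [j for j, m in enumerate(mask) if m]
    if not idx:
        return 0.0, 1.0                             # an empty feature set is useless
    rows = {lab: [x for x, y in train if y == lab] for lab in (0, 1)}
    cents = {lab: [sum(x[j] for x in r) / len(r) for j in idx] for lab, r in rows.items()}
    def predict(x):
        d = {lab: sum((x[j] - c[k]) ** 2 for k, j in enumerate(idx)) for lab, c in cents.items()}
        return min(d, key=d.get)
    tp = sum(1 for x, y in test if y == 1 and predict(x) == 1)   # attacks detected
    fp = sum(1 for x, y in test if y == 0 and predict(x) == 1)   # normal records flagged
    n_att = sum(y for _, y in test)
    return tp / n_att, fp / (len(test) - n_att)

def fitness(mask, train, test, penalty=0.02):
    """Reward high DR and low FAR; charge a small cost per selected feature."""
    dr, far = evaluate(mask, train, test)
    return dr - far - penalty * sum(mask)

def pso_feature_selection(train, test, n_particles=10, iters=20, seed=7):
    """Binary PSO: a particle is a 0/1 mask; sigmoid(velocity) is the probability a bit is set."""
    rng, n = random.Random(seed), len(train[0][0])
    pos = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n_particles)]
    vel = [[0.0] * n for _ in range(n_particles)]
    pbest, pfit = [p[:] for p in pos], [fitness(p, train, test) for p in pos]
    g = max(range(n_particles), key=pfit.__getitem__)
    gbest, gfit = pbest[g][:], pfit[g]
    for _ in range(iters):
        for i in range(n_particles):
            for j in range(n):
                r1, r2 = rng.random(), rng.random()   # cognitive and social random weights
                vel[i][j] = 0.7 * vel[i][j] + 1.5 * r1 * (pbest[i][j] - pos[i][j]) + 1.5 * r2 * (gbest[j] - pos[i][j])
                pos[i][j] = 1 if rng.random() < 1.0 / (1.0 + math.exp(-vel[i][j])) else 0
            f = fitness(pos[i], train, test)
            if f > pfit[i]:                         # update personal best, then global best
                pbest[i], pfit[i] = pos[i][:], f
                if f > gfit:
                    gbest, gfit = pos[i][:], f
    return gbest, gfit
```

In use, make_dataset would be replaced by records from KDD Cup 99 or NSL-KDD and evaluate by the classifier of the paper in question; the returned mask and fitness then play the role of the selected feature subset and its DR/FAR trade-off.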

ARTIFICIAL BEES COLONY (ABC)
The authors in [13] proposed a method based on the bees algorithm (BA) for improving IDS. The honeybee approach consists of three basic components: Undesirable-Absent (UA), Desirable-Present (DP) and Filtering-Decision (FD). Predefined attacks are detected by the UA detector, the DP detector is responsible for detecting anomalous behaviors, and the FD trains the UA detector in real time so that it can discover new intrusions. Attack patterns were learned from the training dataset by a NN trained with the BA to identify the characteristics of attacks, which are then classified as unwanted characteristics during the test phase. The KDD Cup 99 dataset was used to evaluate the method. The results showed that the method was applied successfully, that it is able to detect different kinds of attacks, and that it can learn the characteristics of misuse attacks and detect instances that were not seen during the training phase.
In addition, the authors in [24] proposed a novel anomaly network intrusion detection system using the ABC algorithm. First, an upper bound (UB) and a lower bound (LB) were determined for each feature in the dataset and used to infer the classification rule. The ABC algorithm was then applied to recognize patterns in the network traffic. KDD datasets were used, and the results illustrate the ability of the method to retain the robustness of the system across different population sizes.
The authors in [32] proposed a hybrid IDS based on the artificial bee colony (ABC) algorithm and a multi-layer perceptron (MLP), where ABC was used to optimize the weights of the MLP to obtain a better detection rate. The NSL-KDD dataset was used; the accuracy obtained using ABC was 87.27% with an error rate of 0.126%.
The authors in [35] proposed an approach for detecting Denial-of-Service (DoS) attacks in cloud computing based on the bees algorithm. The work selects the basic features of each record in the dataset, then applies ABC to construct a normal profile in the training step; in the testing phase a centroid classifier is applied to detect the DoS attacks. ABC gave good results for detecting attacks and is useful in handling denial-of-service attacks.
Additionally, the authors in [36] proposed a novel hybrid IDS (ABC-AFS) combining the Artificial Bee Colony and Artificial Fish Swarm algorithms for ID, with the purpose of distinguishing normal from abnormal behavior. The approach tries to enhance the detection accuracy of ID by taking advantage of the properties of the two algorithms once combined. The method was applied to the UNSW-NB15 and NSL-KDD datasets. Fuzzy C-Means (FCM) was used to partition the training dataset, and correlation-based feature selection (CFS) was used to remove irrelevant features. In addition, a classification and regression tree (CART) was used as a rule generator to separate normal behaviors from abnormal ones. Finally, the hybrid ABC-AFS identifies the type of attack. The approach showed good results in terms of the performance measures.
The authors in [38] proposed a network ID based on a modified Naive Bayes algorithm and the Artificial Bee Colony (ABC) algorithm. The approach effectively improves the network intrusion detection rate, detects different kinds of network intrusion well, and greatly improves the security performance of the network.

CUTTLEFISH ALGORITHM
The authors in [20] presented an approach for intrusion detection systems that combines the cuttlefish algorithm (CFA) and a decision tree (DT). CFA was used as the feature selection method, searching for the optimal subset of features, and the DT classifier was used to judge the feature subsets produced by the CFA. Applying feature selection with CFA on the KDD Cup 99 dataset gave better results.
In like manner, the authors in [21] proposed a distributed intrusion detection system (DIDS) based on the cuttlefish optimization algorithm (CFA) and a decision tree (DT). The system uses an agent called the rule and feature generator agent (RFGA), which generates a subset of features using CFA. CFA produced the best five features, from which a decision tree was built; the generated DT is used to judge the selected features. The KDD dataset was used to test the system. The performance with the five selected features was compared with that of the complete 41 features, and the results showed that the system performed better with 5 features than with all 41.
The authors in [2] proposed an intrusion detection system based on a feature selection algorithm and a clustering algorithm, using both filter and wrapper methods. The proposed method combines feature grouping based on the linear correlation coefficient (FGLCC) with the CFA algorithm; the FGLCC filter ranks the primary features and chooses the best among them. The proposed system works in several stages. First, the correlation coefficient between the features and the classes is calculated to choose the features with the highest correlation. FGLCC then calculates the evaluation function for the chosen features and passes the highest-ranked features to the CFA for the second stage, which chooses the best subset of the initial features; the feature groups are thus selected by relying on the high speed of FGLCC and the high accuracy of CFA. CFA depends on a DT classifier to classify the features after they are selected. The results show that DR increased while FPR was reduced.

GENETIC ALGORITHM (GA)
The authors in [28] designed an approach for intrusion detection based on a genetic algorithm (GA) to detect different kinds of network intrusions efficiently. The system's work is divided into (1) a precalculation (training) phase, in which groups of chromosomes for each attack type and for normal traffic are built from the training data, and (2) a detection (testing) phase, in which an initial population is created for each test record, the population is compared with the chromosomes prepared in the training phase, and a portion of the population is deleted in order to filter the traffic data. Through this process the data is classified as normal or attack. The KDD dataset was used, and the method gave good ID results with DR equal to 0.95 and FPR equal to 0.30.
In like manner, the authors in [29] proposed a new IDS (PSO-GA) for malicious traffic by combining particle swarm optimization with a genetic algorithm. The KDD Cup dataset was used to evaluate the approach. The parameters were selected using PSO, while GA separated the normal and abnormal data in the network traffic. The proposed method achieved good ID results with a very low FAR and a high DR.
What is more, the authors in [11] proposed an anomaly detection system for discovering anomalies in a computer network. The method uses information retrieved from IP flows and combines a genetic algorithm (GA) with fuzzy logic to obtain better ID results. GA was applied to generate a digital signature of the network segment, and the information extracted from the network flows is used to predict the behavior of the network traffic. A fuzzy logic scheme is then applied to each instance to determine whether it represents an anomaly or not. The proposed approach was applied to real network traffic flows and achieved good results.
At last, the authors in [40] developed a hybrid IDS able to handle the large volume of the NSL-KDD dataset, based on a genetic algorithm and fuzzy logic (GA-Fuzzy). GA was used to train the fuzzy classifier efficiently by generating new rules. Principal Component Analysis (PCA) was used as the feature selection method to discard irrelevant features and choose the appropriate ones. The dataset was then classified as normal or attack with good accuracy. The proposed method demonstrated its ability to reduce the time spent detecting intrusions and to reduce the misclassification alarm rate.
In this review paper, different optimization algorithms are illustrated and summarized in terms of intrusion detection. Table 1 summarizes the reviewed related works, listing for each the dataset used (such as NSL-KDD) and whether the proposed method detects attacks effectively and, in addition, reduces the FAR.

DISCUSSION
As shown by this study, many optimization algorithms have been used in the field of intrusion detection, but this study is concerned with ABC, PSO, GA and CFA and their use for detecting attacks, whether used alone or combined with other algorithms to increase system performance and efficiency. It is clear that all of the mentioned algorithms contributed to the detection of attacks in new and different ways. The PSO algorithm iteratively improves candidate solutions to the problem and can be combined with other algorithms to improve a method's performance, but it does not guarantee an optimal solution, and its performance can be affected by time and noise. The ABC algorithm is easy to implement, but it needs a large number of fitness evaluations, which may affect its accuracy. CFA was used successfully for feature selection in different studies, but it is a mathematically complex algorithm. Lastly, GA is well suited to optimizing parameters and can deal with large datasets, but it may suffer from some restrictions.

CONCLUSION
It is not required that all intrusion detection systems have the same mechanism and operate in the same way; they may use different methods and strategies, and sometimes reaching the desired goal requires a great deal of monitoring and high effectiveness. In this follow-up study, we concluded that many methods and algorithms are used to detect intrusions and that each algorithm has its pros and cons. All of the algorithms have difficulty dealing with big data, so they always need to be combined with other algorithms or techniques to give better performance; for this reason, many standalone models fail to achieve a high detection rate with a reduced false alarm rate. This paper describes several optimization algorithms for intrusion detection that have been proposed in the past ten years. The review will help researchers gain a basic insight into the different approaches to intrusion detection. From the previous studies in the related work, it is clear that each algorithm does its best in a particular way, but there are always limitations that leave room for researchers to design better algorithms than the existing ones.

SOURCES OF FUNDING
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.

CONFLICT OF INTEREST
The author has declared that no competing interests exist.