Journal of Ambient Intelligence and Humanized Computing

https://doi.org/10.1007/s12652-021-03077-0

ORIGINAL RESEARCH

Network intrusion detection using sparse autoencoder

with swish‑PReLU activation Model
Phanindra Reddy Kannari1 · Noorullah C. Shariff2 · Rajkumar L. Biradar3

Received: 5 November 2020 / Accepted: 2 March 2021

© The Author(s), under exclusive licence to Springer-Verlag GmbH Germany, part of Springer Nature 2021

Abstract
In computer networks, the massive amount of data increases the challenges for intrusion detection systems, because of its
high dimensionality. To overcome this problem, a four-phase system is developed for intrusion detection based on encoding
techniques and deep learning. In the first phase, input data are collected from NSL-KDD, Canadian Institute for Cybersecu-
rity-Intrusion Detection System 2017 (CIC-IDS2017), and Aegean Wi-Fi Intrusion Dataset (AWID). The collected data are
converted into the machine-readable form by using label and one hot encoding technique that reduces the human intervention
process and increases the accuracy of data classification. Next, the top percentile and recursive features are selected utiliz-
ing second percentile methodology and recursive feature elimination. The undertaken feature selection techniques; second
percentile method and recursive feature elimination selects the relevant or active features from the pre-processed data that
effectively diminishes the computational time and complexity of the proposed model. In the final phase, sparse autoencoder
with swish-PReLU activation model is proposed to classify the normal and traffic types in the NSL-KDD, CIC-IDS2017, and
AWID datasets. In the experimental phase, the proposed sparse autoencoder with swish-PReLU activation model achieved
effective performance in intrusion detection in light of false alarm rate, detection rate and classification accuracy. From the
experimental result, the proposed model showed the maximum of 4.77% improvement in classification accuracy compared
to the existing models; correlation-based feature selection with bat algorithm, artificial neural network, chi-square and
information gain-random tree, and sequential Search-Bayesian network.

Keywords Intrusion detection · Label encoder · One hot encoder · Recursive feature elimination · Second percentile
method · Sparse autoencoder

1 Introduction

The computer network has pervaded almost all aspects of

human life, due to the rapid internet growth and its world-
* Phanindra Reddy Kannari wide spread (Manimurugan et al. 2020). In recent decades,
[email protected] network systems are used for several online services like
Noorullah C. Shariff online social interactions, online shopping, online educa-
[email protected] tion, internet banking, business transactions, etc. (Liu et al.
Rajkumar L. Biradar 2020). The exponential growth of network size increases
[email protected] the intrusions and attacks, so the detection of attacks from
1
Department of Electronics and Communication Engineering, the networks has turned out to be an emerging task. How-
Rao Bahadur Y Mahabaleswarappa Engineering College, ever, a firewall is a first-line defense process that is utilized
Ballari, India for intrusion detection, which is not robust in detecting and
2
Department of Electronics and Communication Engineering, preventing the intrusions (Prasad et al. 2020a, b; Alma-
SECAB Institute of Engineering and Technology, Vijayapur, soudy et al. 2020). Intrusion Detection System (IDS) is a
India new security technology that protects the network systems
3
Department of Electronics and Telematics Engineering, from illegal external attacks like Distributed Denial-of-
G. Narayanamma Institute of Technology and Science, Service (DDoS) (Chen et al. 2020). By detecting malicious
Hyderabad, India

13
Vol.:(0123456789)
 P. R. Kannari et al.

behaviour, IDS effectively improves the security and reli- to other activation functions. In the experimental phase, the
ability of the systems (Wu et al. 2020; Li et al. 2020). Usu- proposed model performance is evaluated in light of detec-
ally, IDS is divided into two types, such as a signature based tion rate, accuracy and false alarm rate. Compared to the
detection system (misuse detection system) and profile based existing models like correlation-based feature selection with
detection system (anomaly detection system) (Lv et al. 2020; bat algorithm, artificial neural network, chi-square and infor-
Gupta and Agrawal 2020). By monitoring the system activi- mation gain-random tree, and sequential Search-Bayesian
ties, the anomaly detection system detects computer and net- network, the proposed model showed a maximum of 4.77 %
work intrusions, and then classify it as anomalous or normal enhancement in intrusion classification.
based on rules or heuristics. The misuse detection system This research paper is prepared as follows; a few recent
is used to detect the computer attack, where abnormal sys- research papers on “intrusion detection” is surveyed in
tem behaviour is initially defined, and then the remaining Sect. 2. The proposed sparse autoencoder with swish-
behaviors are defined as normal (Rose et al. 2020; Kumar PReLU activation model is briefly explained in Sect. 3.
et al. 2020). Currently, the use of machine learning and Experimental investigation of the proposed sparse autoen-
deep learning techniques in IDS is a growing research area coder with swish-PReLU activation model is denoted in
that analyses and extracts useful information from the data Sect. 4. The conclusion about the present research study is
(Zong et al. 2020; D’hooge et al. 2020). Some of the exist- given in Sect. 5.
ing machine learning and deep learning IDS techniques are
based on the genetic convolutional neural network (Nguyen
and Kim 2020), deep neural networks (RM et al. 2020),
ensemble of discriminant classifiers (Bhati et al. 2020), 2 Literature review
rough set theory (Prasad et al. 2020a, b), etc.
In the prior research works, non-linear characteristics and Zhou et al. (2020) presented a new intrusion detection sys-
higher dimensionality of data make machine and deep learn- tem based on ensemble learning and feature selection tech-
ing techniques unfit to solve multiple classification tasks. niques. In this study, Correlation-based Feature Selection
Hence, feature selection is considered as an essential require- (CFS) with Bat Algorithm (BA) was introduced to select the
ment for the learning techniques that eliminate the redun- optimal subset of features to deal with higher dimensional
dant or irrelevant features in the original data to enhance the and unbalanced network traffics. Next, an ensemble tech-
learning procedure. In this study, an effective feature selec- nique was developed based on random forest, C4.5 and forest
tion and classification technique are proposed to improve by penalizing attributes along with an average of probability
intrusion detection performance. At first, the original data combination rule to construct the classification model. In
are collected from NSL-KDD (Tavallaee et al. 2009), CIC- the experimental section, the developed intrusion detection
IDS2017 (Sharafaldin et al. 2018a, b), and AWID (Aminanto system was investigated using 10-fold cross validation on
et al. 2017) databases to validate the performance of the three online databases such as NSL-KDD, CIC-IDS2017,
proposed model. Next, data pre-processing is accomplished and AWID. The simulation result reveals that the developed
using label encoder, and the use of one hot encoder improves system exhibits effective performance related to the existing
the quality of collected data. The label encoder converts systems under several performance metrics like false alarm
the collected labels into numeric form (machine-readable rate, precision, f-measure, accuracy and attack detection
form), and one hot encoder splits the columns based on the rate. However, the developed system is ineffective in deal-
number of categories for better representation. The data pre- ing with the rare attacks, which are derived from the mas-
processing techniques provide details about how the data sive network traffics. Additionally, Ahmad et al. (2018) used
labels are operating. Then, feature selection is accomplished Extreme Learning Machine (ELM), random forest, Support
using the second percentile method and recursive feature Vector Machine (SVM) to improve the intrusion detection
elimination to select the most relevant features from the pre- rate and to minimize the false alarm rate. Related to random
processed data that significantly reduce the computational forest and SVM techniques, the ELM performs well on large
time of attack detection, and computational complexity of databases that effectively handles an enormous amount of
the proposed model. Finally, the sparse autoencoder with traffic data. In this study, NSL-knowledge discovery and data
swish-PReLU activation model is proposed to classify the mining databases were used to evaluate the intrusion detec-
attack types in NSL-KDD, CIC-IDS2017, and AWID data- tion mechanism. The Extensive experiment showed that
bases. If the data is structured or linear, sparse autoencoder the ELM achieved better performance in intrusion detec-
with swish-PReLU activation model is an effective choice tion related to the existing techniques in terms of accuracy,
for classification. In Autoencoder, swish-PReLU activa- recall, and precision. The experimental results showed that
tion function is used as an activation function that improves the ELM technique was highly suitable to analyse the vast
both classification performance and learning speed related amount of data. In this literature, different traffic types were

13
Network intrusion detection using sparse autoencoder with swish‑PReLU activation Model

required to model several network attacks that were expen- Multilayer Perceptron (MLP). In this literature, the MLP
sive and complex. technique was utilized to identify normal and abnormal net-
Shone et al. (2018) introduced an unsupervised feature work traffic packets. Further, the ABC algorithm was used
learning technique; Non-Symmetric Deep Autoencoder to optimize the value of biases and linkage weights in MLP
(NDAE) for intrusion detection. The novel classification that improves the testing and training performance. The
model was built by utilizing random forest and stacked developed system performance was evaluated on NSL-KDD
NDAEs. The Two benchmark databases; NSL-KDD and database in light of root mean square error and mean abso-
KDD Cup 99 were used for experimental evaluation, where lute error, which was better related to the existing systems.
the developed technique achieved promising results in intru- However, the computational overhead of MLP is higher that
sion detection. The performance metrics like precision, was considered as a major concern in this study.
accuracy, recall, false alarm and f-score were utilized to Asad et al. (2020) used feed forward backpropagation
evaluate the effectiveness of NDAE technique over other algorithm to classify the network flows as normal flows or
deep learning techniques. However, the developed technique attack. The developed deep learning algorithm protects the
is ineffective in handling the zero-day attacks that degrade services from application-layer DDoS attacks by determin-
the performance of intrusion detection. Further, Ghasemi ing malicious behaviour. In this literature study, a new mali-
et al. (2020) developed a Genetic Algorithm (GA) (Maulik cious pattern was used to detect the malicious behaviour
and Bandyopadhyay 2000) and Kernel ELM (KELM) for from packets, which serve as a secondary database to train
optimal feature selection and classification. In this literature the deep learning algorithm. In the experimental phase, the
study, NSL-KDD and KDD Cup 99 databases were used developed algorithm performance was evaluated on CIC-
for experimental analysis. The simulation outcome showed IDS 2017 database for DDoS detection through recall,
that the developed model achieved better performance in f-score, and precision. The developed deep learning algo-
intrusion detection, but the normal records were not detected rithm is ineffective in imbalanced data problem, and also it
appropriately by the GA-KELM model, which was a signifi- is not feasible in the DDoS scenario. Thanthrige et al. (2016)
cant drawback in this study. Cavusoglu (2019) developed developed a two-phase system for intrusion detection. In the
a hybrid layered intrusion detection system using different first phase, chi-square and information gain were used to
machine learning techniques. The main objective of this lit- determine the relevant features, which has an effect on the
erature study was to establish a system that performs attack accuracy of intrusion detection and also improves the speed
detection with lower error rates related to the existing stud- of classification. In the second phase, the random tree clas-
ies. Initially, the normalization technique was used for data sifier was applied to classify the finer-grained and higher
pre-processing, and then CfsSubsetEval (Chou et al. 2008) level class distributions. The extensive experiment showed
and WrapperSubsetEval feature selection algorithms were that the developed system achieved effective performance
used for optimal feature selection. The machine learning in intrusion detection on AWID using accuracy, detection
techniques such as naive Bayes, random forest, J-48, and rate and false alarm rate. During classification, the random
random tree were used for traffic classification. The devel- tree is sensitive to the outliers and the parameters and also
oped system performance was evaluated on NSL-KDD has a higher computational burden. Zhang and Wang (2013)
database in light of detection rate, f-measure, and overall developed an effective wrapper feature selection algorithm
accuracy. Based on the attack types, run-time and process- on the basis of the Bayesian network for intrusion detec-
ing time of the system were evaluated, where processing tion. In the experimental section, the developed algorithm
time was very high in user to root attack type, because of its performance was tested on NSL-KDD database to validate
stacking structure. its effectiveness. The Empirical results showed that the
Gu et al. (2019) developed an intrusion detection sys- developed algorithm significantly increased the classifica-
tem based on feature augmentation with SVM classifier. In tion accuracy and decreased the time to detect the attacks,
this study, a better quality transformed training data were where network security was a widely concerned issue in this
achieved by applying logarithm marginal density ratio trans- literature study. To address the issues mentioned above the
formation in the original features. Compared to the existing sparse autoencoder with swish- PReLU activation model is
systems, the developed system achieved effective perfor- proposed to improve the performance of intrusion detection.
mance on NSL-KDD, KDD’99 and Kyoto 2006 + data-
bases in light of detection rate, false alarm rate, accuracy,
and training speed. The developed system is ineffective 3  Methodology
in solving the problems like handling of the huge volume
of data, and high dimensionality features. Hajimirzaei, In computer networks, it is necessary to develop a robust
and Navimipour (2019) presented a new intrusion detec- IDS to monitor the activities of network traffics. The IDS
tion system based on the Artificial Bee Colony (ABC) and is a security management system that collects and analyses

13
 P. R. Kannari et al.

NSL-KDD database is an improved version of the KDD

cup 1999 database that is extensively utilized in intrusion
detection experiments. NSL-KDD database reasonably
alters the number of records for testing and training and
also resolves the inherent redundant records problems in
KDD cup 1999 database. NSL-KDD database consists of
KDD-Test+, KDD-Train+, and KDD-Test-21 sets to make
a better comparison with different models. As shown in
Table 1, NSL-KDD database includes four types of abnor-
mal records (DoS, U2R, R2L and probe attack) and a normal
record (Gurung et al. 2019; Su et al. 2020). In this study,
KDD-Test + set comprises of 22,544 instances that include
9,711 normal instances and 12,833 traffic instances. Also,
KDD-Train + set contains 125,973 instances in that 67,343
instances are normal traffic, and 58,630 instances are attack
traffic. As a subset of KDD-Test + set and KDD-Train + set,
Fig. 1  The workflow of the proposed system
KDD-Test-21 set includes 11,850 instances. The list of
attacks presented in NSL-KDD database is given in Table 2.
information from computer and networks to check the abnor- AWID database comprises of both intrusive and normal
mal behaviors of the system (Almiani et al. 2020; Alazzam data, which are collected from a real network environment.
et al. 2020; Davahli et al. 2020). In this article, the sparse In the AWID database, each record includes a vector of 155
autoencoder with swish- PReLU activation model is pro- attributes, and every attribute has nominal and numerical
posed to improve the classification performance of intru- values (Lopez-Martin et al. 2020; Thang and Pashchenko
sion detection. The proposed intrusion detection system 2019). AWID database is sub-divided into two sets; AWID-
includes four phases; data collection: NSL-KDD, AWID ATK and AWID-CLS based on the number of target classes.
and CIC-IDS2017, data pre-processing: label encoder, and AWID-ATK has seventeen target classes and AWID-CLS
one hot encoder, feature selection: second percentile method, groups the instances into four major classes like injection,
and recursive feature elimination and classification: sparse flooding, normal, and impersonation. The data statistics of
autoencoder with swish- PReLU activation model. The AWID-CLS database is denoted in Table 3.
workflow of the proposed system is presented in Fig. 1. The CIC-IDS2017 database contains up-to-date attacks
and the results of network traffic analysis with labelled
3.1 Data collection and pre‑processing flows based on the source and destination internet proto-
cols and time stamp. The CIC-IDS2017 database is the
In this research study, the proposed sparse autoencoder with advanced intrusion detection database that covers impor-
swish-PReLU activation model performance is validated tant criteria with updated attacks like Botnet, SQL injec-
on NSL-KDD, AWID, and CIC-IDS2017 databases. The tion, port scan, DDoS, brute force, infiltration and XSS.

Table 1  Data statistics of NSL- Sets Total Normal DoS Probe R2L U2L
KDD database
KDD-Test+ 22,544 9711 7458 2421 2754 200
KDD-Train+ 125,973 67,343 45,927 11,656 995 52
KDD-Test-21 11,850 2152 4342 2402 2754 200

Table 2  List of attacks presented in NSL-KDD database

Attack category Attack name

U2R Httptuneel, Perl, buffer-overflow, load module, Ps, rootkit, SQL attack, and Xterm
DoS Back, UDP-storm, Teardrop, Pod, Apache-2, Process-table, Smurf, land, Neptune, and mail-bomb
Probe Ip-sweep, M-scan, Satan, N-map, Saint, and Port-sweep
R2L Snmp-guess, X-lock, X-snoop, worm, Snmp-get-attack, send-mail, spy, phf, multi-hop, named,
Ftp-write, Imap, warez-master, guess-password, and warez-client

13
Network intrusion detection using sparse autoencoder with swish‑PReLU activation Model

Table 3  Data statistics of Classes Number of 3.2 Feature selection

AWID-CLS database attributes
After pre-processing the data, second percentile method
Normal 530,785
and recursive feature elimination technique are used to
Injection 16,682
select the relevant features for network intrusion detection.
Flooding 8097
By selecting the optimal features, computational complex-
Impersonation 20,079
ity of the system is extremely reduced. The second per-
Total 575,643
centile methodology is a modified version of the K-best
feature selection technique, where top f ( f = 70 ) percen-
tiles of the best scoring features are selected from the total
features F (attributes). The selected top percentiles fea-
Table 4  Data statistics of CIC- Classes Number of
IDS2017 tures f are given as the input to recursive feature elimina-
attributes
tion technique to select the recursive feature vectors x by
Normal 439,683 considering smaller sets of features. Initially, an estimator
DoS slowloris 5796 is trained on the selected top percentiles features f , and
DoS slowhttptest 5499 the importance of every feature is obtained using feature
DoS hulk 230,124 importance or coefficient attributes. Next, the least impor-
DoS goldeneye 10,293 tant features are eliminated from the selected top percen-
Heartbleed 11 tiles features f , where 10% of the important features are
Total 691,406 selected. This mechanism is repeated recursively on the
eliminated feature sets until the desired number of features
x are selected eventually. After obtaining the recursive
features x , selected features are fed to sparse autoencoder
The CIC-IDS2017 database consists of 2,830,743 records, with swish- PReLU activation model for intrusion attack
where each record includes 78 features with its label. In classification, where the selected features are determined
this research, Wednesday working hour set is considered below;
for experimental analysis to maintain a similar order of
magnitude for every database (Khammassi and Krichen Features selected for DoS [‘logged_in’, ‘count’, ‘serror_
2020; Sharafaldin et al. 2018a, b). The Wednesday work- rate’, ‘srv_serror_rate’, ‘same_srv_rate’, ‘dst_host_count’,
ing hours set comprises of 691,406 instances that belong ‘dst_host_srv_count’, ‘dst_host_same_srv_rate’, ‘dst_host_
to six categories, as detailed in Table 4. serror_rate’, ‘dst_host_srv_serror_rate’, ‘service_http’,
After data collection, pre-processing is accomplished ‘flag_S0’, ‘flag_SF’]
by utilizing label encoding and one hot encoding tech-
niques to reduce the system complexity. Label encoding Features selected for Probe [‘logged_in’, ‘rerror_rate’, ‘srv_
is a simple technique which converts every value in a cat- rerror_rate’, ‘dst_host_srv_count’, ‘dst_host_diff_srv_rate’,
egorical column (label) into a nominal or numerical value ‘dst_host_same_src_port_rate’, ‘dst_host_srv_diff_host_
(machine-readable form) (Mottini and Acuna-Agost 2016). rate’, ‘dst_host_rerror_rate’, ‘dst_host_srv_rerror_rate’,
The Label encoding technique converts every category ‘Protocol_type_icmp’, ‘service_eco_i’, ‘service_private’,
of a specific feature with a value between 0 and n − 1, ‘flag_SF’]
where n is denoted as the number of distinct categories
of the feature (Shahriar et al. 2020). Label encoding is Features selected for R2L [‘src_bytes’, ‘dst_bytes’, ‘hot’,
an important pre-processing technique in the structured ‘num_failed_logins’, ‘is_guest_login’, ‘dst_host_srv_count’,
database in supervised learning. Besides, one hot encoding ‘dst_host_same_src_port_rate’, ‘dst_host_srv_diff_host_
technique is utilized to convert categorical features into rate’, ‘service_ftp’, ‘service_ftp_data’, ‘service_http’, ‘ser-
numerical values (Cerda et al. 2018; Tang et al. 2020). In vice_imap4’, ‘flag_RSTO’]
one hot encoding technique, a new variable is created for
each level of categorical features, where each category Features selected for U2R [‘urgent’, ‘hot’, ‘root_shell’,
is mapped with a binary variable containing either 0 or ‘num_file_creations’, ‘num_shells’, ‘srv_diff_host_rate’,
1. Particularly, each categorical attribute is stated as a ‘dst_host_count’, ‘dst_host_srv_count’, ‘dst_host_same_
binary value; for instance; the protocol type feature has src_port_rate’, ‘dst_host_srv_diff_host_rate’, ‘service_ftp_
three attributes in NSL-KDD database like ICMP, TCP, data’, ‘service_http’, ‘service_telnet’].
and UDP. One hot encoding technique converts the fea-
tures into binary values like [0,0,1], [1,0,0] and [0,1,0].

13
 P. R. Kannari et al.

3.3 Classification the lower-level representation of the selected features (input

data) under sparse constraint. Though, sparsity is introduced
After selecting the optimal features, intrusion attack clas- by regularizing the cost function, where ̂
pi is denoted as aver-
sification is carried out utilizing sparse autoencoder with age activation of neurons in the hidden layer, and it is math-
swish-PReLU activation model. The Autoencoder is a type ematically defined in Eq. (4).
of artificial neural network that reflects its input at the out- N
put, and it primarily comprises of a decoder and an encoder. E=
1∑ 2
x + x� i (3)
The selected features are fed into a deep network for training N i=1 i
by using the input layer of the encoder. Autoencoder learns
from the low-level representation of the selected features n
1∑ ( )
(input data), and then it deformed back for projecting the ̂
pi = z x (4)
n j=1 i j
original data. In this scenario, encoder maps the selected
features into a new data representation, and then the data
where N is represented as the number of input samples, I is
representation is decoded at the output end to reconstruct
indicated as ith neuron, n is represented as number of train-
the input data x′ based on the Eqs. (1) and (2).
ing samples, j is represented as jth training samples and the
Z = h(Wx + b) (1) average activation function ̂ pi value is constant, which is
closer to zero. Here, Kullback-Leibler (KL) divergence is
utilized for regularizing the cost function to achieve spar-
X � = g(W � z + b� ) (2)
sity that is mathematically defined in Eq. (5). The Kullback-
where z is denoted as new data representation, x is indi- Leibler (KL) divergence architecture is graphically stated in
cated as input data, W ′ and W are denoted as weight matri- Fig. 3 (Qi et al. 2017).
ces, b′ and b are represented as decoder and encoder d
bias vector, g is indicated as output layer neurons, and h
( ) ( )
∑ p 1−p
Ωsparsity = plog + (1 − p)log (5)
is denoted as activation function of hidden layer neu- i=1 ̂
pi 1−̂
pi
rons. In this article, the swish-PReLU activation function
is used to select the optimal number of hidden neurons, where d is represented as the number of neurons in the layer
because several hidden neurons result in over fitting. The and p is indicated as sparsity proportion. Then, L2 regulari-
hybrid swish-PReLU activation function slightly showed zation is included in the cost function to control the weights
better performance related to ReLU, and it is graphically and to prevent the overfitting problem, and it is mathemati-
depicted in Fig. 2. The proposed swish-PReLU activa- cally defined in Eq. (6). L2 regularization forces the weight
tion function includes a few advantages like easy to com- towards zero, but it does make the weights exactly zero. So,
pute, unsaturated and does not cause a vanishing gra- L2 regularization acts like a force, which eliminates small
dient problem. General equation of swish and PReLU percentage of weights at each iteration. In addition, choos-
activation function are swish = f (x) = max(𝛽 × x, x) × x and ing an optimal value for 𝜆 is important. If 𝜆 is set to zero,
PReLU = Max(0, x) + 𝛼 × Min(0, x).
The reconstruction error function E between the recon-
structed data x′ and the original input data x is calculated using
the Eq. (3). In this study, sparse autoencoder is used to obtain

Fig. 2  Graphical depiction of the swish-PReLU activation function Fig. 3  Architecture of kullback-leibler (KL) divergence

13
Network intrusion detection using sparse autoencoder with swish‑PReLU activation Model

then regularization is completely removed (higher risk of The Pseudocode of sparse autoencoder with swish-PReLU
overfitting). activation is given as follows;
L N K (
1 ∑ ∑ ∑ (I) • Input: Training matrix.
)
Ωweights = wji (6)
2 I j i • Output: Autoencoder parameters.
• Initialize the parameters: Swish PReLU activation
where K is represented as the number of features in the sam- function for the hidden layer h , p is a sparsity param-
ple and L is denoted as the number of hidden layers. Further, eter,W and W ′ are weight matrices, and b and b′are
include the weight attenuation units in the cost function, encoder and decoder bias vector.
where an Eq. (3) is updated, as shown in Eq. (7). • Obtain the error function using Eq. (3).
N K
• By adding the sparse regularity parameter, the cost func-
E=
1 ∑∑ 2
xkn ) + 𝜆 × Ωweights + 𝛽 × Ωsparsity (7)
(x + ̂ tion is updated using Eq. (7).
N n=1 k=1 kn • Further, Adam optimizer is applied in Autoencoder to
realize the dynamic adjustments of parameters using the
Three optimization parameters are used in this study such Eqs. (8) and (9).
as 𝜆, 𝛽, and p, 𝜆 is a coefficient of L2 regularization that • Train the sparse encoder model.
prevents the overfitting problem, 𝛽 is a sparsity regulariza- • Predict the sparse encoder model.
tion parameter, and p is a sparsity proportion that controls the • Def swish-PReLU ( x, 𝛽, p, and 𝛼):
sparsity level. Hence, the optimization parameter values are
fixed as 𝜆 = 0.0001, 𝛽 = 0.01 and p = 0.5. Furthermore, the swish = f (x) = max(𝛽 × x, x) × x
adam optimization algorithm is used to realize the dynamic andPReLU = Max(0, x) + 𝛼 × Min(0, x)
adjustments of parameters with the help of gradient 1st and
2nd order moment estimates mt and vt , which is defined in
the Eqs. (8–10). 4 Experimental analysis
mt = 𝛽1 mt−1 + (1 − 𝛽1 ) × gt (8)
In this research, the proposed model is simulated using ana-
conda navigator 3.5.2.0 (64-bit), python 3.7 environment on
vt = 𝛽2 vt−1 + (1 − 𝛽2 ) × g2t (9) the Windows 10 (64 bit) OS, with a RAM of 16GB, and Intel
Core i7 processor as the system specifications. The proposed
(10) model performance is related with a few benchmark models
( )
gt ← ∇𝜃 Jt 𝜃t−1
like CFS-BA (Zhou et al. 2020), Artificial Neural Network
where 𝛽1 and 𝛽 2 are represented as 1st and 2nd order (ANN) (Asad et al. 2020), chi-square and information gain-
exponential damping decrement, gt is stated as gradient random tree (Thanthrige et al. 2016) and sequential Search-
parameters at time step t in the cost function E . By using Bayesian network (Zhang and Wang 2013) to validate its
the Eqs. (11), (12), and (13), calculate bias corrected for efficiency. In this research work, the proposed sparse autoen-
mt and vt. coder with swish- PReLU activation model performance
mt is investigated through detection rate, accuracy and False
m�t = (11) Alarm Rate (FAR). In detection rate, accuracy and FAR are
1 − 𝛽1t
mathematically stated in the following Eqs. (14–16),
vt TP
v�t = (12)
Detectionrate = × 100 (14)
1 − 𝛽2t TP + FP

Updated parameters; TP + TN
Accuracy = × 100 (15)
𝛾 TP + TN + FP + FN
𝜃t+1 = 𝜃t − √ m�t (13)
�
vt + 𝜁
FP
FAR = × 100 (16)
where 𝛾 is denoted as updated step size and 𝜁 is stated as a FP + TN
constant value that stops the denominator value from becom- Where True Positive is indicated as TP, True Negative is
ing zero. The parameter setting of a sparse autoencoder with represented as TN , False Positive is stated as FP, and False
swish- PReLU activation is given as follows; the number of Negative is denoted as FN .
hidden layers is 32, the learning rate is 0.0025, the batch
size is 64, epochs is 10, 𝜆 = 0.0001, 𝛽 = 0.01 and p = 0.5.

13
 P. R. Kannari et al.

Table 5  Performance evaluation of sparse autoencoder with swish- models such as ANN, simple Autoencoder, and the sparse
PReLU activation model on NSL-KDD database Autoencoder. From the experimental investigation, sparse
Database Classifiers Accuracy (%) Detec- FAR (%) autoencoder with swish-PReLU activation model achieved a
tion rate maximum accuracy of 99.95%, the detection rate of 99.82 %,
(%) and minimum FAR value of 0.05 %. The proposed sparse
NSL-KDD ANN 90.66 98.58 9.34 autoencoder with swish-PReLU activation model showed a
Simple autoen- 90.86 98.80 9.14 maximum of 9.29% and a minimum of 1.66% improvement
coder in intrusion traffic classification. The graphical comparison
Sparse autoen- 98.29 98.55 1.71 of a sparse autoencoder with swish-PReLU activation model
coder on NSL-KDD dataset in light of FAR, detection rate, and
Sparse autoen- 99.95 99.82 0.05 accuracy is represented in Figs. 4 and 5.
coder with
In Table 6, the performance of a sparse autoencoder with
swish-PReLU
activation swish-PReLU activation model is analysed on the AWID
database using detection rate, accuracy, and FAR. By ana-
lysing Table 6, the proposed sparse autoencoder with swish-
4.1 Quantitative investigation PReLU activation model showed better intrusion traffic clas-
sification performance related to the comparative models
In this section, the performance of a sparse autoencoder like ANN, simple Autoencoder, and the sparse Autoencoder.
with swish-PReLU activation model is analysed in light of In this scenario, 575,643 attributes are used for experimental
detection rate, accuracy and FAR on NSL-KDD database. investigation with 80% training and 20% testing of data. In
Here, 22,544 data attributes are used for testing, and 125,973 the AWID database, the proposed sparse autoencoder with
data attributes are used for training. By inspecting Table 5, swish-PReLU activation model achieved a maximum accu-
the proposed sparse autoencoder with swish-PReLU activa- racy of 99.89%, a detection rate of 99.54% and minimum
tion model performance is compared with a few benchmark FAR value of 0.11 %. The graphical comparison of a sparse

Fig. 4  Graphicalcomparison of
sparse autoencoder with swish-
PReLU activation model on
NSL-KDD databasein light of
detection rate and accuracy

Fig. 5  Graphicalcomparison
of sparse autoencoder with
swish-PReLU activation model
on NSL-KDD databasein terms
of FAR

13
Network intrusion detection using sparse autoencoder with swish‑PReLU activation Model

Table 6  Performance evaluation of sparse autoencoder with swish- is analysed on CIC-IDS2017 database using detection
PReLU activation model on AWID database rate, accuracy, and FAR value. In this scenario, 691,406
Database Classifiers Accuracy (%) Detec- FAR (%) attributes are used for experimental investigation with 80%
tion rate training and 20% testing of data. Similar to the other two
(%) databases, the proposed sparse autoencoder with swish-
AWID ANN 92.56 92.48 7.44 PReLU activation model achieved effective performance
Simple autoencoder 91.78 92.85 8.22 in intrusion detection related to the comparative models
Sparse autoencoder 99.43 98.99 0.57 like ANN, simple Autoencoder, and sparse Autoencoder.
Sparse autoencoder 99.89 99.54 0.11 By inspecting Table 7, the proposed sparse autoencoder
with swish-PReLU with swish-PReLU activation model showed a maximum
activation of 9.05% and a minimum of 0.47% improvement in intru-
sion traffic classification. The proposed sparse autoen-
coder with swish-PReLU activation model has decreased
autoencoder with swish-PReLU activation model on AWID overfitting problem, which results in higher classification
database through FAR, detection rate and accuracy are indi- accuracy related to the comparative models. The graphical
cated in Figs. 6 and 7. comparison of a sparse autoencoder with swish-PReLU
Correspondingly in Table 7, the performance of a activation model on CIC-IDS2017 database in light of
sparse autoencoder with swish-PReLU activation model FAR, detection rate and accuracy are denoted in the Figs. 8
and 9.

Fig. 6  Graphicalcomparison
of sparse autoencoder with
swish-PReLU activation model
on AWID databasein terms of
detection rate and accuracy

Fig. 7  Graphicalcomparison of
sparse autoencoder with swish-
PReLU activation model on
AWID databasein terms of FAR

13
 P. R. Kannari et al.

Table 7  Performance evaluation Database Classifiers Accuracy (%) Detection rate FAR (%)
of sparse autoencoder with (%)
swish-PReLU activation model
on CIC-IDS2017 database CIC-IDS2017 ANN 91.17 91.75 8.83
Simple autoencoder 90.88 91.43 9.12
Sparse autoencoder 99.46 99.86 0.08
Sparse autoencoder with swish- 99.93 99.96 0.07
PReLU activation

Fig. 8  Graphical comparison of

sparse autoencoder with swish-
PReLU activation model on
CIC-IDS2017 database in light
of detection rate and FAR

Fig. 9  Graphical comparison of

sparse autoencoder with swish-
PReLU activation model on
CIC-IDS2017 database in terms
of FAR

4.2 Comparative investigation validated on NSL-KDD, CIC-IDS2017 and AWID data-

bases. The extensive experiment showed that the devel-
In this section, Table 8 represents the comparative investi- oped CFS-BA system achieved 99.81% of accuracy, 0.08%
gation of the proposed and the existing models. Zhou et al. of the FAR value, and 99.80 % of detection rate on NSL-
(2020) developed a new intrusion detection system based KDD database. In addition, the developed CFS-BA system
on ensemble learning and feature selection techniques. In obtained 99.52% and 99.89% of accuracy, 0.15% and 0.12%
this literature, CFS-BA was introduced to select the opti- of FAR, and 99.5% and 99.9% of detection rate on AWID
mal feature sub-sets to deal with unbalanced network traf- and CIC-IDS2017 databases respectively.
fics and higher dimensional. The ensemble techniques like Additionally, Asad et al. (2020) presented a feed forward
C4.5, random forest, and forest by penalizing attributes backpropagation algorithm; ANN to classify the network
were combined with the average of probability combination flows. In this study, a new malicious pattern was introduced
rule to construct the classification model. In this literature, to detect malicious behaviour from the packets. The exten-
the developed intrusion detection system performance was sive experiment showed that the developed method achieved

13
Network intrusion detection using sparse autoencoder with swish‑PReLU activation Model

Table 8  Comparative investigation of proposed and existing models

Methods Database Accuracy (%) False alarm Detection rate (%)

rate (%)

CFS-BA ( Zhou et al. 2020) NSL-KDD 99.81 0.08 99.8

Sequential search- Bayesian network ( Zhang and Wang 2013) 98.98 0.60 –
Sparse auto encoder with swish-PReLU activation 99.95 0.05 99.82
CFS-BA ( Zhou et al. 2020) AWID 99.52 0.15 99.5
Chi-square and information gain-random tree (Thanthrige et al. 2016) 95.12 0.538 92
Sparse auto encoder with swish-PReLU activation 99.89 0.11 99.54
CFS-BA ( Zhou et al. 2020) CIC-IDS2017 99.89 0.12 99.9
ANN (Asad et al. 2020) 98.694 1.882 98.694
Sparse auto encoder with swish-PReLU activation 99.93 0.07 99.96

98.694% of classification accuracy, 1.882% of the FAR value classification accuracy compared to ANN, simple Autoen-
and 98.694% of detection rate on CIC-IDS 2017 database. coder, and sparse Autoencoder. From the simulation result,
Thanthrige et al. (2016) utilized chi-square and informa- the proposed sparse autoencoder with swish-PReLU acti-
tion gain to determine the relevant feature subsets. Then, the vation model showed a maximum of 4.77% and minimum
obtained feature sub-sets were fed to a random tree classifier of 0.04% improvement in classification accuracy related
to classify the finer-grained and higher level class distribu- to the existing models like correlation-based feature selec-
tions. The simulation outcome showed that the developed tion with bat algorithm, chi-square and information gain-
system achieved 95.12% of classification accuracy, 0.538% random tree, and sequential Search-Bayesian network. In
of the FAR value, and 92% of detection rate on AWID data- future work, a new clustering algorithm can be included
base. Zhang and Wang (2013) introduced a wrapper feature in the proposed model to further enhance the performance
selection technique based on Bayesian network for intrusion of intrusion detection and still need to concentrated on
detection. From the experimental analysis, the developed overfitting and data sparsity problems.
technique achieved 98.98% of classification accuracy and
0.6% of the FAR value on NSL-KDD database. Compared to Dataset links:
these existing works, the proposed sparse autoencoder with NSL-KDD: https://​www.​kaggle.​com/​hassa​n06/​nslkdd
swish-PReLU activation model achieved significant perfor- AWID: http://​icsdw​eb.​aegean.​gr/​awid/
mance in intrusion detection employing FAR, detection rate CIC-IDS2017: https://w​ ww.u​ nb.c​ a/c​ ic/d​ atase​ ts/i​ ds-2​ 017.​
and classification accuracy. html

5  Conclusions Funding We haven’t received any funding from any sources.

Declaration
In this research paper, a new intrusion detection model;
sparse autoencoder with swish-PReLU activation model Conflict of interest On the behalf of all the authors corresponding au-
is proposed to deal with high dimensional data and un- thor declares that there is no conflict of interest.
balanced network traffic. Initially, the second percentile
method and recursive feature elimination technique are Ethical approval This article does not contain any studies with human
participants or animals performed by any of the authors.
developed to select the optimal feature subsets from the
pre-processed data to reduce the computational complexity
of the model. In this research study, data pre-processing is
accomplished by using label and one hot encoding tech-
nique. Finally, a new deep learning model named sparse References
autoencoder with swish-PReLU activation model is pro-
posed to classify the normal and attack traffic in the NSL- Ahmad I, Basheri M, Iqbal MJ, Rahim A (2018) Performance compari-
son of support vector machine, random forest, and extreme learn-
KDD, CIC-IDS2017 and AWID databases. In the experi- ing machine for intrusion detection. IEEE Access 6:33789–33795
mental section, the proposed sparse autoencoder with Alazzam H, Sharieh A, Sabri KE (2020) A feature selection algorithm
swish-PReLU activation model attained better intrusion for intrusion detection system based on pigeon inspired optimizer.
detection performance in terms of FAR, detection rate and Expert Syst Appl 148:113249

13
 P. R. Kannari et al.

Almasoudy FH, Al-Yaseen WL, Idrees AK (2020) Differentialevolu- Lv L, Wang W, Zhang Z, Liu X (2020) A novel intrusion detection sys-
tion wrapper feature selection for intrusion detection system. Proc tem based on an optimal hybrid kernel extreme learning machine.
Comput Sci 167:1230–1239 Knowl Based Syst 195:105648
Almiani M, AbuGhazleh A, Al-Rahayfeh A, Atiewi S, Razaque A Manimurugan S, Majdi AQ, Mohmmed M, Narmatha C, Varatharajan
(2020) Deep recurrent neural network for IoT intrusion detection R (2020) Intrusiondetection in networks using crow search opti-
system. Simul Model Pract Theory 101:102031 mization algorithm with adaptiveneuro-fuzzy inference system.
Aminanto ME, Choi R, Tanuwidjaja HC, Yoo PD, Kim K (2017) Deep Microprocess  Microsyst 79:103261
abstraction and weighted feature selection for Wi-Fi impersona- Maulik U, Bandyopadhyay S (2000) Genetic algorithm-based cluster-
tion detection. IEEE Trans Inf Forensics Secur 13:621–636 ing technique. Pattern Recogn 33:1455–1465
Asad M, Asim M, Javed T, Beg MO, Mujtaba H, Abbas S (2020) Deep- Mottini A, Acuna-Agost R (2016) Relative label encoding for the
Detect: detection of distributed denial of service attacks using prediction of airline passenger nationality. In: 2016 IEEE 16th
deep learning. Comput J 63:983–994 international conference on data mining workshops, pp 671–676
Bhati BS, Rai CS, Balamurugan B, Al-Turjman F (2020) An intrusion Nguyen MT, Kim K (2020) Genetic convolutional neural network
detection scheme based on the ensemble of discriminant classi- for intrusion detection systems. Future Gener Comput Syst
fiers. Comput Electr Eng 86:106742 113:418–427
Cavusoglu U (2019) A new hybrid approach for intrusion detection Prasad M, Tripathi S, Dahal K (2020a) An efficient feature selection
using machine learning methods. Appl Intell 49:2735–2761 based Bayesian and Rough set approach for intrusion detection.
Cerda P, Varoquaux G, Kégl B (2018) Similarity encoding for learn- Appl Soft Comput 87:105980
ing with dirty categorical variables. Mach Learn 107:1477–1494 Prasad M, Tripathi S, Dahal K (2020b) Unsupervised feature selection
Chen J, Qi X, Chen L, Chen F, Cheng G (2020) Quantum-inspired ant and cluster center initialization based arbitrary shaped clusters for
lion optimized hybrid k-means for cluster analysis and intrusion intrusion detection. Comput Secur 99:102062
detection. Knowl Based Syst 203:106167 Qi ZF, Liu QQ, Wang J, Li JX (2017) Battle damage assessment based
Chou TS, Yen KK, Luo J (2008) Network intrusion detection design on an improved Kullback-Leibler divergence sparse autoencoder.
using feature selection of soft computing paradigms. Int J Comput Front Inf Tech Electron Eng 18:1991–2000
Intell 4:196–208 Rose T, Kifayat K, Abbas S, Asim M (2020) A hybrid anomaly-
Davahli A, Shamsi M, Abaei G (2020) Hybridizing genetic algorithm based intrusion detection system to improve time complexity in
and grey wolf optimizer to advance an intelligent and lightweight the Internet of Energy environment. J Parallel Distrib Comput
intrusion detection system for IoT wireless networks. J Amb Intell 145:124–139
Humaniz Comput 11:5581–5609 Shahriar MH, Haque NI, Rahman MA, Alonso M Jr (2020) G-IDS:
D’hooge L, Wauters T, Volckaert B, De Turck F (2020) Inter-dataset Generative Adversarial Networks Assisted Intrusion Detection
generalization strength of supervised machine learning methods System. arXiv preprint arXiv:2006.00676
for intrusion detection. J Inf Secur Appl 54:102564 Sharafaldin I, Lashkari AH, Ghorbani AA (2018a) A detailed analysis
Ghasemi J, Esmaily J, Moradinezhad R (2020) Intrusion detection of the cicids2017 data set. In: International conference on infor-
system using an optimized kernel extreme learning machine and mation systems security and privacy, pp 172–188
efficient features. Sādhanā 45:1–9 Sharafaldin I, Lashkari AH, Ghorbani AA (2018b) Toward generating
Gu J, Wang L, Wang H, Wang S (2019) A novel approach to intru- a new intrusion detection dataset and intrusion traffic characteriza-
sion detection using SVM ensemble with feature augmentation. tion. In ICISSP, pp 108–116
Comput Secur 86:53–62 Shone N, Ngoc TN, Phai VD, Shi Q (2018) A deep learning approach
Gupta AR, Agrawal J (2020) The multi-demeanor fusion based robust to network intrusion detection. IEEE Transactions on Emerging
intrusion detection system for anomaly and misuse detection in Topics in Computational Intelligence 2:41–50
computer networks. J Amb Intell Humaniz Comput, pp 1–17 Sp RM, Maddikunta PKR, Parimala M, Koppu S, Reddy T, Chowdhary
Gurung S, Ghose MK, Subedi A (2019) Deep learning approach on CL, Alazab M (2020) An effective feature engineering for DNN
network intrusion detection system using NSL-KDD dataset. Int using hybrid PCA-GWO for intrusion detection in IoMT archi-
J Comput Netw Inf Secur 11:8–14 tecture. Comput Commun 160:139–149
Hajimirzaei B, Navimipour NJ (2019) Intrusion detection for cloud Su T, Sun H, Zhu J, Wang S, Li Y (2020) BAT: Deep Learning Meth-
computing using neural networks and artificial bee colony opti- ods on Network Intrusion Detection Using NSL-KDD Dataset.
mization algorithm. ICT Expr 5:56–59 IEEE Access 8:29575–29585
Khammassi C, Krichen S (2020) A NSGA2-LR wrapper approach for Tang C, Luktarhan N, Zhao Y (2020) An Efficient Intrusion Detec-
feature selection in network intrusion detection. Comput Netw tion Method Based on LightGBM and Autoencoder. Symmetry
172:107183 12:1458
Kumar P, Gupta GP, Tripathi R (2020) A distributed ensemble design Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed analy-
based intrusion detection system using fog computing to protect sis of the KDD CUP 99 data set. In: 2009 IEEE symposium on
the internet of things networks. J Ambient Intell Humaniz Com- computational intelligence for security and defense applications,
put. pp 1–18 pp 1–6
Li X, Chen W, Zhang Q, Wu L (2020) Buildingauto-encoder intrusion Thang VV, Pashchenko FF (2019) Multistage System-Based Machine
detection system based on random forest featureselection. Comput Learning Techniques for Intrusion Detection in WiFi Network. J
Secur 95:101851 Comput Netw Commun. https://​doi.​org/​10.​1155/​2019/​47082​01
Liu J, Zhang W, Tang Z, Xie Y, Ma T, Zhang J, Zhang G, Niyoyita Thanthrige USKPM, Samarabandu J, Wang X (2016) Machine learn-
JP (2020) Adaptive intrusion detection via GA-GOGMM-based ing techniques for intrusion detection on public dataset. In: 2016
pattern learning with fuzzy rough set-based attribute selection. IEEE Canadian conference on electrical and computer engineer-
Expert Syst Appl 139:112845 ing, pp 1–4
Lopez-Martin M, Carro B, Sanchez-Esguevillas A (2020) Application Wu Z, Wang J, Hu L, Zhang Z, Wu H (2020) A network intrusion
of deep reinforcement learning to intrusion detection for super- detection method based on semantic Re-encoding and deep learn-
vised problems. Expert Syst Appl 141:112963 ing. J Netw Comput Appl 164:102688

13
Network intrusion detection using sparse autoencoder with swish‑PReLU activation Model

Zhang F, Wang D (2013) An effective feature selection approach for Publisher’s note Springer Nature remains neutral with regard to
network intrusion detection. In: 2013 IEEE eighth international jurisdictional claims in published maps and institutional affiliations.
conference on networking, architecture and storage, pp 307–311
Zhou Y, Cheng G, Jiang S, Dai M (2020) Building an efficient intrusion
detection system based on feature selection and ensemble classi-
fier. Comput Netw 174:107247
Zong W, Chow YW, Susilo W (2020) Interactive three-dimensional
visualization of network intrusion detection data for machine
learning. Future Gener Comput Syst 102:292–306

13