Research on hybrid intrusion detection based on improved Harris Hawk optimization algorithm

Abstract

Aiming at the problem of low detection accuracy of network traffic data types by traditional intrusion detection methods, we propose an improved Harris Hawk hybrid intrusion detection method to enhance the detection capability. The improved Harris Hawk optimization algorithm is used as a feature selection scheme to reduce the impact of redundant and noisy features on the performance of the classification model. The algorithm introduces the singer map to initialise the population, uses multi-information fusion to obtain the best prey position, and applies the sine function-based escape energy to execute a prey search strategy to obtain the optimal subset of features. In addition, the original data is preprocessed by the k-nearest neighbour and deep denoising autoencoder (KNN-DDAE) to relieve the imbalance problem of the network traffic data. Finally, a deep neural network (DNN) is used to complete the classification. Simulation experiments are conducted on the dataset NSL-KDD, KDD CUP99, and UNSW-NB15. The results show that our feature selection and data balancing scheme greatly improves the detection accuracy. In addition, the detection performance of this method is better than the current popular intrusion detection schemes.

Keywords:

• Autoencoder
• data imbalance
• deep neural network
• feature selection
• Harris Hawk algorithm

1. Introduction

At present, network attacks occur frequently and threaten the privacy and security of users seriously. According to the Cyber Attack Trends: 2022 Mid-Year Report released by Point (2022), global weekly cyberattacks increased by 42%, which causes great damage to people's daily life. As an important part of major infrastructure, the industrial control system will cause serious consequences such as major economic losses and casualties if it is attacked by the network. How to protect the network from attacks has become an urgent problem to be solved.

Intrusion detection technology has made a significant contribution to network protection, and its essence is to complete the classification of network traffic through data processing and modelling analysis. Scholars apply traditional machine learning algorithms to solve network security problems (Ahmim et al., 2018), such as Decision Tree Algorithm (Kunhare et al., 2020), SVM (Binbusayyis & Vaiyapuri, 2021), Random Forest Algorithm (Alzubi et al., 2022), etc. However, with the change of attack traffic becoming more and more complex, traditional machine learning algorithms perform poorly in extracting high-dimensional features of the data.

Deep learning (Shrestha & Mahmood, 2019) is the product of the further development of machine learning, and the extracted features have stronger generalisation performance, it's widely used in many fields (Diao et al., 2022; Hu et al., 2022; Li et al., 2022; Liang et al., 2021).

Ahmad et al. (2021) show that deep learning is more suitable for intrusion detection than traditional machine learning methods. Such as Andresini, Appice, Malerba et al. (2021) proposed a technology based on convolutional neural network (CNN) that used the combination of nearest neighbour search and clustering algorithm to generate image information of network flow, which retains other categories of potential data that have a significant impact on the results. However, the original information may be lost in the process of converting the features through the autoencoder, which will affect the performance of the model. Kanna and Santhi (2021) learned temporal features of network traffic data by Long Short Term Memory Network (LSTM), spatial features of network traffic data by CNN, and adjusted the hyperparameters of CNN using Lion Swarm Optimization (LSO) algorithm, its excellent intrusion detection performance was demonstrated on the ISCX-IDS and UNSW-NB15 datasets, but the process of optimising CNN networks by hyperparameters can greatly increase the system overhead. Gavel et al. (2022) used mutual information technology to select the important features and used KELM (Kernel Extreme Learning Machine) as a classifier for intrusion detection, and this scheme obtains high detection accuracy.

Deep learning-based intrusion detection shows better results than traditional machine learning, but the problems such as high dimensionality of network traffic data and imbalance of data categories prevent the further improvement of the classification capability of the model. Feature extraction and data balancing operations on the data can resolve these problems, however, the existing feature selection schemes cannot effectively extract the best feature subset. In addition, most researchers address the problem of data imbalance by generating minority class labels without comprehensively considering the overlap of majority class label and minority class label information problems, making it difficult for the model to separate them.

Aiming at the above problems, we propose a hybrid intrusion detection model based on the improved Harris Hawk algorithm. The contributions of this research are summarised as follows:

1. This work proposes an improved Harris Hawk algorithm for feature selection to obtain the optimal feature subset of network traffic data. We compared the original data and the data after feature selection on three benchmark data sets.

2. We upsample and downsample the data using DDAE and KNN algorithm. The classification accuracy of the model is further improved by removing the interference data through the data balancing method.

3. To verify the effectiveness of the model, we use the well-known NSL-KDD, KDD CUP99, and UNSW-NB15 datasets for performance evaluation.

The rest of the paper is organised as follows. In Section 2, we review feature selection and balance processing methods in the field of intrusion detection and briefly introduce the Harris Hawk algorithm. In Section 3, we describe in detail the improved Harris Hawk algorithm and the method for balancing the data. In Section 4, We conduct experiments and analyse the performance of the model. Section 5 summarises the paper and briefly discusses future research directions.

2. Related work

2.1. Data processing for intrusion detection

Most of the datasets used for intrusion detection system evaluation contain a large amount of feature information. Irrelevant and redundant features may lead to degradation of the performance of the intrusion detection system, feature selection is a common method of selecting important features. In the literature on intrusion detection, scholars have used feature selection schemes such as packing methods, embedded methods, and filtering methods to obtain the subset of features which can further improve the performance of intrusion detection systems.

Long et al. (2022) used a random attention-based data fusion method to remove redundant features, and then used a semi-supervised ladder network model for intrusion detection. Talita et al. (2021) used particle swarm optimisation (PSO) for feature selection and validated it with a Naïve Bayesian classifier, the experiment shows that the best classification results are achieved when 38 features are used. However, it is not possible to determine whether the proposed method is representative since it was tested on only one set of data. Li et al. (2020) applied random forest to group the selected features into multiple feature subsets after the AP clustering algorithm, then used the same number of autoencoders as the subsets for training, the results show that this method can speed up the training and testing process. Li et al. (2021) proposed an improved krill swarm (KH) optimisation algorithm for feature selection on the NSL-KKD dataset and CICIDS-2017 dataset, which retained an average of 7 features and an average of 10.2 features on the two datasets, it effectively eliminates redundant features and ensures high detection accuracy. However, the author did not take into account the problem of data imbalance, resulting in low classification accuracy of the model for minority data. Mojtahedi et al. (2022) combined the whale optimisation algorithm (WOA) and genetic algorithm (GA) for feature selection, and classification by KNN, which get a better result than other previous methods. In addition, to address data imbalance, Chuang and Wu (2019) used deep variational autoencoder to generate more minority data, the results demonstrate that the method improves the classification performance of the minority class labels. Huang and Lei (2020) proposed an unbalanced generative adversarial network (IGAN), it introduces an imbalanced data filter and convolutional layers to the typical GAN, which generates more representative data for minority classes. However, network traffic has many characteristics, and these methods do not consider the negative impact of redundant or noisy features on model accuracy. As shown in Table 1, we summarise the works discussed above.

Table 1. Comparison of intrusion detection schemes.

Model	Reference (year)	Method
		Feature selection	Data balance	Classifier
Machine learning	(Kunhare et al., 2020)	Random Forest	–	DT
	Binbusayyis and Vaiyapuri (2021)	–	CAE	SVM
	Alzubi et al. (2022)	GWO-PSO	–	RF
	Talita et al. (2021)	PSO	–	Naïve Bayes
	Li et al. (2021)	LNNLS-KH		KNN
Deep learning	(Andresini, Appice, Malerba et al., 2021)	–	–	CNN
	Kanna and Santhi (2021)	–	–	CNN-LSTM
	Li et al. (2020)	Random Forest	–	AE
	Chuang and Wu (2019)	–	DVAE	–
	Huang and Lei (2020)	–	IGAN	DNN

According to the above literature, intrusion detection data has the characteristics of high dimensions and extreme imbalance between attack data and normal data. Many intrusion detection methods need feature selection and data balance to reduce the training time of the model and improve classification accuracy. The feature selection and data balance processing scheme proposed in this paper ensures the accuracy of the detection.

2.2. Harris Hawk optimization algorithm

In 2019, Heidari et al. proposed the Harris Hawk optimization algorithm (HHO) (Heidari et al., 2019). The algorithm executes the optimal hunting strategy through the information exchange between Harris Hawks, and finally captures the prey. It consists of three parts: the search phase, the conversion phase between search and development, and the development phase. The specific steps are as follows.

2.2.1. Search phase

In this stage, Harris Hawk randomly inhabit a certain place to search for prey within the range of $[lb,ub]$. Find the prey by formula (1(1) $\begin{array}{rl}{X}_m(t+1)=& \{\begin{array}{l}{X}_{rand}\left(t\right)-r_1\left|X_{rand}\right(t)-2r_{2}X(t\left)\right|,q\ge 0.5\\ \left[X_{rabbit}\right(t)-X_m(t\left)\right]-r_3[lb+r_4(ub-lb\left)\right],q<0.5\end{array}\end{array}$(1) ) and (2(2) $\begin{array}{rl}{X}_m\left(t\right)=& \sum _{k=1}^M{X}_k\left(t\right)/M\end{array}$(2) ), then choose the strategy through q to update the individual position. (1) $\begin{array}{rl}{X}_m(t+1)=& \{\begin{array}{l}{X}_{rand}\left(t\right)-r_1\left|X_{rand}\right(t)-2r_{2}X(t\left)\right|,q\ge 0.5\\ \left[X_{rabbit}\right(t)-X_m(t\left)\right]-r_3[lb+r_4(ub-lb\left)\right],q<0.5\end{array}\end{array}$(1) (2) $\begin{array}{rl}{X}_m\left(t\right)=& \sum _{k=1}^M{X}_k\left(t\right)/M\end{array}$(2) Among them, $X\left(t\right)$ represents the current individual's location, $X_{rand}\left(t\right)$ is the position of an individual randomly selected from the current population, $X_{rabbit}\left(t\right)$ represents the current position of the individual with the best fitness, $X_m\left(t\right)$ is the average position of individuals in the current population, $r_1$,$r_2$,$r_3$,$r_4$,q ∈ (0,1), M is the population size.

2.2.2. Search and development transformation

To ensure the Harris Hawk algorithm can accurately find the optimal solution, it is necessary to enter the local search after the global search. realising the conversion of the two search methods through the prey's escape energy E, the formula is as (3(3) $E=2E_0(1-\frac{t}{T})$(3) ): (3) $E=2E_0(1-\frac{t}{T})$(3) Among them, E represents the energy required for the prey to escape, $E_0$ is a random number in (-1,1), t is the number of iterations of the current population, and T means the population has reached the maximum iteration value.

2.2.3. Development stage

At this stage, the Harris Hawk determines the location of the prey and forms a circle around the prey for executing the strategy of assaulting the prey. In this process, the prey will try different strategies to escape the pursuit after sensing the danger. To hunt more accurately, the Harris Hawk algorithm adopts four strategies chosen by parameter to deal with the escape behaviour of the prey. soft siege strategy: when $0.5\le |E|<1$ and $r\ge 5$, the prey has sufficient energy and tries to get rid of the siege. At this moment, the Harris Hawk updates the position by executing the soft siege strategy, the formula is as (4(4) $X_{(t+1)}=\mathrm{\Delta }X\left(t\right)-E\left|J{X}_{rabbit}\right(t)-X(t\left)\right|$(4) ): (4) $X_{(t+1)}=\mathrm{\Delta }X\left(t\right)-E\left|J{X}_{rabbit}\right(t)-X(t\left)\right|$(4) Among them, $\mathrm{\Delta }X\left(t\right)$ represents the difference between the optimal individual position and the current individual position, and J denotes the random jumping distance during the prey's escape, which is between 0 and 2. hard siege strategy: when $|E|<0.5$ and $r\ge 0.5$, the prey's energy is not enough so that it's hard to get rid of the siege, the Harris Hawk executes a hard siege strategy to update the position, the formula is as (5(5) $X(t+1)=X_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}\left(t\right)-E|\mathrm{\Delta }X\left(t\right)|$(5) ): (5) $X(t+1)=X_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}\left(t\right)-E|\mathrm{\Delta }X\left(t\right)|$(5) Soft encircling strategy of asymptotic rapid dive: when $0.5\le |E|<1$ and r<0.5, the prey has sufficient energy to get rid of the encirclement, the Harris Hawk executes the soft encircling strategy of asymptotic rapid dive to capture prey, the formula is as (6(6) $X(t+1)=\{\begin{array}{l}Y:X_{rabbit}\left(t\right)-E\left|J{X}_{rabbit}\right(t)-X(t\left)\right|,f\left(Y\right)<f\left(X\right(t\left)\right)\\ Z:Y+S^{\ast }LF\left(D\right),f\left(Z\right)<f\left(X\right(t\left)\right)\end{array}$(6) ): (6) $X(t+1)=\{\begin{array}{l}Y:X_{rabbit}\left(t\right)-E\left|J{X}_{rabbit}\right(t)-X(t\left)\right|,f\left(Y\right)<f\left(X\right(t\left)\right)\\ Z:Y+S^{\ast }LF\left(D\right),f\left(Z\right)<f\left(X\right(t\left)\right)\end{array}$(6) Among them, f is the fitness function, S is a randomly generated D-dimensional random vector with a value between 0 and 1, and LF is the Levy flight formula.

Hard encircling strategy with asymptotic rapid dive: when $|E|<0.5$ and r<0.5, the energy of the prey is insufficient, but still has a chance to get rid of the pursuit, it executes the hard encircling strategy of asymptotic rapid dive to update the position, the formula is as (7(7) $X(t+1)=\{\begin{array}{l}Y:Y=X_{rabbit}\left(t\right)-E\left|J{X}_{rabbit}\right(t)-X_m(t\left)\right|,f\left(Y\right)<f\left(X\right(t\left)\right)\\ Z:Y+S^{\ast }LF\left(D\right),f\left(Z\right)<f\left(X\right(t\left)\right)\end{array}$(7) ): (7) $X(t+1)=\{\begin{array}{l}Y:Y=X_{rabbit}\left(t\right)-E\left|J{X}_{rabbit}\right(t)-X_m(t\left)\right|,f\left(Y\right)<f\left(X\right(t\left)\right)\\ Z:Y+S^{\ast }LF\left(D\right),f\left(Z\right)<f\left(X\right(t\left)\right)\end{array}$(7) In the iterative process of the population, the objective function used in this paper is shown in Equation (8(8) $\mathrm{F}\mathrm{u}\mathrm{n}=alpha\ast (1-acc)+(1-alpha)\left(\frac{N_{\mathrm{f}\mathrm{e}\mathrm{a}\mathrm{t}}}{M_{\mathrm{f}\mathrm{e}\mathrm{a}\mathrm{t}}}\right)$(8) ): (8) $\mathrm{F}\mathrm{u}\mathrm{n}=alpha\ast (1-acc)+(1-alpha)\left(\frac{N_{\mathrm{f}\mathrm{e}\mathrm{a}\mathrm{t}}}{M_{\mathrm{f}\mathrm{e}\mathrm{a}\mathrm{t}}}\right)$(8) Among them, alpha is assigned 0.999, $N_{feat}$ is the count of selected features, $M_{feat}$ is the total count of features, and acc represents the test accuracy of the currently selected features.

3. A hybrid intrusion detection model based on improved Harris Hawk algorithm

In reality, most of the network traffic data is normal, and some attack traffic has a low number of records. In addition, each sample of network traffic data contains many features, however, not all features contain correct information about the class to which the sample belongs. According to the characteristics of network traffic data, a hybrid intrusion detection method is used to improve detection accuracy. Figure 1 summarises the overall structure of the model. First, we preprocess the original data, then the preprocessed data is selected by the improved Harris Hawk optimization algorithm for feature selection. Meanwhile, the preprocessed data is used by KNN-DDAE to form new data, then apply the best subset of features to the new data, finally, the data is fed into the DNN to train a high-performance classification model.

Figure 1. The hybrid model proposed in this paper.

3.1. Improved Harris Hawk optimization algorithm

In the process of Harris Hawk iteration, there are problems such as falling into local optimal solution easily and convergence speed slowly. Aiming at these problems, we improve the traditional Harris Hawk algorithm in three aspects: population initialisation stage, optimal prey position, and energy function. the improved algorithms can achieve a better balance between global search and local search so that has a greater chance to obtain the optimal solution.

3.1.1. Singer chaos map

In the population initialisation stage, the traditional pseudo-random number initialisation Harris Hawk population has the problem of uneven distribution, which may impact the quality of the optimal solution. We use the Singer chaotic map (Ibrahim et al., 2017) to complete the initialisation of the Harris Hawk population, which generated population has a more symmetrical probability distribution. It often achieves better results in finding the optimal solution, the Singer chaotic map formula is shown in (9(9) $Z_{k+1}=\mu (7.86z_k-23.31z_k^2+28.75z_k^3-13.302875z_k^4)$(9) ): (9) $Z_{k+1}=\mu (7.86z_k-23.31z_k^2+28.75z_k^3-13.302875z_k^4)$(9) Among them, $z_k$ is a control parameter, and the value range is (0,1). when $\mu \in [0.9,1.08]$, Singer maps have chaotic behaviour.

3.1.2. Multi-Information fusion

In the process of population iteration in the Harris Hawk algorithm, the optimal prey position only considers the information of the current optimal individual, ignoring the information of other individuals may also have an important impact on the results. Due to the singleness of its information sources, the algorithm is prone to lack of population diversity, which ultimately leads to poor quality of the optimal solution. According to the change rule of the objective function in the iterative process, this paper introduces two strategies for fusing non-optimal individual information to ensure the convergence accuracy of the algorithm, and execute the relevant strategies on the basis of different conditions to change the current prey location, the equation is as (10(10) $\begin{array}{rl}& X_{rabbit}^{\mathrm{\prime }}\left(i\right)=\mu x_m+(1-\mu )x_n,m,n\in (2,\hat{N})\end{array}$(10) )–(12(12) $\begin{array}{rl}& X_{rabbit}\left(i\right)=w_2\ast X_{rabbit}\left(t\right)+(1-w_2)X_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}^{\mathrm{\prime }}\left(i\right),|fit\left[t\right]-fit[t-1]|<m\end{array}$(12) ): (10) $\begin{array}{rl}& X_{rabbit}^{\mathrm{\prime }}\left(i\right)=\mu x_m+(1-\mu )x_n,m,n\in (2,\hat{N})\end{array}$(10) (11) $\begin{array}{rl}& X_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}\left(i\right)=w_1^{\ast }{X}_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}\left(t\right)+(1-w_1)X_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}^{\mathrm{\prime }}\left(i\right),fit\left[t\right]<fit[t-1]\end{array}$(11) (12) $\begin{array}{rl}& X_{rabbit}\left(i\right)=w_2\ast X_{rabbit}\left(t\right)+(1-w_2)X_{\mathrm{r}\mathrm{a}\mathrm{b}\mathrm{b}\mathrm{i}\mathrm{t}}^{\mathrm{\prime }}\left(i\right),|fit\left[t\right]-fit[t-1]|<m\end{array}$(12) Among them, $X_{rabbit}^{\mathrm{\prime }}\left(i\right)$ indicates the two population individuals with non-optimal fitness are fused according to different weights to form a new i-th population individual position. $X_{rabbit}\left(t\right)$ stands for the position of the current optimal individual, which is the current prey position. m, n represent the index corresponding to the individuals of the population, which are non-repeating random integers between 2 and $\hat{N}$, where $\hat{N}=N/2-1$. $fit\left[t\right]$ represents the best fitness value of the t th iteration, $\omega 1\in (0.3,0.4)$, $\omega 2\in (0.5,0.7)$, $\mu \in$ (0,1), $X_{rabbit}\left(i\right)$ is the fusion of various information to form a new optimal prey position. The best prey position is updated when the best fitness value of the current round is less than the best fitness value of the previous round, or the difference between the best fitness values of the two rounds is less than the threshold, otherwise, the multi-information fusion strategy is not implemented.

3.1.3. Escape energy based on sine function

In the standard HHO algorithm, the escape energy factor E manipulates algorithm to performdifferent search strategies and is fully converted to a local search in the later iterations. In the middle and late iteration of the traditional escape energy factor, the proportion of local search is greatly increased, which makes the algorithm easily sink into a local optimum. We propose an escape energy factor $E^{\mathrm{\prime }}$ based on the sine function to overcome the shortcomings of the algorithm in the middle and late iterations. Where $r_1$, $r_2$ are random numbers between 0 and 1, and T, t represent the current iteration number and the highest iteration number respectively. The energy factor update equation is shown in Equation (13(13) $E^{\mathrm{\prime }}=\frac{(-1.5(T-t)+r_1)\sin \left(2\right(T-t)+r_2)}{T}$(13) ): (13) $E^{\mathrm{\prime }}=\frac{(-1.5(T-t)+r_1)\sin \left(2\right(T-t)+r_2)}{T}$(13) The escape energy based on the sine function used in this paper is shown in Figure 2.

Figure 2. Escape energy based on sine function.

We used the NSL-KDD dataset to compare the fitness between the original Harris Hawk algorithm and the improved Harris Hawk algorithm. Figure 3 shows the specific results, the improved Harris Hawk algorithm converges faster than the original Harris Hawk algorithm and obtains smaller fitness values. The pseudocode of the improved Harris Hawk optimization algorithm is described as Algorithm 1.

Figure 3. Comparison between improved HHO and original HHO.

3.2. KNN data downsampling

Data imbalance processing includes data upsampling and downsampling. Random downsampling is done by randomly removing a portion of the data to achieve balance. However, category-balanced data can also produce poor classification performance because the method does not take into account the problem of partially different categories of data overlapping each other under the same space. Some researchers transform the original data through feature mapping to increase the distance between different categories, but this scheme may have the risk of losing the original data information.

According to the characteristics of intrusion detection datasets, this paper performs KNN downsampling on majority class data to solve the above problems. When the neighbours around the minority class data belong to a certain majority class, the current majority class data is deleted. By processing the majority class data, the overlapping rate of different class data is reduced, and the minority class data can be expressed more accurately, which easier to distinguish them by the classifier.

Based on the nature of the KNN algorithm. For a given set of data $D\{x_1,x_2,\dots ,x_i\}$, the Minkowski distance formula is used to find the nearest K instances of the sample to be tested, let the current sample be categorised as the category that accounts for the highest proportion of the K nearest neighbour samples according to the majority voting principle. Among them, the Minkowski distance formula of samples is shown in (14(14) $d_{xy}=\sqrt[p]{\sum _{k=1}^n{|x_k-y_k|}^2}$(14) ): (14) $d_{xy}=\sqrt[p]{\sum _{k=1}^n{|x_k-y_k|}^2}$(14) The pseudocode of under-sampling is described as Algorithm 2.

3.3. Deep denoising autoencoder

Autoencoder (AE) is an unsupervised learning model that is widely used in data dimensionality reduction and data denoising because it does not require data labels. In addition, it is a typical generative model which achieves good results in the fields of image generation and data enhancement. AE includes an input layer, encoding layer, and decoding layer. The weight and bias of each layer are adjusted by the back-propagation algorithm so that the decoded data is as consistent as possible with the original data. The denoising autoencoder (DAE) is based on the optimisation and improvement of the auto-encoder, the model is shown in Figure 4. For a given matrix $X=\{x_1,x_2,\dots x_n\}$, where $x_i\in R^n$. Convert the original data X to $X^{\mathrm{\prime }}=\{x_1,x_2,\dots x_n\}$ by adding Gaussian noise. In the encoding stage, the vector is transformed into the corresponding low-dimensional vector $x_k\in R^d$, where d represents the dimension of the corresponding low-dimensional vector. In the decoding stage, the low-dimensional vector is converted into a vector with the same dimension as the input vector. The output matrix is represented as Y.

Figure 4.  Denoising autoencoder.

The whole denoising autoencoder training process is as follows.

For a given matrix $X=\{x_1,x_2,\dots x_n\}$, where $x_i\in R^n$. It is necessary to add noise to the original data, which can be obtained by formula (15(15) $X^{\mathrm{\prime }}=X+\mathrm{N}\mathrm{o}\mathrm{i}\mathrm{s}\mathrm{e}$(15) ). (15) $X^{\mathrm{\prime }}=X+\mathrm{N}\mathrm{o}\mathrm{i}\mathrm{s}\mathrm{e}$(15) Among them, the added noise needs to meet the standard Gaussian distribution, which $\mu =0$, $\sigma =1$. In addition, the randomly generated noise is limited in the range of [0, 1] through the upper and lower boundaries, which avoids the problem of too large or too small noise.

In the encoding stage, $X^{\mathrm{\prime }}$ is used as the input of DAE, where $x_j\in R^n$ corresponds to the jth vector of the matrix $X^{\mathrm{\prime }}$. An encoding layer with neurons is obtained by formula (16(16) $h^{\left(i\right)}=g_f(W_i^T{X}^{\mathrm{\prime }}+b_i)$(16) ). (16) $h^{\left(i\right)}=g_f(W_i^T{X}^{\mathrm{\prime }}+b_i)$(16) Among them, $g_f$ is the introduced nonlinear activation function, such as the sigmoid function and the relu function. $W_i$ represents the weight matrix of the i-th layer, and $b_i$ denotes the bias vector of the layer.

The data of the coding layer is decoded to obtain the decoded data Y. The formula is shown in (17(17) $Y=g_f(W_i^T{h}^{\left(i\right)}+b_i)$(17) ). (17) $Y=g_f(W_i^T{h}^{\left(i\right)}+b_i)$(17) The denoising autoencoder automatically adjusts the weight matrix and bias vector so that the error between $X^{\mathrm{\prime }}$ and Y is minimised, and the minimisation loss function is shown in Equation (18(18) ${\mathcal{L}}_{DAE}=\frac{1}{m}\sum _{i=1}^m{(X_i^{\mathrm{\prime }}-Y_i)}^2$(18) ). (18) ${\mathcal{L}}_{DAE}=\frac{1}{m}\sum _{i=1}^m{(X_i^{\mathrm{\prime }}-Y_i)}^2$(18) To improve the performance of the denoising autoencoder, we combine multiple denoising autoencoders into a deep denoising autoencoder (DDAE), the model structure is shown in Figure 5. The deep denoising autoencoder of the first layer is trained, and its output is taken as the next layer's input of the network in turn, finally, we finish the training of the entire deep denoising autoencoder.

Figure 5. Deep denoising autoencoder.

In this paper, we use DDAE to generate minority class data including setting the number of neurons d for each noise reduction encoder, the nonlinear activation function, and the additive noise factor f. The minority class data X is fed as the input of the first layer denoising autoencoder for training, and after layer-by-layer training, the generated minority class data Y is finally obtained.

4. Experiments and results

The experiments were conducted on R5-3500H CPU 2.10.HZ, 16GB RAM, and Windows 11. The whole program was run in python 3.7 environment, as well as the deep neural network was run on TensorFlow version 2.0. NSL-KDD, UNSW-NB15 and KDD CUP99 datasets were used in the experiment. In the NSL-KDD dataset, KDDTraining+ is used for model training, and KDDTest+ is used for model testing. In the KDD CUP99 dataset, 10_percent_corrected is used for model training, and corrected is used for model testing. In the UNSW-NB15 dataset, a partition from this dataset is used for model training and testing.

4.1. Benchmark datasets and data preprocessing

KDD CUP99 (Tavallaee et al., 2009) is the dataset used for the KDD CUP competition, the original data is the network connection data of the simulated US Air Force LAN for 9 weeks. NSL-KDD dataset solves some of the problems of the KDD dataset, including redundant data, duplicate records, etc. Scholars still experiment with these datasets for intrusion detection because the data are valid, even though they were generated far back in time. Both datasets contain 5 categories, Normal represents normal traffic data, DoS is a denial of service attack, Probe is a kind of attack which attempts to obtain information from the network, and U2R represents unauthorised local superuser privileged access, R2L indicates unauthorised access from a remote host. In the NSL-KDD dataset, the size of the training set is 125973, and the size of the test set is 22544. In the KDD CUP99 dataset, the size of the training set is 494021, and the size of the test set is 311029. The feature of data includes basic features, content features, time traffic features, and host traffic features.

The UNSW-NB15 (Moustafa & Slay, 2015) dataset comes from the Cyber Range Lab of UNSW Canberra. This data set contains current common attack traffic and normal traffic, which can truly reflect modern network traffic scenarios. We conduct experiments using a partition of this dataset, each with a total of 43 features, including 39 numerical features, 3 discrete features, and 1 categorical feature. There are 175341 records in the training set and 82332 records in the test set.

Data preprocessing includes three parts: numericalization, normalisation, and one-hot encoding, as follows:

1. Numericalization: Converting text data to numerical data before training the model. In the experimental dataset, the protocol_type feature, the service feature, and the flag feature belong to text data. We use continuous numbers to represent the discrete attributes of these features.

2. Normalization: The value of each feature of the data is not in the same order of magnitude. To reduce the large difference between the features, normalise feature data values to between 0 and 1. The conversion formula is shown in (19(19) $X^{\mathrm{\prime }}=\frac{x_{ij}-\mathrm{Min}}{\mathrm{Max}-\mathrm{Min}}$(19) ): (19) $X^{\mathrm{\prime }}=\frac{x_{ij}-\mathrm{Min}}{\mathrm{Max}-\mathrm{Min}}$(19) Where $x_{ij}$ represents the data in row i and column j, Min represents the minimum value of the column where the data is located, Max represents the maximum value of the column where the data is located, $x^{\mathrm{\prime }}$ is the normalised data.

3. One-hot encoding: There is no logical relationship between the numerical text data, one-hot encoding is used to solve the problem of data discreteness. For example, there are 3 different attributes in the protocol_type feature, which are respectively processed into [1 0 0], [0 1 0], [0 0 1]. The same processing method is also used for the service and flag features, finally, the 41-dimensional feature data is mapped to 122-dimensional feature data.

4.2. Performance metrics

For the classification problem, there are two cases for the results of each category, the article takes the normal traffic data as a reference. The classification details are shown in Table 2.

Table 2. Confusion matrix for intrusion detection.

State	Judged as normal	Judged as an attack
normal flow	TP	FP
attack flow	FN	TN

TP indicates the amount of normal data predicted to be normal, TN represents the amount of attack data predicted as attack data, and FP indicates the amount of normal data predicted as attack data. FN represents the amount of attack data predicted as normal. Among them, FP and FN are called false positives. The accuracy, precision, and F1 score of the evaluation metrics obtained based on the above parameters are usually used to measure the actual performance of the model. Therefore, we use them as evaluation metrics for the experimental results. These formulas are as follows: (20) $\begin{array}{rl}& \mathrm{A}\mathrm{c}\mathrm{c}\mathrm{u}\mathrm{r}\mathrm{a}\mathrm{c}\mathrm{y}=\frac{TP+TN}{TP+TN+FP+FN}\end{array}$(20) (21) $\begin{array}{rl}& \mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}=\frac{TP}{TP+FP}\end{array}$(21) (22) $\begin{array}{rl}& \mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}=\frac{TP}{TP+FN}\end{array}$(22) (23) $\begin{array}{rl}& F1=\frac{2\ast \mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\ast \mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}}{\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}+\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}}\end{array}$(23)

4.3. Feature selection and data balance processing

In the feature selection stage of the intrusion detection field, two groups of classification accuracy are used to evaluate the fitness value to ensure the selected features have excellent performance in both binary classification and multi-classification. One group uses multi-classification accuracy, the other group uses binary classification accuracy. Finally, the two groups of feature selection results are combined to form the final optimal feature subset. In the experiment, 10 populations are initialised, and each test population is iterated 50 times. Table 3 shows the feature subsets obtained in two rounds of experiments and the final feature subsets used. Table 4 shows the best subset of features selected by this paper and other feature selection methods, such as NSGA2-LR (Khammassi & Krichen, 2020), RF (Kunhare et al., 2020), GA-FCM (Nguyen & Kim, 2020), MCMIFS (Gavel et al., 2022), Sigmoid PIO (Alazzam et al., 2020), GLCC (Mohammadi et al., 2019).

Table 3. Feature selection on three datasets.

	NSL-KDD dataset	Total number
HHO-Bin	2,3,4,5,6,14,22,23,24,25,27,30,31,32,34,37,38,40	18
HHO-Multi	2,3,7,8,9,11,12,13,17,18,23,25,27,29,30,34,36,37,38,39,40	21
HHO-Bin ∪ HHO-Multi	2,3,4,5,6,7,8,9,11,12,13,14,17,18,22,23,24,25,	29
	27,29,30,31,32,34,36,37,38,39,40
	KDD CUP99 dataset	Total number
HHO-Bin	1,4,5,6,7,11,13,14,15,17,18,22,25,27,29,30,32,34,39	19
HHO-Multi	1,2,4,6,13,14,17,19,28,30,32,34,40	13
HHO-Bin ∪ HHO-Multi	1,2,4,5,6,7,11,13,14,15,17,18,19,22,25,	23
	27,28,29,30,32,34,39,40
	UNSW-NB15 dataset	Total number
HHO-Bin	1,2,4,5,9,10,11,13,18,20,22,24,26,27,30,31,33,36,39,41	20
HHO-Multi	3,4,5,7,9,10,12,13,16,17,19,20,21,22,24,26,27,28,30,31,	26
	32,33,37,38,39,41
HHO-Bin ∪ HHO-Multi	1,2,3,4,5,7,9,10,11,12,13,16,17,18,19,20,21,22,24,	31
	26,27,28,30,31,32,33,36,37,38,39,41

Table 4. Comparison of feature selection results.

Dataset	Method	Selected features	Total number
	NSGA2-LR	1,2,3,4,7,8,9,10,11,12,13,14,17,18,19,21,	27
		22,25,27,28,29,30,32,33,35,36,37
NSL-KDD	RF	3,5,6,12,23,25,33,35,36,38	10
	GA-FCM	1,2,3,4,5,6,7,8,10,11,13,15,16,17,18,19,	28
		21,22,25,26,27,29,32,33,34,35,36,40
	Ours	2,3,4,5,6,7,8,9,11,12,13,14,17,18,22,23,	29
		24,25,27,29,30,31,32,34,36,37,38,39,40
	MCMIFS	2,3,5,6,7,8,23,26,27,28,29,32,33,34	14
KDD CUP99	Sigmoid PIO	3,4,6,11,13,18,23,36,37,39	10
	GLCC	4,6,10,13,22,23,24,27,29,30,32,35,36,39,40,41	16
	Ours	1,2,4,5,6,7,11,13,14,15,17,18,19,22,25,	23
		27,28,29,30,32,34,39,40
	NSGA2-LR	1,2,3,4,9,10,11,27,28,36,41,42	12
UNSW-NB15	Sigmoid PIO	3,8,9,11,12,23,26,27,28,31,38,39,40,43	14
	Ours	1,2,3,4,5,7,9,10,11,12,13,16,17,18,19,20,21,	31
		22,24,26,27,28,30,31,32,33,36,37,38,39,41

In the stage of processing unbalanced data, KNN is used to downsample the majority class data. After repeated experiments, for NSL-KDD dataset, 1000 neighbour nodes around each sample to be tested are used for evaluation for Normal type data, and 10 neighbour nodes around each sample to be tested are used for evaluation for Dos and Probe data types. Thus, the downsampling of the training set is completed by these parameters. DDAE is used to upsample the data, through many experiments, the epoch is set to 20, the batch size is set to 64, and the hidden layer is set to [80, 50, 30, 20] to achieve the best-generated data. For classes with only a few samples, we do not upsample. Such as the number of U2R is small and the generated data may have a negative impact on the classification performance due to its unrepresentative nature, so only R2L is used for data generation. The hyperparameter settings of DDAE are shown in Table 5. The data processed by KNN and DDAE are combined into new training data, and the details are shown in Table 6.

Table 5. DAE hyperparameter settings.

Input	Hidden layer	Function	Batch size
None,122	[80,50,30,20]	Relu	64

Table 6. Preprocessed data.

Dataset	Category	Before processing	After processing
NSL-KDD	Normal	67343(53.46%)	51175(39.73%)
	Dos	45927(36.46%)	45334(35.19%)
	Probe	11656(9.25%)	11352(8.81%)
	R2L	995(0.79%)	20895(16.22%)
	U2R	52(0.04%)	52(0.04%)
	Total	125973	128808
KDD CUP99	Normal	97278(19.69%)	86991(16.82%)
	Dos	391458(79.24%)	391259(75.65%)
	Probe	4107(0.83%)	3991(0.77%)
	R2L	1126(0.23%)	34906(6.75%)
	U2R	52(0.01%)	52(0.01%)
	Total	494021	517199
UNSW-NB15	Normal	56000(31.94%)	38655(17.72%)
	Generic	40000(22.81%)	37526(17.21%)
	Exploits	33393(19.04%)	31861(14.61%)
	Fuzzers	18184(10.37%)	18184(8.34%)
	Dos	12264(6.99%)	12264(5.62%)
	Reconnaissance	10491(5.98%)	10491(4.81%)
	Analysis	2000(1.14%)	24278(11.13%)
	Backdoor	1746(0.99%)	22702(10.41%)
	Shellcode	1133(0.65%)	22005(10.09%)
	Worms	130(0.07%)	130(0.06%)
	Total	175341	218096

In the training stage of the DNN classifier, we set 4 hidden layers and use ReLU as the activation function of each layer to extract features more effectively. In addition, using the Dropout layer to discard a part of nodes, which can avoid overfitting. Table 7 shows the specific parameters of the DNN model. Figure 6 shows the changes of loss during DDAE and DNN training on NSL-KDD dataset.

Figure 6. The change of loss with the increase of epoch during DDAE and DNN training. (a) DDAE training (b) DNN training.

Table 7. DNN structure for NSL-KDD.

Layers	Type	Output size	Parameter
1	Dense_1	(None, 512)	56320
2	Drop-out(0.2)	–	0
3	Dense_2	(None, 256)	131328
4	Drop-out(0.2)	–	0
5	Dense_3	(None, 128)	32896
6	Drop-out(0.2)	–	0
7	Dense_4	(None, 64)	8256
8	Drop-out(0.3)	–	0
9	Dense_5	2 for binary	130
		5 for muti	325

4.4. binary classification task

We analyse each stage to prove the effectiveness of the proposed hybrid detection model. The original data, the data after feature selection, and the data after data balance processing are used for comparison. Figure 7 shows the confusion matrix of the proposed model in the binary classification, and Table 8 shows the specific experimental data.

Figure 7. Confusion matrix for binary classification. (a) NSL-KDD, (b) KDD CUP99, and (c) UNSW-NB15.

Table 8. Binary classification experiment results (%).

Dataset	Method	Accuracy	Precision	F1 score
NSL-KDD	DNN	80.19	80.66	81.02
	HHO-DNN	84.32	83.68	85.41
	DDAE-KNN-DNN	87.77	88.62	89.34
	SMOTE-DNN	86.38	88.96	87.89
	Final	93.31	92.88	94.21
KDDCUP99	DNN	93.13	94.67	93.51
	HHO-DNN	94.53	95.63	94.76
	DDAE-KNN-DNN	93.61	99.41	95.89
	SMOTE-DNN	93.41	99.32	95.75
	Final	94.89	99.38	96.74
UNSW-NB15	DNN	85.90	80.51	88.46
	HHO-DNN	87.21	82.41	89.36
	DDAE-KNN-DNN	86.63	81.72	87.02
	SMOTE-DNN	86.29	80.98	87.29
	Final	89.34	85.52	90.94

The data in the table show that the feature selection and data preprocessing in the experiment are valid, which can improve the classification performance. For NSL-KDD, the accuracy after feature selection is 4.13% higher than the DNN, and the final integrated model is 13.12% higher than the original model. In addition, the precision increased by 12.22%, and F1 Score increased by 13.19%. For KDD CUP99, the data classification accuracy after feature selection is 1.4% higher than the original model, The final integrated model improves by 1.76% accuracy, 4.71% precision, and 3.32% F1 score to the original DNN. For UNSW-NB15, we finally achieved the accuracy of 89.34%, the precision of 85.52% and the F1 Score of 90.94%. The result shows that the feature subset selected by the improved Harris Eagle algorithm proposed in this paper removes redundant and noisy features and improves the classification ability of the DNN model, it also shows that all performance metrics are improved after dealing with the imbalance of the dataset, and DDAE-KNN outperforms the SMOTE method on the dataset.

In addition, we plotted the Receiver Operating Characteristics (ROC) at different stages of the model. As shown in Figure 8, the results show that the proposed model has excellent classification performance.

Figure 8. ROC curves.

Table 9 shows the results of this approach compared to other advanced intrusion detection methods, such as LightGMB-AE (Tang et al., 2020), OCSVM (Khraisat et al., 2020), MAGENETO-GAN (Andresini, Appice, De Rose et al., 2021), MLP (Lopez-Martin et al., 2019).

Table 9. Binary classification performance comparison (%).

Dataset	Method	Accuracy	Precision	F1 score
NSL-KDD	DNN (Vinayakumar et al., 2019)	80.10	69.20	80.70
	AIDA (Alazzam et al., 2020)	92.41	94.52	93.24
	Sigmoid_PIO (Alazzam et al., 2020)	86.90	–	86.40
	Cosine_PIO (Alazzam et al., 2020)	88.30	–	88.20
	LightGMB-AE (Tang et al., 2020)	89.82	91.81	90.98
	OCSVM (Khraisat et al., 2020)	83.24	–	–
	Ours	93.31	92.88	94.21
KDD CUP99	DNN (Vinayakumar et al., 2019)	93.30	99.80	95.50
	MAGENETO-GAN (Andresini, Appice, De Rose et al., 2021)	93.29	–	95.66
	CLAIRE (Andresini, Appice, Malerba et al., 2021)	93.58	–	95.90
	Sigmoid_PIO (Alazzam et al., 2020)	94.7	–	–
	Ours	94.89	99.38	96.74
UNSW-NB15	MLP (Lopez-Martin et al., 2019)	86.60	–	88.90
	CASCADE-ANN(Xu et al., 2020)	86.40	86.74	89.94
	HAM (Sharafaldin et al., 2018)	87.19	–	–
	Ours	89.34	85.52	90.94

According to the data described in the table, the accuracy of the model is 93.12% on NSL-KDD, 94.87% on KDD CUP99, and 89.34% on UNSW-NB15. It outperforms other excellent intrusion detection models, indicating that this method has better performance on binary classification tasks.

4.5. Multi-classification task

Security personnel analyse the data and need detailed data types, so it is necessary to distinguish specific types of attack traffic. In this study, all categories were detected and judged in the test dataset. Figure 9 shows the confusion matrix of the proposed model in the multi-classification, and Table 10 shows the specific experimental data.

Figure 9. Confusion matrix for multi-classification. (a) NSL-KDD, (b) KDD CUP99, and (c) UNSW-NB15.

Table 10. Multi-classification tasks for datasets (%).

Dataset	Method	Accuracy	Precision	F1 score
NSL-KDD	DNN	78.71	78.43	78.68
	HHO-DNN	80.32	80.56	80.76
	DDAE-KNN-DNN	82.63	83.19	82.73
	SMOTE-DNN	82.81	82.49	82.40
	Final	86.79	89.46	87.56
KDDCUP99	DNN	92.45	92.54	93.43
	HHO-DNN	93.03	94.16	91.03
	DDAE-KNN-DNN	92.89	93.25	92.87
	SMOTE-DNN	92.74	93.42	92.66
	Final	94.03	93.78	92.24
UNSW-NB15	DNN	75.36	80.97	75.50
	HHO-DNN	78.60	81.02	77.93
	DDAE-KNN-DNN	78.27	80.26	77.80
	SMOTE-DNN	77.68	80.51	77.14
	Final	81.92	82.75	81.63

Table 10 shows the effectiveness of our method. For NSL-KDD, the data accuracy rate of feature selection is 1.61% higher than the original DNN, and the final integrated model is 8.08% higher than the original DNN. For KDD CUP99, the data accuracy after feature selection is 0.58% higher than the original DNN, and the final integrated model is 1.58% higher than the original DNN. For UNSW-NB15, the accuracy of the proposed model is 81.92%, which is 6.56% higher than the original DNN.

The proposed method is compared with other advanced intrusion detection schemes for multi-classification tasks to show its superior performance, such as DAE-DNN (Khraisat et al., 2020), CNN-BiLSTM (Jiang et al., 2020), DAE-DNN (Kunang et al., 2021), BAT-MC (Su et al., 2020), Adaptive Ensemble (Gao et al., 2019), AE-DBN (Li et al., 2015), US-CCI (Prasad et al., 2020), Multi-level ELM (Al-Yaseen et al., 2017), AE (Choi et al., 2019), MGWO (Alzaqebah et al., 2022).

Table 11 shows the results of the comparison between the proposed model and other excellent models. From the table, the accuracy rate reaches 86.79% on NSL-KDD, the accuracy rate reaches 94.03% on KDD CUP99, and the accuracy rate reaches 81.92% on UNSW-NB15. In addition, the result also shows our method has great advantages in multi-classification tasks in terms of precision and F1 score.

Table 11. Multi-classification performance comparison (%).

Dataset	Model	Accuracy	Precision	F1 score
NSL-KDD	DAE-DNN (Kunang et al., 2021)	83.34	86.02	82.04
	IDAN-IDS (Huang & Lei, 2020)	84.45	–	84.17
	AESMOTE (Zhang et al., 2021)	82.09	84.11	82.43
	RANet-A (Zhang et al., 2022)	83.23	–	82.57
	CNN-BiLSTM (Jiang et al., 2020)	83.58	85.82	85.14
	BAT-MC (Su et al., 2020)	84.25	–	–
	Adaptive Ensemble (Gao et al., 2019)	85.2	86.5	84.9
	Ours	86.79	89.46	87.56
KDDCUP99	AE-DBN (Li et al., 2015)	92.10	92.20	–
	US-CCI (Prasad et al., 2020)	93.07	84.70	–
	Multi-level ELM (Al-Yaseen et al., 2017)	93.83	93.15	–
	Autoencoder (Choi et al., 2019)	91.70	84.68	90.71
	Ours	94.03	94.78	92.24
UNSW-NB15	MGWO (Alzaqebah et al., 2022)	80.93	–	–
	ID-CVAE (Wang et al., 2021)	80.10	–	79.08
	CNN-BiLSTM (Kasongo & Sun, 2020)	77.16	81.25	–
	Ours	81.92	82.75	81.63

4.6. Time complexity

Time complexity can calculate the time required to process tasks and analyse the execution speed of the algorithm, which is an important indicator to evaluate the performance of the algorithm. The method proposed in this paper includes three parts: feature selection, data processing, and model training. We measured the runtime of multi-classification, Table 12 shows the time consumed for training and testing on the dataset using different methods.

Table 12. Comparison of running time of different methods (sec).

Dataset	State	RF	DT	XGboost	LSTM	CNN	Ours
NSL-KDD	Train	17.64	2.31	3.57	125.59	131.76	183.19
	Test	0.39	0.034	0.071	1.32	1.29	1.08
KDD CUP99	Train	33.89	5.91	14.42	335.87	365.73	405.24
	Test	3.09	0.075	0.26	15.22	15.74	14.93
UNSW-NB15	Train	47.15	5.54	13.41	221.19	239.68	283.76
	Test	2.14	0.11	0.23	4.25	4.15	4.18

From Table 12, it can be seen that traditional machine learning can complete the test quickly, and the deep learning algorithm has a large number of parameters that consume more time to run than machine learning. In addition, the test time difference between our proposed method and the currently popular deep learning methods is small, yet our method achieves much better performance, which proves that the method is competent for intrusion detection.

5. Conclusion

According to the characteristics of network traffic data, we propose a hybrid intrusion detection framework based on DNN. The improved Harris Hawk algorithm is used to select the optimal features, the algorithm uses a reasonable energy factor and multi-information fusion of prey locations, and it solves the problem of easily falling into local optima in the process of population iteration. In addition, we use KNN-DDAE to perform imbalance processing on the preprocessed data, which to some extent alleviates the problem of imbalanced data causing the model to be biased towards the majority class. Experiments are conducted on three common datasets to validate the performance of the proposed model. We compare the data without any processing, data with feature selection, and data with feature selection and data imbalance processing experimentally to ensure that each part of the processing is valid. Finally, we compare with other excellent intrusion detection models, our model always performs better at accuracy, precision, and F1 score.

In recent years, graph neural networks have made achievements in social networks, traffic networks, and protein networks. There are potential correlations between network traffic and graphs can be built based on such correlations. Therefore, the next work will consider combining graph neural networks for intrusion detection.

Abbreviations

The following abbreviations are used in this manuscript:

SVM	=	Support Vector Machines
LSTM	=	Long Short Term Memory
CNN	=	Convolutional Neural Network
HHO	=	Harris Hawk Optimization
KNN	=	K-Nearest Neighbor
DDAE	=	Deep Denoising Autoencoder
DNN	=	Deep Neural Network
LSO	=	Lion Swarm Optimization
PSO	=	Particle Swarm Optimization
WOA	=	Whale Optimization Algorithm
GAN	=	Generative Adversarial Network
KELM	=	Kernel Extreme Learning Machine
GA	=	Genetic Algorithm
KH	=	Krill Swarm Optimization Algorithm
DAE	=	Denoising Autoencoder
AE	=	Autoencoder

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work was supported by the National Natural Science Foundation of China, ‘Research on High-frequency Blockchain Data Access Control and Autonomous Authentication’ [project number 62072170].