# Building an Effective Intrusion Detection System Using the Modified Density Peak Clustering Algorithm and Deep Belief Networks

## Abstract

## Featured Application

**The model proposed in this paper can be deployed at the enterprise gateway to dynamically monitor network activity and connect with the firewall to protect the company network from attacks. It can also be deployed in a cloud computing environment or in software-defined networks to monitor network behavior and raise alerts in real time.**

## 1. Introduction

## 2. Related Works

## 3. Background

#### 3.1. Modified Density Peak Clustering Algorithm

#### 3.1.1. The Kernel-Based Similarity Measure

#### 3.1.2. Determination of Clustering Categories

Algorithm 1 MDPCA (Modified Density Peak Clustering Algorithm)

Input: Training dataset $S=\{\overrightarrow{x_1},\overrightarrow{x_2},\cdots,\overrightarrow{x_N}\}$, the number of clusters K, Gaussian kernel parameter $\sigma$.

Output: the K subsets ${DC}_{1},{DC}_{2},\cdots,{DC}_{K}$.

1: Calculate the distance $d_{i,j}$ between data points $\overrightarrow{x_i}$ and $\overrightarrow{x_j}$ according to Equation (5).

2: Assign the cut-off distance $d_c$.

3: Calculate the local density $\rho_i$ of each data point $\overrightarrow{x_i}$ according to Equation (7).

4: Calculate the distance $\delta_i$ of each data point $\overrightarrow{x_i}$ according to Equation (9).

5: Calculate $\gamma_i=\rho_i\delta_i,\ i\in I_S$, and select the data points corresponding to the K maximum values of $\{\gamma_i\}_{i=1}^{N}$ as the cluster centers $C=\{C_i\}_{i=1}^{K}$.

6: Finally, assign each remaining point to the same cluster as its nearest neighbor of higher density; the training dataset S is thereby divided into K subsets ${DC}_{1},{DC}_{2},\cdots,{DC}_{K}$.

7: return the K subsets ${DC}_{1},{DC}_{2},\cdots,{DC}_{K}$.
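Steps 1–6 of Algorithm 1 in Python, as an added example rather than the authors' code. Equations (5), (7) and (9) are not reproduced on this page, so the Gaussian-kernel distance, the Gaussian-weighted density, the quantile rule for $d_c$ (`dc_quantile`) and the sample points are all assumptions.

```python
import math

def kernel_distance(x, y, sigma):
    """Distance induced by a Gaussian kernel (assumed stand-in for Equation (5))."""
    sq = sum((a - b) ** 2 for a, b in zip(x, y))
    return math.sqrt(max(0.0, 2.0 - 2.0 * math.exp(-sq / (2.0 * sigma ** 2))))

def mdpca(points, k, sigma, dc_quantile=0.2):
    """Return (centers, labels): indices of the K centers and a cluster id per point."""
    n = len(points)
    if n < 2 or not 1 <= k <= n:
        raise ValueError("need at least two points and 1 <= k <= len(points)")
    # Step 1: pairwise distances d_ij.
    d = [[kernel_distance(points[i], points[j], sigma) for j in range(n)]
         for i in range(n)]
    # Step 2: cut-off distance d_c as a low quantile of all pairwise distances
    # (assumption; the page only says "assign d_c").
    pairs = sorted(d[i][j] for i in range(n) for j in range(i + 1, n))
    dc = pairs[max(0, int(dc_quantile * len(pairs)) - 1)] or 1e-12
    # Step 3: local density rho_i, Gaussian-weighted (assumed stand-in for Eq. (7)).
    rho = [sum(math.exp(-(d[i][j] / dc) ** 2) for j in range(n) if j != i)
           for i in range(n)]
    # Step 4: delta_i = distance to the nearest point of higher density; the
    # densest point gets its largest distance (assumed stand-in for Eq. (9)).
    order = sorted(range(n), key=lambda i: -rho[i])
    delta, parent = [0.0] * n, [-1] * n
    for rank, i in enumerate(order):
        if rank == 0:
            delta[i] = max(d[i])
        else:
            parent[i] = min(order[:rank], key=lambda q: d[i][q])
            delta[i] = d[i][parent[i]]
    # Step 5: gamma_i = rho_i * delta_i; the K largest become cluster centers.
    gamma = [rho[i] * delta[i] for i in range(n)]
    centers = sorted(range(n), key=lambda i: -gamma[i])[:k]
    labels = [-1] * n
    for cid, i in enumerate(centers):
        labels[i] = cid
    # Step 6: walk points in decreasing density so each point's higher-density
    # nearest neighbour is already labelled when the point inherits its cluster.
    for i in order:
        if labels[i] == -1:
            labels[i] = labels[parent[i]] if parent[i] >= 0 else 0
    return centers, labels

# Constructed sample: two tight groups of normalized 2-feature records.
SAMPLE = [(0.0, 0.0), (0.1, 0.0), (0.0, 0.1), (0.1, 0.1), (0.05, 0.05),
          (5.0, 5.0), (5.1, 5.0), (5.0, 5.1), (5.1, 5.1), (5.05, 5.05)]

if __name__ == "__main__":
    centers, labels = mdpca(SAMPLE, k=2, sigma=1.0)
    print("centers:", centers)
    print("labels: ", labels)
```

Each subset $DC_i$ is the set of indices sharing one label; those subsets are what Algorithm 3 hands to the per-cluster DBN classifiers.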

#### 3.1.3. Fuzzy Membership of Test Samples

#### 3.2. Deep Belief Networks

Algorithm 2 BernoulliRBM (Bernoulli Restricted Boltzmann Machine)

Input: Training dataset $S=\{x^{(1)},x^{(2)},\cdots,x^{(N)}\}$, $RBM(v_1,\cdots,v_m;h_1,\cdots,h_n)$, m is the number of visible units, n is the number of hidden units; learning rate $\lambda$.

Output: the RBM weight matrix W; the bias vector $b=(b_1,b_2,\cdots,b_i,\cdots,b_m)$ of the RBM visible layer, the bias vector $c=(c_1,c_2,\cdots,c_j,\cdots,c_n)$ of the RBM hidden layer.

1: init: $W_{ij}=b_i=c_j=\Delta W_{ij}=\Delta b_i=\Delta c_j=0$, for $i=1,\cdots,m$, $j=1,\cdots,n$.

2: for $iter=1,2,\cdots,T$ do

3: for all $x^{(l)}\in S$ do

4: $v^{(0)}=x^{(l)}$;

5: for $t=0,1,\cdots,k-1$ do

6: for all hidden units $j=1,2,\cdots,n$, do sample $h_j^{(t)}\sim P(h_j|v^{(t)})$;

7: for all visible units $i=1,2,\cdots,m$, do sample $v_i^{(t+1)}\sim P(v_i|h^{(t)})$;

8: end for

9: for $i=1,2,\cdots,m$, $j=1,2,\cdots,n$ do

10: $\Delta W_{ij}=\Delta W_{ij}+\lambda\cdot\left(P(h_j=1|v^{(0)})\cdot v_i^{(0)}-P(h_j=1|v^{(k)})\cdot v_i^{(k)}\right)$;

11: end for

12: for $i=1,2,\cdots,m$ do

13: $\Delta b_i=\Delta b_i+\lambda\cdot\left(v_i^{(0)}-v_i^{(k)}\right)$;

14: end for

15: for $j=1,2,\cdots,n$ do

16: $\Delta c_j=\Delta c_j+\lambda\cdot\left(P(h_j=1|v^{(0)})-P(h_j=1|v^{(k)})\right)$

17: end for

18: end for

19: $W=W+\Delta W$

20: $b=b+\Delta b$

21: $c=c+\Delta c$

22: end for

23: return network parameters $\theta=(W,b,c)$.
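Algorithm 2 (contrastive divergence with k Gibbs steps) in Python, as an added example rather than the authors' code. It assumes the standard sigmoid conditionals for $P(h_j=1|v)$ and $P(v_i=1|h)$, and departs from the listing in two labelled places: weights start at small random values, because with the all-zero start of line 1 every hidden unit receives the identical update, and the Δ accumulators are reset on each pass. The sample records and the `reconstruction_error` helper are constructed for the example.

```python
import math
import random

def sigmoid(x):
    # Numerically stable for large |x|.
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    e = math.exp(x)
    return e / (1.0 + e)

def p_hidden(v, W, c):
    """P(h_j = 1 | v) for every hidden unit j."""
    return [sigmoid(c[j] + sum(W[i][j] * v[i] for i in range(len(v))))
            for j in range(len(c))]

def p_visible(h, W, b):
    """P(v_i = 1 | h) for every visible unit i."""
    return [sigmoid(b[i] + sum(W[i][j] * h[j] for j in range(len(h))))
            for i in range(len(b))]

def sample(probs, rng):
    return [1 if rng.random() < p else 0 for p in probs]

def train_rbm(S, n_hidden, lr=0.1, epochs=300, k=1, seed=0):
    rng = random.Random(seed)
    m, n = len(S[0]), n_hidden
    # Deviation from line 1: small random weights break hidden-unit symmetry.
    W = [[rng.gauss(0.0, 0.01) for _ in range(n)] for _ in range(m)]
    b, c = [0.0] * m, [0.0] * n
    for _ in range(epochs):                               # line 2
        # Deviation: accumulators are reset per pass instead of carried over.
        dW = [[0.0] * n for _ in range(m)]
        db, dc = [0.0] * m, [0.0] * n
        for x in S:                                       # line 3
            v0 = list(x)                                  # line 4
            vk = v0
            for _ in range(k):                            # lines 5-8
                h = sample(p_hidden(vk, W, c), rng)
                vk = sample(p_visible(h, W, b), rng)
            ph0, phk = p_hidden(v0, W, c), p_hidden(vk, W, c)
            for i in range(m):                            # lines 9-14
                for j in range(n):
                    dW[i][j] += lr * (ph0[j] * v0[i] - phk[j] * vk[i])
                db[i] += lr * (v0[i] - vk[i])
            for j in range(n):                            # lines 15-17
                dc[j] += lr * (ph0[j] - phk[j])
        for i in range(m):                                # lines 19-21
            for j in range(n):
                W[i][j] += dW[i][j]
            b[i] += db[i]
        for j in range(n):
            c[j] += dc[j]
    return W, b, c                                        # line 23

def reconstruction_error(S, W, b, c):
    """Mean squared error of a deterministic v -> P(h|v) -> P(v|h) pass."""
    total = 0.0
    for x in S:
        recon = p_visible(p_hidden(x, W, c), W, b)
        total += sum((xi - ri) ** 2 for xi, ri in zip(x, recon))
    return total / (len(S) * len(S[0]))

# Constructed sample: binarized 6-feature records in two distinct patterns.
SAMPLE = [[1, 1, 1, 0, 0, 0], [1, 1, 1, 0, 0, 0],
          [0, 0, 0, 1, 1, 1], [0, 0, 0, 1, 1, 1]]

if __name__ == "__main__":
    untrained = train_rbm(SAMPLE, n_hidden=3, epochs=0)
    trained = train_rbm(SAMPLE, n_hidden=3)
    print("error before:", reconstruction_error(SAMPLE, *untrained))
    print("error after: ", reconstruction_error(SAMPLE, *trained))
```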

## 4. The Proposed Hybrid Approach for Intrusion Detection

#### 4.1. Data Collection

#### 4.2. Data Preprocessing

#### 4.2.1. Feature Mapping

#### 4.2.2. Data Normalization

#### 4.3. Training Classifier

#### 4.4. Attack Recognition

Algorithm 3 MDPCA-DBN (Modified Density Peak Clustering Algorithm and Deep Belief Networks)

Input: Dataset S, cluster number K, Gaussian kernel parameter $\sigma$.

Output: the final classification results.

1: Data collection: a training dataset and a testing dataset.

2: Data preprocessing: feature mapping and data normalization.

3: According to Algorithm 1, MDPCA is used to divide the original training dataset into K subsets ${DC}_{1},{DC}_{2},\cdots,{DC}_{K}$.

4: According to Algorithm 2, each training subset ${DC}_{i}$ is used to train the corresponding classifier ${DBN}_{i}$.

5: Calculate the fuzzy membership matrix U of test samples according to Equation (14).

6: Test sample $x_j$ is tested on each trained ${DBN}_{i}$ classifier. The predictions of these ${DBN}_{i}$ classifiers are fuzzy aggregated according to Equation (28), and the final classification results are output.

7: return the final classification results.

## 5. Experimental Results and Analysis

#### 5.1. Performance Evaluation

#### 5.2. Description of the Benchmark Datasets

#### 5.2.1. NSL-KDD Dataset

#### 5.2.2. UNSW-NB15 Dataset

#### 5.3. Experimental Setup

#### 5.4. Results and Discussion

#### 5.5. Comparative Study

#### 5.6. Additional Comparison

## 6. Conclusions and Future Work

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## References

- Hajisalem, V.; Babaie, S. A hybrid intrusion detection system based on ABC-AFS algorithm for misuse and anomaly detection. Comput. Netw. **2018**, 136, 37–50.
- Al-Yaseen, W.L.; Othman, Z.A.; Nazri, M.Z.A. Multi-level hybrid support vector machine and extreme learning machine based on modified K-means for intrusion detection system. Expert Syst. Appl. **2017**, 67, 296–303.
- Aljawarneh, S.; Aldwairi, M.; Yassein, M.B. Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J. Comput. Sci. **2018**, 25, 152–160.
- Karami, A. An anomaly-based intrusion detection system in presence of benign outliers with visualization capabilities. Expert Syst. Appl. **2018**, 108, 36–60.
- Moustafa, N.; Creech, G.; Slay, J. Anomaly Detection System Using Beta Mixture Models and Outlier Detection. In Progress in Computing, Analytics and Networking; Springer: Berlin, Germany, 2018; pp. 125–135.
- Syarif, A.R.; Gata, W. Intrusion detection system using hybrid binary PSO and K-nearest neighborhood algorithm. In Proceedings of the 2017 11th International Conference on Information & Communication Technology and System (ICTS), Surabaya, Indonesia, 31 October 2017; pp. 181–186.
- Kuttranont, P.; Boonprakob, K.; Phaudphut, C.; Permpol, S.; Aimtongkhamand, P.; KoKaew, U.; Waikham, B.; So-In, C. Parallel KNN and Neighborhood Classification Implementations on GPU for Network Intrusion Detection. J. Telecommun. Electron. Comput. Eng. (JTEC) **2017**, 9, 29–33.
- Kabir, E.; Hu, J.; Wang, H.; Zhuo, G. A novel statistical technique for intrusion detection systems. Future Gener. Comput. Syst. **2018**, 79, 303–318.
- Manzoor, I.; Kumar, N.; Akashdeep. A feature reduced intrusion detection system using ANN classifier. Expert Syst. Appl. **2017**, 88, 249–257.
- Moon, D.; Im, H.; Kim, I.; Park, J.H. DTB-IDS: An intrusion detection system based on decision tree using behavior analysis for preventing APT attacks. J. Supercomput. **2017**, 73, 2881–2895.
- Aburomman, A.A.; Reaz, M.B.I. A survey of intrusion detection systems based on ensemble and hybrid classifiers. Comput. Secur. **2017**, 65, 135–152.
- Resende, P.A.A.; Drummond, A.C. A Survey of Random Forest Based Methods for Intrusion Detection Systems. ACM Comput. Surv. (CSUR) **2018**, 51, 48.
- Yadahalli, S.; Nighot, M.K. Adaboost based parameterized methods for wireless sensor networks. In Proceedings of the 2017 International Conference On Smart Technologies For Smart Nation (SmartTechCon), Karnataka, India, 17–19 August 2017; pp. 1370–1374.
- Roy, S.S.; Krishna, P.V.; Yenduri, S. Analyzing Intrusion Detection System: An ensemble based stacking approach. In Proceedings of the 2014 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT), Noida, India, 15–17 December 2014; pp. 000307–000309.
- Hinton, G.E. Deep belief networks. Scholarpedia **2009**, 4, 5947.
- Hinton, G.E.; Osindero, S.; Teh, Y.W. A fast learning algorithm for deep belief nets. Neural Comput. **2006**, 18, 1527–1554.
- Wang, Z. Deep Learning-Based Intrusion Detection With Adversaries. IEEE Access **2018**, 6, 38367–38384.
- Xin, Y.; Kong, L.; Liu, Z.; Chen, Y.; Li, Y.; Zhu, H.; Gao, M.; Hou, H.; Wang, C. Machine Learning and Deep Learning Methods for Cybersecurity. IEEE Access **2018**, 6, 35365–35381.
- Huda, S.; Miah, S.; Yearwood, J.; Alyahya, S.; Al-Dossari, H.; Doss, R. A malicious threat detection model for cloud assisted internet of things (CoT) based industrial control system (ICS) networks using deep belief network. J. Parallel Distrib. Comput. **2018**, 120, 23–31.
- Ambusaidi, M.A.; He, X.; Nanda, P.; Tan, Z. Building an intrusion detection system using a filter-based feature selection algorithm. IEEE Trans. Comput. **2016**, 65, 2986–2998.
- UNB. NSL-KDD Dataset. Available online: https://www.unb.ca/cic/datasets/nsl.html (accessed on 10 December 2018).
- Dhanabal, L.; Shantharajah, S. A study on NSL-KDD dataset for intrusion detection system based on classification algorithms. Int. J. Adv. Res. Comput. Commun. Eng. **2015**, 4, 446–452.
- Lopez-Martin, M.; Carro, B.; Sanchez-Esguevillas, A.; Lloret, J. Conditional variational autoencoder for prediction and feature recovery applied to intrusion detection in iot. Sensors **2017**, 17, 1967.
- Rodriguez, A.; Laio, A. Clustering by fast search and find of density peaks. Science **2014**, 344, 1492–1496.
- ACCS. UNSW-NB15 Dataset. Available online: https://www.unsw.adfa.edu.au/unsw-canberra-cyber/cybersecurity/ADFA-NB15-Datasets/ (accessed on 10 December 2018).
- Moustafa, N.; Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In Proceedings of the 2015 IEEE Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, 10–12 November 2015; pp. 1–6.
- Moustafa, N.; Slay, J. The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf. Secur. J. Glob. Perspect. **2016**, 25, 18–31.
- Cha, Y.J.; Wang, Z. Unsupervised novelty detection–based structural damage localization using a density peaks-based fast clustering algorithm. Struct. Health Monit. **2018**, 17, 313–324.
- Li, L.; Zhang, H.; Peng, H.; Yang, Y. Nearest neighbors based density peaks approach to intrusion detection. Chaos Solitons Fractals **2018**, 110, 33–40.
- Ma, T.; Wang, F.; Cheng, J.; Yu, Y.; Chen, X. A Hybrid Spectral Clustering and Deep Neural Network Ensemble Algorithm for Intrusion Detection in Sensor Networks. Sensors **2016**, 16, 1701.
- Thing, V.L. IEEE 802.11 network anomaly detection and attack classification: A deep learning approach. In Proceedings of the 2017 IEEE Wireless Communications and Networking Conference (WCNC), San Francisco, CA, USA, 19–22 March 2017; pp. 1–6.
- Naseer, S.; Saleem, Y. Enhanced Network Intrusion Detection using Deep Convolutional Neural Networks. KSII Trans. Internet Inf. Syst. **2018**, 12.
- Tang, T.; Zaidi, S.A.R.; McLernon, D.; Mhamdi, L.; Ghogho, M. Deep Recurrent Neural Network for Intrusion Detection in SDN-based Networks. In Proceedings of the 2018 IEEE International Conference on Network Softwarization (NetSoft 2018), Montreal, ON, Canada, 25–29 June 2018.
- Shone, N.; Ngoc, T.N.; Phai, V.D.; Shi, Q. A deep learning approach to network intrusion detection. IEEE Trans. Emerg. Top. Comput. Intell. **2018**, 2, 41–50.
- Muna, A.H.; Moustafa, N.; Sitnikova, E. Identification of malicious activities in industrial internet of things based on deep learning models. J. Inf. Secur. Appl. **2018**, 41, 1–11.
- Tamer Aldwairi, D.P.; Novotny, M.A. An evaluation of the performance of Restricted Boltzmann Machines as a model for anomaly network intrusion detection. Comput. Netw. **2018**, 144, 111–119.
- Li, C.; Wang, J.; Ye, X. Using a Recurrent Neural Network and Restricted Boltzmann Machines for Malicious Traffic Detection. NeuroQuantology **2018**, 16.
- Imamverdiyev, Y.; Abdullayeva, F. Deep Learning Method for Denial of Service Attack Detection Based on Restricted Boltzmann Machine. Big Data **2018**, 6, 159–169.
- Nguyen, B.; Morell, C.; De Baets, B. Supervised distance metric learning through maximization of the Jeffrey divergence. Pattern Recognit. **2017**, 64, 215–225.
- Hinton, G.E.; Salakhutdinov, R.R. Reducing the dimensionality of data with neural networks. Science **2006**, 313, 504–507.
- Hinton, G. A practical guide to training restricted Boltzmann machines. Momentum **2010**, 9, 926.
- Fischer, A.; Igel, C. Training restricted Boltzmann machines: An introduction. Pattern Recognit. **2014**, 47, 25–39.
- Swersky, K.; Chen, B.; Marlin, B.; De Freitas, N. A tutorial on stochastic approximation algorithms for training restricted Boltzmann machines and deep belief nets. In Proceedings of the 2010 Information Theory and Applications Workshop (ITA), San Diego, CA, USA, 31 January–5 February 2010; pp. 1–10.
- Hinton, G.E. Training products of experts by minimizing contrastive divergence. Neural Comput. **2002**, 14, 1771–1800.
- Tieleman, T. Training restricted Boltzmann machines using approximations to the likelihood gradient. In Proceedings of the 25th international conference on Machine Learning, Helsinki, Finland, 5–9 July 2018; ACM: New York, NY, USA, 2008; pp. 1064–1071.
- KDDCup. KDD Cup Dataset. Available online: http://archive.ics.uci.edu/ml/datasets/kdd+cup+1999+data (accessed on 10 December 2018).
- Tavallaee, M.; Bagheri, E.; Lu, W.; Ghorbani, A.A. A detailed analysis of the KDD CUP 99 data set. In Proceedings of the 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, Ottawa, ON, Canada, 8–10 July 2009; pp. 1–6.
- Creech, G. Developing a High-Accuracy Cross Platform Host-Based Intrusion Detection System Capable of Reliably Detecting Zero-Day Attacks. Ph.D. Thesis, University of New South Wales, Canberra, Australia, 2014.
- Song, J.; Takakura, H.; Okabe, Y.; Eto, M.; Inoue, D.; Nakao, K. Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation. In Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Salzburg, Austria, 10–13 April 2011; pp. 29–36.
- Shiravi, A.; Shiravi, H.; Tavallaee, M.; Ghorbani, A.A. Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. **2012**, 31, 357–374.
- Sharafaldin, I.; Lashkari, A.H.; Ghorbani, A.A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. In Proceedings of the ICISSP 2018: 4th International Conference on Information Systems Security and Privacy, Funchal, Portugal, 22–24 January 2018; pp. 108–116.
- Maas, A.L.; Hannun, A.Y.; Ng, A.Y. Rectifier nonlinearities improve neural network acoustic models. Proc. ICML **2013**, 30, 3.
- Javaid, A.; Niyaz, Q.; Sun, W.; Alam, M. A deep learning approach for network intrusion detection system. In Proceedings of the 9th EAI International Conference on Bio-Inspired Information and Communications Technologies (formerly BIONETICS), New York, NY, USA, 2–5 December 2016; pp. 21–26.
- Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M. Deep learning approach for network intrusion detection in software defined networking. In Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco, 26–29 October 2016; pp. 258–263.
- Yin, C.; Zhu, Y.; Fei, J.; He, X. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access **2017**, 5, 21954–21961.
- Baig, M.M.; Awais, M.M.; El-Alfy, E.S.M. A multiclass cascade of artificial neural network for network intrusion detection. J. Intell. Fuzzy Syst. **2017**, 32, 2875–2883.

| | Test Result Positive (Predicted as an Attack) | Test Result Negative (Predicted as a Normal Record) |
|---|---|---|
| Actual positive class (Attack record) | True positive (TP) | False negative (FN) |
| Actual negative class (Normal record) | False positive (FP) | True negative (TN) |

| Categories | Description | Examples |
|---|---|---|
| Normal | include data with no attack. | normal |
| Probe | include attacks in which attackers try to scan the computer networks with the purpose of collecting information and finding out vulnerabilities. | ipsweep, nmap, portsweep, satan, saint, mscan |
| DoS | include attacks in which attackers try to prevent legitimate users of a service from using the service | back, land, neptune, pod, smurf, teardrop, apache2, mailbomb, udpstorm, processtable |
| U2R | include attacks in which attackers have local access to the victim target machine and try to get super user privileges. | perl, rootkit, loadmodule, buffer_overflow, httptunnel, ps, sqlattack, xterm |
| R2L | include attacks in which attackers do not have a local account and try to gain access by sending packets to the target host over the internet. | ftp_write, guess_passwd, multihop, phf, imap, spy, warezclient, warezmaster, named, xsnoop, xlock, sendmail, worm, snmpgetattack, snmpguess |

| Category | Training Dataset: KDDTrain+_20Percent | Testing Dataset: KDDTest+ | Testing Dataset: KDDTest-21 |
|---|---|---|---|
| Normal | 13,449 | 9711 | 2152 |
| Probe | 2289 | 2421 | 2402 |
| DoS | 9234 | 7458 | 4342 |
| U2R | 11 | 200 | 200 |
| R2L | 209 | 2754 | 2754 |
| Total | 25,192 | 22,544 | 11,850 |

| Category | Training Dataset: UNSW_NB15_Training-Set 20% | Testing Dataset: UNSW_NB15_Testing-Set 20% |
|---|---|---|
| Normal | 11,200 | 7400 |
| Generic | 8000 | 3774 |
| Exploits | 6679 | 2226 |
| Fuzzers | 3637 | 1212 |
| DoS | 2453 | 818 |
| Reconnaissance | 2098 | 699 |
| Analysis | 400 | 135 |
| Backdoor | 349 | 117 |
| Shellcode | 227 | 76 |
| Worms | 26 | 9 |
| Total | 35,069 | 16,466 |

**Table 5.** Detection accuracy (%) with optimal parameters K and $\sigma$ for NSL-KDD (KDDTest+) and NSL-KDD (KDDTest-21) datasets.

| Dataset | K | $\sigma$ | Normal | Probe | DoS | U2R | R2L | Accuracy |
|---|---|---|---|---|---|---|---|---|
| NSL-KDD (KDDTest+) | 2 | 250 | 97.38 | 73.94 | 81.09 | 6.5 | 17.25 | 82.08 |
| NSL-KDD (KDDTest-21) | 2 | 250 | 86.94 | 63.2 | 68.75 | 6. | 34.93 | 66.18 |

| K | $\sigma$ | Normal | Generic | Exploits | Fuzzers | DoS | Reconnaissance | Analysis | Backdoor | Shellcode | Worms | Accuracy |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2 | 50 | 82.85 | 96.93 | 83.51 | 44.39 | 23.72 | 76.68 | 0.00 | 0.85 | 39.47 | 11.11 | 90.21 |

| | Normal | Probe | DoS | U2R | R2L |
|---|---|---|---|---|---|
| Normal | 9457 | 186 | 55 | 5 | 8 |
| Probe | 443 | 1790 | 174 | 13 | 1 |
| DoS | 906 | 96 | 6048 | 69 | 339 |
| U2R | 181 | 0 | 0 | 13 | 6 |
| R2L | 2255 | 13 | 1 | 10 | 475 |

| | Normal | Probe | DoS | U2R | R2L |
|---|---|---|---|---|---|
| Normal | 1871 | 217 | 61 | 2 | 1 |
| Probe | 703 | 1518 | 158 | 1 | 22 |
| DoS | 1076 | 58 | 2985 | 0 | 223 |
| U2R | 178 | 1 | 1 | 12 | 8 |
| R2L | 1770 | 12 | 4 | 6 | 962 |

| | Normal | Generic | Exploits | Fuzzers | DoS | Reconn | Analysis | Backdoor | Shellcode | Worms |
|---|---|---|---|---|---|---|---|---|---|---|
| Normal | 6131 | 2 | 158 | 906 | 18 | 128 | 48 | 0 | 9 | 0 |
| Generic | 1 | 3658 | 97 | 6 | 3 | 6 | 0 | 0 | 3 | 0 |
| Exploits | 37 | 12 | 1859 | 45 | 230 | 20 | 6 | 0 | 14 | 3 |
| Fuzzers | 284 | 0 | 205 | 538 | 79 | 80 | 0 | 2 | 24 | 0 |
| DoS | 7 | 6 | 589 | 14 | 194 | 4 | 0 | 0 | 4 | 0 |
| Reconn | 10 | 0 | 134 | 4 | 14 | 536 | 0 | 0 | 1 | 0 |
| Analysis | 0 | 0 | 81 | 1 | 52 | 1 | 0 | 0 | 0 | 0 |
| Backdoor | 1 | 0 | 67 | 3 | 43 | 1 | 0 | 1 | 1 | 0 |
| Shellcode | 3 | 1 | 16 | 10 | 2 | 14 | 0 | 0 | 30 | 0 |
| Worms | 0 | 0 | 7 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |

| Model | Normal | Probe | DoS | U2R | R2L | Accuracy | Recall | Precision | F1-Score | FPR |
|---|---|---|---|---|---|---|---|---|---|---|
| KNN | 92.78 | 59.4 | 82.25 | 3.5 | 3.56 | 76.51 | 64.19 | 92.16 | 75.68 | 7.22 |
| MultinomialNB | 96.03 | 82.61 | 37.1 | 0.5 | 22.22 | 78.73 | 65.64 | 95.62 | 77.85 | 3.97 |
| RF | 97.37 | 58.53 | 80.24 | 0.50 | 7.55 | 76.49 | 60.69 | 96.84 | 74.62 | 2.63 |
| SVM | 92.82 | 61.71 | 74.85 | 0.00 | 0.00 | 72.28 | 56.73 | 91.26 | 69.97 | 7.18 |
| ANN | 93.68 | 58.65 | 83.51 | 0.50 | 13.25 | 77.61 | 65.45 | 93.19 | 76.89 | 6.32 |
| DBN | 97.04 | 69.85 | 83.11 | 5.50 | 12.56 | 80.82 | 68.53 | 96.84 | 80.26 | 2.96 |
| MDPCA-DBN | 97.38 | 73.94 | 81.09 | 6.50 | 17.25 | 82.08 | 70.51 | 97.27 | 81.75 | 2.62 |
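A cross-check of the MDPCA-DBN row above against the first 5×5 confusion matrix on this page (its row totals match the KDDTest+ column of the NSL-KDD table), as an added example rather than the authors' code. It assumes rows are actual classes and columns are predictions, and uses the standard TP/FN/FP/TN formulas with every attack class collapsed into "positive"; the function names are chosen for this example.

```python
CLASSES = ["Normal", "Probe", "DoS", "U2R", "R2L"]

# Rows = actual class, columns = predicted class (assumed orientation),
# values copied from the first 5x5 confusion matrix on this page.
CM = [
    [9457, 186, 55, 5, 8],
    [443, 1790, 174, 13, 1],
    [906, 96, 6048, 69, 339],
    [181, 0, 0, 13, 6],
    [2255, 13, 1, 10, 475],
]

def pct(num, den):
    """Percentage that tolerates an empty class or an empty prediction column."""
    return 100.0 * num / den if den else 0.0

def per_class_rate(cm):
    """Share of each actual class that was assigned its own label."""
    return [pct(row[i], sum(row)) for i, row in enumerate(cm)]

def multiclass_accuracy(cm):
    """Exact-label accuracy over all classes."""
    return pct(sum(cm[i][i] for i in range(len(cm))), sum(map(sum, cm)))

def binary_metrics(cm, normal=0):
    """Attack-vs-normal view: an attack flagged as any attack class is a TP."""
    tn = cm[normal][normal]
    fp = sum(cm[normal]) - tn
    fn = sum(row[normal] for i, row in enumerate(cm) if i != normal)
    tp = sum(map(sum, cm)) - tn - fp - fn
    return {
        "accuracy": pct(tp + tn, tp + tn + fp + fn),
        "recall": pct(tp, tp + fn),
        "precision": pct(tp, tp + fp),
        "f1": pct(2 * tp, 2 * tp + fp + fn),
        "fpr": pct(fp, fp + tn),
    }

if __name__ == "__main__":
    for name, rate in zip(CLASSES, per_class_rate(CM)):
        print(f"{name:7s} {rate:6.2f}")
    for key, value in binary_metrics(CM).items():
        print(f"{key:9s} {value:6.2f}")
    print(f"5-class accuracy {multiclass_accuracy(CM):6.2f}")
```

The binary figures reproduce the Accuracy, Recall, Precision, F1-Score and FPR columns of the MDPCA-DBN row, while exact-label accuracy over the five classes comes out lower because attacks assigned to the wrong attack class still count as detections in the binary view.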

| Model | Normal | Probe | DoS | U2R | R2L | Accuracy | Recall | Precision | F1-Score | FPR |
|---|---|---|---|---|---|---|---|---|---|---|
| KNN | 68.49 | 59.08 | 69.81 | 3.50 | 3.56 | 55.5 | 52.62 | 88.27 | 65.93 | 31.51 |
| MultinomialNB | 83.32 | 82.81 | 38.12 | 0.5 | 22.22 | 60.08 | 54.93 | 93.69 | 69.25 | 16.68 |
| RF | 88.38 | 60.45 | 66.08 | 0.50 | 10.42 | 56.84 | 49.84 | 95.08 | 65.39 | 11.62 |
| SVM | 68.26 | 61.41 | 56.79 | 0.00 | 0.00 | 47.38 | 42.74 | 85.85 | 57.07 | 31.74 |
| ANN | 67.24 | 56.45 | 50.41 | 0.00 | 0.00 | 45.0 | 40.06 | 84.64 | 54.38 | 32.76 |
| DBN | 71.75 | 58.33 | 71.72 | 0.50 | 13.25 | 57.45 | 54.28 | 89.65 | 67.62 | 28.25 |
| MDPCA-DBN | 86.94 | 63.20 | 68.75 | 6.00 | 34.93 | 66.18 | 61.57 | 95.51 | 74.87 | 13.06 |

| Class | KNN | MultinomialNB | RF | SVM | ANN | DBN | MDPCA-DBN |
|---|---|---|---|---|---|---|---|
| Normal | 74.81 | 62.0 | 76.85 | 58.36 | 63.89 | 72.12 | 82.85 |
| Generic | 96.63 | 96.24 | 96.4 | 96.21 | 95.55 | 96.08 | 96.93 |
| Exploits | 74.48 | 42.81 | 77.63 | 75.52 | 87.74 | 91.02 | 83.51 |
| Fuzzers | 42.33 | 33.25 | 51.32 | 69.31 | 68.98 | 43.32 | 44.39 |
| DoS | 19.44 | 73.84 | 17.6 | 0.00 | 5.13 | 2.32 | 23.72 |
| Reconnaissance | 58.94 | 36.34 | 76.68 | 0.00 | 63.38 | 70.67 | 76.68 |
| Analysis | 1.48 | 0.0 | 3.7 | 0.00 | 0.00 | 0.00 | 0.00 |
| Backdoor | 2.56 | 0.0 | 5.13 | 0.00 | 0.00 | 0.00 | 0.85 |
| Shellcode | 14.47 | 0.0 | 51.32 | 0.00 | 0.00 | 0.00 | 39.47 |
| Worms | 11.11 | 0.0 | 11.11 | 0.00 | 0.00 | 0.00 | 11.11 |
| Accuracy | 85.38 | 76.75 | 87.56 | 79.36 | 83.29 | 86.02 | 90.21 |
| Recall | 94.01 | 88.78 | 96.29 | 96.49 | 99.12 | 97.36 | 96.22 |
| Precision | 82.05 | 74.11 | 83.6 | 73.95 | 77.08 | 81.06 | 87.3 |
| F1-score | 87.63 | 80.78 | 89.5 | 83.73 | 86.72 | 88.46 | 91.54 |
| FPR | 25.19 | 38.0 | 23.15 | 41.64 | 36.11 | 27.88 | 17.15 |

**Table 13.** Comparison results based on NSL-KDD and UNSW-NB15 datasets (N/A means no available results, * Ranked first, ** Ranked second).

| Method | Dataset | Accuracy(%) | DR(%) | FPR(%) |
|---|---|---|---|---|
| SCDNN [30] | NSL-KDD (KDDTest+) | 72.64 | 57.48 | N/A |
| STL [53] | NSL-KDD (KDDTest+) | 74.38 | 62.99 ** | 7.21 ** |
| DNN [54] | NSL-KDD (KDDTest+) | 75.75 | N/A | N/A |
| Gaussian–Bernoulli RBM [38] | NSL-KDD (KDDTest+) | 73.23 | N/A | N/A |
| RNN-IDS [55] | NSL-KDD (KDDTest+) | 81.29 ** | N/A | N/A |
| MDPCA-DBN | NSL-KDD (KDDTest+) | 82.08 * | 70.51 * | 2.62 * |
| SCDNN [30] | NSL-KDD (KDDTest-21) | 44.55 | 37.85 | N/A |
| STL [53] | NSL-KDD (KDDTest-21) | 57.34 | 52.73 ** | 15.06 ** |
| RNN-IDS [55] | NSL-KDD (KDDTest+) | 64.67 ** | N/A | N/A |
| MDPCA-DBN | NSL-KDD (KDDTest-21) | 66.18 * | 61.57 * | 13.06 * |
| CASCADE-ANN [56] | UNSW-NB15 | 86.40 ** | 86.74 ** | 13.1 * |
| EM Clustering [27] | UNSW-NB15 | 78.47 | N/A | N/A |
| DT [27] | UNSW-NB15 | 85.56 | N/A | N/A |
| MDPCA-DBN | UNSW-NB15 | 90.21 * | 96.22 * | 17.15 ** |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Yang, Y.; Zheng, K.; Wu, C.; Niu, X.; Yang, Y.
Building an Effective Intrusion Detection System Using the Modified Density Peak Clustering Algorithm and Deep Belief Networks. *Appl. Sci.* **2019**, *9*, 238.
https://doi.org/10.3390/app9020238
