1 Introduction

Network intrusion detection systems (IDS) have developed rapidly in business and academia in response to cyber-attacks on commercial and government fields worldwide [1]. Moreover, the annual cost of cybercrime is steadily increasing [2]. The most destructive cybercrimes involve malevolent insiders, denial-of-service (DoS) assaults [3], and web-based malicious events [4]. Organizations have effectively utilized antivirus software, firewalls, and network IDS [5]. One of the primary areas of interest for promptly resolving cyber-attacks is detecting the attack's vulnerabilities at an earlier stage with the help of the IDS [6]. Moreover, the network IDS is meant to identify harmful activity, such as viruses, worms, and distributed DoS (DDoS) assaults [7]. Anomaly detection techniques can be used to study user behaviors, such as analyzing the programs performed regularly and having access to information unavailable to normal users. Moreover, intrusion detection highly depends on the device's usage [8]. It monitors the security level of the intelligent devices and raises an alert if there is any abnormal activity or trend in the connection. The anomaly-based system is predicated on the premise that intrusive actions differ from non-intrusive ones. The primary benefit of outlier detection is the ability to detect new assaults. Its disadvantages include the requirement for noise training, which results in difficulties following natural variations in the distributions [9]. False alarms can occur due to such changes, whereas intrusive behavior that appears to be typical can result in missed observations.

Classifying and naming threats is difficult for anomaly-based algorithms. It doesn't detect or report completely new attacks; therefore, it must constantly update itself to work correctly, which takes more time. The important success elements for IDS are attack prediction accuracy, speed, and reliability. Furthermore, IDS are often driven by a neural function and an optimization function. In the Machine-Learning (ML) [10] and Deep-Learning (DL) [11] fields, IDS is a hot topic because it is the most required task in all digital applications [12]. DL has been proficiently employed in predicting and preventing [13]. The availability of deep hyper-parameters in DL has afforded the finest outcome [14]. Day by day, network facilities and usage have increased rapidly [15]; hence, securing the network with conventional security models is complicated [16]. So, IDS for the network have attracted many researchers to introduce new ideas about data security [17].

DL models have gained the finest outcome in predicting malicious events in network applications [18]. Besides, optimization procedures have been used along with DL models to maintain a stable range in the intrusion prediction process. Several IDS have been implemented in past years; some are based on NetFlow features [19], autoencoders [20], etc. But the desired outcome has not been attained, so the present work aims to design a novel optimized deep learning model for the IDS. The key contributions of this research work are as follows:

  • Initially, the NSL-KDD and CICIDS 2018 datasets were gathered from the standard site and trained to the system.

  • Consequently, a novel KbDBIF was designed with the required parameters to predict malicious behavior.

  • Moreover, the malicious events were detected by fixing the malicious features in the fitness function of the chimp optimization.

  • Here, incorporating the Krill herd fitness has provided the finest hyper-parameter tuning results.

  • Finally, the robustness of the proposed model has been estimated in terms of accuracy, recall, precision, f-measure, error rate, and execution time.

The presented research article is arranged as follows: the recent associated works are explained in the 2nd section, the basic intrusion prediction system with common issues is described in the 3rd section, the proposed solution is described in the 4th section, and the outcome of the proposed scheme is elaborated in the 5th section. Finally, the 6th section concludes the research arguments.

2 Related Work

Some recent works related to anomaly intrusion are described as follows:

IDS is the most required tool for network processes to secure data from third parties. Here, the IDS system has been operated with the help of NetFlow-based features, which were designed by Sarhan et al. [19]. Here, the attack features were trained based on the tree structures. Then the errors are removed by the filtering process after the attack prediction function has been performed. Finally, the parameters are validated and compared with other approaches. However, it has taken more time for the forecasting process.

Andresini et al. [20] have described an autoencoder neural model to forecast the present intrusion in the network application. Moreover, the proficient score of the designed model is checked with the benchmark datasets. The mainly predicted attack behavior from the benchmark dataset is network traffic. Hence, the reconstruction communication channel has been implemented with the autoencoder model to avoid network traffic. Finally, it has attained the best attack prediction accuracy. However, it has measured a high error rate.

Transfer learning was introduced by Deng et al. [21] for the mobile network system to predict intrusions. Predicting malicious events in a movable environment is complicated compared with the regular network, because the location of the connected users in the network system varies from time to time. So, transfer learning has been utilized to create the attack detection model in different phases. However, it is complex in design.

In some cases, the IDS in the network became inefficient because of unknown and harmful attacks. So, Kan et al. [22] have designed the optimized convolution model; the employed optimization in this IDS is particle Swarm. Here, the fitness process of the particle swarm is utilized to regulate the convolutional neural prediction parameters. But, incorporating the optimization model has taken more time to complete. The optimization iteration can repeatedly function until the desired classification accuracy is found.

The deep features have been introduced in the IDS by Wang et al. [23]. Moreover, the kernel learning system has been designed with deep belief parameters for attack detection. Furthermore, the enhanced grey wolf algorithm is executed to regulate the kernel learning parameters. Hence, the designed scheme is checked with the standard datasets, and the performance improvement score has been estimated by describing the comparative analysis model. However, it has required more resources for detection purposes.

Several models have been executed in the past to forecast intrusion in network applications. But each method has met different issues because of the large database and harmful intrusion features, as shown in Table 1. Hence, deep features with optimization have been planned to minimize the design complexity and attain the best prediction score in malicious prediction. In the present research study, the intrusion features were uploaded into the krill herd memory phases during the prediction process; this memory function is activated to tune the intrusion prediction process. Hence, this optimal model is iterated continuously until a suitable optimal output is gained. This function has helped to gain proper prediction results. Also, uploading the intrusion features into the krill herd optimization has reduced the computational time of intrusion prediction.

Table 1 Research gap analysis

3 System Model with Problem

Detection of intrusion in the network application is the most required task for maintaining the privacy range of the communication channel. Hence, IDS has been introduced. But, hacking and malicious technologies have grown like security applications. Therefore, detecting the present malicious event is not an easy task. Some attacks behaved like normal users to track the movement of the network communication function. When it has obtained any password or privacy details, it has been disabled by making traffic or collision difficulties. Moreover, if a collision has occurred in the communication channel, it collapses the entire process. These issues have motivated this research toward IDS for the network application.

The common problems in the IDS are described in Fig. 1. Hence, the inefficient algorithm has risen in severity in forecasting malicious features. Also, the different user environment has maximized the complexity score.

Fig. 1 System model with problem

4 Proposed KbDBIF for Network Applications

A novel Krill herd-based Deep Belief Intrusion Forecasting (KbDBIF) framework has been introduced for the IDS in network applications. Initially, the noise present in the data is filtered in the pre-processing module; then the error-filtered data is passed to the classification process. Consequently, feature extraction and attack detection are performed. Finally, the attack types are classified, and the performance metrics are measured. The proposed architecture is described in Fig. 2. Besides, the deep belief neural model has Artificial Intelligence features, so it is called an intelligent model.

Fig. 2 Proposed methodology

The planned model is tested with NSL-KDD and CICIDS datasets. Each dataset has unique features; hence, these two datasets were considered to analyze the system's robustness.

4.1 Proposed KbDBIF Layer Design

The proposed scheme has been developed with the principles of the Krill herd [24] and the deep belief model [25]. Moreover, it includes five layers: data importing layer, hidden layer, classification phase, optimal fitness updating layer, and output phase. Hence, the layers of the novel KbDBIF are detailed in Fig. 3.

Fig. 3 Layers of KbDBIF

Here, the data importing functions are performed in the input layer, and noise filtering proceeds in the hidden layer of the KbDBIF. Then the error-free data is imported into the classification module for feature analysis and classification. Moreover, the presence of krill fitness in the classification phase has helped to earn the finest classification results.

4.1.1 Pre-processing Phase

This phase is important for all ML tasks to gain the desired results and stability range. Moreover, the main reason for this filtering phase is to reduce the computational complexity by reducing the execution time. Noise in the dataset makes the training and testing process a complex task, so additional time is required to execute the process. The dataset initialization process is described in Eq. (1). Here, \(i\) represents all the data present in the database.

$$f(D) = k(1,2,3,4 \ldots i) \tag{1}$$

$$D(n,k) = \frac{1}{2}\left\| f_{k}(i) - n \right\|^{2} \tag{2}$$

Equation (2) carries out the noise removal function. The entire trained database is denoted as \(D\), noise features are determined as \(n\), and normal features are represented as \(k\). Moreover, each file in the trained dataset is described as \(f\), and \(i\) represents the number of files. Hence, the pre-processing and data training formulation has been designed using the formulation of the deep belief networks.

4.1.2 Feature Extraction

Before the feature extraction process, the present features have to be tracked. Hence, the tracking functions were performed using Eq. (3). Here, \(f\) denotes the meaningful features, which contain malicious or normal behaviors.

$$G = \alpha [f,y(D)] \tag{3}$$

Once the present features were tracked, the meaningful features were extracted at the maximum possible rate. Here, the extracted features are represented as \(f_{k}\). Here, \(\alpha\) is the best fitness parameter of krill, which is utilized to track and extract the present features in the trained datasets. The feature extraction has been carried out by Eq. (4). The hunting function of the krill is utilized here to extract meaningful features.

$$G = \sum_{j = 1}^{m} \alpha f[D(k) - y] = f_{k} \tag{4}$$

Here, \(\alpha\) is the feature tracking variable, which means fewer features are neglected during the feature tracking process. Hence, the meaningless feature is represented, and the feature extraction process variable is described \(G\).

4.1.3 Classification

After extracting the meaningful features, the malicious and normal features must be specified. Hence, this specification process functions on the basis of the best krill selection function, which is employed to classify the user's files as benign or malicious.

$$C(f_{k}) = \begin{cases} \text{Benign} & \text{if } f_{k} = 0 \\ \text{Malicious} & \text{if } f_{k} \ne 0 \end{cases} \tag{5}$$

The ML model works with the labels 0 and 1: if the tracked features are zero, the file is identified as a normal user; otherwise, if the features are identified as 1, it is a malicious event. Here, the '0' and '1' have been classified by the matching process detailed in Eq. (5). In the primary stage, the normal and malicious features were stored in the KbDBIF memory layer; then, during the testing process, the test data was matched with the stored data, and the labels were specified.

The designed mathematical model has been written in the pseudo-code format described in algorithm 1.

For the NSL-KDD datasets, the attack files were arranged in a predefined manner: normal files are located in the normal class, DoS files in the DoS class, probe files in the probe class, R2L files in the R2L class, and U2R files in the U2R class. If a tested file falls under the probe class during the testing process, it is classified as a probe. Otherwise, if the file falls under the normal class, it is classified as normal. Moreover, the flow of the proposed method is described in Fig. 4.

Fig. 4 Flow of proposed KbDBIF
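
An added example, not code from the paper: one way to arrange NSL-KDD records into the five classes named above and into the benign/malicious labels of Eq. (5). The attack-name grouping is the standard NSL-KDD training-split taxonomy; the record layout (41 features, attack name, difficulty score), the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

N_FEATURES = 41  # assumed layout: 41 features, attack name, difficulty score

# Attack names of the NSL-KDD training split, grouped into the classes above.
GROUPS = {
    "DoS": ["back", "land", "neptune", "pod", "smurf", "teardrop"],
    "probe": ["ipsweep", "nmap", "portsweep", "satan"],
    "R2L": ["ftp_write", "guess_passwd", "imap", "multihop", "phf", "spy",
            "warezclient", "warezmaster"],
    "U2R": ["buffer_overflow", "loadmodule", "perl", "rootkit"],
}
ATTACK_CLASS = {name: cls for cls, names in GROUPS.items() for name in names}
ATTACK_CLASS["normal"] = "normal"


def parse_record(row):
    """Return (protocol, attack_class, binary_label) for one parsed CSV row."""
    if len(row) <= N_FEATURES:
        raise ValueError(f"row has {len(row)} fields, no label column")
    protocol = row[1].strip().lower()
    name = row[N_FEATURES].strip().lower().rstrip(".")
    # Names missing from the training taxonomy (the test split has some) go
    # into their own bucket instead of being forced into a known class.
    attack_class = ATTACK_CLASS.get(name, "unknown")
    binary_label = 0 if attack_class == "normal" else 1  # Eq. (5): 0 = benign
    return protocol, attack_class, binary_label


def summarise(csv_text):
    """Count records per class and per protocol; collect the binary labels."""
    per_class, per_protocol, labels = Counter(), Counter(), []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        protocol, attack_class, binary_label = parse_record(row)
        per_class[attack_class] += 1
        per_protocol[protocol] += 1
        labels.append(binary_label)
    return per_class, per_protocol, labels


def make_row(protocol, service, flag, name):
    """Constructed sample row: only the fields used above carry real values."""
    fields = ["0", protocol, service, flag] + ["0"] * (N_FEATURES - 4)
    return ",".join(fields + [name, "20"])


# Constructed sample input, not taken from the dataset files.
SAMPLE_CSV = "\n".join([
    make_row("tcp", "http", "SF", "normal"),
    make_row("tcp", "private", "S0", "neptune"),
    make_row("icmp", "ecr_i", "SF", "smurf"),
    make_row("tcp", "private", "REJ", "portsweep"),
    make_row("tcp", "ftp_data", "SF", "warezclient"),
    make_row("tcp", "telnet", "SF", "buffer_overflow"),
    make_row("udp", "private", "SF", "snmpguess"),  # not a training-split name
])

if __name__ == "__main__":
    per_class, per_protocol, labels = summarise(SAMPLE_CSV)
    print("per class:   ", dict(per_class))
    print("per protocol:", dict(per_protocol))
    print("binary labels:", labels)
```
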

5 Results and Discussion

The planned model is implemented in a Python environment running on the Windows 10 platform. Two datasets, CICIDS and NSL-KDD, were considered in this research to validate the stability range of the presented model in predicting malicious events. The execution parameters are specifically mentioned in Table 2.

Table 2 Execution parameters

5.1 Case Study

The case study has been elaborated to check the working performance of the designed novel KbDBIF. Dual datasets are taken to measure the stability in predicting the intrusion with different platforms.

Case 1: CICIDS

It is a public dataset that is widely utilized for intrusion prediction applications. Moreover, it contains network entities, protocols, attack features, and user behavior. Some attack features are web attacks, DDoS, brute force, DoS, and heartbleed attacks. In addition, the datasets are widely utilized in the big data security field to validate the stable performance of the security model.

The data ratio for the executed model is 80% training and 20% testing. The confusion matrix has been validated to measure the intrusion classification efficiency, which is detailed in Fig. 5. Here, the user's files are categorized into two classes: benign and malicious.

Fig. 5 Confusion matrix of CICIDS data

Moreover, the misclassification rate has been measured as an error score. Hence, the observed error rate for the CICIDS is 0.00029, and the execution duration is 1.27s. Besides, the gained result for forecasting the intrusion in the CICIDS data is illustrated in Fig. 6.

Fig. 6 Overall intrusion prediction outcome of CICIDS datasets

Case 2: NSL-KDD

Numerous files are present in the NSL-KDD database for testing and training functions. Hence, this dataset is suitable for evaluating the strength of the presented model in predicting intrusion features. Moreover, the files available in the database comprise 22544 columns and 125973 rows. Also, the intrusion features present in the NSL-KDD data are DoS, U2R, R2L, probe, and normal. Considering all malicious features, it contains the maximum amount of DoS features.

In the NSLKDD datasets, there are different protocols. Hence, the user files in each protocol are described in Fig. 7. To validate the developed model, the testing function has been introduced. Hence, some files are given in the testing phase; some are normal user files, DoS, probe, and R2L files. Hence, the quantity of those user files is detailed in Fig. 8. Also, the ratio of data employed for the training and testing process is 67:33, which is 67% training and 33% testing.

Fig. 7 User counts in different protocols

Fig. 8 Predicted intrusions

The loss and accuracy metrics have been considered to measure the effectiveness rate of prediction and possible loss measures. Here, the accuracy reaches almost 100%, which indicates that the designed model is good enough for this intrusion detection purpose, as described in Fig. 9. Hence, in the testing process, the designed scheme earned the finest detection score of 99.8.

Fig. 9 Validation of training loss and accuracy

The confusion matrix was measured to estimate the classification processed in all predicted classes. The confusion matrix has been validated for the classified user's file types. Hence, the gained confusion matrix value for the NSL-KDD database is elaborated in Fig. 10.

Fig. 10 Confusion matrix of NSL-KDD datasets

Overall performance in predicting the present intrusion files from the NSL-KDD database is described in Fig. 11.

Fig. 11 Prediction performance of NSL-KDD datasets

Here, the proposed novel KbDBIF has gained a prediction score of 99.85, which is stable for all prediction sub-metrics such as precision, F-measure, and sensitivity. This has verified the proficiency score of the developed scheme.

5.2 Comparison Assessment

To measure the improvement score in predicting intrusion using the proposed model, some recent associated works have been taken, such as Software-Defined-Network based Flow ML (SDN-FM) [26], MENSA [27], SDN (NSL-KDD) [28], D-PSM (NSL-KDD) [29], and D-PSM (CICIDS) [29]. These existing approaches were implemented in the same Python platform, and the results were compared with the proposed model.

5.2.1 Accuracy and F-measure

The metric's accuracy has been validated to measure the malicious features detection rate. Moreover, the accuracy has been measured based on the correct prediction from the total features.

$$\text{Accuracy} = \frac{A_{p} + A_{n}}{A_{p} + A_{n} + Z_{p} + Z_{n}} \tag{6}$$

Here, \(A_{p}\) denotes the true-positive score, the true-negative score is mentioned as \(A_{n}\), the false-positive score is determined as \(Z_{p}\), and the false-negative score is represented as \(Z_{n}\). Hence, the accuracy metric has been measured using Eq. (6). Moreover, the accuracy comparison is described in Fig. 12.

Fig. 12 Comparison of accuracy

The F-measure parameter has been validated to find the mean intrusion prediction range. Moreover, it measures the harmonic mean of the recall and precision metrics. Hence, the F-measure has been evaluated using Eq. (7), and the performance assessment is shown in Fig. 13.

$$F\text{-score} = 2 \times \frac{\text{Recall} \times \text{Precision}}{\text{Recall} + \text{Precision}} \tag{7}$$

Fig. 13 Assessment of F-score

The model SDN-FM has attained an intrusion detection rate of 82% and the F-score of 825; the MENSA scheme has gained an intrusion detection F-score of 98.3% and 99.45 accuracies. Moreover, the SDN model with NSL-KDD has earned the prediction exactness as 99.1% and 84.9% F-score, the approach D-PSM (NSL-KDD) has yielded the most acceptable prediction rate of 98.77% and 95.11% F-score. Also, D-PSM with CICIDS has recorded the forecasting rate as 98.95% and F-measure as 95.81%. Finally, the proposed novel KbDBIF has attained the maximum intrusion detection accuracy as 99.8% and 99.8% F-score for NSL-KDD datasets. Also, the proposed novel KbDBIF has achieved a 99.7% intrusion forecasting rate for CICIDS data and a 99.4% F-score. Hence, compared to other models, the proposed strategy has earned the best outcome.

5.2.2 Recall and F-measure

The recall metric has been calculated to measure the sensitivity score in predicting the intrusion files. It was evaluated to measure the prediction range in the presence of true and false rates. Hence, the sensitivity metric has been validated using Eq. (8).

$$\text{Recall} = \frac{A_{p}}{A_{p} + Z_{n}} \tag{8}$$

To find the most possible positive score in detecting the intrusion function, the parameter precision has been validated using Eq. (9). Moreover, it has measured the mean of total predicted positive cases.

$$\text{Precision} = \frac{A_{p}}{A_{p} + Z_{p}} \tag{9}$$
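
Equations (6) to (9) applied to a multi-class confusion matrix, as an added example that is not the paper's code: each class is scored one-vs-rest with the symbols \(A_{p}\), \(A_{n}\), \(Z_{p}\), \(Z_{n}\), and the matrix is also collapsed to the benign/malicious split of Eq. (5). It goes beyond the binary case in the text; the matrix values and function names are constructed for illustration.

```python
CLASSES = ["normal", "DoS", "probe", "R2L", "U2R"]

# Constructed confusion matrix: rows = true class, columns = predicted class.
CONFUSION = [
    [90, 5, 3, 2, 0],   # normal
    [4, 76, 0, 0, 0],   # DoS
    [2, 0, 18, 0, 0],   # probe
    [6, 0, 0, 4, 0],    # R2L
    [3, 0, 0, 1, 0],    # U2R: never predicted, so precision has a zero denominator
]


def one_vs_rest(cm, k):
    """Return (A_p, A_n, Z_p, Z_n) with class k as the positive class."""
    total = sum(map(sum, cm))
    a_p = cm[k][k]
    z_n = sum(cm[k]) - a_p                 # class k predicted as another class
    z_p = sum(row[k] for row in cm) - a_p  # other classes predicted as k
    a_n = total - a_p - z_n - z_p
    return a_p, a_n, z_p, z_n


def binary_counts(cm, benign=0):
    """Collapse to benign vs malicious, with malicious as the positive class."""
    total = sum(map(sum, cm))
    a_n = cm[benign][benign]
    z_p = sum(cm[benign]) - a_n                 # benign flagged as an attack
    z_n = sum(row[benign] for row in cm) - a_n  # attacks passed as benign
    a_p = total - a_n - z_p - z_n
    return a_p, a_n, z_p, z_n


def ratio(num, den):
    """Division that reports 0.0 when the denominator is empty."""
    return num / den if den else 0.0


def metrics(a_p, a_n, z_p, z_n):
    """Eq. (6)-(9), plus the misclassification (error) rate."""
    accuracy = ratio(a_p + a_n, a_p + a_n + z_p + z_n)
    recall = ratio(a_p, a_p + z_n)
    precision = ratio(a_p, a_p + z_p)
    return {
        "accuracy": accuracy,
        "error_rate": 1.0 - accuracy,
        "recall": recall,
        "precision": precision,
        "f_score": ratio(2 * recall * precision, recall + precision),
    }


def per_class_report(cm, classes):
    """Metrics for every class, each scored one-vs-rest."""
    return {name: metrics(*one_vs_rest(cm, k)) for k, name in enumerate(classes)}


if __name__ == "__main__":
    for name, m in per_class_report(CONFUSION, CLASSES).items():
        print(f"{name:7s}", {key: round(val, 4) for key, val in m.items()})
    print("binary ", metrics(*binary_counts(CONFUSION)))
```
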

The SDN-FM model has gained an intrusion prediction score of 79% recall and 91% precision. Moreover, the SDN scheme with NSL-KDD has achieved a precision score of 99% and a recall of 74%. The method D-PSM has yielded a recall score of 92.29% and 98.1% precision. MENSA has reported 96% recall and 96% precision. The same D-PSM with CICIDS data has produced a precision rate of 95.8% and 95.85 recall. Finally, the proposed KbDBIF has recorded a precision of 98.8% and a recall of 99.8% for the NSL-KDD database. Also, the proposed KbDBIF has earned 99.95 recall and 98.8% precision. The recall comparison is shown in Fig. 14, the precision comparison in Fig. 15, and the overall comparison details are elaborated in Table 3.

Fig. 14 Comparison of recall

Fig. 15 Precision validation

Table 3 Comparison assessment

5.3 Discussion

Across all the comparison assessments, the present KbDBIF has shown a better outcome than the compared models. This has verified the robustness of the designed model in network applications for detecting unauthenticated features.

Hence, the overall performance of the designed novel KbDBIF on both datasets is tabulated in Table 4. Compared to the CICIDS data, the NSL-KDD data has earned the best forecasting score and recorded a lower error rate. But the CICIDS data has recorded a shorter execution duration than the NSL-KDD datasets. This is because it has fewer features than the NSL-KDD database.

Table 4 Overall performance of the KbDBIF model

In addition, to confirm the performance of the proposed mechanism, a few other ML and DL models such as Convolution Neural Model (CNM) [30], Recurrent Network (RN) [31], Random Forest (RF) [32], Artificial Neural Network (ANN) [33] and Feedforward Neural Network (FFNN) [34] have been obtained and tested on the same platform. Those outcomes are tabulated in Table 5.

Table 5 Performance evaluation

Hence, the efficiency of the proposed model has been proved by performing the comparison assessment with different DL and ML models.

6 Conclusion

To enrich the intrusion prediction framework in network applications, the present study introduced a novel KbDBIF, which is tested in the Python environment with two databases, NSL-KDD and CICIDS. Moreover, incorporating the krill herd functions has afforded the most satisfactory outcome for detecting the intrusion features. The proposed novel KbDBIF has recorded a maximum accuracy of 99.8% for the NSL-KDD dataset; compared to other models, it has improved the intrusion detection score by 1%. Here, this improvement in detection accuracy has been gained by the krill herd fitness, which tunes the classification layer of the deep belief networks and earned the best intrusion forecasting exactness score. Also, the recorded sensitivity score is 99.8%; compared to different recent approaches, the proposed KbDBIF has maximized the recall rate by 5%. Also, the recorded execution time for the CICIDS data is 1.57 s, and for the NSL-KDD data it is 5.27 s.

Hence, the designed model is suitable for network applications, such as system area networks, wireless networks, and storage area networks, for forecasting malicious features. In addition, this intrusion detection is applicable to cloud applications for predicting malicious users. In the future, incorporating a prevention module in the present intrusion detection framework will help to maintain the privacy range of the network user.