# I. Introduction nterconnecting systems via computer networks has been a necessity seen the 21st century. These net works are subjects to many attacks. Intrusion detection systems are a security mechanism that allows to detect attacks which has not been identified by the firewall. An intrusion being each action that can threaten confidentiality, integrity and resources availability in an information system. The intrusion detections systems that use neural networks as classification scheme has been widely studied by many authors [1]. Most of the solution proposed in the literature have the problem of pertinence and reliability. One of the problems major of the NIDS with neuronal networks is that the performance is governed by an only big system which takes care to detect either the types, or the categories of attacks. In this work, we have proposed a modular architecture and we have presented the efficiency. In this paper, we will explore the path of selecting attributes in order to improve the efficiency of this architecture that means to obtain a good approximation function, an acceptable false positive and negative rate and a recognition rate that is not far from the ideal one. It consists on displaying relevant attributes for each normal packet and for each type of attack. The Learning quality of a scheme based on neural networks is linked to the quality of data that we submit to the classifier [2]. Data submitted to the classifier can influence it in many manners [3,4]: -the recognition rate -The time required for the learning stage to obtain a satisfying recognition rate -The number of sample data necessary to obtain a satisfying recognition rate -The identification of relevant attributes -Reduce the complexity of the classifier and the execution time. Relevant attributes selection can lead to build a normal profile of a user or a particular type of attack. Input data characterization has a significant impact on many aspects of the classifier. The follow-up of our work is organized as following: in section 2, we present the basics elements of attributes selection; in section 3, we will briefly present neural networks and their importance compared to other classifiers. In section 4 we will show some works related to attributes selection; in section 5 we will describe our attributes selection approach and algorithm, in section 6, we will present the dataset used and the preprocessing done, then in section 7 we'll present the results obtained and their analysis. We will end this work with a conclusion and prospects in section 8. # II. Attributes Selection Relevant attributes selection is a difficult problem. Attributes selections consist on identifying a subset of attributes that allows to better the performances of detection system. It helps to remove non relevant attributes, redundant or noised ones. We will in the following subsection present the elements that help to implement an efficient selection process. # a) Basics Elements of Selection According to [5], the main procedure follows these four steps: a-Generation procedure: allows to explore the search space in order to find relevant subsets. [6] regroups them in three categories:-complete generation that consists on exhaustively search in the whole dataset, which is done in O(2 N ). -Sequential generation which consists on incrementally generate the relevant subset on the whole dataset. -Heuristic generation which is similar to the complete generation with a predefined maximum number of iterations. The optimal subset is evaluated using an evaluation criteria [7]. b-Evaluation: It takes as input a subset of attributes and outputs a numeric value. It allows to evaluate the examined subset. The aim of the search algorithm is to maximize the evaluation function. [5,8] consider many types of evaluation functions: The distance measure, the information measure, the dependency measure, the classifier recognition rate, the consistency criteria, and the precision measure. c-Stopping criteria: It allows to know when the learning algorithm should stop since the optimum number of variables is unknown in advance. d-Validation method: allows to make sure that the selected attributes subset is valid, to determine the number of relevant attributes, to choose different parameters and to test global performances of the system [8]. # b) Selection Method Based On Neural Networks Three main approach has been proposed in the literature to implement this procedure [4,5]. We have the filter approach, the wrappers approach and the embedded approach. The filter approach selects attributes regardless of the classifier. The wrapper approach uses the classifier to validate the subset of relevant attributes. It uses for this purpose two strategies: the for ward selection which consists to gradually add attributes and the backward selection which consists to gradually remove the attributes. The embedded approach makes attributes selection in parallel to the classification process. # III. Neural Networks Neural networks are strongly linked networks made of elementary processors functioning in parallel and linked by weighs. These connections weighs chair the network functioning. Each elementary processor computes a unique output based on information taken as inputs. Neural networks has many advantages in implementing an intrusion detection system. They are really efficient and fast in the classification task. They are able to learn and easily identify new threats which are submitted to them. Neural networks are able to handle incomplete data, imprecise and from various sources. The natural speed of neural networks help to reduce damages when a threat is detected [10]. Neural networks usage helps to extract nonlinear relationships that exist between different fields of a packet and to timely-detect complex attacks [11]. Neural networks, after having correctly learnt, have a good generalization ability, which means that they are able to compute with precision corresponding outputs even for data which have not been learnt. The flexibility that offer neural networks is also one of the asset of intrusion detection [9]. # IV. Some Works Related to Attributes Selection Relevant variables selection help to improve the classifier efficiency. [12] are the first to use neural networks for selecting attributes with the KDD dataset. They select relevant attributes by attack categories and use only one precision criteria from [13]. [14] uses selective analysis in their work to select relevant variables. They then use this set to classify attacks. [15] Uses information gain to determine the attributes which allow to better distinguish each type of attack. [16] Proposes a combination of approaches for network intrusion detection. They use for this purpose the genetic algorithm for attributes selection and SVM (Support Vector Machine) for classification. [17] Proposes a new selection method based on the total mean of each field's class. The selected subset is evaluated using the decision tree classifier. Attributes selection help to find out among a set of attributes, the most relevant and those which help to better the efficiency and the performance of the classifier for a given problem. Each selection depending on the system architecture, we will first present the architecture of our solution proposed in [22]. Then we will present in this section the approach that we use and the selection algorithm that we have designed. # a) Proposed Architecture The architecture that we have used in our works is the one shown in [22],on which performances have been studied. As shown in Figure 1, it is a modular architecture organised in four stages. We have called this architecture MAMBiM: Multiple Attack Multiple Binary MLP. # Global Journal of Computer Science and Technology Volume XVII Issue I Version I In this four-level architecture, the first level helps to preprocess data. The second one discriminate normal packets from abnormal ones. If the packet analyzed is abnormal, the nit it is thrown to other models (third level) to determine the type of attack. Element A (fourth level) in this architecture stands as a referee which will decide which type of attack it is. Each module is a neural network with one entry stage, one hidden stage and one output stage. To better the results obtained with our architecture in [22], we have chosen the heuristic approach bas -ed on neural network to select relevant attributes. # b) Selection Approach Used Evaluation criteria that we have used are presented in [2]. The generation procedure is a heuristic. The approach that we use is the one based on using neural model to select relevant attributes. We have proposed a relevance measure inspired from entropy. This measure is presented in (a). We will also present the measure having zero order given in [2] to evaluate the efficiency of our precision measure. This measure is described in diagram (b). The contribution formula that we propose in our work to evaluate an attribute contribution compared to the others is described in (c). Our approach implies a comparative study of the architecture performances in accordance with different precision measures chosen. ?? determines the influence of input neurons weighs on the hidden layer. ; -the last part ?? ?? = ? ?? ??? ???? ? ? ??? ???? ? ?? ??=1 ?log ? ??? ???? ? ? ??? ???? ? ?? ??=1 ??? * ??? ?? ? ? |?? ?? | ? ??=1 ? ? ?? =1 (a) ?? ?? = ? ? ??? ???? ? ? ??? ???? ? ?? ??=1 ??? ?? ? ? |?? ?? | ? ??=1 ? ? ?? =1 (b) ?? ?? = ?? ?? ? ??? ?? ? ?? ?? =1(??? ?? ? ? |?? ?? | ? ??=1 determines the influence of output neurons on the target. ?? ?? determines the influence of the variable i on the final decision. ? Evaluate the pertinence of each attribute using formulas (a) or (b) ; ? Evaluate the contribution of each variable using formula (c) ; ? Choose a contribution criteria of our choice : a threshold ? ; ? select the variable which satisfy the threshold (?? ?? ? ?) as relevant, we obtain a set E' with size N-P, P being the number of variables that do not satisfy the condition ; ? Dynamically look for the number of neurons from hidden layer, which gives the best performance with this set of chosen variables ; ? Evaluate the network using this set and compare the performances with performances of networks with no variables selection; ? Repeat until the choice of the threshold (3) matches with the performance targeted in terms pf false positive, false negative and recognition rate. # VI. Test Dataset and Preprocessing Since 1999, KDD Cup 99 is used as sample dataset in behavioural intrusion detection systems. Each packet from the KDD Cup 99 dataset is made of 41 fields and is labeled as a normal or an abnormal packet with types of attacks. Amidst these fields, 37 are of type numeric and 4 are of type non numeric. KDD99 combine 37 types of attacks. These attacks are subdivided in four major classes: DOS, U2R, R2L and Probes [19,20]. ? DOS (Denial of service attacks): they are attacks that target to threaten availability of services by overloading computers resources, servers or target networks. These attacks succeeded in networks have as consequence to freeze network traffic. ? Probes: attack which aims to gather information on the target that can help an attacker to trigger an attack. There exist many types of probes attacks: some abuse legitimate users and others use engineering techniques to gather information. ? R2L (Remote to Local): attack which aims to bypass or usurp authentication credentials to execute commands. Most of these attacks derive from social engineering [18]. ? U2R (User to Root): This attack comes from inside. The attacker usurp the super administrator password and thus the other users' passwords. Most of these attacks come from buffer overloading caused by programming errors [19]. KDD99 dataset contains many redundant packets in training data, as in test data [20]. Redundant data are able to give more importance to a type of attack than it merits. [20] propose NSL-KDD which is an excellent dataset for comparing network IDS. Our experimentation has been done with NSL-KDD, the type of attack and the number in the training and test datasets are proposed in table 4 in appendix. The fields in the packets are described in table 5 in appendix. # a) Preprocessing Pre-processing focus on non-numeric fields. Non numeric fields are: type of protocol (TCP, UDP, ICMP), type of service (AOL, auth, bgp, Z39_50), flag (OTH, REJ, RSTO, RSTOS0, RSTR, S0, S1, S2, S3, SF, SH) and the packet's class (Normal or Abnormal). For type of protocol, we assign the following numeric values: TCP=1, UDP=2 and ICMP=3. We assign 1 to normal packets and 0 to abnormal packets. For field type of service and flag, we can assign numeric values in their total number ascendant or descendant order. [21] has shown the limits of such an approach. He propose to assign random values to those fields. In our work we have assigned random values from 1 to 10 to fields of type flag, and random values from 1 to 65 to fields of type of services. # b) Normalization It consist on transforming data to make them vary between 0 and 1, in order to make them homogeneous and thus simplify network learning. We will in this paper use the Min-Max normalization. Let be ?????? ?? and ?????? ?? respectively the minimum and the maximum of values of attribute ?? of value??, the normalized value is ?? ' = ????????? ?? ?????? ?? ??????? ?? . For each attribute of data vector, compute its normalized value and replace it with the normalized value. We will then make a comparative study of performances compared to the model which has been trained by the set of attributes from the variables space. The selection approach that we will use is a wrappers approach from blocks variables downward strategy. It is illustrated in figure 1. And this is based on criteria (c). # c) Our Selection Algorihm We do mention here that the error retro propagation algorithm which is used to train the neural net work. The principle of our selection method is described in the following steps: ? Learn the network with the set of variables (of size N)from the space of variables using the errors retro propagation algorithm ; # Global Journal of Computer Science and Technology Volume XVII Issue I Version I 22 Year 2017 ( ) E # VII. Experiment Results Analysis To evaluate our models, we will use many indicators: recognition rat (TR), false positive recognition rate (TFP), detection rate (TR) and false negative rate (TFN). This rate is computed as following: For the attacks presented, we observe how the recognition rate gets better as we remove non relevant attributes. This allows us to present new descriptors for each type of attack. This work allows us to better the results we have presented in [22]. NN: normal packet detected as normal; NA: normal packet detected as abnormal; AN: abnormal packet detected as Normal; AA: abnormal packet detected as abnormal. ???? = ????+???? ????+????+????+???? * ??00, ?????? = ???? ????+???? * (a).We have only presented some types of attacks. After that, we have presented the results per type of attack with our performance measure and we have compared with YACOUP measure. For experiments, 80% of data has been used for training purposes, in which 20% are reserved for evaluation and 20% of data are used for testing. The set of data that we submit to each network is reduced compared to initial data. # a) Results analysis with a dynamic threshold Here we present results obtained. model, the learning rate also decreases for some type of attack. The results clearly show that our results are clearly better than works of the authors who have dealt with intrusion detection by type of attack. # VIII. Conclusion We have in this paper, proposed a modular architecture for network intrusion systems based on neural networks and proposed an algorithm for selecting attributes that allows us to propose descriptors for each type of attack. These new descriptors have helped us to better predict different types of attack. In terms of perspectives, we plan to propose a NIDS which timely detects networks attack. 1![Figure 1: Four-level intrusion detection architecture (MAMBiM)](image-2.png "Figure 1 :") 1ATTACKS? NVVARIABLES SELECTEDTR%TFP%TFN%0 4111111111111111111111111111111111111111111100001 321111011111111001111111111010001111011111010000Warezmaster2 2201110101111110001010101110000000110011110100003 1100010100001110000000001010000000000011110100000 411111111111111111111111111111111111111111195,94,254,78Nmap1 3811111111111110111011111111111111111111100100000 411111111111111111111111111111111111111111199,90,550,15portsweep1 31 2 1911111111111110111111111110110100000111110 1111011010100010101111011000000000101010098,0 97,54,3 5,30 0,43 121110000010000010101010011000000000101000098,01,82,080 411111111111111111111111111111111111111111196,94,42,71 251000100101111110001001111111100010011111195,36,23,2satan2 181000100001111100001000011111000010000111191,210,87,43 140000100001111100001000011111000010000111190,911,87,00 411111111111111111111111111111111111111111196,54,42,41 301100100110111111111111101111110010001111198,802,22 111100100000010011001000001100010010000000010000pod0 41111111111111111111111111111111111111111118033,301 1710000000000110110010000111111010000101011100002 111000000000011011001000000110100000000001180025rootkit3 ?????? =???? ????+????* ??????, with:( ) Ei. Comparative study of our criteria with Yacoup oneDJIONANGYACOUPCategoryType of attackNumber VATR (%)Number VATR (%)ftp_write3910037100guess_passwd3193,022893,02R2Lphf4010034100warezmaster1110011100A New Networks Intrusion Detection Architecture based on Neural Networks 2buffer_overflow4084,6230100loadmodule401005100U2Rperl4166,673066,67rootkit78017100warezclient4197,633496,84A New Networks Intrusion Detection Architecture based on Neural Networks 3© 20 7 Global Journa ls Inc. (US) 1 © 20 7 Global Journa ls Inc. (US) 1 © 2017 Global Journals Inc. (US) * Feature selection and architecture optimization in connectionist system Yacoub & YounesMeziane Bennami International journal of Neural Systems 10 5 2000 * Discriminant Anlysis based feature Selection in KDD Intrusion Dataset SSiva International Journal of Computer Application 31 11 october 2011 * Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99 Intrusion Detection Datasets HGünes * A New Method for Detecting Network Intrusion by Using a combinaison of Genetic and Support Vector Machine Behrooz Mabadi Journal Of Engineering and Applied Science 11 4 2016 * Feature Selection for Intrusion Detection using NS L-KDD HChae BOJo SHChoi TKPark Recent Advances in Computer Science 2013 * Intrusion detection using an ensemble of intelligent paradigms SrinivasMukkamala &&All Journal Network and Computer Applications 28 2005 * A Machine Learning Approach to Detecting Attacks by Identifying Anomalies in Network Traffic MatthewVincent Mahoney May 2003 Florida Institute of Technology * A Detailed Analysis of the KDD CUP 99 Data Set MahbodTavallaee &&All Proceding of the 2009 IEEE Symposium on Computational Intelligence in Security and Defense Application eding of the 2009 IEEE Symposium on Computational Intelligence in Security and Defense Application CISDA 2009 * Protocole Type Based Intrusion Detection Using RBF Neural Network AslihanOzkaya &Bekir Karlik International Journal of Artificial Intelligence and Expert Systems 3 2012 * Towards A New Architecture of Detecting Networks Intrusion Based on Neural Network GBhl Djionang Tindo International Journal of Computer Networks and Communications Security 5 1 2017 * Network Intrusion Detection Systems based Neural Network:A Comparative Study LekagningBerlin GilbertDjionang Tindo International Journal of Computer Applications 157 5 January 2017 * PhilippeLeray Gallinari «Patrick Feature Selection with Neural Networks 1998 26 * Segmentation d'images par morphologie mathématique et classification de données par réseaux de neurones : Application a la classification de cellules en cytologie des séreuses OlivierLezoray « 2000 UNIVERSITE de CAEN/BASSE-NORMANDIE janvier * sélection et extraction d'attributs pour les problèmes de classification" THESE UNIVERSITE de LILLE janvier ELSaba Ferchichi 2013 * Feature selection for classification. Intelligent Data Analysis MDash HLiu 1997 1 * José Crispín HERNÁNDEZHERNÁNDEZ « Algorithmes métaheuristiques hybrides pour la sélection de gènes et la classification de données de biopuces » THESE UNIVERSITE de ANGERS novembre 2008 * sélection et extraction d'attributs pour les problèmes de classification" THESE UNIVERSITE de LILLE janvier ELSaba Ferchichi 2013 * An introduction to variable and feature selection IGuyon AElisseeff Journal of Machine Learning Research 3 998 2003. October * Artificial Neural Networks for Misuse Detection JamesCanady Proceedings, National Information Systems Security Conference (NISSC ) National Information Systems Security Conference (NISSC ) 98 * les réseaux de neurones GDreyfus Mécanique Industriel et Matériaux 51 1998 septembre * Intruision recognition using neural networks VladimirGolovko PavelKochurko International Scientific Journal of computing 4 2005 * On Attack-Relevant Ranking of Network Features AdelAmmar KhaledAl-Shalfan IJACSA) International Journal of Advanced Computer Science and Applications 6 11 2015