The gradual increase of attacks in sophisticated forms has made security a significant necessity for such networks. The intrusion detection system (IDS) is used to distinguish a legitimate incomer from an intruder. The accuracy of most IDSs is not sufficient. Besides the false alarms that burden the user, it may also hide an attack. A new approach inspired by the honeybee is proposed to overcome such identification problems. The natural honeybee guard faces and solves the same problem, which is recognizing a nest mate from a non-nest mate. In the proposed model, the HoneybeeGuard approach uses a neural network trained by the bees algorithm to provide the best detection rate. The experiments show that the proposed model can detect novel intrusions and reduce false alarms. The training and testing were done using the KDD99 dataset.
Intrusion detection system; honeybee approach; Neural networks; bees algorithm
Computer security has remained a preoccupation through many years of improvement and research. However, a lot of hard work is still needed to settle the critical security problems. An intrusion detection system (IDS) aims to support the essential security issues by scrutinizing every entry and then giving feedback to the user regarding the system's situation. It acts as the "second line of defense" inside the network, giving a clear picture of the threats that a system faces.
Many researchers have argued that social insects' behavior systems provide us with a powerful metaphor that can be applied to problems in intrusion detection systems. The ability to recognize and detect intrusion is critical to the maintenance of the integrity of social insect colonies.
In our case, we lean on the natural honeybee, which faces analogous security problems. Honeybees survive in difficult environments with different levels of threats to security. These threats motivate the bees to detect and respond quickly to any aggressive acts that may attack the colony.
The problem faced by the honeybee guard is the same as the one faced by an IDS, which is distinguishing between the intruder and the nest-mate. The honeybee colony has a small entrance which is patrolled by its workers, called guards, who allow nest-mates in and deter intruders. The entrance guards intercept and examine incomers at the nest entrance and differentiate between nestmates and non-nestmates.
The two methods that the HoneybeeGuard uses to filter incomers, “Undesirable-Absent” and “Desirable–Present”, are applied to IDS. Further details about these methods will be indicated in section.
To take advantage of the new approach, a technique is needed to implement the idea effectively. In our view, the ability to learn is an important requirement of this technique. Besides that, the technique should be able to distinguish between different characteristics after some level of training.
Thus the neural network has been chosen as a component of the model. A neural network has many features, such as the ability to learn, the ability to generalize attributes even with noisy data, and the capability of classifying patterns effectively. These features can be further used to improve detection and reduce false alerts in an intrusion detection system.
Nevertheless, a neural network alone cannot take complete advantage of our approach because it has some drawbacks, such as computational complexity, slow convergence of the learning process, difficulty of parameter settings, and output that may not be ideal, which leads to poor performance. Therefore many global optimization techniques have been proposed to train neural networks in order to tackle these problems and enhance learning efficiency, such as Particle Swarm Optimisation, Ant Colony Optimization, and Genetic Algorithms.
In this paper, an alternative method based on the Bees algorithm is proposed for training neural networks under our approach. The Bees algorithm (BA) is a new optimization algorithm that imitates the natural foraging behavior of bees. It was proposed by Pham et al. and has been successfully applied to different optimization problems, including the training of neural networks for wood defect identification and control chart pattern recognition, where it showed better results than other methods. To the best of our knowledge, training a neural network with the Bees algorithm to improve the performance of an intrusion detection system has not been addressed in the literature. Here we extend this algorithm to classification and demonstrate its effectiveness in intrusion detection.
Security Aspects in Natural Honeybee:
The similarities between computer security problems and those encountered by honeybees can be seen by interpreting honeybee colony behavior as computer security conduct. Security aspects are emphasized in honeybee colony behavior: confidentiality and integrity have high priority in the colony; special guard bees scrutinize every entering individual and elicit a colony defense when non-nest members try to intrude. Guards protect their nest and its contents from various robbers, including bees from other colonies.
Availability means enabling any nest member to access the nest at any time and to use the resources with recognized rights. Accountability means examining other bees not only at the nest entrance but also inside the nest. The early-warning system which the honeybee uses to detect threats and identify the intruder keeps the nest system always safe. Correctness means participating in nest defense; many bees from the comb rush to join the group to defend their colony from intruders. The multilayer protection in the honeybee colony and the diversity of its defenses can be viewed as a typical framework of a detection system. Detection, or recognition, is essential in maintaining integrity in the honeybee colony as well as in the IDS. Indeed, the similarity of the problem continues to match up at a deeper level with computer security.
A neural network is a set of simple units called neurons working in unison to solve specific problems. It is inspired by the way biological nervous systems, such as the brain, process information. Signals can be passed between neurons through a series of weighted connections. NNs, like people, learn by example.
When an input is presented, the network estimates an output. The input-output pair is used to determine the output by adjusting the strengths of the connections until they can approximate a function that computes the proper output for a given input. With every modification, the network becomes closer to the desired output.
A neural network is configured for a specific application, such as pattern recognition or data classification, through a learning process, which gives neural networks several advantages in the field of classification. Thus the neural network will be used as a component of our approach for improving an intrusion detection system.
1. Real bees
Bees live in highly organized societies that communicate and exchange information about food sources using a movement called the "waggle dance". The waggle dance contains specific signals that reveal important information. For example, if a bee wants to advertise a new location of a food source, it performs a series of waggle dance runs with semicircular rounds, pointing in a direction related to the sun's position and the x-axis. A longer duration of dancing means a more profitable source, which as a consequence will attract the watching bees to visit the place.
For more details about the foraging process, reader is referred to .
2. Bees Algorithm
The BA divides the bees into groups based on their labor: the scout bees (n), elite bees (e), recruited bees for selected sites (nep), and recruited bees for non-selected sites (m-e). The sites are also divided into elite sites (which are visited by elite bees) (e) and other sites which are not selected by elite bees (m). Besides that, other factors must be set for the BA: the initial size of each patch (ngh) (a patch is a region in the search space that includes the visited site and its neighbourhood), and the stopping criterion. The pseudo code of the Bees Algorithm is shown in
Pseudo code of bees algorithm 
The BA starts with n scout bees randomly distributed over the search space as the initial population. After initialization, the fitness of the sites visited by the scout bees is evaluated in step 2. The bees that have the highest fitness are selected as "elite bees" and the sites visited by them are chosen for neighbourhood search in step 4. In step 5, bees are recruited for the selected sites, with more bees employed for the elite sites (which are visited by the elite bees). In the same step, the fitnesses are evaluated. In other words, the searches near the best elite sites, which represent the more promising solutions, are made more detailed by directing more bees to them than to the other sites. Differential recruitment, alongside scouting, is a very significant operation of the BA. Then, based on the fitness evaluated in the previous step, the fittest bee is selected to generate the next bee population in step 6. This restriction does not occur in nature, but it is required to reduce the number of points to be explored. In step 7, the remaining bees in the population are distributed randomly to scout for new solutions around the search space.
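The steps described above, as an added example (not code from the paper): a Python sketch of the Bees Algorithm searching the weights of a small 2-3-1 sigmoid network. The dataset is constructed, the network size and parameter values are illustrative, m is taken here as the number of selected sites (of which e are elite), and nsp (recruits for the non-elite selected sites) is a name assumed here; labels use 1 for normal and 0 for attack.

```python
import math
import random

N_IN, N_HID = 2, 3                      # illustrative 2-3-1 network (assumption)
DIM = N_HID * (N_IN + 1) + N_HID + 1    # 13 weights, biases included

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-max(-60.0, min(60.0, z))))

def forward(w, x):
    """Output of the network for input x, given the flat weight vector w."""
    hidden, k = [], 0
    for _ in range(N_HID):
        hidden.append(sigmoid(sum(w[k + i] * x[i] for i in range(N_IN)) + w[k + N_IN]))
        k += N_IN + 1
    return sigmoid(sum(w[k + j] * hidden[j] for j in range(N_HID)) + w[k + N_HID])

def mse(w, data):
    """Fitness of a site: mean squared error over the records (lower is fitter)."""
    return sum((forward(w, x) - y) ** 2 for x, y in data) / len(data)

def make_data(seed=0, per_class=20):
    """Constructed two-feature records: label 1 = normal, 0 = attack."""
    rng = random.Random(seed)
    data = []
    for _ in range(per_class):
        data.append(([rng.gauss(0.2, 0.08), rng.gauss(0.3, 0.08)], 1))
        data.append(([rng.gauss(0.8, 0.08), rng.gauss(0.7, 0.08)], 0))
    return data

def bees_algorithm(data, n=20, m=6, e=2, nep=6, nsp=3, ngh=0.5, iters=40, seed=1):
    """Each bee is one weight vector. Returns (best weights, best error per iteration)."""
    rng = random.Random(seed)
    fitness = lambda w: mse(w, data)
    scout = lambda: [rng.uniform(-1.0, 1.0) for _ in range(DIM)]
    # Steps 1-2: random initial population of n scouts, evaluated and ranked.
    pop = sorted([scout() for _ in range(n)], key=fitness)
    history = [fitness(pop[0])]
    for _ in range(iters):
        nxt = []
        for rank, site in enumerate(pop[:m]):        # step 4: sites chosen for neighbourhood search
            recruits = nep if rank < e else nsp      # step 5: more bees for the elite sites
            patch = [site] + [[wi + rng.uniform(-ngh, ngh) for wi in site]
                              for _ in range(recruits)]
            nxt.append(min(patch, key=fitness))      # step 6: keep the fittest bee of each patch
        nxt += [scout() for _ in range(n - m)]       # step 7: remaining bees scout at random
        pop = sorted(nxt, key=fitness)
        history.append(fitness(pop[0]))
    return pop[0], history

if __name__ == "__main__":
    data = make_data()
    best, history = bees_algorithm(data)
    hits = sum((forward(best, x) >= 0.5) == (y == 1) for x, y in data)
    print(f"error {history[0]:.4f} -> {history[-1]:.4f}, {hits}/{len(data)} records correct")
```

Because each patch keeps its current site as a candidate, the best error in the population can never get worse from one iteration to the next.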
- Proposed approach using Undesirable-Absent & Desirable-Present
The two methods that HoneybeeGuard uses to filter the incomer are “undesirable–absent” and “desirable–present”. A HoneybeeGuard would accept incomers because they do not contain the undesirable characteristics (U-absent); these undesirable characteristics are seen on almost all intruders but not on valid incomers. On the other hand, the system would also accept incomers because they have the desirable characteristics (D-present). These characteristics would be seen on most entries. However, if a system uses D-present only, it will make a large number of acceptance errors and a smaller number of rejection errors.
In the proposed approach, the system starts with the U-absent detector to ensure the incoming records are free from undesirable characteristics, and then these packets are forwarded to D-present.
At the D-present detector, all received packets are verified to ensure that each one has the desirable characteristics. If not, the abnormal packets flow back to the UA detector so that the features of these abnormal packets are added to the undesirable characteristics. The figure shows the diagram of the HoneybeeGuard approach.
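The flow described above (U-absent first, D-present second, abnormal records fed back to UA), as an added example that is not code from the paper. The distance-based PrototypeDetector is a stand-in assumed here for the paper's trained neural networks, and the records, radii and class names are constructed for illustration.

```python
import math

class PrototypeDetector:
    """Stand-in for a trained detector: remembers example vectors, matches by distance."""
    def __init__(self, examples, radius):
        self.examples = [tuple(e) for e in examples]
        self.radius = radius

    def matches(self, record):
        return any(math.dist(record, e) <= self.radius for e in self.examples)

    def learn(self, record):
        self.examples.append(tuple(record))

class HoneybeeGuard:
    def __init__(self, attacks, normals, ua_radius=0.15, dp_radius=0.15):
        self.ua = PrototypeDetector(attacks, ua_radius)  # undesirable characteristics
        self.dp = PrototypeDetector(normals, dp_radius)  # desirable characteristics (template)

    def inspect(self, record):
        # U-absent: reject anything that shows known undesirable characteristics.
        if self.ua.matches(record):
            return "reject:UA"
        # D-present: accept only what is close enough to the normal template.
        if self.dp.matches(record):
            return "accept"
        # Abnormal record flows back so UA recognises it directly next time.
        self.ua.learn(record)
        return "reject:DP"

# Constructed sample data (two features per record).
KNOWN_ATTACKS = [(0.90, 0.90)]
NORMAL_TEMPLATE = [(0.20, 0.20), (0.30, 0.25)]
STREAM = [
    (0.22, 0.21),  # normal traffic
    (0.88, 0.93),  # known attack
    (0.10, 0.90),  # novel attack, unknown to UA
    (0.12, 0.88),  # the same novel attack seen again
    (0.40, 0.35),  # borderline record near the edge of the normal template
]

def demo(dp_radius):
    """Run the stream through a fresh guard; return decisions and UA's example count."""
    guard = HoneybeeGuard(KNOWN_ATTACKS, NORMAL_TEMPLATE, dp_radius=dp_radius)
    decisions = [guard.inspect(r) for r in STREAM]
    return decisions, len(guard.ua.examples)

if __name__ == "__main__":
    for radius in (0.15, 0.10):
        print(radius, *demo(radius))
```

With dp_radius=0.10 the borderline record is rejected and learned by UA as undesirable; since the flow-back is not verified, every DP false positive ends up in UA's undesirable set, so the number of learned records is worth tracking.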
- Experimental Study
1. KDD 99 data set
Many researchers use the KDD 99 data set for evaluating intrusion detection systems or methods. The KDD99 intrusion detection evaluation data is based on the 1998 DARPA initiative. The project was carried out in 1998 and 1999 by the Defense Advanced Research Projects Agency (DARPA) and the Air Force Research Laboratory (AFRL), and was known as the 1998 DARPA Intrusion Detection Evaluation (KDD data set, 1999). Although some researchers criticize KDD 99, it is still the most popular dataset used by many researchers to test and evaluate IDSs.
For the purposes of evaluation, the KDD 1999 version contains four main categories of known attacks, characterized as: probing (PRB), denial-of-service (DOS), User to Root (U2R) and Remote to Local (R2L). In particular, R2L attacks occur when an unauthorized intruder tries to gain access to a local machine, whereas U2R attacks happen when an intruder has the privilege to access a specific machine but tries to gain higher privilege (i.e. root or administrator privilege). DOS attacks take place when an intruder tries to prevent system resources from being used by legitimate users. PRB attacks occur when an intruder tries to gather information by scanning the network, to be used for attacking the target host in future.
The KDD Cup 1999 contest provides a huge amount of data in the training set (around 5 million instances), which makes training difficult and impractical for most learning methods. Therefore, a sample, the KDD99 10% version, is offered for evaluation; this sample contains 494,021 connection records, with 22 attack types (80.14% attacks) and one normal connection (19.86% normal) in the training dataset, whereas the KDD99 testing set contains 311,029 records, with 37 attack types (80.52% attacks) and one normal connection (19.48% normal); that means 15 attacks (6.02% new attacks) are not seen in the training set. In our experiment we select the "10 % KDD 99" for training. More details about features and attack types can be seen in [14,6].
2. Data Preprocess
We use KDD 99 as a benchmark for intrusion detection evaluation because it is widely accepted by many researchers and because a baseline evaluation is needed to compare our work with others; however, KDD 99 has certain drawbacks. These drawbacks relate to the distribution of the data and can be identified as:
- Fewer examples of normal instances in comparison to the attack types.
- Imbalanced distribution of attack types (not represented equally): the DOS attack types dominate the majority of the distribution, while others like U2R and R2L are not represented adequately.
In order to train the Neural Network for intrusion detection efficiently, the data need to be classified. As mentioned previously, the inequality of attack types will lead the Neural Network to identify some of the attack types that appeared a lot during the training phase.
In addition to that, the set of features presented in KDD 99 contains both numerical and categorical features (41 features: 34 continuous, 7 categorical). We map the alphanumeric characters to numerical values (for example, to encode the "protocol", assign "0" for tcp, "1" for icmp, "2" for udp), then assign numeric values to the class label for the type of attack. Also, the label of each record is coded: 1 for "normal" and 0 for "attack". We apply all 41 features to determine the features of attack types. In fact, the 6 basic features are adequate to train the NN and are capable of identifying most attacks. However, selecting the 41 features is more suitable for covering all attack types and is also essential to reduce false alarms [A hierarchal SOM].
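The encoding step described above, as an added example that is not code from the paper. The protocol codes and the 1/0 label coding are the ones stated in the text; the first-seen numbering of service and flag values, the subset of attack labels mapped to categories, and the constructed sample records are assumptions of this sketch.

```python
PROTOCOL = {"tcp": 0, "icmp": 1, "udp": 2}   # encoding given in the text
# Subset of KDD 99 labels and the attack category each belongs to.
CATEGORY = {
    "normal": "NORMAL",
    "smurf": "DOS", "neptune": "DOS", "back": "DOS",
    "ipsweep": "PRB", "portsweep": "PRB", "nmap": "PRB", "satan": "PRB",
    "guess_passwd": "R2L", "warezclient": "R2L",
    "buffer_overflow": "U2R", "rootkit": "U2R",
}
N_FEATURES = 41

class KddEncoder:
    """Turns one comma-separated KDD 99 record into (features, label, category).

    The service and flag code tables grow as new values are seen, so the same
    encoder instance must be used for the training and the test records.
    """
    def __init__(self):
        self.service = {}
        self.flag = {}

    @staticmethod
    def _code(table, value):
        # First-seen numbering (assumption): a new value gets the next free integer.
        return table.setdefault(value, len(table))

    def encode(self, line):
        fields = line.strip().rstrip(".").split(",")   # labels end with a dot
        if len(fields) != N_FEATURES + 1:
            raise ValueError(f"expected {N_FEATURES} features and a label, got {len(fields)} fields")
        *feat, label = fields
        if feat[1] not in PROTOCOL:
            raise ValueError(f"unknown protocol {feat[1]!r}")
        feat[1] = PROTOCOL[feat[1]]
        feat[2] = self._code(self.service, feat[2])
        feat[3] = self._code(self.flag, feat[3])
        x = [float(v) for v in feat]
        y = 1 if label == "normal" else 0              # 1 = normal, 0 = attack
        # Attack labels absent from the training map are reported as UNKNOWN.
        return x, y, CATEGORY.get(label, "UNKNOWN")

def sample_record(protocol, service, flag, label):
    """Constructed record in KDD 99 layout: 41 features (zeros as filler) plus a label."""
    return ",".join(["0", protocol, service, flag] + ["0"] * 37 + [label]) + "."

if __name__ == "__main__":
    enc = KddEncoder()
    for rec in (sample_record("tcp", "http", "SF", "normal"),
                sample_record("icmp", "ecr_i", "SF", "smurf"),
                sample_record("udp", "private", "SF", "mscan")):
        x, y, cat = enc.encode(rec)
        print(x[:4], y, cat)
```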
3. Training phases:
- Undesirable absent training phase (Misuse):
In the natural honeybee, the guard detects the non-nestmate by detecting the undesirable characteristics that the incomer possesses. In our experiment, the attack types in KDD 99 represent the undesirable characteristics. In "10% KDD" there are 396.744 records containing attacks. These records are distributed into the major types of attack. Table 1 summarizes the distribution of attack types of connection records in the training dataset. Here, under the UA phase, the NN is trained to recognize the characteristics of attacks only, in order to classify these characteristics as undesirable later, during the testing phase. The test data has additional attack types not present in the training data, and its distribution is also different from that of the training data set. Table 2 shows the distribution of the test data.
As indicated in section, the NN is trained by the Bees Algorithm. The Bees algorithm corresponds to weights of the neural network. The training phase includes a number of steps as shown in Values of parameters for the bee algorithm were chosen by a trial and error technique. The result of training is an NN with optimal weights. is shown
Table: The records distribution on the subset of 10% data of KDD 99 dataset (columns: Number of records; Records percent (%)).
Table: The records distribution on the test data (corrected KDD Cup 99) (columns: Number of records; Records percent (%)).
Table: The novel attacks record distributions on the test data (corrected KDD Cup 99) (columns: Total number of records; Number of novel attack records).
- Desirable present training phase (Anomaly):
The guard in the natural honeybee observes the behaviour of introduced bees and accepts the incomers who possess the desirable characteristics (D–present). To achieve this, a guard learns the characteristics of the nest mates and uses this learning as a recognition template (Lacy and Sherman, 1983). In our experiment, the desirable characteristics are represented by the normal data in KDD 99. Under the DP phase, the normal data (free from attack) is used for training the NN, to be recognized as desirable characteristics. In "10% KDD" there are 97.277 records containing normal traffic. We use these records "free from attack" to construct the DP. The result of this learning process is an NN which is capable of detecting anomalies in the traffic during the testing phase (the test data "corrected KDD"). Table 4 shows the distribution of normal traffic in the KDD 99 training and testing sets.
Table: columns 10% data of KDD 99 dataset (Number of records; Records percent (%)) and Test data of KDD 99 dataset (Number of records; Records percent (%)).
In fact, distinguishing between intrusion and normal packets may not be this easy if intrusion and normal packets overlap (e.g. the behavior of a Probe attack is similar to Normal activity). Also, if there is only a small similarity between a template and a received packet, discrimination becomes difficult because a guard cannot simply reject a valid packet. However, permitting too much dissimilarity between the template and the characteristics of the received packet will result in accepting more intruders. (The figure illustrates the consequences based on the types of threshold selection.)
In natural honeybee behavior, earlier studies indicated the ability of honeybees to develop templates by referring to groups of individuals (Breed et al., 1985). The information about the intruders is renewed from time to time (source: Renewal process of nestmate recognition template in European honeybee Apis mellifera L. (Hymenoptera: Apidae), K. Harano and M. Sasaki, 2006). In this context, the DP filters the normal connections, and the abnormal packets flow back to train the UA detector. This procedure makes UA more effective by updating its classifier with new records (novel attacks) in real time.
In order to measure the performance of an intrusion detection system, two major performance indicators are used to test the IDS, as follows:
- Probability of detecting an attack (detection rate): this measurement determines the ability of the IDS to detect attacks during such time.
- Probability of issuing a false alarm: this measurement determines the rate of false alarms issued by the system during such time. There are two types of alarms: 1. false positive alarms, which is the number of normal connections labeled as attack; 2. false negative alarms, which is the number of attack connections labeled as normal.
The best performance for a detection system is a compromise between the detection rate and the false alarm rate. The receiver operating characteristic (ROC) curve is used to illustrate the compromise between them.
- UA detector: we apply a four-layer NN: 41 neurons as an input layer, three hidden layers composed, respectively, of 43, 21, and 14 neurons, and one neuron (for "intrusion" or "normal" connection) as an output layer. Only the normal connections (based on the UA detector) flow to DP in order to verify the normal characteristics.
The result for the first implemented intrusion detector is shown in the table. From this table we can deduce the efficiency of our UA detector. DoS got the highest detection rate (99.30%) and the lowest false alarm rate (0.30%). Probe has the next highest DR (99.21%). This can be explained by the fact that the NN learned more about DoS and Probe during the learning process because their records form the majority of the learning data set (10% KDD). However, the R2L and U2R attack categories do not have a high detection rate (70.03% and 73.16% respectively); this can be due to the lack of their representation during the learning phase. Nevertheless, the DP and FD detectors will filter out the intrusion connections and add them to the UA detector to improve its performance. So the novel attacks which did not appear during the training phase will be detected by the next detector and then added to the UA detector, which will increase the detection rate for UA and for the whole system.
- DP detector: in this experiment, the remaining packets, which include normal data plus some abnormal ones that UA couldn't capture, flow to DP.
From the previous experiment we know that most of the intrusion connections have been filtered out by UA. The NN is trained by the bees algorithm to achieve a higher detection rate. As indicated in Section 4.1, only normal data is used for training, with one output node. This anomaly detector recognizes the normal packets and filters out any novel attack, passing it back to UA. The objective of this flow back is to achieve a higher detection rate by increasing the accuracy of UA.
As indicated in section, the DP detector, as an anomaly detector, only identifies whether the packet is normal or abnormal. The abnormal ones, which contain an attack or are suspicious, are flowed back to UA.
To ensure high levels of intrusion rejection, the threshold in DP is made more restrictive when desirable characteristics are not found. Based on that, the DP classifies both types of incoming packets (attack or suspicious) as an attack. It is easier to reject a suspected incomer than to accept it, and this is safer for the system. By using the restrictive threshold, the overlapping problem (identification errors: rejecting a suspicious packet or accepting an intrusion) is solved. The value of the threshold is set empirically.
In the testing stage, overall performance was obtained when the testing data included NORMAL (60593 records), plus the intrusions PROBE (32.9114 records), DoS (1608.971 records), R2L (4851.8433 records), and U2R (61.1952 records) that flowed from UA, which UA couldn't detect.
The result of DP testing is shown in the table. It shows the power of the trained NN in identifying unknown intrusions by detecting the deviation from normal. This anomaly detector (DP) has an overall detection rate of 97.30% and a 2.30% false positive rate.
Table (column: Number of records): Total of records 67148.9209; Total of intrusion 4742.
Before the last step, the performance of the UA detector after the update is evaluated. The novel intrusions which have been detected by DP are added to update the UA detector. 2532 intrusion records (abnormal) were captured by DP and added to the training data of the UA detector.
In the testing phase, the test data is again used to test the UA detector after the last update. The average detection rate for UA shows the improvement of the detector. It shows a high DR of 96.74% and a low FP of 1.62%.
The last step is to measure the overall performance of the HoneybeeGuard system. The results show that HoneybeeGuard has a 97.02% detection rate and 2.69% false alarms.
The performance of the HoneybeeGuard has been compared with some other learning methods tested on the KDD dataset and is shown in Table
Table: methods compared: Winner of KDD; Neural Network Intrusion Detector; PSO+SVM; Genetic + NN.
Based on the results shown in the Table, it can easily be seen that the proposed approach has good performance in detecting known and unknown intrusions in computer networks.
In this paper, a new honeybee-based approach for intrusion detection is presented, and its usefulness is successfully demonstrated on the training and testing subsets of the KDD Cup 99 dataset. The approach is inspired by the natural honeybee's technique of distinguishing between nestmate and non-nestmate. The approach is constructed with two detectors: UA as a misuse detector, which detects the undesirable characteristics and specifies the attacks, and DP as an anomaly detector, which detects deviation from the normal profile. Because of the many advantages of neural networks, a neural network is used as a component of the IDS after being trained by the bees algorithm. The performance of the model has been compared with other recent approaches in the literature. The results of the experiments show that the HoneybeeGuard approach can be successfully applied to improve IDS.
Future work will include developing the flow-back updating of data between the DP and UA by classifying each record into its group before sending it back to UA.