Implementation of Network Intrusion Detection System Using Soft Computing Algorithms ( Self Organizing Feature Map and Genetic Algorithm )

In today’s world, computer network is evolving very rapidly. Most public or/and private companies set up their own local networks system for the purpose of promoting communication and data sharing within the companies. Unfortunately, their data and local networks system are under risks. With the advanced computer networks, the unauthorized users attempt to access their local networks system so as to compromise the integrity, confidentiality and availability of resources. Multiple methods and approaches have to be applied to protect their data and local networks system against malicious attacks. The main aim of our paper is to provide an intrusion detection system based on soft computing algorithms such as Self Organizing Feature Map Artificial Neural Network and Genetic Algorithm to network intrusion detection system. KDD Cup 99 and 1998 DARPA dataset were employed for training and testing the intrusion detection rules. However, GA’s traditional Fitness Function was improved in order to evaluate the efficiency and effectiveness of the algorithm in classifying network attacks from KDD Cup 99 and 1998 DARPA dataset. SOFM ANN and GA training parameters were discussed and implemented for performance evaluation. The experimental results demonstrated that SOFM ANN achieved better performance than GA, where in SOFM ANN high attack detection rate is 99.98%, 99.89%, 100%, 100%, 100% and low false positive rate is 0.01%, 0.1%, 0%, 0%, 0% for DoS, R2L, Probe, U2R attacks, and Normal traffic respectively.


General Introduction
In computer security field, an attacker or a hacker can be understood as an unauthorized user attempts to penetrate the security defenses and gain access to the network system in order to violate the integrity, confidentiality and availability of resources.The hackers constantly invent new attacks and disseminate them over the internet [1].Securing network is a delicate step to protect a company from the most common risks emanating from the Internet as well as from its own local network system.To prevent attacks or to reduce their severity, many solutions exist but no one can be considered satisfactory and complete [2].
An Intrusion Detection System (IDS) is currently a powerful tool used in many companies, institutions, universities and so for to protect their computer systems or/and computer networks from dangerous risks.It is divided into two parts such as Host based IDS and Network based IDS.Network based IDS monitoring all the traffic packets incoming and outgoing through the Internet, whereas Host based IDS is deployed locally on each host computer and monitoring only the host on which it is installed [3].And then, there are two general categories of IDSs [4]: misuse detection and anomaly based.Misuse detection systems are most widely used and they detect intruders with known patterns.The signatures and patterns used to identify attacks consist of various fields of a network packet, like source address, destination address, source and destination ports or even some key words of the payload of a packet.These systems exhibit a drawback in the sense that only the attacks that already exist in the attack database can be detected, so this model needs continuous updating, but they have a virtue of having very low false positive rate.Anomaly detection systems identify deviations from normal behaviour and alert to potential unknown or novel attacks without having any prior knowledge of them.They exhibit higher rate of false alarms, but they have the ability of detecting unknown attacks and perform their task of looking for deviations much faster.
Self Organizing Feature Map Artificial Neural Network (SOFMANN) is unsupervised learning algorithm.For that reason, no human assistance needed during the training process.It is used in varied domains like in computer security as detector module.It can detect both known and novel attacks.Each sample data point from the input data space is shown in parallel to all the neurons in the SOM, and the winner is chosen to be the neuron that responds best [5].It is a delicate algorithm used for visualization and presentation of complex data.It converts the input nodes from high dimensional to the low dimensional output nodes (1-D, 2-D or 3-D).
Genetic Algorithm (GA) operates on a population of potential solutions applying the principle of survival of the fittest to produce better and better approximations to the solution of the problem that GA is trying to solve and at each generation, a new set of approximations is created by the process of selecting individuals according to their level of fitness value in the problem domain and breeding them together using the operators borrowed from the genetic tion, self-learning capabilities, etc.Using GAs for network intrusion detection has proven to be a cost-effective approach [7] [8] [9] [10].Moreover, Self Organizing Feature Maps (SOFM) is chosen among the soft computing algorithms because it is proven technique for automated clustering and visual organization and anomaly detection in IDS.
Our main aim is to provide an intrusion detection system based on soft computing algorithms such as Self Organizing Feature Map Artificial Neural Net-

Problem Statement
Most public or/and private companies, Banks, Institutions and Universities de- Teuvo Kohonen, Finnish Professor in 1982 known as Kohonen SOFM.It is designed for visualization and representation of huge amount of data, where human brain can easly undastand.And then, the structure of the SOFM is a single feed forward network [11], where each input vector is directory connected to each neuron in the Map.But the neurons in the Kohonen Map are not linked to each other.The number of the input dimensions is usually higher than the output dimensions.It is used in various applications namely image processing, voice recognition, speech recognition, spatial data mapping, data compression, pattern recognition, text mining and so on [12].
The Self Organizing Feature Map is a competitive learning algorithm, where each neuron in the Map competes so that the neuron which responds better is selected as the Best Matching Unit (BMU) or winning neuron.The neurons which are around the winner, is called neighborhood.The weights of the neurons close to the winning neuron are also adjusted but the magnitude of the change depends on the physical distance from the winning neuron and it is also decreased with the time [13].Six stage of the learning process are listed and To determine the Best Matching Unit (BMU), an iterative process is performed by each node in the network and the Euclidean Distance between the weight vector of each node and the current input vector is calculated.The node Journal of Information Security with the weight vector closest to the input vector is labeled as BMU [14].To do that, we have two points such as ( ) , , , n I I I I  known as input vector and ( ) , , , n W W W W  known as weight vector of each neuron.The Euclidean Distance is computed as follows:  Stage 4: The radius of the neighborhood closer to the winning neuron or BMU has the chance to be computed but the farthest one from the Best Matching Unit has no chance to be calculated.The size of the neighborhood decreases progressively with n Epoch.All of the neurons around this radius are labeled neighbors of the winning neuron.To determine the neighborhood in the SOFM network which are closer the BMU, radius must be computed as follows: ( ) ( ) where r(t) means the width of the lattice in time t, 0 r means the width of the lattice in time 0 t , t means a time or an iteration of the epoch and λ means a constant time t (current time).
 Stage 5: Both the Best Matching Unit neuron and its neighborhood weights are adjusted in order to respond better.The closest neurons within the neighborhood are more adjusted than the furthest neurons; where t means the time and K means the learning rate at time t, which decreases progressively in time.And then, the weight at time t + 1 is set to neighborhood nodes from the current instant weight W(t), plus a fraction K(t), the difference between the current weight of "W(t)" neuron and the input vector called I(t), adjusted (theta) based on distance from the BMU [15].In Equation (3) the learning rate at time t can be calculated using an exponential decay function.
( ) ( ) In Equation (3), represents the amount of influence that the distance from one node to the BMU has on their learning, in the current time instant is calculated using Gaussian curve [15].
where D is a distance from one neuron to the winning neuron and r is the radius of the neighborhood.The function also decreases progressively in time.
 Stage 6: Go to Stage 2 if the number of epochs is not reached.

Brief Overview of Genetic Algorithm
Genetic Algorithm is an optimization technique using an evolutionary process [16].Network connection in dataset is represented as chromosome.Fitness Function of Genetic Algorithm is a powerful metric used to evaluate each individual population in the training dataset so as to determine the good solution and to discard the bad one.An evolutionary process of Genetic Algorithm starts where initial population is randomly generated.Each population is now evaluated to find out the best results based on the predefined criteria.For that reason, the fitness value of each population or chromosomes are determined using the Fitness Function.The best fitness values are kept and the worst are prunned from the top list.The best individual populations are selected and undergo crossover and mutation to reproduce new children.This new children knwon as new population is applied for the next generation.The process continues until the number of generations or epochs has been terminated.Figure 1 showed the Genetic Algorithm process.
As displayed in Figure 1, Genetic Algorithm (GA) consists of three operators namely selection, crossover or recombination and mutation.

Data Structure
In Genetic Algorithm data structure is represented as chromosome.The rules to match the attacks are randomly generated and are encoded as an integer array with seven attributes, as displayed in Table 1.The first six attributes of the chromosome match the condition A of an attack.The seventh attribute identifies the attack type that the first six attributes identify when they match.The same data representation is also used by Ms.Lata Jadhav [16].

The Existing and Improved Traditional Fitness Function
Traditional   The obtained results trained with the existing traditional Fitness Function is displayed on Figure 4 and the obtained results trained with the improved traditional Fitness Function is shown on Figure 5.
However, after computation of fitness value using both formulas, the fitness value of 90.6% found using the improved traditional Fitness Function is greater than the fitness value of 83.2% obtained using the existing traditional Fitness Function.It was concluded that the best population individual's fitness value obtained from the improved traditional Fitness Function has chance to identify attack types successfully.For that reason, this improved trational Fitness Function will be applied in our experiments to generate best rules used in identifying malicious attacks from the KDD Cup 99 and 1998 DARPA dataset.

Crossover and Mutation Operators
1) Individual Crossover Operator Journal of Information Security   In the crossover operation, the best population individuals undergo crossover operator, where population individuals randomly selected involved in swapping genes of two parents with one an another to form two new children from each pair of parents.Crossover probability for a pair of parents were used in our experiments for performance evaluation of our implemented system.In Genetic Algorithm, there are three categories of crossover namely one point crossover, two point crossover and uniform crossover.Two point crossover technique will be used in our experiments.Figure 6 shows a sample of crossover operator.
2) Individual Mutation Operator Mutation operator participates in modifying one or more genes value of single population individual due to the repeated use of crossover operator.For our experiment, mutation probability was employed.Figure 7 shows a sample of mutation operator carried out on single population individual.

Related Work
An Intrusion Detection System is a powerful tool used to secure company's data from risks emanating from the public Internet as well as from their own local network system.Too many papers based on an IDS were published and some contributions were given.And thus, multiple soft computing algorithms were also used to support an Intrusion Detection System for reducing False Negative rate and False Positive rate generated by Anomaly detection method and Signature detection method.Most of them are Genetic Algorithms, Self Organizing Feature Maps Neural Network, Fuzzy Logic and so for.When used for intrusion detection, soft computing is a general term for describing a set of optimization and processing techniques that are tolerant of imprecision and uncertainty [19].In 2012, Xueying Jiang and Kean Liu [20] described some of the issues of SOM neural network algorithm such as: false alarm rate, false negative rate, training time and give an improved anomaly detection SOM algorithm.They also give the intelligent detection model and the model of the training module, designed the main realization of FPSOM neural network algorithm.The simulation experiments were carried out in KDDCUP data sets.In 2009, E. J. Palomo, E. Domnguez, R. M. Luque, and J. Muoz [21] proposed a neural network model based on self organization for detecting intrusions.Growing Hierarchical SOM (GHSOM) was proposed to addresse the limitations of the SOM related to the static architecture of this model.KDD Cup 1999 benchmark was used for training the proposed GHSOM.In 2015, EMIRO DE LA HOZ FRANCO and ANDRES ORTIZ GARCIA [14] provided an implementation of an Intrusion Detection System based on Self Organizing Map and identified a methodology to validate the effectiveness of an Intrusion Detection Systems proposed in three phases (selection, training and classification) using FDR to feature selection and Self Organizing Maps to training-classification.In 2014, Kruti Choksi and Prof. Bhavin Shah [5] presented a survey which focused on IDS using Self Organizing Map and their survey shows that the existing IDS based on SOM have poor detection rate for U2R and R2L attacks.To overcome these issues, the improvement should be conducted.The normalization technique should be used to improve it.During the survey they also found that HSOM and GHSOM are advance model of SOM which have their own unique feature for better performance of IDS.In 2009, M. Bahrololum, E. Salahi and M. Khaleghi [22] proposed a new approach to design the system using a hybrid of misuse and anomaly detection for training of normal and attack packets respectively and the combination of unsupervised and supervised Neural Network (NN) for Intrusion Detection System were used.By the unsupervised NN based on Self Organizing Map (SOM), attacks will be classified into smaller categories considering their similar features.In 2006, Liberios VOKOROKOS and Anton BAL [23] present intrusion detections systems and design architecture of intrusion detection based on neural network self organizing map and described base problematic of neural network and intrusion detection system.Their work deals with specific design of intrusion detection architecture based on user anomaly behavior.
In the work done by B. Abdullah [6], he implemented an Intrusion Detction System by using Genetic Algorithm.Genetic parameters were discussed and implemented.He also applied a linear structure rule to classify normal connections and abnormal connections successfully.KDD99 Benchmark was evaluated with the implemented system.The obtained results showed high detection rate 99.87% and low False Positive rate 0.003%.His results were compared with available machine learning technique.Nitin Gupta [24] for him, he carried out an implementation of a network Intrusion Detction System using Genetic Algorithm to detect Denial of Service attacks.The implemented IDS was used to detect network intrusions.Fitness and Probabilistic approach were used to compute the optimality of the proposed new attack pattern.NSL-KDD dataset was used for training and testing purpose.Thus, Ms. Lata Jadhav [16], he implemented an IDS using Genetic Algorithm approach to derive the set of classification rules from audit data and traditional fitness function with support-confidence framework was used to measure the quality of each rule.The generated rules were used to detect or identify network intrusions.Experimental results show high detection rates based on Benchmark DARPA dataset.

Proposed Network Intrusion Detection System Framework
Our

Datasets Mining Phase
For the first phase of our system, the datasets to be mined with our proposed

Preprocessing Phase
Genetic Algorithm (GA) and Self Organizing Feature Maps Neural Network (SOFM) cannot handle symbolic features.For that reason, two subsets training and testing dataset from KDD Cup 99 dataset were picked, the transformation of string to numerical value were carried out, the normalization of the transformed data was done and suitable network features were selected for better accuracy.
The preprocessing phase of our proposed system consists of three parts, as can be seen in Figure 8:  Extraction of datasets: Training and testing datasets were picked from KDD Cup 99 dataset.These two subsets data were used to measure the performance of GA and SOFM Neural Network in intrusion detection rules. Converting string to numerical values: The network features containing the symbolic form named protocol type, Service and Flag were converted to numerical values by affecting unique number for each network feature. Normalization of the numerical values: After conversion to numerical values, we then convert the numerical vector into the binary or normalized (in interval [0,1]) [27], this was done 1) to ensure that one feature did not overpower another (for those with large units) and 2) to speed up training and convergence time by using smaller numbers and the precise method is represented by this equation: where X represents each column in the dataset.
 Network features selection: 41 network features in the KDD Cup 99 dataset were selected and trained, tested with Genetic Algorithm and Self Organizing Feature Map Artificial Neural Network.And 7 network features in 1998 DARPA dataset was selected and trained with Genetic Algorithm for producing rules used in identifying network attacks.

Training and Testing Phase Using GA and SOFM
The GA in an offline environment, whereas, in the testing phase, the generated rules are used to classify incoming network connections in the real time environment and once the rules are generated, the intrusion detection is simple and efficient [6].

The Proposed Architecture of SOFM Artificial Neural Network
The proposed architecture of Self Organizing Feature Map ANN is displayed in

Experimental Results
In this section, we present the obtained results using Genetic Algorithm (GA) and Self Organizing Feature Map Artificial Neural Network trained and tested on KDD Cup 99 and 1998 DARPA.The purpose of our experiments is to show the detection rate, False Positive rate and Classification time comparison for different attack types.The experiments were performed on EliteBook 6930p laptop with Intel ® core TM 2 Duo CPU P8600@ 2.40 GHz × 2 and 4 GB of RAM.The operating system was type 64-bit using Debian 9 stretch and hard drive 350 GB.
Our system was implemented using Python 2.7.13.

Performance Measures
To evaluate our system, the two standard metrics of detection rate and false positive rate developed for network intrusions, have been used [6]: Detection rate (DR) is computed as the ratio between the number of correctly detected intrusions and the total number of intrusions, that is False positive (FP) (also said false alarm) rate is computed as the ratio between the numbers of normal connections that are incorrectly classifies as intrusions and the total number of normal.

Self Organizing Feature Map and Genetic Algorithm Training Parameters
Table 3 displayed the used Genetic Algorithm training parameters during the traing and testing process of our system.And thus, Table 4 is shown the SOFM training parameters.

Simulation Outcomes Obtained Using GA and SOFM
Our first experiment compares our own solutions generated by our implemented GAIDS which applies the improved traditional Fitness Function as shown on Figure 3 with NetGA [28] which uses traditional fitness function [17] [29] [30], and both are trained with 1998 DARPA training sample dataset bsm.
list [31] using the Genetic Algorithm parameters as displayed in Table 3.
Table 5 shows the rules generated by NetGA and Table 6, Table 7 the rules produced by our Implemented GAIDS.The simulation outcomes produced by NetGA shows that this system was able to print to the standard Table 5. Outcomes from NetGA [28].The overall simulation outcomes and their related statistical calculations are displayed in Table 9, Table 10

Conclusion and Future Work
In the experimental results obtained in the training detection rate comparison work and Genetic Algorithm to network intrusion detection system so as to classify four categories of network attacks including normal traffic namely DOS, Probe, R2L, U2L and Normal.KDD Cup 99 and 1998 DARPA dataset were applied for training and testing the intrusion detection rules.The traditional Fitness Function of Genetic Algorithm was also improved for performance evaluation.The experimental results shown good detection rate and law false positive rate for different attack types trained and tested with SOFM, whereas GA has maintained very high detection rate for different attack types but with high false positive rate which leads to very poor accuracy of anomaly detection system.The main contribution of this work is to demonstrate the performance of the SOFM artificial neural network compared with the GA in the detection rate comparison of different attack types, including normal traffic.The remainder of the paper is articulated into seven sections: Section 2 discusses problem statement.Section 3 presents a brief overview of Self Organizing Feature Map Artificial Neural Network (SOFMANN) and Genetic Algorithm (GA).Section 4 describes related works.Section 5 demonstrates our proposed Network Intrusion Detection System Framework.Section 6 presents the experimental results and Section 7 presents the conclusion and future work.
feat against network attacks by applying varied traditional or advanced security methods namely firewalls, Antivirus and intrusion detection systems.The IT Managers of the companies, Banks, Institutions and Universities suffer from the lack of efficient security methods to secure multiple departments of their Companies, Banks and Universities before computer network attack.It is a challenging security issues for IT Managers of the companies to protect their data and network systems from attacks with rapidly growing volume of network traffic and the number of attacks.Multiple commercials and open source Network Intrusion Detection Systems are currently used in the companies, banks and so far to protect their information and local network systems from attacks.Unfortunately, the Intrusions Detection Systems (IDSs) suffer from high false positive rate generated by Anomaly detection method which leads to very poor accuracy cause no human assistance needed during the learning process.The main role of the SOFM is to transform high dimensional of the input vector randomly chosen to low dimensional (1-D or 2-D).The SOFM algorithm is first developed by

briefly described below:  Stage 1 :
Each neuron's weights in the network of x dimension is randomly initialized;  Stage 2: The randomly selected input vectors from huge amount of training datasets are fred to SOFM network;  Stage 3: The Euclidean Distance between the input vectors and neuron's weights are computed to determine the winning neuron or Best Matching Unit (BMU).

1
Journal of Information Security Before evaluating the individual population from training dataset, the rules to match the attack types must be constructed correctly in order to classify successfull abnormal behaviours and normal traffic.And thus, Too many wildcards in the constructed rules are forbidden because they sometime block the connections and lead to very poor accuracy.The gene representation follows the simple rule if A then B, where if the first six attributes are logically and-ed together are true (A), then the rule matches the attack (B) [16].The rule used to classify network connection in training data as well as U2R attack rlogin is explained below: if (Duration = "0:0:14" and Protocol = "rlogin" and Source_port = 1022 and Destination_ port = 513 and Source_ip = "192.168.1.30"and Destination_ip = "192.168.0.20") then Attack_name = "rlogin".The above rule shows that if a network packet is originated from source IP address 192.168.1.30and source port 1022, and sent to destination IP address 192.168.0.20 and destination port 513 using the protocol rlogin, and the connection duration is 0:0:14 second, then it is a network attack of type rlogin.
Fitness Function was defined by Man Leung Wong and Kwong Sak Leung (2000)[17].It is based on the support-confidence framework and It is a performance measure used to determine the fitness value of individuals in the population.The best individuals in the population are selected according to the predefined fitness value threshhold.The fitness value is evaluated by determining how many attack connections the rule matches[18].The traditional Fitness Function is built with two weights parameters such as w1 and w2 with default values 0.2, 0.8 respectively.Those weights are used to control the balance between the confidence and support during the training.This traditional Fitness Function generates in one hand the rules with low fitness value and the other hand with good fitness value.To increase the fitness value of the generated rules, we have proposed two paramaters such as l1 and l2 known as lifts.The lifts l1 and l2, whose values are in the range of [−1.0.0.1.0],are used to increase the fitness value of the rules used in classifying the attack types, and used also to control the balance between the support and confidence.The generated rule with less fitness value has no chance to identify attack types.On the contrary, the rules with high fitness value have the chance in identifying attack types successful.Figure2shows the existing traditional Fitness Function, whereas Figure3shows the improved traditional Fitness Function.An experimental assessment of this improved traditional Fitness Function is presented in Section 6.1.1) The existing traditional Fitness Function: N: Total number of network connection rules in the training dataset; |A|: Number of rules match the condition A; |A and B|: Number of network connections match the rule if A then B; w1, w2: weights employed to balance or control support and confidence.Journal of Information Security

Figure 2 .
Figure 2. Existing traditional fitness function perfomed on support-confidence and weights.

Figure 3 .
Figure 3.The improved traditional fitness function perfomed on support-confidence, weights and lifts.

Figure 4 .
Figure 4. Computation of fitness value for population individual rule t trained with the existing traditional Fitness Function.

Figure 5 .
Figure 5. Computation of fitness value for population individual rule t trained with the improved traditional Fitness Function.

Figure 6 .
Figure 6.Crossover operator carried out on two parents to generate two new children.

Figure 7 .
Figure 7. Mutation operator carried out on single population individual.
proposed Network Intrusion Detection System Framework based on soft computing algorithms (Self Organizing Feature Map Artificial Neural Network and Genetic Algorithm) is split into four phases namely: Datasets mining Phase, Preprocessing Phase, Training and Testing Phase.As displayed in Figure 8.

Figure 8 .
Figure 8. Proposed network intrusion detection system framework.
proposed Network Intrusion Detection System based on soft computing algorithms SOFM Artificial Neural Network and GA comprises two modules namely Training and testing phase.In the training phase, a set of classification rules are generated from KDD Cup 99 and 1998 DARPA using the SOFM and

Figure 9 .
Figure 9.Our proposed architecture of Self Organizing Feature Map artificial neural network consists of two layers namely: an input node and an output node.The input nodes indicates 41 network features from KDD CUP 99 dataset, which are symbolized in short form as F1, F2, F3, ..., F40 and F41 means Feature 1, Feature 2, Feature 3 until Feature 41.In other way, we have 41 dimensions of the input nodes.The output nodes consists of five outputs N1, N2, N3, N4 and N5 known as nodes were to classify five class of attack types including normal traffic namely DoS, Probe, R2L, U2L and Normal as classification problem.Each node's map namely N1, N2, N3, N4 and N5 receives 41 coordinates (w11, w12, w13, ..., w140, w141) and each node's Map is connected to each input node but node's Map are not connected to each other in the Kohonen network.The Map dimension was initially set (25,25), epochs were initially set 100, learning rate was initially set 0.2 and neighborhood radius was initially set 16. Our proposed SOFM Neural Network was trained for each class of attack types as classification problem in order to evaluate the performance of the algorithm on individual attacks.

Figure 9 .
Figure 9.The proposed architecture of SOFM artificial neural network.

Figure 10 .
Figure 10.Graph of class distribution of experimental on KDD CUP 99 dataset.

Table 2 .
Sample of a population individual rule t matching against a training dataset.
NIDS are KDD CUP 99 and 1998 DARPA dataset.The KDD CUP 99 is one of the most datasets used to train and to test the intrusion detection rules.The

Table 3 .
GA parameters for performance evaluation.

Table 4 .
Self organizing feature map neural network parameters.

Table 7 .
Outcomes from our implemented GAIDS continued.
module.Table8showed the class distribution of experimental on KDD Cup 99 dataset and the class distribution of our experimental is summarized by the graph of Figure10.

Table 8 .
Class distribution of experimental on KDD CUP 99 dataset.

Table 15
Anomaly detection System.It is very difficult to compare the classification time of each attack types because the training speed depends on various factors such as implementation of the algorithms, condition of the hardware and software

Table 9 .
Training detection rate comparison for different attack types using SOFM on KDD Cup 99.

Table 10 .
Testing detection rate comparison for different attack types using SOFM on KDD Cup 99.

Table 11 .
Generalization detection rate comparison for different attack types using SOFM on KDD Cup 99.

Table 12 .
Training detection rate comparison for different attack types using GA on KDD Cup 99.

Table 13 .
Testing detection rate comparison for different attack types using GA on KDD Cup 99.

Table 14 .
Generalization detection rate comparison for different attack types using GA on KDD Cup 99.

Table 15 .
Detection rate (%) comparisons between GA and SOFM.and size of the training dataset.In general the obtained results in SOFM have maintained both high detection rate and low false positive rate than GA.But GA has maintained very high detection rate but it suffer from very high false positive rate, for that reason, It leads to very poor accuracy of Anormaly detection system. platform