OPTIMAL FEATURE SELECTION FOR FIREWALL LOG CLASSIFICATION USING RANDOM FOREST AND HYBRID METAHEURISTIC ALGORITHMS



Introduction
Computer firewalls are used to ensure that the network is functioning properly and safely. In particular, as the security of personal information [1] becomes more important and robust, networks need to be protected with care. Firewall logs are key evidence for identifying intruder attacks, including insider and outsider threats [2]. In addition to the traditional classification methods, the development of machine learning and deep learning has led to studies on log classification and intrusion prevention using these techniques [3,4,6,7,8]. Log analysis and intrusion detection should classify efficiently with fewer parameters so that the response is quick. At present, the number of features used for classification or regression is based on the researcher's experience. For this reason, research is also being conducted on selecting the optimal parameters required for machine learning. These approaches have mainly been designed around information gain and genetic algorithms [9]. In addition, studies have been conducted on selecting the optimal parameters using reinforcement learning [10] and Bayesian optimization [11,12]. In this paper, we performed an optimal feature search using the bee swarm optimization algorithm (BSO) together with reinforcement learning [13] for firewall log classification.

Data acquisition
In this paper, we used the Internet Firewall Data Data Set [4] from the UCI Machine Learning Repository [5]. The data contain 11 features and 4 labels. There are 65532 data points in total. The data profile is shown in Table 1. The 11 features are bytes, bytes received, bytes sent, destination port, elapsed time, NAT destination port, NAT source port, packets, packets received, packets sent, and source port, and the 4 labels are allow, deny, drop, and reset-both.

Method
For feature selection, we used a fusion of BSO and reinforcement learning [13]. First, bee swarm optimization is an algorithm inspired by the social behavior of bees. Each bee is an object that works with the others to solve the optimization problem, and in each iteration the bees evaluate feature combinations against a fitness function. The fitness function of this experiment is set to the average accuracy. Second, reinforcement learning refers to an algorithm in which an agent defined in an environment recognizes the current state and, among the available actions, finds the one that maximizes the reward. The reinforcement learning algorithm applied in this paper is Q-learning [14].
The local search and experience of the bees are replaced by the Q-learning algorithm. In this process, the reward is given differently depending on the accuracy of the current and next states. If the next state accuracy is higher than the current state accuracy, the reward is set to the next state accuracy, and if the current state accuracy is higher, the reward is set to (next state accuracy - current state accuracy). Additionally, if the number of features in the current state is greater than the number of features in the next state, the reward is set to (1/2 * next state accuracy). In the opposite case, the reward is set to (-1/2 * next state accuracy). As a result, the agent tries to reach the best accuracy while using fewer features. Moreover, to reduce the search space, we applied the XOR operation to the best solution and the current state solution.
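The reward rule and Q-learning step described above, written out as an added Python example (not the authors' code). The toy fitness function, the hyper-parameter values, the one-bit-flip action set and the use of the feature-count rule only when the two accuracies tie are assumptions; the XOR step is not modelled.

```python
import random

# The 11 features listed in the Data acquisition section; bit i selects FEATURES[i].
FEATURES = ["bytes", "bytes received", "bytes sent", "destination port",
            "elapsed time", "NAT destination port", "NAT source port",
            "packets", "packets received", "packets sent", "source port"]
N = len(FEATURES)

def reward(acc_cur, acc_next, n_cur, n_next):
    """Reward for moving from the current feature subset to the next one."""
    if acc_next > acc_cur:
        return acc_next
    if acc_next < acc_cur:
        return acc_next - acc_cur
    # Assumption: the feature-count rule is used when the accuracies tie.
    return 0.5 * acc_next if n_cur > n_next else -0.5 * acc_next

# Constructed stand-in for random-forest average accuracy (not real results):
# each of four "informative" bits adds 0.1 to a 0.5 baseline.
INFORMATIVE = sum(1 << FEATURES.index(f) for f in
                  ("destination port", "packets", "elapsed time", "packets received"))

def toy_fitness(mask):
    return 0.5 + 0.1 * bin(mask & INFORMATIVE).count("1")

def rank(mask, fitness):
    """Order subsets by accuracy first, then by fewer features."""
    return (fitness(mask), -bin(mask).count("1"))

def q_local_search(start, fitness, steps=300, alpha=0.1, gamma=0.9, eps=0.2, seed=0):
    """Q-learning walk over feature subsets; an action flips one feature bit."""
    rng, q, state, best = random.Random(seed), {}, start, start
    for _ in range(steps):
        if rng.random() < eps:                      # explore
            action = rng.randrange(N)
        else:                                       # exploit current Q estimates
            action = max(range(N), key=lambda a: q.get((state, a), 0.0))
        nxt = state ^ (1 << action)
        if nxt == 0:                                # never evaluate the empty subset
            continue
        r = reward(fitness(state), fitness(nxt),
                   bin(state).count("1"), bin(nxt).count("1"))
        future = max(q.get((nxt, a), 0.0) for a in range(N))
        old = q.get((state, action), 0.0)
        q[(state, action)] = old + alpha * (r + gamma * future - old)
        state = nxt
        if rank(state, fitness) > rank(best, fitness):
            best = state
    return best

def selected(mask):
    return [f for i, f in enumerate(FEATURES) if mask >> i & 1]
```

To use it on real data, replace `toy_fitness` with a function that trains a random forest on the selected columns and returns its average accuracy.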

Hyper-parameter setting
Table 2 shows the hyper-parameters applied to this experiment. The parameters were chosen empirically.

Results
The optimal combination of features selected by the feature selection method is destination port, packets, elapsed time, and packets received. Figure 1 shows how often each feature was selected over all iterations. Performance was evaluated by average accuracy, average macro-averaged precision (Macro-precision), average macro-averaged recall (Macro-recall), and average macro-averaged F1 (Macro-F1) score. We compared the results for the optimal selected features with the case of applying all features. The results are shown in Table 3.

Discussion and Conclusion
In this paper, we classified firewall logs using optimal features chosen by the BSO with reinforcement learning feature selection method. The results with the optimal features outperformed those with all features, and the method could be applied to firewall log analysis that performs log classification using only a few features. In future work, we will consider hyper-parameter selection for the algorithms to obtain good results.

Figure 1: Feature selection frequency result using BSO with reinforcement learning

Table 1: Data profile

Table 2: Parameter values of the experiments

Table 3: Performance evaluation result
Columns: Feature selected, Average accuracy, Average Macro-precision, Average Macro-recall, Average Macro-F1 score