Cloud Security: LKM and Optimal Fuzzy System for Intrusion Detection in Cloud Environment

Abstract In cloud security, intrusion detection system (IDS) is one of the challenging research areas. In a cloud environment, security incidents such as denial of service, scanning, malware code injection, virus, worm, and password cracking are getting usual. These attacks surely affect the company and may develop a financial loss if not distinguished in time. Therefore, securing the cloud from these types of attack is very much needed. To discover the problem, this paper suggests a novel IDS established on a combination of a leader-based k-means clustering (LKM), optimal fuzzy logic system. Here, at first, the input dataset is grouped into clusters with the use of LKM. Then, cluster data are afforded to the fuzzy logic system (FLS). Here, normal and abnormal data are inquired by the FLS, while FLS training is done by the grey wolf optimization algorithm through maximizing the rules. The clouds simulator and NSL-Knowledge Discovery and DataBase (KDD) Cup 99 dataset are applied to inquire about the suggested method. Precision, recall, and F-measure are conceived as evaluation criteria. The obtained results have denoted the superiority of the suggested method in comparison with other methods.


Introduction
Nowadays, cloud computing [23] renders data storage and computing services through the Internet. Cloud computing has speed, scalability, and elasticity, etc. Cloud computing is a general term for anything that admits delivering hosted services over the Internet and managing the data, by the cloud service provider (CSP). At remote locations, the cloud services permit businesses and people to use software and hardware infrastructure that is led by third parties. An increasing number of cloud users raises privacy and security concerns. Data protection becomes a major issue as the user's data are handled by a third party [15]. The number of attacks on computer networks has grown extensively, various new hacking tools and intrusive methods have emerged on a widespread basis. Within a network, using an intrusion detection system (IDS) is one way of handling suspicious activities [22]. An IDS monitors the activities of an afforded environment and decides whether these activities are malicious (intrusive) or legitimate (normal), demonstrated on system integrity, confidentiality, and the availability of information origins [9].
The IDSs may be changed to perform misuse detection or anomaly detection in general [4]. All known abnormal behavior is evaluated, and the system is trained to identify it in misuse detection. It works by equating arriving packet with features of known attack behavior. If any new, not predefined attack arrives, the system would distinguish it as a normal packet, inducing high false negative rate (FNR) [10]. To avoid very high FNR, misuse-based IDS must be retrained very often, sometimes inducing delays in the network [21]. A number of data mining techniques have been introduced to resolve the limitations of the above methods [18]. In the data, an artificial neural network (ANN) is an efficient algorithm to inquire about the intrusion present. However, ANN also has some drawback such as lower detection precision, especially for low-frequency attacks, e.g. Remote to Local (R2L), User to Root (U2R), and weaker detection stability [24].
To provide a better detection technique for inquiring about the intrusion from the dataset by resolving the issues that currently exist in the literary works is a major aim of this research. Hence, for the IDS, we have intended to suggest a novel detection method. Our suggested method contained three stages, namely, clustering, training, and testing. Primarily, we separate the dataset into two subsets such as training and testing. Then, the training dataset is extracted from the given input database. Then, to reduce the complexity, the training data are clustered using leader-based k-means clustering (LKM) algorithm. Then, we train the subset applying the optimal fuzzy logic system (OFLS). In this FLS, the optimal rules are selected using grey wolf optimization (GWO), which will be used to reduce the time complexity and increase the detection accuracy. Finally, based on the fuzzy score, the data are classified as normal or abnormal. The rest of the paper is organized as follows: a brief review of researches associated with the proposed technique is introduced in Section 2. In Section 3, the authors explain the background of the research and suggested IDS. The detailed experimental results and discussions are explained in Section 4. The conclusion is summed up in Section 5.

Related Work
Researchers are more interested in intrusion detection since it is usually maintaining security over the network in the current days. Here, they referred to some of the intrusion detection techniques. Bahram and Nima [8] have implemented IDS and demonstrated its combination of multilayer perceptron (MLP) network, artificial bee colony (ABC) and fuzzy clustering algorithms. Moreover, a honeypot based strategy for intrusion detection/prevention systems has been suggested by Baykara and Das [2]. The developed honey pot server application was combined with IDSs to tested data in real time and to control effectively. Moreover, by equating the advantages of low-and high-interaction honeypots, a superior hybrid honeypot system was performed. Mehrnaz et al. [14] have implemented the reliable hybrid method for an anomaly network-based IDS using ABC and AdaBoost algorithms in order to gain a high detection rate with the low false positive rate.
Similarly, the Collaborative Study of Intrusion Detection and Prevention Techniques in Cloud Computing has been explained in Shadab et al. [1]. Hypervisor-based and distributed IDSs have shown promising security features in a cloud computing environment in comparison with traditional identity provider techniques. Partha et al. [6] have presented intrusion detection in the cloud using hybridization of the cuckoo search algorithm and particle swarm optimization (PSO) algorithm. Moreover, Fang et al. [5] have explained anomaly detection in an ad hoc network using deep learning algorithm. Here, they utilize a plug and play device to detect denial of service (DoS) and privacy attacks. Sohal et al. [20] have introduced a digital security system. Their structure has been completely shown to distinguish the malicious edge gadgets in the circulated fog computing condition. Similarly, Girma et al. [7] have exhibited a propelled machine learning way to deal with identifying the DoS assaults on cloud computing with entropy utilizing clustering innovation. They were proceeding with this research to execute those extremely compelling distributed DoS hybrid detection system. Kozik et al. [11] have presented a distributed extreme learning machine technology based attack detection approach that uses cluster resources. Moreover, Bhushan and Gupta [3] have examined different basic features of software defined network that makes it an appropriate systems administration innovation for cloud computing. In addition, they speak to the stream table space of a switch by utilizing a lining hypothesis based numerical model.
Zeenat et al. [12] have explained a principal component analysis (PCA) and neural network (NN) based intrusion detection. This work takes maximum time to find out the intrusion data. In [17], Mehdi and Mohanmmad have explained a NN based on a different attack detection. Here, four types of attacks are identified with the help of a NN. Moreover, Manickam et al. [13], have explained a probabilistic fuzzy c-means clustering (PFCM) and recurrent neural network (RNN) based IDS. Here, PFCM classifier was utilized for clustering process, and RNN is used for classification. Here, also, four types of attacks are identified.

Proposed Model for the IDS
Cloud computing manages parts of assets and computing offices through the Internet. Cloud frameworks pull in numerous clients with its attractive features. Notwithstanding them, cloud frameworks may encounter serious security issues. In order to improve the security of the cloud system, here we have intended to propose an efficient IDS. The main objective of the proposed methodology is to design cloud IDS for achieving cloud security. To achieve the security of the system, in this paper we develop an algorithm based on LKM algorithm and OFLS. Here, with the proposed FLS, the rules are optimally selected with the help of GWO algorithm. The overall process of the proposed technique is shown in Figure 1.
In the proposed technique, at first, the input data are preprocessed. After preprocessing, we cluster the preprocessed data using kernel LKM. After that, each clustered data are given to the OFLS to detect the data as normal or intruded data. Then, finally, the normal data are stored on the cloud. The overall process is split  into two stages, namely, training and testing. The dataset utilized in this proposed method is NSL-Knowledge Discovery and DataBase (KDD) CUP 99 dataset. The step by step process is described in a further section. The proposed method has three main processes, namely, -Preprocessing -Clustering -Intrusion detection

Preprocessing
Consider the NSL-KDD dataset which consists of n number of records and 41 features in which the data may be incomplete, noisy, or duplicate. Therefore, before starting the IDS process, we have to preprocess the data. The preprocessed outputs provide optimal data to the IDS, and this will increase the detection accuracy. The steps involved in preprocessing are given below: -The symbolic attributes in the dataset are converted into the numeric value.
-Then, the numeric attributes are normalized. Let X ij represent the jth column attribute value in the ith row of the dataset and M i represent the mean value of the jth column attribute. The normalization is done using equation (1).
After the normalization process, the data are given to the clustering process.

LKM Based Clustering Module
The aim of the leader-based clustering module is to partition an afforded set of data into clusters and also this algorithm mainly used to speed up the k-means clustering algorithm. Consider the dataset S which consists of n number of data and m number of attributes. To handle a large number of data is hard for processing. Therefore, at first, we cluster the dataset into a number of clusters in order to decrease the size of the training subset and complexity of the IDS. For that, the LKM algorithm is applied to the clustering process.
To partition the dataset into a number of clusters, the leader clustering method takes the size of each cluster, called the threshold T, as an input parameter [19]. Clusters are mentioned by a pattern as a leader, and other patterns in the cluster are mentioned as followers. The set of leaders A is maintained initially empty and is incrementally built. If there is, leader a ∈ A such as distance between u and A is less than or equal to T for each pattern in the dataset S, then the pattern is assigned to the cluster represented by a. In this case, we call patterns as a follower of the leader and the leader is a follower of itself. The first user, which is at a distance less than or equal to T, is chosen as a follower of the leader. The pattern u becomes a new leader if there is no such leader and is added to A. The set of leaders A is provided as output by the algorithm. Modifications used in this proposed method are as follows: -The clusters are not found in input space, and it can be found only in kernel space.
-According to the pattern in the input space, each cluster is represented by its leader. -All the patterns in each cluster can be retrieved easily when the datasets are re-indexed according to these clusters. -The principle behind the proposed kernel based leaders clustering method is its linear time complexity.
Based on the size of the input, the running time increases linearly, and its working principle is as follows.
For a given threshold T, a set of leaders A and the number of followers of each leader A is maintained by the kernel based leaders clustering method, which is count a. A is initially empty and is incrementally built. For each pattern u in the dataset S, if there is a leader a ∈ A, such that the distance between φ(u) and φ(a) is less than or equal to T, then u is assigned to the cluster that is represented by a count (a), and the value is incremented by 1. Otherwise u becomes a new leader and is added to A, and count (a) becomes 1. The output of the algorithm is the set of leaders A, the number of followers of each leader, i.e. count (a) and the set of followers of each leader a, i.e. followers (a). This output is denoted by A*. The proposed kernel based leaders clustering method is given in Table 1.

Stage 1:
First, the kernel based leaders clustering method is used to find A*.

Stage 2:
Later, to derive a partition of the set of leaders ρ A , in the set of leaders A which is taken from A*, applied again the kernel k-means clustering method. In all iterations, each leader a i is assigned to the cluster C r such that ‖φ(a i ) − m 2 r ‖ is minimized. Assume that the patterns in the cluster are very close to the leader where it exists. Hence, ‖φ(a i ) − m 2 r ‖ is computed as follows. where where Finally, each leader is replaced by all of its followers to get a partition of the entire dataset at the end of the iterative process, and it is denoted by ρ * S . The proposed method is explained below.

IDS Using OFLS Classifier
After the clustering process, each obtained cluster is given to the OFLS. The number of clusters and the OFLS are identical. In this, the FLS rules are optimally selected using a bio-inspired algorithm, namely, GWO.
followers(a) = followers(a) ∪ {x} end if end for Output: A * = {<a, count(a), followers(a) > a is a leader} Prototype based hybrid kernel k-means (D, k, ε (0) , T ) Step 1: A* is generated by using the kernel-based leaders clustering method that is given in the algorithm.
Step 2: Using the given initial seed points ε (0) , compute the initial partition ρ (0) A of the leader set A.
Step 3: Apply kernel k-means clustering method (︁ A, k, ρ (0) A )︁ and find the nearest cluster for a leader. Let ρ A be the output.
Step 4: To get the partition for the entire dataset, say ρ * S , replace each leader a ∈ ρ A , by its cluster.
A fuzzy set can address and handle uncertain data successfully. Table 2 shows proposed protiotype based hybrid kernel k-means. The database D is divided into two sets, namely, training (D TR ) and testing (D TE ). The training data are used to generate the FLS system. The intrusion detection accuracy of the proposed system is evaluated with the help of testing dataset. I have used the 494,000 records. I have taken the records for 80% (395,200) of data for training and 20% (98,800) for testing.

Training Process
After the clustering process, each output of the clusters is trained applying N number of fuzzy logic classifier (FLC). Here, the number of clusters and FLC are same. A FLS is distinctive in that it is competent to handle the numerical data and linguistic knowledge. In this FLS, rules are optimally selected with the help of GWO algorithm [16]. The training process is given in Figure 2.

Optimal Rule Generations Using GWO
GWO algorithm is applied to choose the best rule for prediction. In this section, we have N number of clusters, and each cluster has M number of data. Each data has S number of attributes. We utilize the NSL-KDD Cup 99 dataset. Here, each data has 41 features in this paper. As established on the attribute range we generate the rule. Then, we optimally choose the rule using the GWO algorithm. Primarily, the database D is divided into two sets, a training dataset (D TR ) and analyzing dataset (D TE ). The training dataset is applied to generate the fuzzy rules and the aligning of the fuzzy system. With the help of the testing dataset, the prediction accuracy of the suggested system is estimated. The detailed process of generating the rule generation applying GWO algorithm is explained by applying the following steps.
-Discretization At first, we consider the training dataset D TR , which comprise of S number of attributes and N number of data. Here, a number of features are given to a discretization function in order to transfer the input data into a discretized one. The main property of discretization is to change the data value into the specific interval, which means the range of data value is changed into a specific interval. The discretization process is explained below: Step 1: Consider the training dataset D TR , and then we take the attributes in columns. Each column comprises N number of data, and each row comprises n features; 0 < n ≤ 41.
Step 2: Then, we calculate the median (M med ) of each column j.
Step 3: After that, we change the data value into a particular range using the M med value. Here, the particular data value is divided into M med value. Consequently, separate all the feature values, in particular the median value M med . For example, if the median value M med = 100 and feature value P (1) M = 50, it means feature value as 0.5 if it uses the following equation: Applying equation (7), we can alter all the feature values in the specified interval. Now we found the new feature values, which vary from 0 to 1. Then, every value that comes within the range is aligned with the interval value so that the input data are transformed into the discretized data. Consequently, the training dataset D TR is concerted to the discretized format D D where the entire data element D D comprises only the L, M, and H. As established on the discretized format I D , we generate the rule; here the rule should have two decisions such as N or AT. The sample rules are afforded in Table 3.
As established on the rule, we rearrange the dataset D D into two groups, each group having only one kind of data.

-Solution representation
To optimize the rules, GWO algorithm primarily creates an arbitrary population of the solution. Solution creation is a crucial step of an optimization algorithm that helps to identify the optimal solution quickly. Each solution consists of one rule, and that rule is filled with L, H, and M values. The sample rule is afforded in Table 3.    Table 4 shows solution encoding. It is utilized to assess the aptitude (goodness) of candidate solutions. Here, the precision value is the major criterion used to design a fitness function. The fitness function is afforded in equation (10).

R1 IF (P1 is L) and (P 2 is H) and (P 3 is L) and (P4 is M) and . . . . (P41 is H) THEN Decision = Normal (N) R 2 : IF (P1 is H) and (P 2 is L) and (P 3 is M) and (P4 is
where TP refers to the true positive and FP indicates the false positive value.

-Assigning the best solution
After the fitness calculation, we have to assign the first, second, and third best values as S α , S β , and S γ , respectively.

-Encircling prey
The hunting is guided by α, β, and δ, and ω trails these three candidates. In order for the pack to hunt prey, the pack is first encircling it.

-Hunting
We undertake that the α (best candidate solution), β, and δ have enhanced information about the potential site of the prey to replicate scientifically the hunting performance of the grey wolves. As a solution, we store the first three best results reached so far and need the other search agents (as well as the omegas) to study their positions permitting to the position of the best search agent. For recurrence, the novel solution X(t + 1) is assessed with the help of the formulae revealed as follows.
It can be perceived that the concluding position would be in a random place including a circle that is distinct using the points of α, β, and δ in the search space. In added arguments, α, β, and δ evaluate the position of the prey, and other wolves inform their positions arbitrarily near the prey.

-Attacking prey (exploitation) and search for prey (exploration)
Exploration and exploitation are failsafe with the help of the adaptive values of b and B. The adaptive values of parameters b and B let GWO to effortlessly transition among exploration and exploitation. With declining A, half of the repetitions are dedicated to exploration (|B| ≥ 1), and the rest half are devoted to exploitation (|A| < 1). The GWO has only two chief parameters to be accustomed (b and C), though we have retained the GWO algorithm as humble as likely with the smallest operators to be accustomed. The procedure will be sustained until the maximum number of iteration is obtained. Lastly, optimal solutions are designated on the basis of the fitness value.

-Termination criteria
Stop if the maximum number of generations is achieved. The best rule is selected and given to the FLS for further processing, after a suitable training process, we can decide if the data under test is normal or abnormal.

Fuzzy System Design
After the optimal rule generation, we are aligning the fuzzy system. When we are designing the fuzzy system, the fuzzy membership function (MF) definition and fuzzy rule base are the two important steps. The formula used to compute the membership values is described below, -Rule-based fuzzy score computation Using GWO optimization algorithm, we already generated the fuzzy rule set (refer to Section 4.1 Dataset Description). These rules are afforded to the fuzzy logic. The rule base contains a set of fuzzy rules in the form of low, high, and medium distance values.

Testing Module
After the training process, we test the incoming data. In the testing process, the cloud user uploads the data to the CSP. In this stage, the CSP checks whether incoming data are normal or intruded because the CSP is not aware of incoming data. In training, at first, the incoming data are preprocessed. Then, the preprocessed data are given to the clustering process. After the clustering process, the data are given to the corresponding cluster based FLS. The trained FLS structure tests the data. Finally, we obtained the score value. Based on the score value, we check whether the given data are intruded or not. In this, based on the score value, we fix one threshold T h . If the obtained score value is above the threshold T h , it means the data are intruded; otherwise Apply preprocessing process in selected data (refer to Section 4.1) 3.
Call Section 4.2 to the clustering process 4. Apply optimal fuzzy system to each clustered output 5.
Call logical rule generation process 7.
Initialize random rule for GWO 8.
Call fitness function 9.
Select optimal rule 11. Design a fuzzy system based on the optimal rule 12.
Detect normal or intruded data using fuzzy score 13.
Store normal data on the cloud the data are normal. Thus, the obtained score value satisfies the condition which is given in equation (19), and the overall algorithm is given in Table 5.

Results and Discussion
This section affords the detailed view of the result that is found by our proposed intrusion detection in cloud applying LKM and optimal FLS, which is performed in the working platform of JAVA with Cloud Sim tools and a series of experiments performed on a PC with Windows 7 Operating system at 2 GHz dual-core PC machine with 4 GB main memory running a 64-bit version of Windows 2007. To estimate the performance of the suggested LKM+OFLS based intrusion detection method, a series of experiments on the NSL-KDD CUP1999 dataset were conducted.

Dataset Description
The NSL-KDD dataset is a refined version of its predecessor KDD"99 dataset, and this dataset is widely applied for the IDS. This dataset contains five million records, and each record consists of 41 features. The attack classes present in the NSL-KDD dataset are grouped into four classes, namely, Probe attacks, U2R attacks, R2L attacks, and DoS. This dataset has a binary class attribute. Also, it has a reasonable number of training and test instances which makes it practical to run the experiments on.

Evaluation Metrics
The evaluation of the suggested IDS is carried out applying the following metrics as proposed by equations given below: Precision: Precision is the ratio of the number of normal data inquired to the total number of normal and abnormal data detected, which is afforded in equation (20).
Recall: Recall is the ratio of the number of normal data inquired to the total number of data present in the dataset, which is afforded in equation (21).
F-measure: F-measure is determined as the harmonic mean of precision and recalls metrics, which is afforded in equation (22).

Simulation Results
The simulation results obtained from the proposed methodology is given in this section. The simulation is done on the working platform of JAVA with Cloud Sim tools. The proposed methodology test bed is given in Figure 3. Moreover, Figures 4-8 show the simulation results obtained from the proposed IDS. The proposed IDS can be used in real-time applications. For real-time analysis, due to the lack of storage place and security, n numbers of users want to upload their data on the cloud. During the process of data uploading, an intrusion detector in the cloud detects or classifies normal or intruded data using the proposed algorithm (LKM+OFLS). At the end of verification or detection, the normal data are stored on the cloud, and intruded data are neglected. Hence, this process will increase the storage of the cloud. The proposed text bed is given in Figure 3.

Performance Analysis
The aim of the suggested methodology is to inquire whether the data are normal or intruded applying a combination of clustering and classifier techniques. Here, at first, the data are pre-processed to make it fit for further processing. Then, the preprocessed data are afforded to the clustering process. We have used a LKM algorithm for subset of the data into n numbers. Then, each subset is afforded to a separate fuzzy logic system. Finally, established on fuzzy logic score value, we identified the afforded data as normal or intruded data.    We analyze the performance applying precision, recall, and F-measure by varying cluster size and data size by this paper. The performance of the suggested methodology is afforded in Figures 9-11. Figure 9 demonstrates the performance of the suggested methodology by varying cluster size and data size. Figure 9A shows various numbers of clustered like 3, 4, 5, 6 representing precision, recall and F-measure are tested. Figure 9 shows performance analysis by varying cluster size and performance analysis by varying data size. Here, the x axis represents the cluster size, and y axis refers to the corresponding output. When the cluster size is 3, we achieve the precision of 84.89%, recall of 89.90%, and F-measure of 85.63%. The data are partitioned into a number of clusters for easy execution. The performance of the proposed methodology by      varying data size is afforded in Figure 9B. When the data size is 10,000, the proposed method achieves the maximum precision of 90.22%, recall of 86.26%, and F-measure of 88.1983%. This is because of the proposed LKM and optimal rule generation process. The fitness comparison is afforded in Figure 10. For optimal rule generation, in this paper, GWO is utilized. In Figure 10, two optimization algorithms, namely, PSO and genetic algorithm performances are compared with the proposed GWO. From the result, we can clearly understand that our suggested approach attains the maximum accuracy compared to other works.

Comparative Analysis Based on Different Clustering Methods
In this section, the performance of the proposed algorithm is analyzed. To prove the effectiveness of the proposed methodology, the proposed LKM algorithm is compared with existing clustering algorithms, namely, k-means clustering and fuzzy means clustering (FCM). The performance analysis is established on cluster sizes and various data sizes. Table 6 shows the comparative analysis results based on clustering algorithm. When analyzing Table 6, the proposed method attains the average precision of 88.285%, which is 82.72% for using k-means and 83.44% for using FCM based clustering. Moreover, the proposed method attains average recall of 86.89%, which is 74.36% for using k-means and 72.64% for using FCM based clustering. Similarly, compared to F-measure also, we obtain better results. Table 6 shows that our proposed LKM based clustering algorithm is 6.7% better than K-means and 5.8% better than FCM. This because of prototype based hybrid approach. This speeds up the proposed clustering algorithm and overcomes the difficulties present in the K-means clustering algorithm.  Table 7 demonstrates the performance of the proposed and existing methods by varying data sizes. Here, the suggested LKM algorithm-based IDS is compared with k-means based IDS and FCM based IDS. Here, the precision value is high when the data size is 20,000; similarly, the precision value is low when the data size is 10,000. Similarly, in this approach, we attain the average recall of 88.69%, which is 75.08% for using k-means based clustering and 76.1% for using FCM based IDS. From the results, it clearly shows that our proposed method is better than the previous clustering algorithm.

Comparative Analysis Based on the Classifier
In this section the performance of various classifiers based intrusion detection is analyzed. Here, the suggested optimal FLS (OFLS) is compared with a k-nearest neighbor (KNN) based intrusion detection and ANN based intrusion detection. The performance analysis is established on various cluster sizes and different data sizes. Table 8 shows the comparative analysis based on different classifiers by varying cluster sizes. The precision value is computed by varying the cluster size by 3, 4, 5, and 6. The precision value of cluster size 5 is highly equated with other cluster sizes, and the value is 94.54%. The average recall value of the proposed LKM+OFLS is 86.89% in which the existing LKM+KNN attains 73.44% and the existing LKM+ANN obtains 74.35%. The average F-measure value of the suggested LKM+OFLS is 80.66% in which the existing LKM+KNN obtains 78.46% and the existing LKM+ANN obtains 79.30%. These existing values are low when compared to the suggested LKM+OFLS technique. Due to optimal fuzzy rule selection in FLS, the proposed method attains better result compared to the other method.

Comparison with Published Papers
To prove the effectiveness of the proposed methodology, in this paper, we compare the performance of our proposed methodology with existing works, namely, PCA+NN [12], MLP [17], ABC+FCM+NN [8], and PFCM+RNN [13]. In [12], a combination of principal component analysis and NN based intrusion detection is made. For feature selection they utilized PCA and for classification they utilized the ANN. In [17], MLP is used for IDS, which is based on off-line analysis approach. The hybridization of a MLP network, ABC, and fuzzy clustering algorithms based IDS is developed in [8]. Similarly, in [13], the IDS is developed based on  possibilistic PFCM with RNN. To compare these methods, NSL-KDD cup 99 dataset is utiized. Comparative analysis based on the precision measure for KDD CUP99 dataset is given in Figure 11. OFLS+LKM based IDS is explained in this paper. Here, for clustering process, LKM is utilized, and for intrusion detection, optimal NN is utilized. When analyzing Figure 11, we obtain the average maximum accuracy of 96.54%, which is 94% for using PCA-NN [12], 90.13% for using MLP based IDS [17], 94.5% for using [8], and 94.65 for using PFCM+RNN [13]. This is because of LKM and weight optimization process. From the result, we clearly understand that our proposed approach is better compared to other approaches.

Conclusion
Nowadays, in the cloud, system security is one of the major worries because of various attacks and vulnerabilities. As a result, attack detection is an imperative segment in system security. In this paper, a combination of FLS, GWO, and LKM generates a novel IDS which is presented. At various trainings, subsets are developed by LKM method. The discrimination among normal and abnormal data is done by the FLS. The optimal rules are generated applying GWO algorithm. The experimental results applying the KDD CUP 1999 dataset shows the effectiveness of our approach, which provides better precision than the existing method. In the future, we will develop the security of the data applying cryptographic algorithms.