Implementation of Association Rule Mining for Network Intrusion Detection
Hyeok Kong, Cholyong Jong, Unhyok Ryang

TL;DR
This paper presents an improved Apriori algorithm tailored for network intrusion detection, reducing database scans to enhance efficiency in analyzing large network audit datasets.
Contribution
The paper introduces a novel version of the Apriori algorithm that minimizes database scans, specifically optimized for network intrusion detection datasets.
Findings
Reduced number of database scans in association rule mining
Enhanced efficiency in network intrusion detection processes
Practical applicability demonstrated with network audit data
Abstract
Many modern intrusion detection systems are based on data mining and database-centric architecture, where a number of data mining techniques have been found. Among the most popular techniques, association rule mining is one of the important topics in data mining research. This approach determines interesting relationships between large sets of data items. This technique was initially applied to the so-called market basket analysis, which aims at finding regularities in the shopping behaviour of customers of supermarkets. In contrast to datasets for market basket analysis, which usually take hundreds of attributes, network audit databases face tens of attributes. So the typical Apriori algorithm of association rule mining, which needs so many database scans, can be improved, dealing with such characteristics of the transaction database. In this paper we propose an improved Apriori algorithm, very…
Taxonomy
Topics: Data Mining Algorithms and Applications · Imbalanced Data Classification Techniques · Rough Sets and Fuzzy Logic
