
The Algorithm Research Of Association Rules Mining And Its Application In Network Intrusion Detection

Posted on: 2007-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Shang
Full Text: PDF
GTID: 2178360182978486
Subject: Computer application technology
Abstract/Summary:

With the development of networks and other information technology, security has become the most critical problem for network systems. Intrusion Detection Systems (IDS) have therefore become a key means and technology for protecting network systems. Current IDS cannot detect new or unknown attacks, and their accuracy and response do not meet application requirements. Association rule mining is a fundamental and important problem in data mining, and it can detect not only normal behavior but also abnormal behavior. Applying frequent patterns to IDS can therefore detect both known and unknown intrusions. Research on efficient association rule mining algorithms is thus of considerable value for improving the accuracy and efficiency of IDS.

This thesis studies and analyses association rule mining techniques and their application in IDS systematically and in depth. The main contents are as follows:

A fast algorithm, XARM, is developed for mining association rules in large databases. Building on the traditional Apriori algorithm and other optimized algorithms, it introduces the concepts of a self-adapted step and a scanning tree. A dynamic pruning method and support counting based on the join step are adopted to improve the Apriori algorithm. Theoretical analysis and experimental results indicate that this algorithm is more efficient in application than the Apriori algorithm, and its effectiveness is also demonstrated.

An improved incremental updating algorithm, SFUP, is developed based on a study of the principle and efficiency of the FUP algorithm. The algorithm makes full use of the previous mining results and greatly reduces the number of database scans, thus increasing mining efficiency. Experiments show that SFUP is better than FUP in many respects.

Because the user behavior features extracted by current IDS cannot reflect real circumstances, the normal and abnormal models are not accurate. The paper presents an intrusion detection method based on the fast mining algorithm XARM and the incremental updating algorithm SFUP. First, the method constructs normal and abnormal user models by mining training data sets. Then it obtains a real-time behavior model by incrementally updating with real Internet data. Finally, intrusion detection is completed by matching against the model database. The method can rapidly distinguish normal from abnormal behavior, and it updates and improves the IDS models in a timely manner, so the accuracy and reliability of IDS can be greatly enhanced. Experimental results show that the method is efficient and accurate.
Keywords/Search Tags: intrusion detection, data mining, association rules, incremental updating