Research On Anomaly Detection Models For Networks Based On Fuzzy Association Rules

Posted on: 2005-07-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Mai
GTID: 2168360122498786
Subject: Computer applications

Abstract/Summary:
The recent widespread deployment of computers and the rapid development of network techniques have made network security and information confidentiality increasingly important. As an active security technique, intrusion detection can identify not only intrusions from outside but also unauthorized behavior from inside, and it has therefore become an essential component of network security.

An anomaly detection model based on fuzzy association rules is explored in this paper. It applies association rules to analyze network link records and is grounded theoretically in data mining and intrusion detection. The temporal statistical features carried by network link records have proved critical for developing intrusion detection systems. Most of these features are quantitative, so the straightforward application of traditional association rules lacks flexibility. Furthermore, the fuzzy nature of network security events makes it more reasonable to treat the boundary between normal and abnormal behavior as a tradeoff. Integrating fuzzy logic with association rules for intrusion detection means adopting fuzzy association rules to mine useful features from network traffic, which improves the system's flexibility and detection ability.

Normal pattern construction is the key step for anomaly detection systems, and it must include low-frequency patterns as well as high-frequency patterns. Low-frequency patterns cannot be mined with classical association rules except by decreasing the minimum support, which produces many more redundant rules.

Analysis of the KDD Cup 99 dataset indicates that most features have a very sparse and very uneven data distribution, meaning that a given quantitative feature typically takes only a very small subset of its possible values, and that the data has a very irregular attack distribution.

Given this situation, the MSapriori algorithm, rather than the Apriori algorithm, is adopted and fuzzified for better performance. This method allows users to specify multiple minimum supports to reflect the different natures and/or frequencies of items, and is therefore able to find rare item rules without causing frequent items to generate too many meaningless rules. Experimental results show that introducing MSapriori improves not only the detection rate but also detection efficiency, owing to the great reduction in rules.
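
The multiple-minimum-support idea described above, as an added example that is not taken from the thesis: quantitative connection features are fuzzified into LOW/HIGH items, and an itemset is kept when its fuzzy support reaches the lowest minimum item support (MIS) among its items. The sample records, the ramp membership functions, the min-based fuzzy support and the MIS values are all assumptions, and brute-force enumeration stands in for MSapriori's level-wise candidate generation.

```python
from itertools import combinations

# Constructed sample records (duration s, src_bytes, count); feature names follow
# KDD Cup 99, the values and the breakpoints below are invented for illustration.
RECORDS = [(2, 0, 12), (3, 0, 10), (1, 50, 1), (4, 0, 2), (10, 100, 1),
           (3, 0, 2), (5, 0, 1), (2, 0, 2), (40, 900, 15), (25, 500, 10)]
RAMPS = {"dur": (5, 30), "bytes": (200, 800), "count": (2, 10)}

def fuzzify(rec):
    """Map each quantitative value to LOW/HIGH membership degrees in [0, 1]."""
    out = {}
    for (name, (lo, hi)), x in zip(RAMPS.items(), rec):
        high = min(1.0, max(0.0, (x - lo) / (hi - lo)))
        out[name + "=HIGH"], out[name + "=LOW"] = high, 1.0 - high
    return out

ROWS = [fuzzify(r) for r in RECORDS]

def fuzzy_support(itemset, rows):
    """Mean over records of the smallest membership among the itemset's items."""
    return sum(min(r[i] for i in itemset) for r in rows) / len(rows)

def mine(rows, mis, max_len=2):
    """Return itemsets whose fuzzy support reaches the lowest MIS of their items."""
    found = {}
    for k in range(1, max_len + 1):
        for cand in combinations(sorted(mis), k):
            if len({i.split("=")[0] for i in cand}) < k:
                continue  # two fuzzy values of one feature never combine
            support = fuzzy_support(cand, rows)
            if support >= min(mis[i] for i in cand):
                found[cand] = round(support, 3)
    return found

def uniform(threshold):
    """Classical single-minimum-support setting: every item gets the same MIS."""
    return {item: threshold for item in ROWS[0]}

# Rare HIGH items get a low minimum item support, frequent ones a high one.
MIS = {i: (0.1 if i in ("dur=HIGH", "bytes=HIGH") else 0.3) for i in ROWS[0]}

if __name__ == "__main__":
    for label, table in [("minsup 0.3", uniform(0.3)),
                         ("minsup 0.1", uniform(0.1)), ("multiple MIS", MIS)]:
        res = mine(ROWS, table)
        print(label, len(res), ("bytes=HIGH", "dur=HIGH") in res)
```

On this sample a single minimum support of 0.3 misses the rare long, large-transfer pattern, lowering it to 0.1 recovers the pattern but also admits low-support combinations of frequent items, and the per-item thresholds keep the rare pattern while rejecting those combinations.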
Keywords/Search Tags:intrusion detection, association rule, fuzzy logic, quantitative attribute, MSapriori algorithm