
Frequent Pattern Mining Algorithm And Its Use In Intrusion Detective System

Posted on: 2005-06-25
Degree: Master
Type: Thesis
Country: China
Candidate: J H Tong
GTID: 2168360152469229
Subject: Computer application technology
Abstract/Summary:
The intrusion detection system (IDS) is becoming a more and more influential technology in the world of network security. The intrusion signature model of an IDS has traditionally been built by network security specialists based on attacks that have already happened. Such a signature model can efficiently detect known attacks, but can do nothing against attacks that are unknown to us. To solve this problem, the maximal frequent pattern from the field of data mining is used to build the signature model. A maximal frequent pattern comprises all the frequent itemsets that are its subsets and greatly reduces memory usage, so it is widely used in many data mining applications.

The Apriori algorithm and its improvement, the GenMax algorithm, which are the typical maximal frequent pattern mining algorithms, do not perform very well because they produce too many candidate frequent itemsets. Therefore, a pruning strategy called the multi-level backtracking strategy is realized in this paper, along with a maximal frequent pattern mining algorithm called MinMax, which adopts multi-level backtracking. The analysis and experimental results show that MinMax prunes the search space more strongly and efficiently than most other algorithms.

A feature-discovery model for use in an IDS is built based on the maximal frequent pattern. The maximal frequent itemsets that come from the intrusion network data and the pure host audit data are used respectively as the normal behavior model and the abnormal behavior model. The data is checked a first time against the abnormal behavior model at the network level and a second time against the normal behavior model at the application level, and from this it can be judged whether an intrusion or abnormal behavior has happened. This model adopts both the misuse and the anomaly detection approaches and is applicable to popular intrusion detection systems based on both network and host. Furthermore, it can detect both known and unknown attacks, so it has good practicability.
Keywords/Search Tags: maximal frequent pattern, multi-level backtracking pruning strategy, frequent pattern mining, feature model of Intrusion Detective System