Research And Application Of Weighted Association Rules In Intrusion Detection

Posted on: 2013-12-30
Degree: Master
Type: Thesis
Country: China
Candidate: X C Li
GTID: 2248330371981144
Subject: Computer software and theory
Abstract/Summary:
Intrusion detection is an active defense tool for network security: when an intrusion is detected, the response units are required to respond and handle it as soon as possible and, at the same time, to record its characteristics so that they are useful for future detection. Because intrusions are correlated, correlation analysis between intrusions is one of the most important means of intrusion detection and is widely used in intrusion detection systems. Association rule mining provides a new way to acquire knowledge for correlation analysis between intrusions; it can find potential, interesting, useful associations or relationships between items in a large transaction database or data set. Association rule mining is an active area of data mining, and its application to intrusion detection is a current research focus. Numerous studies show that applying association rules in an intrusion detection system can find unknown intrusion patterns and raise the detection rate of the IDS, but also raises the false rate. This result is mainly due to two assumptions in association rules: that every item has the same importance, and that every item has the same or similar frequency. These assumptions do not hold in the real world, so we introduce weighted association rules, which reflect importance by giving every item a weight value and better meet the mining requirements. This paper mainly studied the application of weighted association rules in intrusion detection. I made a deep analysis of weighted association rule mining algorithms and classification algorithms at home and abroad, especially the classic weighted association rule mining algorithm, the MINWAL(O) algorithm, and pointed out its inadequacies.
Considering the large scale of network intrusion detection data and the fact that different attributes have different importance for intrusion detection, the paper built on the MINWAL(O) algorithm and the FP-Growth algorithm, took the respective strengths of each, and gave an improved weighted association rule algorithm, the WAFP algorithm, which not only improves the efficiency of mining but is also better suited to mining intrusion data. For the WAFP algorithm, the paper established a hierarchy diagram for intrusion detection, using the AHP method to determine the weight values of items; by analyzing the MINWAL(O) and FP-Growth algorithms, described the basic idea of the WAFP algorithm in detail; explained how to build a WAFP-tree with an example; described how to mine weighted association frequent items; and introduced the proportion weight value to prune candidate itemsets and reduce the generation of candidate itemsets. The introduction of the proportion weight value, to some extent, makes up for a shortcoming of the MINWAL(O) algorithm, which accumulates items' weight values as the itemset's weight. Next, the paper built an intrusion detection module based on the WAFP algorithm and introduced the functions of every module. Finally, the paper presented the whole architecture of the IDS and selected 30000 records from kddcup.data_10_percent, a subset of KDD CUP 99, with 90% as the training set and 10% as the test set. The experimental results showed that the running time of the improved algorithm was shorter than that of the MINWAL(O) algorithm under different support values; the intrusion detection module based on WAFP had a higher detection rate and a lower false rate.
Keywords/Search Tags: intrusion detection, weighted association rules, MINWAL(O) algorithm, WAFP algorithm