
Research Of Intrusion Detection System Based On Apriori-KNN Algorithm For Alarm Filtering

Posted on: 2020-01-11
Degree: Master
Type: Thesis
Country: China
Candidate: W T Ma
Full Text: PDF
GTID: 2428330575991250
Subject: Computer technology

Abstract/Summary:
The Network Intrusion Detection System (NIDS) triggers a large number of alarms when suspicious behavior is detected, but most of the behaviors that cause alarms are in fact false alarms. A large number of false alarms reduces the detection performance of the NIDS. For a signature-based NIDS, the stricter the detection rules, the stronger the system security. However, strict rules trigger more alarms, many of which do not correspond to actual intrusions. Relaxing the rules reduces the number of false alarms, but this is not advisable, because it can cause the NIDS to miss certain intrusive events. The NIDS therefore has lower identification accuracy and is difficult to fine-tune. Improving the performance of a NIDS is in practice a matter of maintaining a balance between identification accuracy and system security. Reducing false alarms is therefore a key issue for improving NIDS efficiency and system availability.

To reduce the number of NIDS false alarms, we apply data mining technology. To reduce the load on the NIDS, we use a context-aware blacklist packet filter. We study the advantages and disadvantages of the KNN and Apriori data mining algorithms and analyze the association rules produced by the Apriori algorithm. Apriori frequent itemsets are used to strengthen KNN, forming an Apriori-KNN algorithm with frequent itemset mining. We analyze the principles of NIDS alarm generation and classification, establish a classification model based on normal alarm patterns, use the Apriori-KNN algorithm as the core algorithm of alarm classification, and construct a filtering mechanism for reducing false alarms. The context-aware blacklist packet filter is placed before the Apriori-KNN filtering mechanism, and the whole filtering mechanism acts as middleware for the NIDS.

The experimental results show that the Apriori-KNN false alarm filter can greatly reduce the number of false alarms of a signature-based network intrusion detection system. The identification accuracy of the false alarm reduction mechanism is higher than that of NIDS filtering mechanisms based on the KNN algorithm, decision trees and the SVM algorithm. The context-aware blacklist packet filter effectively reduces the time consumption of the NIDS. The filtering mechanism effectively reduces the number of false alarms of the network intrusion detection system, improves identification accuracy and reduces the time consumption of the NIDS without changing the normal configuration of the existing network intrusion detection system.
Keywords/Search Tags:network intrusion detection system, false alarm, data mining, Apriori-KNN algorithm, identification accuracy
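The abstract says Apriori frequent itemsets are used to strengthen KNN for alarm classification but does not give the construction. The following is an added example, not code from the thesis, that assumes one natural design: frequent itemsets mined from alarm attribute tokens (signature, source range, destination port, protocol) become binary KNN features, so an alarm that matches a frequent "normal alarm pattern" lands near the known false alarms. The alarm records, token names and labels are constructed for illustration.

```python
from collections import Counter
from math import sqrt

# Constructed NIDS alarm records: each alarm is a set of attribute tokens;
# label 0 = false alarm (e.g. internal monitoring), label 1 = true alarm.
TRAIN = [
    ({"sig:icmp-ping", "src:10.0.0.0/8", "dport:0", "proto:icmp"}, 0),
    ({"sig:icmp-ping", "src:10.0.0.0/8", "dport:0", "proto:icmp"}, 0),
    ({"sig:icmp-ping", "src:10.0.0.0/8", "dport:0", "proto:icmp"}, 0),
    ({"sig:http-scanner-ua", "src:10.0.0.0/8", "dport:80", "proto:tcp"}, 0),
    ({"sig:http-scanner-ua", "src:10.0.0.0/8", "dport:80", "proto:tcp"}, 0),
    ({"sig:http-sqli", "src:external", "dport:80", "proto:tcp"}, 1),
    ({"sig:ssh-bruteforce", "src:external", "dport:22", "proto:tcp"}, 1),
    ({"sig:http-sqli", "src:external", "dport:443", "proto:tcp"}, 1),
]

def apriori(transactions, min_support):
    """Frequent itemsets with support >= min_support (fraction), sorted for a stable feature order."""
    n = len(transactions)
    counts = Counter(item for t in transactions for item in t)
    freq = {frozenset([i]) for i, c in counts.items() if c / n >= min_support}
    result, k = set(freq), 2
    while freq:
        # Candidate k-itemsets are unions of frequent (k-1)-itemsets (downward closure).
        cands = {a | b for a in freq for b in freq if len(a | b) == k}
        sup = Counter(c for t in transactions for c in cands if c <= t)
        freq = {c for c, s in sup.items() if s / n >= min_support}
        result |= freq
        k += 1
    return sorted(result, key=lambda s: (len(s), sorted(s)))

def featurize(alarm, itemsets):
    """Binary vector: 1 where the alarm contains the frequent itemset."""
    return [int(s <= alarm) for s in itemsets]

def knn_predict(train, itemsets, alarm, k=3):
    """Majority vote among the k training alarms nearest in itemset-feature space."""
    x = featurize(alarm, itemsets)
    dists = sorted(
        (sqrt(sum((a - b) ** 2 for a, b in zip(featurize(t, itemsets), x))), label)
        for t, label in train)
    return Counter(label for _, label in dists[:k]).most_common(1)[0][0]

def classify(alarm, min_support=0.3, k=3):
    """Apriori-KNN filter: 0 = treat as false alarm, 1 = forward as a true alarm."""
    itemsets = apriori([t for t, _ in TRAIN], min_support)
    return knn_predict(TRAIN, itemsets, frozenset(alarm), k)
```

An internal scanner hitting a port never seen in training still shares the frequent internal-source and TCP itemsets with the known scanner alarms, so it is filtered as a false alarm, while an external injection alarm is forwarded.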