-
Rare Association Rule Mining for Network Intrusion Detection
Authors:
Hyeok Kong,
Cholyong Jong,
Unhyok Ryang
Abstract:
In this paper, we propose a new practical association rule mining algorithm for anomaly detection in Intrusion Detection Systems (IDS). First, since anomaly cases occur relatively rarely in a network packet database, we define a rare association rule among infrequent itemsets rather than following the traditional association rule mining method. We then discuss an interest measure that distinguishes interesting relations from uninteresting ones, and what that interest consists of, and develop a hash-based rare association rule mining algorithm for finding rare but useful anomaly patterns for the user. Finally, we define a quantitative association rule in a relational database, propose a practical algorithm to mine rare association rules from a network packet database, and show its advantages with a concrete example. Our algorithm can be applied to fields that need to mine hidden patterns which are rare but valuable, such as IDS; because it is based on hashing among infrequent itemsets, it has clear advantages in speed and memory usage over the traditional association rule mining algorithms.
Keywords: rare association mining algorithm, infrequent itemsets, quantitative association rule, network intrusion detection system, anomaly detection
Submitted 13 October, 2016;
originally announced October 2016.
-
Implementation of Association Rule Mining for Network Intrusion Detection
Authors:
Hyeok Kong,
Cholyong Jong,
Unhyok Ryang
Abstract:
Many modern intrusion detection systems are based on data mining and a database-centric architecture, in which a number of data mining techniques have found application. Among the most popular techniques, association rule mining is one of the important topics in data mining research. This approach determines interesting relationships between large sets of data items. The technique was initially applied to so-called market basket analysis, which aims at finding regularities in the shopping behaviour of supermarket customers. In contrast to datasets for market basket analysis, which usually have hundreds of attributes, network audit databases have tens of attributes. So the typical Apriori algorithm of association rule mining, which needs many database scans, can be improved by exploiting these characteristics of the transaction database. In this paper we propose an improved Apriori algorithm, very useful in practice, that scans the network audit database only once by means of transaction cutting and hashing.
Submitted 3 August, 2016; v1 submitted 20 January, 2016;
originally announced January 2016.
-
Software Cognitive Information Measure based on Relation Between Structures
Authors:
Yong-Hwa Choe,
Chol-Yong Jong,
Song Han
Abstract:
Cognitive complexity measures quantify the human difficulty of understanding source code, on the foundation of cognitive informatics. The discipline derives cognitive complexity from fundamental software factors, i.e., inputs, outputs, and internal processing architecture. One approach integrates Granular Computing into a new measure called the Structured Cognitive Information Measure (SCIM). The proposed measure unifies and re-organizes complexity factors analogously to the human cognitive process. However, depending on the software methodology and the scope of the variables, the Information Complexity Number (ICN) of variables depends on changes of variable values, and cognitive complexity is measured in several ways. In this paper, we define the Scope Information Complexity Number (SICN) and present a cognitive complexity measure based on the functional decomposition of software, including theoretical validation against Weyuker's nine properties.
Submitted 1 April, 2013;
originally announced April 2013.