A New Association Rule Mining based on Coverage and Exclusion for Network Intrusion Detection

  • Tae Yeon Kim (Department of IT Convergence Engineering, Gachon University) ;
  • KyungHyun Han (Department of Electronics and Computer Engineering, Hongik University) ;
  • Seong Oun Hwang (Department of Computer Engineering, Gachon University)
  • Received : 2022.11.06
  • Accepted : 2022.12.18
  • Published : 2023.02.28

Abstract

Applying association rule mining algorithms to network intrusion detection raises two critical issues: the generated rule set is too large to be used on IoT systems, and the false negative/positive rates of the rules are hard to control. In this research, we propose an association rule mining algorithm based on two newly defined measures, coverage and exclusion. Coverage is how frequently a pattern occurs among the transactions of a class, and exclusion is how frequently the pattern does not occur among the transactions of the other classes. We compare the proposed algorithm experimentally with Apriori, the best-known association rule mining algorithm, on the public KDDcup99 dataset. Compared to Apriori, the proposed algorithm reduces the size of the resulting rule set by up to 93.2 percent with no loss of accuracy. The proposed algorithm also gives full control over the false negative/positive rates of the generated rules through its parameters. Network analysts can therefore apply the proposed association rule mining effectively to network intrusion detection, since both issues are resolved.
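
To make the two measures concrete, the following is an added example (not the paper's code) that computes coverage and exclusion over a handful of constructed, KDD Cup 99-style records and mines class rules level-wise. The records, the thresholds, the `max_len` bound and the choice to report only minimal rules (a pattern is not extended once it already qualifies) are this example's own assumptions; the paper's exact search procedure is not reproduced here. Coverage is anti-monotone, so a pattern below the coverage threshold is pruned with all its supersets just as Apriori prunes on support; exclusion is monotone, so the smallest qualifying pattern is the interesting one.

```python
from typing import FrozenSet, List, Tuple

Transaction = Tuple[FrozenSet[str], str]

# Constructed toy records (NOT real KDD Cup 99 rows). Numeric fields are
# pre-binned so that every item is a categorical feature=value pair.
TRANSACTIONS: List[Transaction] = [
    # neptune (SYN flood): half-open or rejected connections carrying no data
    (frozenset({"protocol=tcp", "service=private", "flag=S0", "src_bytes=0"}), "neptune"),
    (frozenset({"protocol=tcp", "service=private", "flag=S0", "src_bytes=0"}), "neptune"),
    (frozenset({"protocol=tcp", "service=private", "flag=REJ", "src_bytes=0"}), "neptune"),
    (frozenset({"protocol=tcp", "service=http", "flag=S0", "src_bytes=0"}), "neptune"),
    # normal traffic, including a timed-out connection and an empty one
    (frozenset({"protocol=tcp", "service=http", "flag=SF", "src_bytes=medium"}), "normal"),
    (frozenset({"protocol=tcp", "service=private", "flag=S0", "src_bytes=small"}), "normal"),
    (frozenset({"protocol=udp", "service=domain_u", "flag=SF", "src_bytes=small"}), "normal"),
    (frozenset({"protocol=tcp", "service=smtp", "flag=SF", "src_bytes=large"}), "normal"),
    (frozenset({"protocol=tcp", "service=private", "flag=SF", "src_bytes=0"}), "normal"),
]


def coverage(pattern: FrozenSet[str], cls: str, txns: List[Transaction]) -> float:
    """Fraction of class-cls transactions that contain every item of pattern."""
    in_class = [items for items, label in txns if label == cls]
    return sum(pattern <= items for items in in_class) / len(in_class)


def exclusion(pattern: FrozenSet[str], cls: str, txns: List[Transaction]) -> float:
    """Fraction of other-class transactions that do NOT contain pattern."""
    others = [items for items, label in txns if label != cls]
    return sum(not pattern <= items for items in others) / len(others)


def mine_rules(txns: List[Transaction], cls: str, min_cov: float, min_excl: float,
               max_len: int = 3) -> List[Tuple[FrozenSet[str], float, float]]:
    """Level-wise search for patterns with coverage >= min_cov and exclusion >= min_excl.

    Patterns below min_cov are pruned with all their supersets (coverage can only
    drop when an item is added). A pattern that already qualifies is reported and
    not extended, and supersets of reported rules are skipped, so the rule set
    stays minimal. The minimality filter is this example's choice.
    """
    items = sorted({i for t, label in txns if label == cls for i in t})
    frontier = [frozenset([i]) for i in items]
    rules: List[Tuple[FrozenSet[str], float, float]] = []
    k = 1
    while frontier and k <= max_len:
        to_extend = []
        for p in frontier:
            if any(r <= p for r, _, _ in rules):
                continue  # a smaller rule already fires on everything p would
            cov = coverage(p, cls, txns)
            if cov < min_cov:
                continue  # anti-monotone prune: no superset can recover coverage
            exc = exclusion(p, cls, txns)
            if exc >= min_excl:
                rules.append((p, cov, exc))
            else:
                to_extend.append(p)  # keep growing until exclusion is high enough
        # Apriori-style join: candidate (k+1)-itemsets from pairs of k-itemsets
        frontier = sorted({a | b for a in to_extend for b in to_extend
                           if len(a | b) == k + 1}, key=sorted)
        k += 1
    return rules


def error_rates(rules, cls: str, txns: List[Transaction]) -> Tuple[float, float]:
    """(false-negative rate, false-positive rate) when any rule firing is an alert.

    A rule fires on a transaction when all of its items are present.
    """
    def fires(items: FrozenSet[str]) -> bool:
        return any(r <= items for r, _, _ in rules)
    in_class = [items for items, label in txns if label == cls]
    others = [items for items, label in txns if label != cls]
    fn = sum(not fires(i) for i in in_class) / len(in_class)
    fp = sum(fires(i) for i in others) / len(others)
    return fn, fp


if __name__ == "__main__":
    for min_excl in (0.8, 0.9):
        rules = mine_rules(TRANSACTIONS, "neptune", min_cov=0.75, min_excl=min_excl)
        fn, fp = error_rates(rules, "neptune", TRANSACTIONS)
        print(f"min_cov=0.75 min_excl={min_excl}: {len(rules)} rule(s), FN={fn:.2f}, FP={fp:.2f}")
        for p, cov, exc in rules:
            print("   ", " AND ".join(sorted(p)), f"-> neptune (coverage={cov:.2f}, exclusion={exc:.2f})")
```

On these records, `min_excl=0.8` yields the two single-item rules `flag=S0` and `src_bytes=0`, which catch every neptune record but also fire on two normal ones (FP 0.4); raising `min_excl` to 0.9 rejects both and the search continues to the single two-item rule `flag=S0 AND src_bytes=0`, which fires on no normal record (FP 0.0) at the cost of missing the REJ-flagged neptune record (FN 0.25). That is the trade-off the two parameters expose: `min_cov` bounds how much of the class a single rule may miss, and `min_excl` bounds how much of the other classes a single rule may hit.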

Acknowledgement

This work was supported by the Gachon University research fund of 2021 (GCU-202104500001).
