| With the rapid development of computer networks, people face increasing threats to network security. Network security has become a major problem restricting the development of the network, and it directly affects national security and social stability. How to solve the network security problem has become an important issue. As a dynamic, active defense technology, intrusion detection can detect an intrusion before damage occurs in the system and respond through alarms and the intrusion protection system to reduce the loss caused by the intrusion. Intrusion detection is essentially a classification problem: it divides data collected from the network into two types, normal or abnormal. Association analysis is a data mining method that uses association rules to mine data. It can find implicit and interesting associations or relationships among items in large business data sets or other data sets. Association analysis can also combine association rules with classification, mining potential Class-Association Rules (CARs) from the data to build a classifier. Because a classifier obtained by CAR mining is composed of a series of CARs, it is easier to understand and apply. Therefore, association analysis can be applied to intrusion detection to find relationships among the properties of network data and to mine potential, effective intrusion detection rules. This paper studies the application of association analysis in intrusion detection and builds a model of an intrusion detection system (IDS) based on CARs. When the Apriori algorithm mines frequent itemsets, it must scan the data set repeatedly and it produces a large number of candidate itemsets, so it takes too much time and uses too much memory. The I-Apriori-TFP (Total-from-Partial) algorithm is an improved algorithm based on the Apriori-TFP algorithm. 
It reduces the number of nodes in the P tree and T tree and produces only frequent itemsets that carry the class label, from which the CARs are generated. This paper implements an associative classification algorithm by combining the I-Apriori-TFP algorithm with the CMAR algorithm. First, the system preprocesses the data sets, and then all the CARs are generated with the I-Apriori-TFP algorithm. Next, a classifier is built from the generated CARs and tested on test data to produce a detection agent. Lastly, the detection agent is used to detect network data. Finally, this paper carries out a comparison experiment between the Apriori-TFP algorithm and the I-Apriori-TFP algorithm. The experiments showed that the I-Apriori-TFP algorithm saved more storage space and run time than the Apriori-TFP algorithm. The intrusion detection model was also trained and tested on the KDD Cup 99 intrusion detection experimental data sets. The experiments also showed that the intrusion detection model could detect intrusions in the network efficiently. |
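
The pipeline in the abstract (mine CARs, build a classifier, label network records) can be sketched as follows. This is an added example, not the paper's code: it uses a plain level-wise Apriori pass instead of the P tree/T tree structures of I-Apriori-TFP, ranks rules by confidence and support instead of CMAR's scoring, and the records, thresholds and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed training records in the style of KDD Cup 99 features (not real data).
TRAIN = [
    ({"proto=tcp", "service=http", "flag=SF"}, "normal"),
    ({"proto=tcp", "service=http", "flag=SF"}, "normal"),
    ({"proto=tcp", "service=smtp", "flag=SF"}, "normal"),
    ({"proto=udp", "service=domain", "flag=SF"}, "normal"),
    ({"proto=tcp", "service=private", "flag=S0"}, "attack"),
    ({"proto=tcp", "service=private", "flag=S0"}, "attack"),
    ({"proto=tcp", "service=http", "flag=S0"}, "attack"),
    ({"proto=icmp", "service=ecr_i", "flag=SF"}, "attack"),
]

def mine_cars(records, min_sup=0.25, min_conf=0.8, max_len=2):
    """Mine rules itemset -> class; an itemset survives only if frequent with a class label."""
    n = len(records)
    rules = []
    level = {frozenset([i]) for items, _ in records for i in items}
    for k in range(1, max_len + 1):
        with_class = Counter()  # (itemset, label) -> count
        total = Counter()       # itemset -> count over all classes
        for items, label in records:
            for cand in level:
                if cand <= items:
                    total[cand] += 1
                    with_class[cand, label] += 1
        frequent = set()
        for (cand, label), cnt in with_class.items():
            if cnt / n >= min_sup:
                frequent.add(cand)
                conf = cnt / total[cand]
                if conf >= min_conf:
                    rules.append((cand, label, cnt / n, conf))
        # Apriori join: (k+1)-candidates are built from frequent k-itemsets only.
        level = {a | b for a, b in combinations(frequent, 2) if len(a | b) == k + 1}
    # Rank by confidence, then support, then shorter antecedent (simplification, not CMAR).
    return sorted(rules, key=lambda r: (-r[3], -r[2], len(r[0]), sorted(r[0])))

def classify(rules, items, default="normal"):
    """Label a record with the best-ranked rule whose antecedent it contains."""
    for antecedent, label, _sup, _conf in rules:
        if antecedent <= items:
            return label
    return default
```

With the default thresholds, the constructed data yields rules such as `{flag=S0} -> attack`, and a record that matches no rule falls back to the default label.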