
International Journal of Advanced Computer Science, Vol. 2, No. 5, Pp. 204-206, May, 2012.

Base on Data Mining In Intrusion Detection System Study


Yabing Jiao

Abstract: This paper first introduces the technologies related to intrusion detection systems, and then introduces how data mining technology can be applied to an intrusion detection system. Combining data mining technology with intrusion detection technology, it puts forward an intrusion detection system model based on data mining technology. The data mining methods of association rules and classification analysis work together in the intrusion detection system, and through their analysis the rules of intrusion are derived.

Manuscript Received: 29 Jun. 2011; Revised: 16 Nov. 2011; Accepted: 11 Apr. 2012; Published: 15 Jun. 2012

Keywords
Data mining; Intrusion detection system; Association rules; Classification analysis

Yabing Jiao is with Shandong Yingcai University, Jinan, China (email: jiaoyabing@163.com). Shandong Province University Science and Technology Plan: J11LG71.
International Journal Publishers Group (IJPG)

1. Introduction
Internet security confronts people as a stark reality. Because of its openness, the network is very vulnerable to attack from inside or outside, and new means of network attack are created continuously: brute force attack, sniffing, source code analysis, IP spoofing, denial of service, network sweep, distributed attack, and the exploitation of known vulnerabilities or protocol flaws, etc. Many people can download and use simple but highly damaging attack programs from the network, even without any computer expertise. Because network attacks are ubiquitous, it is very necessary to deploy an intrusion detection system on the network to assure network security.

2. Summary of Intrusion Detection
Intrusion refers to any activity that attempts to threaten the integrity, confidentiality or availability of a network resource [1]. This includes not only a person who launches attacks (for example a hacker) taking control of the system, but also harmful behaviour such as gathering information or exploiting a gap to deny access to the computer system. An intrusion detection system (IDS) is an internet security technology that takes the initiative to secure a position against attack. As a reasonable supplement to the firewall, an intrusion detection system is able to defend against network attacks, extends the security management ability of the system administrator (which embraces security auditing, surveillance, attack recognition and response), and improves the integrity of the information security infrastructure. An IDS collects information from a great many key points and analyses that information. The IDS is the second safety gate after the firewall. It examines the network without affecting network performance, and it can prevent and reduce cyber-threats [2].

A. Model of IDS
The development time of IDS has been extremely short, and at present there is no uniform data model. The public IDS framework once presented by DARPA (Defense Advanced Research Projects Agency) is the major structural model (Fig. 1). In this model, the IDS is divided into four parts: the event generator, pictured as the E box; the event analyzer, pictured as the A box; the response units, pictured as the R box; and the event databases, pictured as the D box.

Fig. 1. IDS framework model.

B. Classification of IDS
Intrusion detection systems fall into three classes: network-based IDS, host-based IDS, and mixed-mode IDS. A network-based IDS protects whole network segments, monitoring network data packets, finding data packets that contain attack characteristics and disposing of them, for example by breaking the process, recording the attack data, or giving a warning signal. A host-based IDS protects vital hosts: by acquiring in-system data, logs, system state, application information etc. from the protected hosts, the IDS can discover signs of attack and work out the relevant response. A mixed-mode IDS refers to the use of two or more of the intrusion detection modes above to protect the whole network system [3].

C. Shortcoming of IDS
Availability, applicability and extendibility of IDS are key indicators to evaluate the quality of an IDS. Today, most of

intrusion detection systems usually adopt statistical analysis to model known intrusion methods and analyse system vulnerabilities, and then hand-code the corresponding rules according to a knowledge-based approach. Many of them target a specific system environment and monitoring method. As a result, the validity of these IDS is poor, and their extendibility and self-adaptability are limited too.

3. Model of IDS Based on Data Mining Technology

A. Concept of data mining
Data mining is the process of drawing valuable, previously unknown information and knowledge from data. Association rule mining is an important branch of data mining, used to find the correlation between the items of a dataset. Because association rules have a clean formalism that is easily understood and explained, and can effectively capture significant relationships, how to mine valuable association rules from large databases has become the most mature, most important and most active subject of study [4]. The topic of association rule mining is now highly valued by many scholars and research units in the realms of databases, artificial intelligence, statistics, detection information, visualization, information science etc., and many research results have been achieved in this field.

B. Model of association rule
The model of association rules is as follows. Let I = {i1, i2, ..., im} be the set of all items, D a transactional database, and T a transaction, which is a subset of the items (T ⊆ I). Each transaction possesses a unique transaction identifier. Let A be a set of items, called an itemset. T contains A if A ⊆ T. If A contains k items, it is known as a k-itemset. The percentage of the transactions in D that contain A is called the support of the itemset A. If the support of an itemset is greater than the minimum support threshold set by the user, the itemset is called a frequent itemset (or large itemset). An association rule is a logical form X ⇒ Y, where X ⊆ I, Y ⊆ I and X ∩ Y = ∅. If s% of the transactions in D contain X ∪ Y, the support of the association rule X ⇒ Y is s%; in effect, the support is a probability. If the support of itemset X is written support(X), the confidence of the association rule is support(X ∪ Y) / support(X). This is the conditional probability P(Y|X), that is:

$\mathrm{confidence}(X \Rightarrow Y) = \dfrac{\mathrm{support}(X \cup Y)}{\mathrm{support}(X)} = P(Y|X)$

C. Building of IDS model based on data mining technology
Making use of association rule mining, the relation between the execution of programs and the characteristics of the system reflected in the user's behaviour can be discovered [5], for example when the administrator alters the database. Accordingly the IDS obtains the statistical attributes of user behaviour through a model mined from historic actions, and adds these patterns to the intrusion database. The user's present behaviour is compared with the historic statistical attributes; an action that contradicts the security policy is intrusion behaviour. The process of intrusion detection based on data mining is shown in Fig. 2.

Fig. 2. Process of intrusion detection based on data mining.

As shown in Fig. 3, the model uses the data mining technique of association rules. The association rule mining technique adopts the following steps:
(1) Determine in advance the minimum support and minimum confidence thresholds;
(2) Find the frequent itemsets that satisfy these thresholds by the Apriori algorithm;
(3) Generate association rules from the frequent itemsets;
(4) Reject useless rules;
(5) Establish the intrusion classification model;
(6) Insert the newly created rules into the rule database in the manner of a decision tree.

Fig. 3. Model based on data mining technology.

D. Model application
Given the user database shown in TABLE 1:

TABLE 1 USER DATABASE
ID  TIME                  NAME  HOST IP       USER IP
1   2010.6.16 00:23:17AM  LIU   60.216.8.110  60.216.8.78
2   2010.6.16 04:08:32PM  WANG  60.216.8.110  60.216.8.94
3   2010.6.17 01:45:18AM  LIU   60.216.8.110  60.216.8.78
4   2010.6.18 06:11:33AM  LIU   60.216.8.110  60.216.8.78
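The following Python program is an added illustration, not code from the paper: it applies the support and confidence definitions of section B and the mining steps of section C to the four records of TABLE 1, treating each record as a transaction of attribute=value items (TIME reduced to its AM/PM part). It finds the frequent itemsets level by level (Apriori), derives rules X ⇒ Y with their support and confidence, and rejects rules below the minimum confidence; the thresholds 0.5 and 0.8 are chosen for the example.

```python
from itertools import combinations

# The four audit records of TABLE 1, each reduced to attribute=value items;
# TIME keeps only its AM/PM part, the attribute the paper's rule uses.
USER_DATABASE = [
    {"NAME": "LIU",  "TIME": "AM", "HOST IP": "60.216.8.110", "USER IP": "60.216.8.78"},
    {"NAME": "WANG", "TIME": "PM", "HOST IP": "60.216.8.110", "USER IP": "60.216.8.94"},
    {"NAME": "LIU",  "TIME": "AM", "HOST IP": "60.216.8.110", "USER IP": "60.216.8.78"},
    {"NAME": "LIU",  "TIME": "AM", "HOST IP": "60.216.8.110", "USER IP": "60.216.8.78"},
]

def to_transactions(records):
    # Each record becomes a transaction T, a set of items drawn from I.
    return [frozenset(f"{k}={v}" for k, v in r.items()) for r in records]

def support(itemset, transactions):
    # support(A): fraction of the transactions in D that contain A.
    return sum(1 for t in transactions if itemset <= t) / len(transactions)

def apriori(transactions, min_support):
    # Step (2), level-wise search: a k-itemset can only be frequent if all of its
    # (k-1)-subsets are, so candidates are joined and pruned from the previous level.
    level = {frozenset([i]) for t in transactions for i in t}
    level = {s for s in level if support(s, transactions) >= min_support}
    frequent = {s: support(s, transactions) for s in level}
    while level:
        joined = {a | b for a in level for b in level if len(a | b) == len(a) + 1}
        pruned = {c for c in joined
                  if all(frozenset(s) in level for s in combinations(c, len(c) - 1))}
        level = {c for c in pruned if support(c, transactions) >= min_support}
        frequent.update((c, support(c, transactions)) for c in level)
    return frequent

def association_rules(frequent, min_confidence):
    # Steps (3) and (4): split every frequent Z into X and Y = Z - X and keep
    # X => Y only if confidence(X => Y) = support(X u Y) / support(X) >= threshold.
    rules = {}
    for z, sup_z in frequent.items():
        for r in range(1, len(z)):
            for x in map(frozenset, combinations(z, r)):
                conf = sup_z / frequent[x]      # every subset of Z is frequent too
                if conf >= min_confidence:
                    rules[(x, z - x)] = (round(sup_z, 2), round(conf, 2))
    return rules

if __name__ == "__main__":
    found = association_rules(apriori(to_transactions(USER_DATABASE), 0.5), 0.8)
    for (x, y), (s, c) in sorted(found.items(), key=lambda kv: -kv[1][1]):
        print(sorted(x), "=>", sorted(y), "support", s, "confidence", c)
```

On these four rows the rule NAME=LIU ⇒ TIME=AM has support 0.75 and confidence 1.0, while HOST IP=60.216.8.110 ⇒ NAME=LIU has confidence 0.75 and is rejected as useless at the 0.8 threshold.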

Data mining gets the association rule as follows:

NAME=LIU ⇒ Time=AM; Host IP=60.216.8.110; USER IP=60.216.8.78 = {0.78, 0.55}

Rule analysis: the confidence that the user LIU logs on to the host with IP 60.216.8.110 in the morning is 78%, and the confidence that LIU logs on from the user computer with IP 60.216.8.78 is 55%.

E. Result classification analysis
An IDS based on data mining can forecast whether new audit data is normal or abnormal using the new rule items obtained from the classification algorithm. The key link of classification analysis is to choose the correct system characteristics. For example, from the association rule, if the frequency of a user logging on to the host with IP 60.216.8.110 in the afternoon exceeds the normal value in the morning, this user will be regarded as an illegal user and the user's actions will be given a classification mark. Similarly, different users will be given different classification marks. So the IDS accurately describes each class and mines classification rules, then uses these classification rules to classify records with the same attributes.
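The classification step above, as an added example that is not the paper's own code: a per-user, per-host profile of normal login counts per day in the morning and in the afternoon is built from historic audit records, and a new day of audit data is marked "normal", "illegal" or "unknown". All records are constructed (the first four historic rows mirror TABLE 1; the rest, and the user ZHAO, are assumed). The flagging rule is a slight generalization of the paper's example: a user is marked illegal when the login count in either period exceeds that user's normal value for the period, which for a morning-only user such as LIU flags the afternoon logins the paper describes.

```python
from collections import Counter, defaultdict

# Historic audit records (constructed): the first four are the rows of TABLE 1,
# the fifth extends WANG's afternoon habit over a second day.
HISTORY = [
    ("2010.6.16 00:23:17AM", "LIU",  "60.216.8.110"),
    ("2010.6.16 04:08:32PM", "WANG", "60.216.8.110"),
    ("2010.6.17 01:45:18AM", "LIU",  "60.216.8.110"),
    ("2010.6.18 06:11:33AM", "LIU",  "60.216.8.110"),
    ("2010.6.18 03:50:02PM", "WANG", "60.216.8.110"),
]
# One day of new audit data to classify (constructed); ZHAO has no history.
NEW_DAY = [
    ("2010.6.21 02:15:40PM", "LIU",  "60.216.8.110"),
    ("2010.6.21 05:40:09PM", "LIU",  "60.216.8.110"),
    ("2010.6.21 04:02:51PM", "WANG", "60.216.8.110"),
    ("2010.6.21 01:12:00AM", "ZHAO", "60.216.8.110"),
]

def parse(record):
    # Keep the date and only the AM/PM suffix, the characteristic the rule uses.
    stamp, user, host = record
    day, clock = stamp.split()
    return day, clock[-2:], user, host

def build_profile(history):
    # Normal value per (user, host): mean logins per active day, for AM and PM.
    totals, days = defaultdict(Counter), defaultdict(set)
    for day, period, user, host in map(parse, history):
        totals[(user, host)][period] += 1
        days[(user, host)].add(day)
    return {key: {p: totals[key][p] / len(days[key]) for p in ("AM", "PM")}
            for key in totals}

def classify(profile, new_records):
    # Mark each (user, host) seen today: "illegal" when today's logins in a period
    # exceed the normal value for that period, "unknown" without a profile, else "normal".
    today = defaultdict(Counter)
    for _, period, user, host in map(parse, new_records):
        today[(user, host)][period] += 1
    marks = {}
    for key, counts in today.items():
        if key not in profile:
            marks[key] = "unknown"
        elif any(counts[p] > profile[key][p] for p in ("AM", "PM")):
            marks[key] = "illegal"
        else:
            marks[key] = "normal"
    return marks
```

Calling classify(build_profile(HISTORY), NEW_DAY) marks LIU as illegal (two afternoon logins against a morning-only profile), WANG as normal and ZHAO as unknown.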

4. Summary
IDS based on data mining has become a hot spot that many scholars research. It is feasible to find the same relationship in user actions that have different attributes, to dispose of them by classification analysis according to the different purposes of the intrusive act, and so to apply data mining to the intrusion detection system. An IDS based on data mining not only improves intrusion detection efficiency but also has very strong scalability and adaptability.

References
[1] Yang Xiangrong, Song Qinbao, & Shen Junyi, "Research on the Intrusion Detection Technology and A System's Design [J]," Computer Engineering and Applications, vol. 16, pp. 1-4, 2001.
[2] Jin Wei, "Research of Intrusion Detection Technology [J]," Journal of Shandong Normal University (Natural Science), vol. 4, pp. 99-101, 2005.
[3] Jiao Yabing, "Analysis and Study of Instruction Detection System in Network [J]," Journal of Anyang Institute of Technology, vol. 8, pp. 44-47, 2006.
[4] Jiawei Han, & Micheline Kamber, Data Mining: Concepts and Techniques [M]. Beijing: China Machine Press, 2007.
[5] Hong Feilong, Fan Junbo, & He Da, "Research on Application of Data Mining in Intrusion Detection System [M]," Journal of Computer Applications, vol. 12, pp. 81-82, 2004.
