Network anomaly detection tools based on association rules

Zulaiha Ali Othman, Entisar E. Eljadi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

With the growth of computer networks, the number of attacks posing serious security risks to networks has grown extensively. Many organizations face the problem of detecting whether or not there is an anomaly in their network transactions. The Network Intrusion Detection System (NIDS) is one of the popular tools used to secure and protect networks; to secure a network, the signature rules in the NIDS must be kept updated with the latest signature detection rules. This research therefore aims to develop a network anomaly detection tool that applies association rule data mining techniques both to detect anomalies and to produce anomaly detection rules. The tool, named NASSR, consists of the following functions: pre-processing of the raw network transaction data captured using Wireshark and transforming it into three types of data sets (2, 5 and 10 seconds), min-max normalization, and mining (Apriori, Fuzzy Apriori and FP-Growth). Anomaly detection is performed by comparing the result against a normal network data set, which is validated by CACE tools. A data set is determined to have no intrusion if its similarity result is higher than the user threshold, and vice versa. This paper also presents the interface tools used to analyse the 7GB real network data set obtained from Pusat Teknologi Maklumat (PTM), Universiti Kebangsaan Malaysia (UKM), which consists of three days' accumulated network traffic, and presents the data sets that contain anomalies together with their rules. The best result shows that the best pre-processing technique is the two-second form. Fuzzy Apriori gives the most accurate result, while FP-Growth is shown to be the faster mining technique. The tools can easily be used to detect anomalies in any network traffic.
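As an added illustration of the pipeline the abstract describes (example code written here, not NASSR's own implementation): packets are grouped into fixed two-second windows, packet length is min-max normalised against the range of a known-normal capture and bucketed, each packet becomes a transaction of categorical items, a plain Apriori pass mines frequent itemsets and confidence-filtered rules, and the window's rule set is scored against the baseline rule set with a user threshold deciding "normal" versus "anomaly". The packet records, the choice of features (protocol, port class, length bucket) and the use of Jaccard overlap of rule sets as the similarity score are all assumptions made for this example; the paper's Fuzzy Apriori and FP-Growth variants and its CACE-validated baseline are not reproduced.

```python
from collections import Counter
from itertools import combinations

# --- constructed sample input (not from the paper) -------------------------
# Packet records as (timestamp_s, protocol, dst_port, length_bytes), roughly
# what a Wireshark export of a small web/DNS client would look like.
BASELINE = [
    (0.1, "TCP", 443, 1200), (0.4, "TCP", 443, 1100), (0.9, "UDP", 53, 80),
    (1.3, "TCP", 443, 1300), (1.7, "UDP", 53, 90), (1.9, "TCP", 80, 900),
    (2.2, "TCP", 443, 1250), (2.6, "UDP", 53, 85), (2.8, "TCP", 443, 1150),
    (3.1, "TCP", 80, 950), (3.5, "TCP", 443, 1200), (3.9, "UDP", 53, 88),
]
# Constructed window of many tiny TCP packets to consecutive high ports,
# a traffic shape that differs from the baseline in every feature.
SUSPECT = [(0.1 * i, "TCP", 3000 + i, 60) for i in range(12)]


def windows(records, size_s):
    """Split records into consecutive fixed-length time windows (2/5/10 s in the paper)."""
    buckets = {}
    for rec in records:
        buckets.setdefault(int(rec[0] // size_s), []).append(rec)
    return [buckets[k] for k in sorted(buckets)]


def minmax(value, lo, hi):
    """Min-max normalisation to [0, 1] using the baseline's range, clamped."""
    if hi == lo:
        return 0.0
    return min(1.0, max(0.0, (value - lo) / (hi - lo)))


def to_items(rec, len_lo, len_hi):
    """Discretise one packet into a transaction (set of categorical items). Assumed features."""
    _, proto, port, length = rec
    n = minmax(length, len_lo, len_hi)
    size = "len=lo" if n <= 1 / 3 else "len=mid" if n <= 2 / 3 else "len=hi"
    return frozenset({f"proto={proto}", "port=low" if port < 1024 else "port=high", size})


def apriori(transactions, min_support):
    """Return {itemset: count} for itemsets with support >= min_support (plain Apriori)."""
    n = len(transactions)
    min_count = min_support * n
    items = {i for t in transactions for i in t}
    frequent = {}
    candidates = [frozenset([i]) for i in items]
    k = 1
    while candidates:
        counts = Counter()
        for t in transactions:
            for c in candidates:
                if c <= t:
                    counts[c] += 1
        level = {c: cnt for c, cnt in counts.items() if cnt >= min_count}
        frequent.update(level)
        # Candidate generation: join frequent k-itemsets into (k+1)-itemsets.
        k += 1
        prev = sorted(level, key=sorted)
        candidates = sorted({a | b for a, b in combinations(prev, 2) if len(a | b) == k}, key=sorted)
    return frequent


def rules(frequent, min_conf):
    """Derive association rules A -> B with confidence >= min_conf from frequent itemsets."""
    out = set()
    for itemset, count in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                # Every subset of a frequent itemset is frequent, so the lookup succeeds.
                if count / frequent[ante] >= min_conf:
                    out.add((ante, itemset - ante))
    return out


def jaccard(a, b):
    """Similarity of two rule sets (an assumed measure; the paper does not name one)."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def build_baseline(records, min_support=0.3, min_conf=0.8):
    """Mine the rule set of the normal capture and remember its length range."""
    lengths = [r[3] for r in records]
    len_range = (min(lengths), max(lengths))
    trans = [to_items(r, *len_range) for r in records]
    return rules(apriori(trans, min_support), min_conf), len_range


def classify(window_recs, baseline_rules, len_range, threshold, min_support=0.3, min_conf=0.8):
    """NASSR-style decision: similarity above the user threshold means no intrusion."""
    trans = [to_items(r, *len_range) for r in window_recs]
    sim = jaccard(rules(apriori(trans, min_support), min_conf), baseline_rules)
    return sim, ("normal" if sim > threshold else "anomaly")


if __name__ == "__main__":
    base_rules, len_range = build_baseline(BASELINE)
    for w in windows(BASELINE, 2):
        print("baseline window:", classify(w, base_rules, len_range, 0.5))
    print("suspect window:", classify(SUSPECT, base_rules, len_range, 0.5))
```

Normalising every window against the baseline's own min/max (rather than each window's) matters: a window of uniformly tiny packets would otherwise be stretched across the full [0, 1] range and look like ordinary traffic. The threshold, support and confidence values are the knobs a user tunes, exactly as the abstract's "user threshold" suggests.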

Original language: English
Title of host publication: Proceedings of the 2011 International Conference on Electrical Engineering and Informatics, ICEEI 2011
DOI: 10.1109/ICEEI.2011.6021705
Publication status: Published - 2011
Event: 2011 International Conference on Electrical Engineering and Informatics, ICEEI 2011, Bandung
Duration: 17 Jul 2011 to 19 Jul 2011

Fingerprint

  • Association rules
  • Intrusion detection
  • Processing
  • Computer networks
  • Data mining

Keywords

  • Association Rules Techniques
  • Data Mining
  • network intrusion detection system (NIDS)

ASJC Scopus subject areas

  • Information Systems
  • Electrical and Electronic Engineering

Cite this

Ali Othman, Z., & Eljadi, E. E. (2011). Network anomaly detection tools based on association rules. In Proceedings of the 2011 International Conference on Electrical Engineering and Informatics, ICEEI 2011 [6021705] https://doi.org/10.1109/ICEEI.2011.6021705

@inproceedings{8384b2837c314f278ad3eef72ca20397,
title = "Network anomaly detection tools based on association rules",
keywords = "Association Rules Techniques, Data Mining, network intrusion detection system (NIDS)",
author = "{Ali Othman}, Zulaiha and Eljadi, {Entisar E.}",
year = "2011",
doi = "10.1109/ICEEI.2011.6021705",
language = "English",
isbn = "9781457707520",
booktitle = "Proceedings of the 2011 International Conference on Electrical Engineering and Informatics, ICEEI 2011",

}
