Identifying the most frequently attacked ports using association rule mining

International Journal of Computer Networks and Communications Security, VOL. 4, NO. 12, DECEMBER 2016, 336–342
Available online at:
E-ISSN 2308-9830 (Online) / ISSN 2410-0595 (Print)

DOAA HASSAN
Computers and Systems Department, National Telecommunication Institute, Cairo, 11768, Egypt
doaa@

ABSTRACT

The security events presented in the dataset of network intrusion detection systems (NIDS) provide useful information about various network attacks that are launched against the network. For each security event, different information can be extracted, including but not limited to the type of the event, the start and end time of the event, and the source and destination IP addresses and ports. In this paper, we propose a novel framework for mining the security events of the DARPA-2009 network intrusion detection dataset. Our approach relies on finding a correlation between a security event of the dataset and the destination port that is exploited by an attacker in order to hack the network, according to what the security event reports. The association rule mining technique has been used in this paper to discover such correlation, since it is widely used to find strong correlations between features of massive datasets in terms of generated rules.
Thus, the proposed framework aims to discover the destination ports that are most frequently exploited by an attacker to launch a network attack, according to the generated rules. This can save the time required to manually categorize destination ports in view of the security events reported in the dataset. Moreover, it can be very useful in creating various security policies for blocking the ports that can be used as back-doors by the attacker to illegally access the network. Various sets of rules have been generated using association rules based on the Apriori algorithm for the experimental analysis of the proposed approach.
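
The event-to-port rule mining described in the abstract, sketched as an added example (not the paper's code): a compact level-wise Apriori over constructed event records, keeping only rules whose consequent is a destination port. The sample records, function names and thresholds are assumptions chosen for illustration.

```python
from itertools import combinations

# Constructed sample records (not DARPA-2009 data): (event type, destination port)
EVENTS = [
    ("syn_flood", 80), ("syn_flood", 80), ("syn_flood", 80), ("syn_flood", 443),
    ("ssh_bruteforce", 22), ("ssh_bruteforce", 22), ("ssh_bruteforce", 22),
    ("port_scan", 22), ("port_scan", 80), ("port_scan", 3389),
]

def to_transactions(events):
    """Encode each record as a set of attribute=value items."""
    return [frozenset({f"event={e}", f"dport={p}"}) for e, p in events]

def apriori(transactions, min_support):
    """Level-wise Apriori: return {itemset: support} for all frequent itemsets."""
    n = len(transactions)
    def keep(cands):
        scored = {c: sum(c <= t for t in transactions) / n for c in cands}
        return {c: s for c, s in scored.items() if s >= min_support}
    level = keep({frozenset([i]) for t in transactions for i in t})
    frequent, k = {}, 1
    while level:
        frequent.update(level)
        k += 1
        # Join step: union pairs of frequent (k-1)-itemsets into k-itemsets.
        cands = {a | b for a in level for b in level if len(a | b) == k}
        # Prune step: every (k-1)-subset of a candidate must itself be frequent.
        cands = {c for c in cands
                 if all(frozenset(s) in level for s in combinations(c, k - 1))}
        level = keep(cands)
    return frequent

def port_rules(events, min_support=0.2, min_confidence=0.7):
    """Rules 'antecedent -> dport=X', sorted by confidence, then support."""
    frequent = apriori(to_transactions(events), min_support)
    rules = []
    for itemset, sup in frequent.items():
        for item in itemset:
            antecedent = itemset - {item}
            if item.startswith("dport=") and antecedent:
                # confidence = support(antecedent and port) / support(antecedent)
                conf = sup / frequent[antecedent]
                if conf >= min_confidence:
                    rules.append((sorted(antecedent), item, round(sup, 2), round(conf, 2)))
    return sorted(rules, key=lambda r: (-r[3], -r[2]))

if __name__ == "__main__":
    for antecedent, port, sup, conf in port_rules(EVENTS):
        print(f"{antecedent} -> {port}  support={sup} confidence={conf}")
```

Events that spread across many ports, such as the constructed port-scan records here, yield no rule, which is why the support and confidence thresholds decide which ports end up as blocking candidates.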
