Anomaly detection for PTM´s network traffic using association rule

In order to evaluate the quality of UKM´s NIDS, this paper presents the process of analyzing network traffic captured by Pusat Teknologi Maklumat (PTM) to detect whether it has any anomalies or not and to produce corresponding anomaly rules to be included in an update of UKM´s NIDS. The network traffic data was collected using WireShark for three days, using the six most common network attributes. The experiment used three association rule data mining techniques known as Appriori, Fuzzy Appriori and FP-Growth based on two, five and ten second window slicing. Out of the four data-sets, data-sets one and two were detected to have anomalies. The results show that the Fuzzy Appriori algorithm presented the best quality result, while FP-Growth presented a faster time to reach a solution. The data-sets, which was pre-processed in the form of two second window slicing displayed better results. This research outlines the steps that can be utilized by an organization to capture and detect anomalies using association rule data mining techniques to enhance the quality their of NIDS.