Characterizing network traffic by means of the NetMine framework

To link to full-text access for this article, visit this link: http://dx.doi.org/10.1016/j.comnet.2008.12.011 Byline: Daniele Apiletti, Elena Baralis, Tania Cerquitelli, Vincenzo D'Elia Keywords: Network traffic characterization; Network data analysis; Generalized association rules Abstract: The NetMine framework allows the characterization of traffic data by means of data mining techniques. NetMine performs generalized association rule extraction to profile communications, detect anomalies, and identify recurrent patterns. Association rule extraction is a widely used exploratory technique to discover hidden correlations among data. However, it is usually driven by frequency constraints on the extracted correlations. Hence, it entails (i) generating a huge number of rules which are difficult to analyze, or (ii) pruning rare itemsets even if their hidden knowledge might be relevant. To overcome these issues NetMine exploits a novel algorithm to efficiently extract generalized association rules, which provide a high level abstraction of the network traffic and allows the discovery of unexpected and more interesting traffic rules. The proposed technique exploits (user provided) taxonomies to drive the pruning phase of the extraction process. Extracted correlations are automatically aggregated in more general association rules according to a frequency threshold. Eventually, extracted rules are classified into groups according to their semantic meaning, thus allowing a domain expert to focus on the most relevant patterns. Experiments performed on different network dumps showed the efficiency and effectiveness of the NetMine framework to characterize traffic data. Author Affiliation: Politecnico di Torino, Dipartimento di Authomatica Informatica, Corso Duca degli Abruzzi, 24, 10129 Torino, Italy