Association rule mining Why Association Rules Some security
- Slides: 21
Association rule mining
Why Association Rules? Some security applications Malware detection [e. g. Ding et al. Computers & Security 2013] Hypothesis: malicious behavior exhibited by system calls. Data: API calls and frequencies: Obtained from Windows PE head file Stepping-stone detection [e. g. Hsiao et al. Sec. and Comm. Networks 2013] Stepping stones are intermediate hosts on the path from an hacker to a victim Network connection records: Each transaction contains a number of pairs (s, t) where s, t are IP addresses, s – source, t - destination
Outline Basic Concepts Frequent Itemset Mining Methods Which Patterns Are Interesting? —Pattern Evaluation Methods Summary
What Is Frequent Pattern Analysis? Frequent pattern: a pattern (a set of items, subsequences, substructures, etc. ) that occurs frequently in a data set First proposed by Agrawal, Imielinski, and Swami [AIS 93] in the context of frequent itemsets and association rule mining Motivation: Finding inherent regularities in data What products were often purchased together? — Beer and diapers? ! What are the subsequent purchases after buying a PC? What kinds of DNA are sensitive to this new drug? Can we automatically classify web documents? Applications Basket data analysis, cross-marketing, catalog design, sale campaign analysis, Web log (click stream) analysis, and DNA sequence analysis. 4
Why Is Freq. Pattern Mining Important? Freq. pattern: An intrinsic and important property of datasets Foundation for many essential data mining tasks Association, correlation, and causality analysis Sequential, structural (e. g. , sub-graph) patterns Pattern analysis in spatiotemporal, multimedia, time-series, and stream data Classification: discriminative, frequent pattern analysis Cluster analysis: frequent pattern-based clustering Data warehousing: iceberg cube and cube-gradient Semantic data compression: fascicles Broad applications 5
Basic Concepts: Frequent Patterns Tid Items bought 10 Beer, Nuts, Diaper 20 Beer, Coffee, Diaper 30 Beer, Diaper, Eggs 40 Nuts, Eggs, Milk 50 Nuts, Coffee, Diaper, Eggs, Milk Customer buys both Customer buys diaper Customer buys beer itemset: A set of one or more items k-itemset X = {x 1, …, xk} (absolute) support, or, support count of X: Frequency or occurrence of an itemset X (relative) support, s, is the fraction of transactions that contains X (i. e. , the probability that a transaction contains X) An itemset X is frequent if X’s support is no less than a minsup 6 threshold
Basic Concepts: Association Rules Tid Items bought 10 Beer, Nuts, Diaper 20 Beer, Coffee, Diaper 30 Beer, Diaper, Eggs 40 50 Nuts, Eggs, Milk Nuts, Coffee, Diaper, Eggs, Milk Customer buys both Customer buys beer Customer buys diaper Find all the rules X Y with minimum support and confidence support, s, probability that a transaction contains X Y confidence, c, conditional probability that a transaction having X also contains Y Let minsup = 50%, minconf = 50% Freq. Pat. : Beer: 3, Nuts: 3, Diaper: 4, Eggs: 3, {Beer, Diaper}: 3 n Association rules: (many more!) n Beer Diaper (60%, 100%) 7 n Diaper Beer (60%, 75%)
Closed Patterns and Max-Patterns A long pattern contains a combinatorial number of subpatterns, e. g. , {a 1, …, a 100} contains (1001) + (1002) + … + (110000) = 2100 – 1 = 1. 27*1030 sub-patterns! Solution: Mine closed patterns and max-patterns instead An itemset X is closed if X is frequent and there exists no super-pattern Y כ X, with the same support as X (proposed by Pasquier, et al. @ ICDT’ 99) An itemset X is a max-pattern if X is frequent and there exists no frequent super-pattern Y כ X (proposed by Bayardo @ SIGMOD’ 98) Closed pattern is a lossless compression of freq. patterns Reducing the # of patterns and rules 8
Closed Patterns and Max-Patterns Exercise: Suppose a DB contains only two transactions <a 1, …, a 100>, <a 1, …, a 50> Let min_sup = 1 What is the set of closed itemset? {a 1, …, a 100}: 1 {a 1, …, a 50}: 2 What is the set of max-pattern? {a 1, …, a 100}: 1 What is the set of all patterns? {a 1}: 2, …, {a 1, a 2}: 2, …, {a 1, a 51}: 1, …, {a 1, a 2, …, a 100}: 1 A big number: 2100 - 1? Why? 9
The Downward Closure Property and Scalable Mining Methods The downward closure property of frequent patterns Any subset of a frequent itemset must be frequent If {beer, diaper, nuts} is frequent, so is {beer, diaper} i. e. , every transaction having {beer, diaper, nuts} also contains {beer, diaper} Scalable mining methods: Three major approaches Apriori (Agrawal & Srikant@VLDB’ 94) Freq. pattern growth (FPgrowth—Han, Pei & Yin @SIGMOD’ 00) Vertical data format approach (Charm—Zaki & Hsiao @SDM’ 02) 10
Apriori: A Candidate Generation & Test Approach Apriori pruning principle: If there is any itemset which is infrequent, its superset should not be generated/tested! (Agrawal & Srikant @VLDB’ 94, Mannila, et al. @ KDD’ 94) Method: Initially, scan DB once to get frequent 1 -itemset Generate length (k+1) candidate itemsets from length k frequent itemsets Test the candidates against DB Terminate when no frequent or candidate set can be generated 11
The Apriori Algorithm—An Example Database TDB Tid Items 10 A, C, D 20 B, C, E 30 A, B, C, E 40 B, E Supmin = 2 Itemset {A, C} {B, E} {C, E} sup {A} 2 {B} 3 {C} 3 {D} 1 {E} 3 C 1 1 st scan C 2 L 2 Itemset sup 2 2 3 2 Itemset {A, B} {A, C} {A, E} {B, C} {B, E} {C, E} sup 1 2 3 2 L 1 Itemset sup {A} 2 {B} 3 {C} 3 {E} 3 C 2 2 nd scan Itemset {A, B} {A, C} {A, E} {B, C} {B, E} {C, E} C 3 Itemset {B, C, E} 3 rd scan L 3 Itemset sup {B, C, E} 2 12
The Apriori Algorithm (Pseudo-Code) Ck: Candidate itemset of size k Lk : frequent itemset of size k L 1 = {frequent items}; for (k = 1; Lk != ; k++) do begin Ck+1 = candidates generated from Lk; for each transaction t in database do increment the count of all candidates in Ck+1 that are contained in t Lk+1 = candidates in Ck+1 with min_support end return k Lk; 13
Implementation of Apriori How to generate candidates? Step 1: self-joining Lk Step 2: pruning Example of Candidate-generation L 3={abc, abd, ace, bcd} Self-joining: L 3*L 3 abcd from abc and abd acde from acd and ace Pruning: acde is removed because ade is not in L 3 C 4 = {abcd} 14
How to Count Supports of Candidates? Why counting supports of candidates a problem? The total number of candidates can be very huge One transaction may contain many candidates Method: Candidate itemsets are stored in a hash-tree Leaf node of hash-tree contains a list of itemsets and counts Interior node contains a hash table Subset function: finds all the candidates contained in a transaction 15
Counting Supports of Candidates Using Hash Tree Subset function 3, 6, 9 1, 4, 7 Transaction: 1 2 3 5 6 2, 5, 8 1+2356 234 567 13+56 145 136 12+356 124 457 125 458 345 356 357 689 367 368 159 16
Support and Confidence Support count: The support count of an itemset X, denoted by X. count, in a data set T is the number of transactions in T that contain X. Assume T has n transactions. Then, 17
Generating rules from frequent itemsets. Frequent itemsets association rules One more step is needed to generate association rules For each frequent itemset X, For each proper nonempty subset A of X, Let B = X - A A B is an association rule if Confidence(A B) ≥ minconf, support(A B) = support(A B) = support(X) confidence(A B) = support(A B) / support(A) 18
Generating rules: an example Suppose {2, 3, 4} is frequent, with sup=50% Proper nonempty subsets: {2, 3}, {2, 4}, {3, 4}, {2}, {3}, {4}, with sup=50%, 75%, 75% respectively These generate these association rules: 4, 2, 4 3, 4 2, 2 3, 4, 3 2, 4, 4 2, 3, 2, 3 confidence=100% confidence=67% All rules have support = 50% 19
Generating rules: summary B) and To recap, in order to obtain A B, we need to have support(A) All the required information for confidence computation has already been recorded in itemset generation. No need to see the data T any more. This step is not as time-consuming as frequent itemsets generation. 20
Reference CS 583 - Data Mining and Text Mining by professor Bing Liu http: //www. cs. uic. edu/~liub/teach/cs 583 -spring-14/cs 583. html
- Association rule mining tutorial
- Integrating classification and association rule mining
- Association rule definition
- Association rule mining definition
- What is association mining
- Pictures
- Fast algorithms for mining association rules
- Fast algorithms for mining association rules
- Association rules in data mining
- Association rules in data mining
- Association analysis advanced concepts
- Association rules in data mining
- Fast algorithms for mining association rules
- Fast algorithms for mining association rules
- Private securit
- Strip mining vs open pit mining
- Chapter 13 mineral resources and mining
- Difference between strip mining and open pit mining
- Web text mining
- Mining multimedia databases
- Eck
- Kelvin rodolfo