Association rule mining

Why Association Rules? Some security applications

- Malware detection [e.g., Ding et al., Computers & Security 2013]
  - Hypothesis: malicious behavior is exhibited through system calls
  - Data: API calls and their frequencies, obtained from the Windows PE header file
- Stepping-stone detection [e.g., Hsiao et al., Security and Communication Networks 2013]
  - Stepping stones are intermediate hosts on the path from a hacker to a victim
  - Data: network connection records; each transaction contains a number of pairs (s, t), where s and t are IP addresses, s the source and t the destination

Outline

- Basic Concepts
- Frequent Itemset Mining Methods
- Which Patterns Are Interesting? — Pattern Evaluation Methods
- Summary

What Is Frequent Pattern Analysis?

- Frequent pattern: a pattern (a set of items, subsequences, substructures, etc.) that occurs frequently in a data set
- First proposed by Agrawal, Imielinski, and Swami [AIS 93] in the context of frequent itemsets and association rule mining
- Motivation: finding inherent regularities in data
  - What products were often purchased together? Beer and diapers?!
  - What are the subsequent purchases after buying a PC?
  - What kinds of DNA are sensitive to this new drug?
  - Can we automatically classify web documents?
- Applications: basket data analysis, cross-marketing, catalog design, sales campaign analysis, web log (click stream) analysis, and DNA sequence analysis

Why Is Frequent Pattern Mining Important?

- Frequent patterns are an intrinsic and important property of datasets
- Foundation for many essential data mining tasks:
  - Association, correlation, and causality analysis
  - Sequential and structural (e.g., sub-graph) patterns
  - Pattern analysis in spatiotemporal, multimedia, time-series, and stream data
  - Classification: discriminative frequent pattern analysis
  - Cluster analysis: frequent pattern-based clustering
  - Data warehousing: iceberg cubes and cube gradients
  - Semantic data compression: fascicles
- Broad applications

Basic Concepts: Frequent Patterns

  Tid   Items bought
  10    Beer, Nuts, Diaper
  20    Beer, Coffee, Diaper
  30    Beer, Diaper, Eggs
  40    Nuts, Eggs, Milk
  50    Nuts, Coffee, Diaper, Eggs, Milk

(Figure: Venn diagram of customers who buy beer, customers who buy diapers, and customers who buy both.)

- Itemset: a set of one or more items
- k-itemset: X = {x1, …, xk}
- (Absolute) support, or support count, of X: the frequency, i.e., the number of occurrences, of itemset X
- (Relative) support s: the fraction of transactions that contain X (i.e., the probability that a transaction contains X)
- An itemset X is frequent if X's support is no less than a minsup threshold
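
A minimal Python sketch (names are mine, not the slides') making these definitions concrete on the toy table above:

    transactions = [
        {"Beer", "Nuts", "Diaper"},                    # Tid 10
        {"Beer", "Coffee", "Diaper"},                  # Tid 20
        {"Beer", "Diaper", "Eggs"},                    # Tid 30
        {"Nuts", "Eggs", "Milk"},                      # Tid 40
        {"Nuts", "Coffee", "Diaper", "Eggs", "Milk"},  # Tid 50
    ]

    def support_count(X, db):
        """Absolute support: number of transactions containing itemset X."""
        return sum(1 for t in db if X <= t)

    def support(X, db):
        """Relative support: fraction of transactions containing X."""
        return support_count(X, db) / len(db)

    minsup = 0.5
    X = {"Beer", "Diaper"}
    print(support_count(X, transactions))      # 3
    print(support(X, transactions) >= minsup)  # True: {Beer, Diaper} is frequent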

Basic Concepts: Association Rules

(Same transaction table and diagram as on the previous slide.)

- Find all rules X → Y with minimum support and confidence
  - Support s: the probability that a transaction contains X ∪ Y
  - Confidence c: the conditional probability that a transaction containing X also contains Y
- Let minsup = 50%, minconf = 50%
- Frequent patterns: Beer: 3, Nuts: 3, Diaper: 4, Eggs: 3, {Beer, Diaper}: 3
- Association rules (among many more):
  - Beer → Diaper (support 60%, confidence 100%)
  - Diaper → Beer (support 60%, confidence 75%)
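
Confidence is a ratio of two support counts; a small sketch in the same vein, reusing the transactions list from the sketch above and checking the two rules just listed:

    def rule_stats(A, B, db):
        """Support and confidence of the rule A -> B."""
        n = len(db)
        both = sum(1 for t in db if A | B <= t)  # transactions containing A ∪ B
        ante = sum(1 for t in db if A <= t)      # transactions containing A
        return both / n, both / ante

    print(rule_stats({"Beer"}, {"Diaper"}, transactions))  # (0.6, 1.0)
    print(rule_stats({"Diaper"}, {"Beer"}, transactions))  # (0.6, 0.75)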

Closed Patterns and Max-Patterns

- A long pattern contains a combinatorial number of sub-patterns; e.g., {a1, …, a100} contains C(100,1) + C(100,2) + … + C(100,100) = 2^100 − 1 ≈ 1.27 × 10^30 sub-patterns!
- Solution: mine closed patterns and max-patterns instead
- An itemset X is closed if X is frequent and there exists no super-pattern Y ⊃ X with the same support as X (proposed by Pasquier et al. @ ICDT'99)
- An itemset X is a max-pattern if X is frequent and there exists no frequent super-pattern Y ⊃ X (proposed by Bayardo @ SIGMOD'98)
- A closed pattern is a lossless compression of frequent patterns, reducing the number of patterns and rules
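
Both definitions can be checked mechanically once all frequent itemsets and their supports are known; a sketch, assuming freq maps each frequent itemset to its support count:

    def closed_patterns(freq):
        """X is closed if no proper superset in freq has the same support."""
        return {X for X in freq
                if not any(X < Y and freq[Y] == freq[X] for Y in freq)}

    def max_patterns(freq):
        """X is maximal if no proper superset is frequent at all."""
        return {X for X in freq if not any(X < Y for Y in freq)}

    # Tiny demo: transactions {a, b} and {a}, min_sup = 1.
    freq = {frozenset("a"): 2, frozenset("b"): 1, frozenset("ab"): 1}
    print(closed_patterns(freq))  # {a}: 2 and {a, b}: 1 are closed; {b} is not
    print(max_patterns(freq))     # only {a, b} is maximal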

Closed Patterns and Max-Patterns

Exercise: suppose a DB contains only two transactions, <a1, …, a100> and <a1, …, a50>, with min_sup = 1.

- What is the set of closed itemsets?
  - {a1, …, a100}: 1
  - {a1, …, a50}: 2
- What is the set of max-patterns?
  - {a1, …, a100}: 1
- What is the set of all patterns?
  - {a1}: 2, …, {a1, a2}: 2, …, {a1, a51}: 1, …, {a1, a2, …, a100}: 1
  - A big number: 2^100 − 1. Why? Every nonempty subset of <a1, …, a100> occurs at least once.
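
The exercise can be verified by brute force on a scaled-down instance (10 and 5 items instead of 100 and 50); a sketch:

    from itertools import combinations

    # Scaled-down DB: <a1, ..., a10> and <a1, ..., a5>, min_sup = 1.
    t1 = {f"a{i}" for i in range(1, 11)}
    t2 = {f"a{i}" for i in range(1, 6)}
    db = [t1, t2]

    # Enumerate every itemset over the 10 items and keep the frequent ones.
    freq = {}
    for k in range(1, len(t1) + 1):
        for items in combinations(sorted(t1), k):
            X = frozenset(items)
            sup = sum(1 for t in db if X <= t)
            if sup >= 1:
                freq[X] = sup

    closed = {X for X in freq
              if not any(X < Y and freq[Y] == freq[X] for Y in freq)}
    maximal = {X for X in freq if not any(X < Y for Y in freq)}

    print(len(freq))     # 1023 = 2^10 - 1: every nonempty subset of t1
    print(len(closed))   # 2: {a1..a10} with support 1, {a1..a5} with support 2
    print(len(maximal))  # 1: {a1..a10}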

The Downward Closure Property and Scalable Mining Methods

- The downward closure property of frequent patterns: any subset of a frequent itemset must be frequent
  - If {beer, diaper, nuts} is frequent, so is {beer, diaper}: every transaction having {beer, diaper, nuts} also contains {beer, diaper}
- Scalable mining methods: three major approaches
  - Apriori (Agrawal & Srikant @ VLDB'94)
  - Frequent pattern growth (FPGrowth; Han, Pei & Yin @ SIGMOD'00)
  - Vertical data format approach (Charm; Zaki & Hsiao @ SDM'02)

Apriori: A Candidate Generation & Test Approach

- Apriori pruning principle: if any itemset is infrequent, its supersets should not be generated or tested! (Agrawal & Srikant @ VLDB'94; Mannila et al. @ KDD'94)
- Method:
  - Initially, scan the DB once to get the frequent 1-itemsets
  - Generate length-(k+1) candidate itemsets from the length-k frequent itemsets
  - Test the candidates against the DB
  - Terminate when no frequent or candidate set can be generated

The Apriori Algorithm—An Example

Database TDB (min_sup = 2):
  Tid   Items
  10    A, C, D
  20    B, C, E
  30    A, B, C, E
  40    B, E

C1 (1st scan): {A}: 2, {B}: 3, {C}: 3, {D}: 1, {E}: 3
L1: {A}: 2, {B}: 3, {C}: 3, {E}: 3

C2 (2nd scan): {A,B}: 1, {A,C}: 2, {A,E}: 1, {B,C}: 2, {B,E}: 3, {C,E}: 2
L2: {A,C}: 2, {B,C}: 2, {B,E}: 3, {C,E}: 2

C3 (3rd scan): {B,C,E}: 2
L3: {B,C,E}: 2

The Apriori Algorithm (Pseudo-Code)

Ck: candidate itemsets of size k
Lk: frequent itemsets of size k

  L1 = {frequent items};
  for (k = 1; Lk != ∅; k++) do begin
      Ck+1 = candidates generated from Lk;
      for each transaction t in the database do
          increment the count of all candidates in Ck+1 that are contained in t;
      Lk+1 = candidates in Ck+1 with min_support;
  end
  return ∪k Lk;
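
A runnable Python rendering of the pseudocode, as a minimal sketch; the candidate generation is the join-and-prune step described on the next slide, written compactly:

    from itertools import combinations

    def support_count(X, db):
        return sum(1 for t in db if X <= t)

    def apriori(db, min_sup):
        """db: list of sets; min_sup: absolute support count threshold.
        Returns a dict mapping each frequent itemset to its support."""
        result = {}
        Lk = {}  # L1: frequent 1-itemsets
        for x in {x for t in db for x in t}:
            s = support_count(frozenset([x]), db)
            if s >= min_sup:
                Lk[frozenset([x])] = s
        k = 1
        while Lk:
            result.update(Lk)
            prev = set(Lk)
            # Join: union pairs of frequent k-itemsets into (k+1)-itemsets
            cands = {a | b for a in prev for b in prev if len(a | b) == k + 1}
            # Prune: every k-subset of a candidate must itself be frequent
            cands = {c for c in cands
                     if all(frozenset(sub) in prev for sub in combinations(c, k))}
            # One DB scan counts the surviving candidates
            Lk = {}
            for c in cands:
                s = support_count(c, db)
                if s >= min_sup:
                    Lk[c] = s
            k += 1
        return result

    # The TDB example above with min_sup = 2 ends with {B, C, E}: 2
    db = [{"A", "C", "D"}, {"B", "C", "E"}, {"A", "B", "C", "E"}, {"B", "E"}]
    for X, s in sorted(apriori(db, 2).items(),
                       key=lambda p: (len(p[0]), sorted(p[0]))):
        print(sorted(X), s)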

Implementation of Apriori

How to generate candidates?
- Step 1: self-join Lk with itself
- Step 2: prune

Example of candidate generation:
- L3 = {abc, abd, acd, ace, bcd}
- Self-join: L3 * L3
  - abcd from abc and abd
  - acde from acd and ace
- Pruning: acde is removed because ade is not in L3
- C4 = {abcd}
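
The same two steps written out directly, with the slide's L3 as the test case; the join merges pairs of k-itemsets that agree on their first k-1 items (in lexicographic order), as in the original algorithm:

    from itertools import combinations

    def apriori_gen(Lk, k):
        """Generate C(k+1) from Lk: self-join, then prune."""
        Lk = {frozenset(x) for x in Lk}
        ordered = sorted(tuple(sorted(x)) for x in Lk)
        joined = set()
        # Step 1: self-join -- merge pairs agreeing on the first k-1 items
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if a[:k - 1] == b[:k - 1]:
                    joined.add(frozenset(a) | frozenset(b))
        # Step 2: prune -- drop candidates with an infrequent k-subset
        return {c for c in joined
                if all(frozenset(sub) in Lk for sub in combinations(c, k))}

    L3 = ["abc", "abd", "acd", "ace", "bcd"]
    print(apriori_gen(L3, 3))
    # {frozenset({'a', 'b', 'c', 'd'})} -- acde was pruned (ade not in L3)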

How to Count Supports of Candidates?

Why is counting the supports of candidates a problem?
- The total number of candidates can be huge
- One transaction may contain many candidates

Method:
- Candidate itemsets are stored in a hash tree
- A leaf node of the hash tree contains a list of itemsets and counts
- An interior node contains a hash table
- Subset function: finds all the candidates contained in a transaction
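
A real hash tree takes some machinery; the sketch below is a simplified stand-in for the subset function that plays the same role, probing a hashed candidate set with every k-subset of a transaction. (The hash tree's advantage is avoiding the enumeration of all k-subsets when few candidates can match.)

    from itertools import combinations

    def count_candidates(db, candidates, k):
        """Count the support of each k-itemset candidate."""
        cand_set = {frozenset(c) for c in candidates}
        counts = {c: 0 for c in cand_set}
        for t in db:
            for sub in combinations(sorted(t), k):  # k-subsets of transaction
                s = frozenset(sub)
                if s in cand_set:
                    counts[s] += 1
        return counts

    # The transaction {1, 2, 3, 5, 6} from the figure on the next slide:
    cands = [{2, 3, 4}, {1, 3, 6}, {1, 2, 5}, {3, 5, 6}, {5, 6, 7}]
    print(count_candidates([{1, 2, 3, 5, 6}], cands, 3))
    # {1,3,6}, {1,2,5} and {3,5,6} get count 1; the other two stay at 0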

Counting Supports of Candidates Using Hash Tree

(Figure: a hash tree storing 3-itemset candidates such as {2,3,4}, {1,3,6}, {1,2,5}, and {3,5,6}, with items hashed into three branches by the rules 1,4,7 / 2,5,8 / 3,6,9. The subset function walks the tree for the transaction {1, 2, 3, 5, 6}, following every branch that some transaction item hashes to, and checks the candidate lists at the leaves it reaches.)

Support and Confidence

Support count: the support count of an itemset X, denoted by X.count, in a data set T is the number of transactions in T that contain X. Assume T has n transactions. Then,

  support(X → Y) = (X ∪ Y).count / n
  confidence(X → Y) = (X ∪ Y).count / X.count

Generating rules from frequent itemsets

- Frequent itemsets → association rules: one more step is needed to generate association rules
- For each frequent itemset X, and for each proper nonempty subset A of X:
  - Let B = X − A
  - A → B is an association rule if confidence(A → B) ≥ minconf, where
    - support(A → B) = support(A ∪ B) = support(X)
    - confidence(A → B) = support(A ∪ B) / support(A)
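
A sketch of this step, assuming the frequent itemsets and their support counts are already available as a dict (e.g., as produced by the apriori sketch above); by downward closure, every subset of a frequent itemset is also in the dict:

    from itertools import combinations

    def gen_rules(freq, min_conf):
        """freq: dict mapping frozenset -> support count.
        Yields (A, B, conf) for each rule A -> B with conf >= min_conf."""
        for X, sup_X in freq.items():
            if len(X) < 2:
                continue
            for r in range(1, len(X)):          # size of the antecedent A
                for A in map(frozenset, combinations(X, r)):
                    B = X - A
                    conf = sup_X / freq[A]      # support(X) / support(A)
                    if conf >= min_conf:
                        yield A, B, conf

    # Frequent itemsets of the beer/diaper table (absolute counts):
    freq = {frozenset({"Beer"}): 3, frozenset({"Diaper"}): 4,
            frozenset({"Beer", "Diaper"}): 3}
    for A, B, c in gen_rules(freq, 0.5):
        print(sorted(A), "->", sorted(B), f"{c:.0%}")
    # ['Beer'] -> ['Diaper'] 100%
    # ['Diaper'] -> ['Beer'] 75%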

Generating rules: an example

- Suppose {2, 3, 4} is frequent, with sup = 50%
- Proper nonempty subsets: {2,3}, {2,4}, {3,4}, {2}, {3}, {4}, with sup = 50%, 50%, 75%, 75%, 75%, 75% respectively
- These generate the following association rules:
  - 2,3 → 4, confidence = 100%
  - 2,4 → 3, confidence = 100%
  - 3,4 → 2, confidence = 67%
  - 2 → 3,4, confidence = 67%
  - 3 → 2,4, confidence = 67%
  - 4 → 2,3, confidence = 67%
- All rules have support = 50%

Generating rules: summary

- To recap, in order to obtain A → B, we need to have support(A ∪ B) and support(A)
- All the information required to compute confidence has already been recorded during itemset generation, so there is no need to read the data T again
- This step is not as time-consuming as frequent itemset generation

Reference

Bing Liu, CS 583: Data Mining and Text Mining, http://www.cs.uic.edu/~liub/teach/cs583-spring-14/cs583.html