Association Rule MiningThis step is

Association Rule Mining
This step is to collect and extract these attributes from the
collected log file data, to do Apriori analysis. The extracted
attributes consist of protocol (TCP or UDP), direction
(incoming or outgoing), source IP, destination IP, source port,
destination port, and action (accept or deny). Furthermore,
these attributes are defined as nominal to avoid any functional
significance for its values. A sample line of Linux firewall log
is shown in Fig. 3. Also the protocol is limited to be either TCP
or UDP for our study.
In Association Rule Mining (ARM), an association rule is
of the form X => Y where X and Y are disjoint conjunctions of
attribute-value pairs. The confidence of the rule is the
conditional probability of Y given X, Pr(Y|X), and the support,
of the rule is the prior probability of X and Y, Pr(X and Y).
Here probability is taken to be the observed frequency in the
data set. The traditional association rule mining problem can be
described as follows. Given a database of transactions, a
minimal confidence threshold and a minimal support threshold,
the goal is to find all association rules whose confidence and
support are above the corresponding thresholds. Hence, ARM
generates the largest item-set and the best rules from log
dataset. By using small values for minimum support such as
(0.001), the algorithm would generate more rules. Also by
using large value (e.g., 0.9), it would generate fewer rules. Also
the confidence value is set to 1 for 100 percent confidence.
Therefore, using minimum support and minimum confidence,
ARM algorithm finds the largest itemset followed by the best
rules found, considering only rules with action field (i.e., =Y).
It is because the rule with no action has no effect on firewall
policy rule.