MapReduce-based frequent itemset mining for analysis of electronic evidence

Abstract

Association rules can mine the relevant evidence of computer crime from the massive data and association rules among data itemset, and further mine crime trends and connections among different crimes. They can help polices detect case and prevent crime with clues and criterions. Frequent itemset mining (FIM) plays a fundamental role in mining associations, correlations and many real-world data mining fields such as electronic evidence analysis area. FP-growth is the most famous FIM algorithm for discovering frequent patterns. As the data incrementing, the cost of time and space will be the bottleneck of FP-growth mining algorithms. One of the existing incremental frequent pattern mining algorithms called SPO-tree can perform incremental mining by a single scan for incremental mining. But how to apply this algorithm to the analysis of electronic evidence more effectively will become the focus of this paper. In the past research, little people take care of the item mined to the frequent item needing to update or inserted a little data. The past algorithms are not suit for this problem especially in forensic area. So, in this paper, we propose a novel parallelized algorithm called PISPO based on the cloud-computing framework MapReduce, which is widely used to cope with large-scale data and captures both the content and state to be distributed to the changed and original of the transactions dataset to SPO-tree.