Journal in Computer Virology, Volume 6, Issue 1, pp 43–55

New data mining technique to enhance IDS alarms quality

Authors

    • S. O. Al-Mamory
      School of Computer Science and Technology, Harbin Institute of Technology
    • Hongli Zhang
      School of Computer Science and Technology, Harbin Institute of Technology
Original Paper

DOI: 10.1007/s11416-008-0104-2

Cite this article as:
Al-Mamory, S.O. & Zhang, H. J Comput Virol (2010) 6: 43. doi:10.1007/s11416-008-0104-2

Abstract

Intrusion detection systems (IDSs) generate a large number of alarms, most of which are false positives. Fortunately, alarms are triggered for identifiable reasons (root causes), and most of these reasons are not attacks. In this paper, a new data mining technique is developed that groups alarms into clusters; each cluster is then abstracted as a generalized alarm. The generalized alarms that correspond to root causes are converted into filters to reduce the future alarm load. The proposed algorithm uses nearest-neighbor and generalization concepts to cluster alarms. As a clustering algorithm, it uses a new measure to compute distances between alarm feature values. This measure depends on background knowledge of the monitored network, which makes it robust and meaningful. The technique was verified on many datasets, and the average reduction ratio was about 82% of the total alarms. Applying the technique to an alarm log greatly helps the security analyst identify root causes and thereby reduces the alarm load in the future.
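The workflow the abstract describes, as an added example that is not the paper's algorithm or code: alarm attribute values are placed in generalization hierarchies derived from background knowledge of the monitored network, the distance between two alarms is the number of generalization steps their attribute values need before they meet, clusters are merged nearest-neighbor first, and the generalized alarm of a large cluster becomes a filter whose effect is measured as a reduction ratio. The subnets, service classes, signature classes, the step-count distance, the threshold of 4 and the alarm log are all assumptions constructed for this example, not the measure, datasets or figures of the paper.

```python
from ipaddress import ip_address, ip_network

# Background knowledge of the monitored network (constructed for this example).
SUBNETS = {"DMZ": ip_network("10.0.1.0/24"), "OFFICE": ip_network("10.0.2.0/24")}
SERVICES = {80: "web", 443: "web", 25: "mail", 53: "dns"}

def ip_path(ip):
    """Generalization path of an address: host -> subnet -> INTERNAL/EXTERNAL -> ANY."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return [ip, name, "INTERNAL", "ANY"]
    return [ip, "EXTERNAL", "ANY"]

def port_path(port):
    """Port -> service class -> ANY."""
    return [str(port), SERVICES.get(port, "other"), "ANY"]

def sig_path(sig):
    """Signature -> its class (the prefix before ':') -> ANY."""
    return [sig, sig.split(":")[0], "ANY"]

PATHS = {"src": ip_path, "dst": ip_path, "dport": port_path, "sig": sig_path}

def value_distance(a, b):
    """Generalization steps until two paths meet; also returns the common path."""
    for i, x in enumerate(a):
        if x in b:
            return i + b.index(x), a[i:]
    raise ValueError("paths share no ancestor")

def alarm_distance(pa, pb):
    """Distance between two (possibly generalized) alarms: sum over attributes."""
    return sum(value_distance(pa[k], pb[k])[0] for k in PATHS)

def cluster_alarms(alarms, max_distance):
    """Nearest-neighbor agglomeration: merge the two closest clusters, generalizing
    their attributes to the common ancestor, until no pair is within max_distance."""
    clusters = [{"paths": {k: PATHS[k](a[k]) for k in PATHS}, "count": 1} for a in alarms]
    while len(clusters) > 1:
        d, i, j = min((alarm_distance(clusters[i]["paths"], clusters[j]["paths"]), i, j)
                      for i in range(len(clusters)) for j in range(i + 1, len(clusters)))
        if d > max_distance:
            break
        ci, cj = clusters[i], clusters[j]
        merged = {"paths": {k: value_distance(ci["paths"][k], cj["paths"][k])[1] for k in PATHS},
                  "count": ci["count"] + cj["count"]}
        clusters = [c for n, c in enumerate(clusters) if n not in (i, j)] + [merged]
    return clusters

def generalized_alarm(cluster):
    """The most specific value per attribute that still covers every alarm in the cluster."""
    return {k: v[0] for k, v in cluster["paths"].items()}

def make_filter(gen):
    """A filter matches an alarm whose every attribute equals or specializes gen's value."""
    def matches(alarm):
        return all(gen[k] in PATHS[k](alarm[k]) for k in PATHS)
    return matches

def root_cause_filters(clusters, min_count):
    """Only large clusters become filters, and never one that wildcards every attribute.
    In practice the analyst confirms the cluster is a benign root cause before this step."""
    out = []
    for c in clusters:
        gen = generalized_alarm(c)
        if c["count"] >= min_count and any(v != "ANY" for v in gen.values()):
            out.append(make_filter(gen))
    return out

def apply_filters(alarms, filters):
    """Returns the alarms the analyst still sees and the fraction suppressed."""
    kept = [a for a in alarms if not any(f(a) for f in filters)]
    return kept, (len(alarms) - len(kept)) / len(alarms)

# Constructed alarm log: an office host probing DMZ web servers, plus two real events.
ALARMS = [
    {"src": "10.0.2.10", "dst": "10.0.1.20", "dport": 80, "sig": "WEB-MISC:robots.txt"},
    {"src": "10.0.2.10", "dst": "10.0.1.21", "dport": 80, "sig": "WEB-MISC:robots.txt"},
    {"src": "10.0.2.10", "dst": "10.0.1.22", "dport": 443, "sig": "WEB-MISC:robots.txt"},
    {"src": "198.51.100.7", "dst": "10.0.1.25", "dport": 25, "sig": "SMTP:vrfy"},
    {"src": "203.0.113.9", "dst": "10.0.2.15", "dport": 4444, "sig": "TROJAN:reverse-shell"},
]

if __name__ == "__main__":
    clusters = cluster_alarms(ALARMS, max_distance=4)
    for c in clusters:
        print(c["count"], generalized_alarm(c))
    kept, ratio = apply_filters(ALARMS, root_cause_filters(clusters, min_count=3))
    print(f"{ratio:.0%} suppressed; remaining: {[a['sig'] for a in kept]}")
```

On this log the three probe alarms collapse into one cluster whose generalized alarm is src 10.0.2.10, dst DMZ, dport web, sig WEB-MISC:robots.txt; the two unrelated alarms stay separate because reaching a common ancestor with them costs far more than the threshold. The resulting filter suppresses 3 of 5 alarms (60%) and also catches a later probe of another DMZ host. The check in root_cause_filters against an all-ANY generalized alarm matters: an aggressive threshold can merge everything into one cluster, and a filter built from it would silence the whole sensor.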

Copyright information

© Springer-Verlag France 2008