
Filtering intrusion detection alarms


A Network Intrusion Detection System (NIDS) is an alarm system for networks. A NIDS monitors all network actions and generates alarms when it detects suspicious or malicious attempts. A false positive alarm is generated when the NIDS misclassifies a normal action in the network as an attack. We present a data mining technique to help network administrators analyze and reduce the false positive alarms produced by a NIDS. Our technique is based on a Growing Hierarchical Self-Organizing Map (GHSOM) that adjusts its architecture during an unsupervised training process according to the characteristics of the input alarm data. The GHSOM clusters these alarms in a way that supports network administrators in making decisions about true and false alarms. Our empirical results show that our technique is effective for real-world intrusion data.


Author information



Corresponding author

Correspondence to Nashat Mansour.


About this article

Cite this article

Mansour, N., Chehab, M.I. & Faour, A. Filtering intrusion detection alarms. Cluster Comput 13, 19–29 (2010).



  • Alarm filtering
  • Computer security
  • Growing hierarchical self-organizing map
  • Intrusion detection
  • Self-organizing map