IDS False Alarm Reduction Using Continuous and Discontinuous Patterns

  • Abdulrahman Alharby
  • Hideki Imai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3531)


Intrusion Detection Systems (IDSs) are widely deployed in computer networks to defend against a wide variety of attacks. IDS deployment raises a serious problem, namely managing a large number of triggered alerts. This problem is made worse by the fact that some commercial IDSs may generate thousands of alerts per day. Identifying the real alarms among the huge volume of alarms is a frustrating task for security officers. Thus, reducing false alarms is critical to IDS efficiency and usability. In this paper, we mine historical alarms to learn how future alarms can be handled more efficiently. First, an approach is proposed for characterizing the “normal” stream of alarms. In addition, an algorithm for detecting anomalies by using continuous and discontinuous sequential patterns is developed and used in preliminary experiments with real-world data to show that the presented model can handle IDS alarms efficiently.


Keywords: intrusion detection, alarm reduction, sequential patterns



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Abdulrahman Alharby (1)
  • Hideki Imai (1)
  1. Institute of Industrial Science, The University of Tokyo, Tokyo, Japan
