An Improved Intrusion Detection System Based on a Two Stage Alarm Correlation to Identify Outliers and False Alerts

  • Fatma Hachmi
  • Mohamed Limam
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9468)


To ensure the protection of computer networks from attacks, an intrusion detection system (IDS) should be included in the security architecture. Despite the detection of intrusions is the ultimate goal, IDSs generate a huge amount of false alerts which cannot be properly managed by the administrator, along with some noisy alerts or outliers. Many research works were conducted to improve IDS accuracy by reducing the rate of false alerts and eliminating outliers. In this paper, we propose a two-stage process to detect false alerts and outliers. In the first stage, we remove outliers from the set of meta-alerts using the best outliers detection method after evaluating the most cited ones in the literature. In the last stage, we propose a binary classification algorithm to classify meta-alerts whether as false alerts or real attacks. Experimental results show that our proposed process outperforms concurrent methods by considerably reducing the rate of false alerts and outliers.


Clustering Binary classification False positives Intrusion detection systems Outliers 


  1. 1.
    Zhu, B., Ghorbani, A.: Alert correlation for extracting attack strategies. Int. J, Netw. Secur. 3(3), 244–258 (2006)Google Scholar
  2. 2.
    Tjhai, C., Furnell, M., Papadaki, M., Clarck, L.: A preliminary two-stage alarm correlation and filtering system using som neural network and k-means algorithm. Comput. Secur. 29, 712–723 (2010)CrossRefGoogle Scholar
  3. 3.
    Bievens, A., Palagiri, C., Szymanski, B., Embrechts, M.: Network-based intrusion detection using neural networks. Intell. Eng. Syst. Artif. Neural Netw. 12, 579–584 (2002)Google Scholar
  4. 4.
    Labib, K., Vemuri, R.: Nsom: A real time network-based intrusion detection system using self-organizing map. In: Networks Security (2002)Google Scholar
  5. 5.
    Zhang, Y., Huang, S., Wang, Y.: Ids alert classification model construction using decision support techniques. In: International Conference on Computer Science and Electronics Engineering, pp. 301–305 (2012)Google Scholar
  6. 6.
    Gupta, D., Joshi, P.S., Bhattacharjee, A.K., Mundada, R.S.: Ids alerts classification using knowledge-based evaluation. In: International Conference on Communication Systems and Networks, pp. 1–8 (2012)Google Scholar
  7. 7.
    Elshoush, H.-T., Osman, I.-M.: An improved framework for intrusion alert correlation. In: WCE12: Proceedings of the 2012 World Congress on Engineering, pp. 1–6 (2012)Google Scholar
  8. 8.
    Benferhat, S., Boudjelida, A., Tabia, K., Drias, H.: An intrusion detection and alert correlation approach based on revising probabilistic classifiers using expert knowledge. Int. J. Appl. Intell. 38(4), 520–540 (2013)CrossRefGoogle Scholar
  9. 9.
    Elhag, S., Fernandez, A., Bawakid, A., Alshomrani, S., Herrera, F.: On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on intrusion detection systems. Expert Syst. Appl. 42, 193–202 (2015)CrossRefGoogle Scholar
  10. 10.
    Lin, W.-C., Ke, S.-W., Tsai, C.-F.: Cann: An intrusion detection system based on combining cluster centers and nearest neighbors. Knowl. Based Syst. 78, 13–21 (2015)CrossRefGoogle Scholar
  11. 11.
    Rousseeuw, P.J., Leroy, A.M.: Robust regression and outlier detection. John Wiley & Sons, New York (1987)zbMATHCrossRefGoogle Scholar
  12. 12.
    Abe, N., Zadrozny, B., Langford, J.: Outlier detection by active learning. In: Proceedings of the 12th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 504–509. ACM Press, New York, NY, USA (2006)Google Scholar
  13. 13.
    Jain, A.K., Murty, M.N., Flynn, P.J.: Data clustering: A review. ACM Comput. Surv. 31(3), 264–323 (1999)CrossRefGoogle Scholar
  14. 14.
    Knorr, E.M., Ng, R.T.: Algorithms for mining distance-based outliers in large datasets. In: Proceedings of the 24th International Conference on Very Large Databases, New York, NY, pp. 392–403 (1998)Google Scholar
  15. 15.
    Ramaswamy, S., Rastogi, R., Kyuseok, S.: Efficient algorithms for mining outliers from large data sets. In: Proceedings of the ACM SIDMOD International Conference on Management of Data, pp. 211–222 (2000)Google Scholar
  16. 16.
    Angiulli, F., Pizzuti, C.: Fast outlier detection in high dimensional spaces. In: Elomaa, T., Mannila, H., Toivonen, H. (eds.) PKDD 2002. LNCS (LNAI), vol. 2431, pp. 15–27. Springer, Heidelberg (2002) CrossRefGoogle Scholar
  17. 17.
    Wu, W.Z., Zhang, W.X.: Neighborhood operator systems and approximations. Inf. Sci. 144, 201–217 (2002)zbMATHCrossRefGoogle Scholar
  18. 18.
    Chen, Y.M., Miao, D.Q., Zhang, H.Y.: Neighborhood outlier detection. Expert Syst. Appl. 37(12), 8745–8749 (2010)CrossRefGoogle Scholar
  19. 19.
    Breunig, M.M., Kriegel, H.P., Ng, R.T., Sander, J.: Lof: Identifying densitybased local outliers. In: Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data, Dallas, pp. 93–104 (2000)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.ISGUniversity of TunisTunisTunisia
  2. 2.University of TunisTunisia and Dhofar universitySalalahOman

Personalised recommendations