IDS False Alarm Filtering Using KNN Classifier

  • Kwok Ho Law
  • Lam For Kwok
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3325)


Intrusion detection is one of he important aspects in computer security. Many commercial intrusion detection systems (IDSs) are available and are widely used by organizations. However, most of them suffer from the problem of high false alarm rate, which added heavy workload to security officers who are responsible for handling the alarms. In this paper, we propose a new method to reduce the number of false alarms. We model the normal alarm patterns of IDSs and detect anomaly from incoming alarm streams using k-nearest-neighbor classifier. Preliminary experiments show that our approach successfully reduces up to 93% of false alarms generated by a famous IDS.


False Alarm False Alarm Rate Intrusion Detection Intrusion Detection System Audit Data 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    CERT/CC Statistics 1988-2003: CERT Coordination Centre, Carnegie Mellon University,
  2. 2.
    Bace, R.: Intrusion Detection. Macmillan Technical Publishing, NYC (2000)Google Scholar
  3. 3.
    Julisch, K.: Dealing with False Positives in Intrusion Detection. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907. Springer, Heidelberg (2000)Google Scholar
  4. 4.
    Seleznyov, A., Puuronen, S.: HIDSUR: a hybrid intrusion detection system based on real-time user recognition. In: Proceedings of 11th International Workshop on Database and Expert Systems Applications, pp. 41–45 (2000)Google Scholar
  5. 5.
    Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining analysis of RTID alarms. Computer Networks 34(4), 571–577 (2000)CrossRefGoogle Scholar
  6. 6.
    Julisch, K.: Mining Alarm Clusters to Improve Alarm Handling Efficiency. In: Proceedings of the 17th Annual Conference on Computer Security Applications, pp. 12–21 (2001)Google Scholar
  7. 7.
    Julisch, K., Dacier, M.: Mining Intrusion Detection Alarms for Actionable Knowledge. In: Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 266–375 (2002)Google Scholar
  8. 8.
    Liao, Y., Vemuri, V.R.: Use of K-Nearest Neighbor classifier for intrusion detection. Computers and Security 21(5), 439–448 (2002)CrossRefGoogle Scholar
  9. 9.
    DARPA Intrusion Detection Evaluation, MIT Lincoln Laboratory,
  10. 10.

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Kwok Ho Law
    • 1
  • Lam For Kwok
    • 1
  1. 1.Department of Computer ScienceCity University of Hong KongKowloon, Hong Kong

Personalised recommendations