Abstract
A Network Intrusion Detection System (NIDS) acts as an alarm system for a network: it monitors network activity and raises an alarm when it detects a suspicious or malicious attempt. A false positive is an alarm raised when the NIDS misclassifies normal network activity as an attack. We present a data mining technique that assists network administrators in analyzing and reducing the false positive alarms produced by a NIDS. The technique is based on a Growing Hierarchical Self-Organizing Map (GHSOM), which adapts its architecture during unsupervised training to the characteristics of the input alarm data. The GHSOM clusters the alarms in a way that supports network administrators in deciding which alarms are true and which are false. Our empirical results show that the technique is effective on real-world intrusion data.
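The following is an added, reduced illustration of the clustering idea described in the abstract; it is not the authors' implementation and it is not code from the paper. It implements a small growing hierarchical SOM in the style of Rauber, Merkl and Dittenbach's GHSOM (a map that inserts rows or columns while its mean quantisation error exceeds a fraction tau1 of its parent's error, and spawns a child map for any unit whose error exceeds a fraction tau2 of the layer-0 error). The alarm records, the feature encoding, the thresholds and the cluster naming are all constructed for this example.

```python
"""Simplified GHSOM over constructed NIDS alarms (added illustration, not the paper's code)."""
import math
import random

# Constructed sample alarms: (id, signature, src_host, dst_port, proto, hour).
# A: repetitive SNMP polls from an internal monitoring host (benign but noisy);
# B: web scanner from several external hosts; C: SSH brute force; D: internal ping sweep.
ALARMS = (
    [(f"a{i}", "SNMP public community", "10.0.0.5", 161, "udp", 2) for i in range(10)]
    + [(f"b{i}", "WEB-MISC /etc/passwd", f"203.0.113.{i}", 80, "tcp", 14) for i in range(6)]
    + [(f"c{i}", "SSH brute force", "198.51.100.7", 22, "tcp", 3) for i in range(3)]
    + [(f"d{i}", "ICMP ping sweep", "10.0.0.9", 0, "icmp", 9) for i in range(2)]
)
SIGS = ["SNMP public community", "WEB-MISC /etc/passwd", "SSH brute force", "ICMP ping sweep"]
PROTO = {"tcp": 0.0, "udp": 1.0, "icmp": 0.5}

def encode(alarm):
    """Map one alarm to a feature vector in [0, 1]^5 (constructed encoding for this example)."""
    _, sig, src, port, proto, hour = alarm
    return [SIGS.index(sig) / (len(SIGS) - 1), min(port, 1024) / 1024,
            PROTO[proto], hour / 23, 1.0 if src.startswith("10.") else 0.0]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class Som:
    """A small rectangular SOM that can insert a row or column (the GHSOM growth step)."""
    def __init__(self, rows, cols, data, rng):
        self.rows, self.cols = rows, cols
        self.w = {(r, c): list(rng.choice(data)) for r in range(rows) for c in range(cols)}

    def bmu(self, x):
        return min(self.w, key=lambda u: dist(self.w[u], x))

    def train(self, data, rng, epochs=20):
        steps, t = epochs * len(data), 0
        for _ in range(epochs):
            for x in rng.sample(data, len(data)):
                frac = 1 - t / steps                      # learning rate and radius decay to 0
                lr, radius = 0.5 * frac, max(self.rows, self.cols) / 2 * frac
                b = self.bmu(x)
                for (r, c), w in self.w.items():
                    h = math.exp(-((r - b[0]) ** 2 + (c - b[1]) ** 2) / (2 * radius ** 2 + 1e-12))
                    for i in range(len(w)):
                        w[i] += lr * h * (x[i] - w[i])
                t += 1

    def neighbours(self, u):
        r, c = u
        return [v for v in ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1)) if v in self.w]

    def grow(self, e, n):
        """Insert a row/column between the error unit e and its most dissimilar neighbour n."""
        axis = 1 if e[0] == n[0] else 0                  # same row -> new column, else new row
        k = max(e[axis], n[axis])
        new = {}
        for u, w in self.w.items():                       # shift units beyond the insert line
            v = list(u)
            if v[axis] >= k:
                v[axis] += 1
            new[tuple(v)] = w
        self.rows, self.cols = self.rows + (axis == 0), self.cols + (axis == 1)
        for r in range(self.rows):
            for c in range(self.cols):
                if (r, c) not in new:                     # inserted unit: average of both sides
                    p, q = ((r - 1, c), (r + 1, c)) if axis == 0 else ((r, c - 1), (r, c + 1))
                    new[(r, c)] = [(a + b) / 2 for a, b in zip(new[p], new[q])]
        self.w = new

def quantisation(som, data):
    """Members of each unit and each unit's mean quantisation error (mqe)."""
    members = {u: [] for u in som.w}
    for i, x in enumerate(data):
        members[som.bmu(x)].append(i)
    mqe = {u: (sum(dist(som.w[u], data[i]) for i in idx) / len(idx) if idx else 0.0)
           for u, idx in members.items()}
    return members, mqe

def ghsom(data, ids, parent_mqe, root_mqe, rng, tau1, tau2, depth, prefix):
    """Train one layer, grow it while its error exceeds tau1*parent, expand bad units (tau2)."""
    som = Som(2, 2, data, rng)
    som.train(data, rng)
    while True:
        members, mqe = quantisation(som, data)
        used = [u for u in members if members[u]]
        map_mqe = sum(mqe[u] for u in used) / len(used)
        if map_mqe <= tau1 * parent_mqe or len(som.w) >= 16:
            break
        e = max(used, key=mqe.get)
        n = max(som.neighbours(e), key=lambda v: dist(som.w[e], som.w[v]))
        som.grow(e, n)
        som.train(data, rng)
    leaves = {}
    for u in used:
        idx, name = members[u], f"{prefix}{u[0]}.{u[1]}"
        if mqe[u] > tau2 * root_mqe and len(idx) > 1 and depth < 3:
            leaves.update(ghsom([data[i] for i in idx], [ids[i] for i in idx], mqe[u],
                                root_mqe, rng, tau1, tau2, depth + 1, name + "/"))
        else:
            leaves[name] = [ids[i] for i in idx]
    return leaves

def cluster_alarms(alarms, tau1=0.3, tau2=0.1, seed=7):
    """Return {leaf_name: [alarm ids]} from a GHSOM over the encoded alarms."""
    data, ids = [encode(a) for a in alarms], [a[0] for a in alarms]
    centre = [sum(col) / len(data) for col in zip(*data)]
    mqe0 = sum(dist(centre, x) for x in data) / len(data)   # layer-0 (single unit) error
    return ghsom(data, ids, mqe0, mqe0, random.Random(seed), tau1, tau2, 1, "")

def summarize(alarms, leaves):
    """Per-cluster digest for the analyst, largest first: a big single-signature cluster
    from one internal host is the first false-positive candidate to review."""
    by_id = {a[0]: a for a in alarms}
    rows = [(name, len(ids), sorted({by_id[i][1] for i in ids}), sorted({by_id[i][2] for i in ids}))
            for name, ids in leaves.items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    for row in summarize(ALARMS, cluster_alarms(ALARMS)):
        print(row)
```

Alarms with identical feature vectors always share a best-matching unit, so the ten SNMP alarms from the monitoring host land in one leaf that an analyst can judge once rather than ten times; the hierarchy only deepens where a unit still mixes dissimilar alarms. The feature encoding is the part that matters in practice: what the map considers "similar" is exactly what the encoding makes numerically close.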
Cite this article
Mansour, N., Chehab, M.I. & Faour, A. Filtering intrusion detection alarms. Cluster Comput 13, 19–29 (2010). https://doi.org/10.1007/s10586-009-0096-9
DOI: https://doi.org/10.1007/s10586-009-0096-9