{"title":"Minining Intrusion Detection Alarms with an SA-based Clustering Approach","authors":"Jianxin Wang, Yunqing Xia, Hongzhou Wang","doi":"10.1109/ICCCAS.2007.4348195","DOIUrl":null,"url":null,"abstract":"Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing technique is applied in the clustering procedure, to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in details. A state-of-the-art selection table is proposed, which greatly reduces the evaluation operation. In order to validate the newly proposed algorithm, a kind of exhaustive searching is implemented, which can find global minima for comparison with the cost of long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions with the quality very close to that of the best one, whilst the time consumption is within a reasonable range.","PeriodicalId":218351,"journal":{"name":"2007 International Conference on Communications, Circuits and Systems","volume":"43 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-07-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 International Conference on Communications, Circuits and Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICCCAS.2007.4348195","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 4
Abstract
Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing technique is applied in the clustering procedure, to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in details. A state-of-the-art selection table is proposed, which greatly reduces the evaluation operation. In order to validate the newly proposed algorithm, a kind of exhaustive searching is implemented, which can find global minima for comparison with the cost of long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions with the quality very close to that of the best one, whilst the time consumption is within a reasonable range.