Mining Intrusion Detection Alarms with an SA-based Clustering Approach
Intrusion detection systems generally overload their human operators by triggering thousands of alarms per day, most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing (SA) technique is applied in the clustering procedure to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in detail. A new selection table is proposed, which greatly reduces the number of evaluation operations. To validate the proposed algorithm, an exhaustive search is implemented, which finds the global minimum for comparison at the cost of a long but feasible execution time. The results show that the SA-based clustering algorithm produces solutions whose quality is very close to that of the global optimum, while its running time stays within a reasonable range.
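The abstract names the ingredients of the search (a local move, a cooling schedule, an evaluation function, a table that saves re-evaluations, and an exhaustive search as ground truth) without the details. The following is an added illustrative example, not the authors' implementation: it applies simulated annealing to Julisch's alarm-clustering formulation, in which each alarm attribute is generalized up a hierarchy and the goal is the least-generalized alarm that still covers at least min_size alarms. The alarm log, the three hierarchies (source IP: host, /24, /16, ANY; destination port: port, category, ANY; signature: exact, ANY), the cost function (number of generalization steps, plus a penalty when no cluster reaches min_size), the annealing parameters, and the memoized evaluation table standing in for the paper's selection table are all assumptions made for this example.

```python
"""Simulated-annealing search for a Julisch-style generalized alarm.

Added illustrative example, not the authors' code. The alarm log, the
generalization hierarchies, the cost function and all parameters below are
constructed for the example.
"""
import itertools
import math
import random
from collections import Counter

# Constructed alarm log: (source IP, destination port, signature).
ALARMS = [
    ("10.0.1.5", 80, "HTTP_SQLi"),
    ("10.0.1.5", 443, "HTTP_SQLi"),
    ("10.0.1.9", 80, "HTTP_SQLi"),
    ("10.0.1.9", 8080, "HTTP_SQLi"),
    ("10.0.2.7", 80, "HTTP_SQLi"),
    ("10.0.2.7", 80, "HTTP_XSS"),
    ("10.0.2.7", 22, "SSH_BruteForce"),
    ("192.168.5.3", 22, "SSH_BruteForce"),
    ("192.168.5.4", 22, "SSH_BruteForce"),
    ("10.0.1.5", 22, "SSH_BruteForce"),
]

WEB_PORTS = {80, 443, 8080}


def gen_src(ip, level):
    """Assumed hierarchy: host -> /24 -> /16 -> ANY."""
    octets = ip.split(".")
    if level == 0:
        return ip
    if level == 1:
        return ".".join(octets[:3]) + ".0/24"
    if level == 2:
        return ".".join(octets[:2]) + ".0.0/16"
    return "ANY"


def gen_port(port, level):
    """Assumed hierarchy: port -> service category -> ANY."""
    if level == 0:
        return str(port)
    if level == 1:
        if port in WEB_PORTS:
            return "web"
        return "ssh" if port == 22 else "other"
    return "ANY"


def gen_sig(sig, level):
    """Assumed hierarchy: exact signature -> ANY."""
    return sig if level == 0 else "ANY"


HIERARCHIES = (gen_src, gen_port, gen_sig)
MAX_LEVEL = (3, 2, 1)   # top level of each hierarchy
MIN_SIZE = 5            # a cluster is only useful if it covers this many alarms
PENALTY = 10            # added to the cost of any state with no such cluster


def generalize(alarm, levels):
    """Map one alarm to its generalized form at the given per-attribute levels."""
    return tuple(h(v, lvl) for h, v, lvl in zip(HIERARCHIES, alarm, levels))


def largest_cluster(levels):
    """Return (generalized alarm, size) of the biggest cluster at these levels."""
    counts = Counter(generalize(a, levels) for a in ALARMS)
    return counts.most_common(1)[0]


_eval_table = {}  # memoized evaluations; stands in for the paper's selection table


def cost(levels):
    """Evaluation function: generalization steps, penalized if no cluster is big enough."""
    if levels not in _eval_table:
        _, size = largest_cluster(levels)
        c = sum(levels) + (PENALTY if size < MIN_SIZE else 0)
        _eval_table[levels] = c
    return _eval_table[levels]


def neighbour(levels, rng):
    """Local move: raise or lower one attribute's generalization level by one."""
    while True:
        i = rng.randrange(len(levels))
        new = levels[i] + rng.choice((-1, 1))
        if 0 <= new <= MAX_LEVEL[i]:
            out = list(levels)
            out[i] = new
            return tuple(out)


def anneal(seed=0, restarts=4, iters=2000, t0=3.0, alpha=0.995):
    """Simulated annealing with Metropolis acceptance and geometric cooling."""
    rng = random.Random(seed)
    best, best_cost = None, math.inf
    for _ in range(restarts):
        cur = tuple(rng.randint(0, m) for m in MAX_LEVEL)
        cur_cost = cost(cur)
        if cur_cost < best_cost:
            best, best_cost = cur, cur_cost
        t = t0
        for _ in range(iters):
            cand = neighbour(cur, rng)
            delta = cost(cand) - cur_cost
            if delta <= 0 or rng.random() < math.exp(-delta / t):
                cur, cur_cost = cand, cur_cost + delta
                if cur_cost < best_cost:
                    best, best_cost = cur, cur_cost
            t *= alpha
    return best, best_cost


def exhaustive():
    """Ground truth: evaluate every combination of levels."""
    states = itertools.product(*(range(m + 1) for m in MAX_LEVEL))
    best = min(states, key=cost)
    return best, cost(best)


if __name__ == "__main__":
    print("exhaustive:", exhaustive(), largest_cluster(exhaustive()[0]))
    print("annealing: ", anneal())
```

On this constructed log the only cost-3 state with a large enough cluster is levels (2, 1, 0), i.e. the generalized alarm (10.0.0.0/16, web, HTTP_SQLi) covering five alarms; the state (1, 2, 1) is a local minimum of cost 4 whose every neighbour is worse, which is exactly the trap a greedy local search falls into and an uphill-accepting annealer climbs out of. The memoized table matters because most of the annealer's proposals revisit states it has already scored.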
Jianxin Wang, Yunqing Xia, Hongzhou Wang
School of Information, Beijing Forestry University, Beijing, China; Research Institute of Information Technology, Tsinghua University, Beijing, China; Department of Mathematics, Beijing Institute of Technology, Beijing, China
International conference
2007 International Conference on Communications, Circuits and Systems Proceedings
Fukuoka, Japan
English
2007-07-11 (date first posted on the Wanfang platform, not the paper's publication date)