Conference paper

Clustering IDS Alarms with an IGA-based Approach

Intrusion detection systems generally overload their human operators by triggering thousands of alarms per day, most of which are false positives. Klaus Julisch put forward a clustering method capable of eliminating false positives and finding their root causes, but he also proved that the underlying clustering problem is unfortunately NP-complete. In this paper, an immune genetic algorithm (IGA) is proposed to tackle this NP-complete clustering problem. An ad hoc strategy for generating antibodies and computing their density is proposed. The coding scheme and the genetic operations, including selection, crossover, and mutation, are discussed in detail. The IGA's local search ability is improved by combining it with a discrete gradient method. The results obtained in several tests are quite encouraging; in particular, the immune operator contributes much to solving the problem of premature convergence. Compared to a simple GA-based algorithm, the IGA-based one generates higher-quality clusters in a shorter period of time.
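The abstract names the ingredients (antibody encoding, density, selection with an immune operator, crossover, mutation, a discrete-gradient local search) without giving the paper's concrete formulas. The following is an added toy implementation written for this page, not the authors' code, that shows how those pieces fit together on a handful of constructed alarms. Assumptions, all mine: an alarm is a tuple of categorical attributes (signature, source network, destination port); an antibody is a vector of cluster labels, one per alarm, with K labels; fitness is the mean per-attribute homogeneity of the clusters (how well one generalized alarm describes each cluster); density is the share of the population within a small Hamming radius of an antibody; the immune operator weights selection by fitness times exp(-beta * density) so that crowded antibodies are suppressed; and the discrete gradient step is a best-single-gene-change hill climb applied to the generation's best antibody.

```python
"""Toy immune genetic algorithm (IGA) for clustering IDS alarms.

Added example, not the paper's code.  Every formula below (fitness,
density, immune-weighted selection, local search) is an assumption made
for illustration, not the scheme the paper defines.
"""
import math
import random
from collections import Counter

# Constructed sample alarms: (signature, src_net, dst_port).  Three root
# causes are hidden here: a scanner on 10.1.0.0/16, a misconfigured
# resolver on 192.168.5.0/24, and a web worm on 172.16.0.0/16.
ALARMS = [
    ("portscan", "10.1.0.0/16", 22), ("portscan", "10.1.0.0/16", 23),
    ("portscan", "10.1.0.0/16", 25), ("portscan", "10.1.0.0/16", 80),
    ("dns-anomaly", "192.168.5.0/24", 53), ("dns-anomaly", "192.168.5.0/24", 53),
    ("dns-anomaly", "192.168.5.0/24", 53), ("dns-anomaly", "192.168.5.0/24", 53),
    ("http-overflow", "172.16.0.0/16", 80), ("http-overflow", "172.16.0.0/16", 80),
    ("http-overflow", "172.16.0.0/16", 8080), ("http-overflow", "172.16.0.0/16", 80),
]
K = 3  # maximum number of clusters (root causes) an antibody may use


def fitness(antibody, alarms=ALARMS):
    """Mean homogeneity over (cluster, attribute) pairs: the fraction of a
    cluster's alarms sharing the attribute's most common value.  1.0 means
    every cluster is described exactly by one generalized alarm."""
    total, count = 0.0, 0
    for label in set(antibody):
        members = [a for a, lab in zip(alarms, antibody) if lab == label]
        for attr in range(len(alarms[0])):
            top = Counter(a[attr] for a in members).most_common(1)[0][1]
            total += top / len(members)
            count += 1
    return total / count


def density(antibody, population, radius=2):
    """Immune density: share of the population within Hamming distance
    `radius` of this antibody.  High density means the population is
    crowding onto one solution, the symptom of premature convergence."""
    near = sum(1 for other in population
               if sum(a != b for a, b in zip(antibody, other)) <= radius)
    return near / len(population)


def selection_weights(population, beta=2.0):
    """Immune operator: promote fit antibodies, suppress crowded ones."""
    return [fitness(ab) * math.exp(-beta * density(ab, population))
            for ab in population]


def crossover(p1, p2, rng):
    cut = rng.randrange(1, len(p1))          # single-point crossover
    return p1[:cut] + p2[cut:]


def mutate(ab, rate, rng):
    return [rng.randrange(K) if rng.random() < rate else g for g in ab]


def local_search(ab):
    """Discrete-gradient step: repeatedly take the single-gene change that
    most improves fitness until no neighbour is better (hill climbing)."""
    best, best_f = list(ab), fitness(ab)
    improved = True
    while improved:
        improved = False
        for i in range(len(best)):
            for lab in range(K):
                if lab == best[i]:
                    continue
                cand = best[:i] + [lab] + best[i + 1:]
                f = fitness(cand)
                if f > best_f + 1e-12:
                    best, best_f, improved = cand, f, True
    return best


def run_iga(pop_size=40, generations=60, mutation_rate=0.1, seed=1):
    """Returns (best antibody, its fitness).  Elitism keeps the best-so-far,
    so the returned fitness never drops below the initial population's best."""
    rng = random.Random(seed)
    population = [[rng.randrange(K) for _ in ALARMS] for _ in range(pop_size)]
    best = max(population, key=fitness)
    for _ in range(generations):
        weights = selection_weights(population)
        nxt = [best]
        while len(nxt) < pop_size:
            p1, p2 = rng.choices(population, weights=weights, k=2)
            nxt.append(mutate(crossover(p1, p2, rng), mutation_rate, rng))
        population = nxt
        best = local_search(max(population, key=fitness))
    return best, fitness(best)


if __name__ == "__main__":
    labels, score = run_iga()
    for lab in sorted(set(labels)):
        print(f"cluster {lab}: {[a for a, l in zip(ALARMS, labels) if l == lab]}")
    print(f"fitness = {score:.3f}")
```

On these twelve constructed alarms the ideal partition (one cluster per root cause) scores 8/9, because the scanner cluster spans four destination ports and the worm cluster two; no other three-way partition scores higher, so the IGA cannot exceed that value and the local search usually lands on it. Replacing `exp(-beta * density)` with a constant turns the loop into the plain GA the abstract compares against, which is the easiest way to observe premature convergence: the density of the best antibody climbs toward 1.0 within a few generations.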

Jianxin Wang, Baojiang Cui

School of Information, Beijing Forestry University, Beijing, China; School of Computer Science & Technology, Beijing University of Posts and Telecommunications, Beijing, China

International conference

2009 International Conference on Communications, Circuits and Systems (ICCCAS 2009)

Chengdu

English

586-590

2009-07-23 (date the record first went online on the Wanfang platform, not the paper's publication date)