An Improved Frequent Pattern Growth Based Approach to Intrusion Detection System Alert Aggregation

This paper introduces different approaches to intrusion detection system (IDS) alert aggregation and proposes an improved frequent pattern growth (FP-growth) algorithm for it. The approach can be divided into three parts: removal of noisy data, mining of association rules, and a text similarity check. According to the experiment on a Snort alarm dataset provided by an enterprise, all the association rules found by the proposed approach are valid. Therefore, compared with the plain FP-growth algorithm, the proposed approach increases the precision of the result and is useful for alert aggregation.
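To make the three-stage pipeline concrete, the following added example (written for this page, not the paper's own implementation) runs noise removal, FP-growth association-rule mining, and a text-similarity merge over a handful of constructed Snort-style alerts. The alert records, the list of known-benign signatures treated as noise, the support and confidence thresholds, and the token-Jaccard similarity used to unify near-duplicate signature messages are all assumptions made for the example; the paper does not specify which noise heuristic or similarity measure it uses.

```python
"""Added example: noise removal -> FP-growth rules -> text-similarity merge (constructed data)."""
import re
from collections import Counter
from itertools import combinations

# Constructed Snort-style alerts; not the enterprise dataset used in the paper.
ALERTS = [
    {"sig": "ET SCAN Nmap Scripting Engine", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"sig": "ET SCAN Nmap Scripting Engine", "src": "10.0.0.5", "dst": "10.0.1.21"},
    {"sig": "ET SCAN Nmap Scripting Engine", "src": "10.0.0.5", "dst": "10.0.1.22"},
    {"sig": "ET SCAN Nmap OS Detection", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"sig": "ET SCAN Nmap OS Detection", "src": "10.0.0.5", "dst": "10.0.1.23"},
    {"sig": "ET WEB_SERVER SQL Injection Attempt", "src": "192.0.2.9", "dst": "10.0.1.80"},
    {"sig": "ET WEB_SERVER SQL Injection Attempt", "src": "192.0.2.9", "dst": "10.0.1.80"},
    {"sig": "LOCAL Monitoring Health Check", "src": "10.0.0.1", "dst": "10.0.1.20"},  # benign noise
    {"sig": "ET SCAN Nmap OS Detection", "src": "10.0.0.5", "dst": ""},               # malformed
]
REQUIRED = ("sig", "src", "dst")
NOISE_SIGS = {"LOCAL Monitoring Health Check"}  # assumed allowlist of known-benign signatures

def remove_noise(alerts):
    """Step 1 (assumed heuristic): drop malformed records and known-benign signatures."""
    return [a for a in alerts if all(a.get(k) for k in REQUIRED) and a["sig"] not in NOISE_SIGS]

def to_transactions(alerts):
    """Each alert becomes one transaction of 'attribute=value' items."""
    return [{f"{k}={a[k]}" for k in REQUIRED} for a in alerts]

class Node:
    __slots__ = ("item", "count", "parent", "children")
    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}

def build_tree(transactions, min_support):
    """Build an FP-tree; items ordered by descending global support, ties by name."""
    counts = Counter(i for t in transactions for i in t)
    freq = {i for i, c in counts.items() if c >= min_support}
    root, headers = Node(None, None), {}
    for t in transactions:
        node = root
        for item in sorted((i for i in t if i in freq), key=lambda i: (-counts[i], i)):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = Node(item, node)
                headers.setdefault(item, []).append(child)
            child.count += 1
            node = child
    return headers, counts

def fp_growth(transactions, min_support, suffix=()):
    """Step 2a: yield (itemset, support) for every frequent itemset."""
    headers, counts = build_tree(transactions, min_support)
    for item in reversed(sorted(headers, key=lambda i: (-counts[i], i))):
        nodes = headers[item]
        pattern = (item,) + suffix
        yield pattern, sum(n.count for n in nodes)
        cond = []  # conditional pattern base: prefix path above each node, repeated count times
        for n in nodes:
            path, p = [], n.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            cond.extend([path] * n.count if path else [])
        if cond:
            yield from fp_growth(cond, min_support, pattern)

def association_rules(transactions, min_support, min_conf):
    """Step 2b: (antecedent, consequent, confidence) for rules meeting min_conf."""
    sup = {frozenset(p): s for p, s in fp_growth(transactions, min_support)}
    rules = []
    for items, s in sup.items():
        for r in range(1, len(items)):
            for ante in combinations(sorted(items), r):
                ante = frozenset(ante)
                conf = s / sup[ante]  # every subset of a frequent itemset is frequent
                if conf >= min_conf:
                    rules.append((ante, items - ante, conf))
    return rules

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def canonical_signatures(messages, thresh):
    """Greedy clustering: map each message to the first representative it is similar to."""
    reps, canon = [], {}
    for m in messages:
        rep = next((r for r in reps if jaccard(tokens(m), tokens(r)) >= thresh), None)
        canon[m] = m if rep is None else rep
        if rep is None:
            reps.append(m)
    return canon

def merge_similar_rules(rules, thresh):
    """Step 3 (assumed): merge rules that coincide once near-duplicate signature texts are unified."""
    sigs = sorted({v[4:] for rule in rules for side in rule[:2] for v in side if v.startswith("sig=")})
    canon = canonical_signatures(sigs, thresh)
    def norm(side):
        return frozenset("sig=" + canon[v[4:]] if v.startswith("sig=") else v for v in side)
    merged = {}
    for ante, cons, conf in rules:
        key = (norm(ante), norm(cons))
        merged[key] = max(merged.get(key, 0.0), conf)
    return [(a, c, conf) for (a, c), conf in merged.items()]

def aggregate(alerts, min_support=2, min_conf=0.8, sim_thresh=0.4):
    rules = association_rules(to_transactions(remove_noise(alerts)), min_support, min_conf)
    return merge_similar_rules(rules, sim_thresh)

if __name__ == "__main__":
    for ante, cons, conf in sorted(aggregate(ALERTS), key=lambda r: (-r[2], sorted(r[0]))):
        print(f"{sorted(ante)} -> {sorted(cons)}  conf={conf:.2f}")
```

On the constructed data, noise removal keeps 7 of 9 alerts, FP-growth finds 14 frequent itemsets at support 2, rule generation yields 15 rules at confidence 0.8, and the similarity step collapses the two "ET SCAN Nmap ..." rules that share the consequent `src=10.0.0.5` into one, leaving 14 rules. Note that the scanner rule `src=10.0.0.5 -> sig=...` is correctly rejected (confidence 0.6) because that source also raised other alerts: the analyst is shown which signature implies which source, not the weaker reverse.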
