论文信息 - A two-stage technique to improve intrusion detection systems based on data mining algorithms

A two-stage technique to improve intrusion detection systems based on data mining algorithms

An intrusion detection system (IDS) is the fundamental part of the security infrastructure, since it ensures the detection of any suspicious action. Although the detection of intrusions and attacks is the ultimate goal, the huge amount of generated alerts cannot be properly managed by the administrator. In order to improve the accuracy of sensors, we adopt a two-stage technique. The first one aims to generate meta-alerts through clustering and the second one aims to reduce the rate of false alarms using a binary classification of the generated meta-alerts. For the first stage we use two alternatives, self-organizing map (SOM) with k-means algorithm and neural GAS with fuzzy c-means algorithm. For the second stage we use three approaches, SOM with K-means algorithm, support vector machine and decision trees. Based on a public data set and several evaluation criteria, our proposed procedures are evaluated. Results show that our procedures outperform other competitor methods by reducing the rate of false positives.

Hachmi Fatma | Limam Mohamed | Limam Mohamed | Hachmi Fatma

[1] Maria Papadaki,et al. A preliminary two-stage alarm correlation and filtering system using SOM neural network and K-means algorithm , 2010, Comput. Secur..

[2] Hongli Zhang,et al. Intrusion detection alarms reduction using root cause analysis and clustering , 2009, Comput. Commun..

[3] Gregory Piatetsky-Shapiro,et al. Discovery, Analysis, and Presentation of Strong Rules , 1991, Knowledge Discovery in Databases.

[4] Stefano Zanero,et al. Reducing false positives in anomaly detectors through fuzzy alert aggregation , 2009, Inf. Fusion.

[5] Shahrin Sahib,et al. Intrusion Alert Correlation Technique Analysis for Heterogeneous Log , 2008 .

[6] Maria Papadaki,et al. The Problem of False Alarms: Evaluation with Snort and DARPA 1999 Dataset , 2008, TrustBus.

[7] Ali A. Ghorbani,et al. Alert Correlation for Extracting Attack Strategies , 2006, Int. J. Netw. Secur..

[8] Klaus Julisch,et al. Clustering intrusion detection alarms to support root cause analysis , 2003, TSEC.

[9] Khaled Labib,et al. NSOM: A Real-Time Network-Based Intrusion Detection System Using Self-Organizing Maps , 2002 .

[10] Boleslaw K. Szymanski,et al. NETWORK-BASED INTRUSION DETECTION USING NEURAL NETWORKS , 2002 .

[11] Sokratis K. Katsikas,et al. Reducing false positives in intrusion detection systems , 2010, Comput. Secur..