TY - GEN
T1 - Mining intrusion detection alarms with an SA-based clustering approach
AU - Jianxin, Wang
AU - Yunqing, Xia
AU - Wang, Hongzhou
PY - 2008
Y1 - 2008
N2 - Intrusion detection systems generally overload their human operators by triggering thousands of alarms per day, most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing (SA) technique is applied in the clustering procedure to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in detail. A state-of-the-art selection table is proposed, which greatly reduces the number of evaluation operations. In order to validate the newly proposed algorithm, an exhaustive search is implemented, which can find the global minimum for comparison at the cost of a long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions of quality very close to that of the best one, whilst the time consumption is within a reasonable range.
UR - http://www.scopus.com/inward/record.url?scp=40649084148&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:40649084148
SN - 9781424414741
T3 - ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007
SP - 905
EP - 909
BT - ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007
T2 - ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007
Y2 - 11 July 2007 through 13 July 2007
ER -