Minining intrusion detection alarms with an SA-based clustering approach

Wang Jianxin; Xia Yunqing; Hongzhou Wang

Minining intrusion detection alarms with an SA-based clustering approach

Wang Jianxin^*, Xia Yunqing, Hongzhou Wang

^*Corresponding author for this work

School of Mathematics and Statistics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Citations (Scopus)

Abstract

Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing technique is applied in the clustering procedure, to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in details. A state-of-the-art selection table is proposed, which greatly reduces the evaluation operation. In order to validate the newly proposed algorithm, a kind of exhaustive searching is implemented, which can find global minima for comparison with the cost of long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions with the quality very close to that of the best one, whilst the time consumption is within a reasonable range.

Original language	English
Title of host publication	ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007
Pages	905-909
Number of pages	5
Publication status	Published - 2008
Event	ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007 - Kokura, Japan Duration: 11 Jul 2007 → 13 Jul 2007

Publication series

Name	ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007

Conference

Conference	ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007
Country/Territory	Japan
City	Kokura
Period	11/07/07 → 13/07/07

Cite this

@inproceedings{496973337a6942f58c07ad089b046a07,

title = "Minining intrusion detection alarms with an SA-based clustering approach",

abstract = "Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing technique is applied in the clustering procedure, to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in details. A state-of-the-art selection table is proposed, which greatly reduces the evaluation operation. In order to validate the newly proposed algorithm, a kind of exhaustive searching is implemented, which can find global minima for comparison with the cost of long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions with the quality very close to that of the best one, whilst the time consumption is within a reasonable range.",

author = "Wang Jianxin and Xia Yunqing and Hongzhou Wang",

year = "2008",

language = "English",

isbn = "9781424414741",

series = "ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007",

pages = "905--909",

booktitle = "ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007",

note = "ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007 ; Conference date: 11-07-2007 Through 13-07-2007",

}

Jianxin, W, Yunqing, X & Wang, H 2008, Minining intrusion detection alarms with an SA-based clustering approach. in ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007., 4348195, ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007, pp. 905-909, ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007, Kokura, Japan, 11/07/07.

Minining intrusion detection alarms with an SA-based clustering approach. / Jianxin, Wang; Yunqing, Xia; Wang, Hongzhou.
ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007. 2008. p. 905-909 4348195 (ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Minining intrusion detection alarms with an SA-based clustering approach

AU - Jianxin, Wang

AU - Yunqing, Xia

AU - Wang, Hongzhou

PY - 2008

Y1 - 2008

N2 - Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing technique is applied in the clustering procedure, to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in details. A state-of-the-art selection table is proposed, which greatly reduces the evaluation operation. In order to validate the newly proposed algorithm, a kind of exhaustive searching is implemented, which can find global minima for comparison with the cost of long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions with the quality very close to that of the best one, whilst the time consumption is within a reasonable range.

AB - Intrusion detection systems generally overload their human operators by triggering per day thousands of alarms most of which are false positives. A clustering method able to eliminate most false positives was put forward by Klaus Julisch, who proved that the clustering problem is NP-complete and proposed a low-quality approximation algorithm. In this paper, the simulated annealing technique is applied in the clustering procedure, to produce high-quality solutions. The local optimization strategy, cooling schedule, and evaluation function are discussed in details. A state-of-the-art selection table is proposed, which greatly reduces the evaluation operation. In order to validate the newly proposed algorithm, a kind of exhaustive searching is implemented, which can find global minima for comparison with the cost of long yet feasible execution time. The results show that the SA-based clustering algorithm can produce solutions with the quality very close to that of the best one, whilst the time consumption is within a reasonable range.

UR - http://www.scopus.com/inward/record.url?scp=40649084148&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:40649084148

SN - 9781424414741

T3 - ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007

SP - 905

EP - 909

BT - ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007

T2 - ICCCAS 2007 - International Conference on Communications, Circuits and Systems 2007

Y2 - 11 July 2007 through 13 July 2007

ER -

Minining intrusion detection alarms with an SA-based clustering approach

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this