This is an Open Access publication published under CSC-OpenAccess Policy.
A New System for Clustering and Classification of Intrusion Detection System Alerts Using Self-Organizing Maps
Amir Azimi Alasti Ahrabi, Ahmad Habibizad Navin, Hadi Bahrbegi, Mir Kamal Mirnia, Mehdi Bahrbegi, Elnaz Safarzadeh, Ali Ebrahimi
Pages 589-597 | Revised 31-01-2011 | Published 08-02-2011
Volume 4, Issue 6 | Publication Date: January / February
Keywords: IDS, alert clustering, SOM, false positive alert reduction, alert classification
Abstract: Intrusion Detection Systems (IDS) help protect the systems used by organizations against threats that emerge as network connectivity increases. The main drawbacks of IDS are the number of alerts generated and their high false positive rate. Using a Self-Organizing Map (SOM), a system is proposed that is able to classify IDS alerts and reduce false positive alerts. Alert filtering and cluster merging algorithms are also introduced to improve the accuracy of the proposed system. Experimental results on DARPA KDD Cup 98 show that the system is able to cluster and classify alerts and reduces false positive alerts considerably.
CITED BY (6)  
1 Feshki, M. G., Sojoodi, O., & Anvary, M. D. (2015). Managing Intrusion Detection Alerts Using Support Vector Machines. International Journal of Computer Science and Security (IJCSS), 9(5), 266.
2 Anvary, M. D., Feshki, M. G., & Ahrabi, A. A. A. (2015). Efficient Security Alert Management System. International Journal of Computer Science and Security (IJCSS), 9(4), 218.
3 Masdari, M., & Bakhtiari, F. C. (2014). Alert Management System using K-means Based Genetic for IDS. International Journal of Security and Its Applications, 8(5), 109-118.
4 Ahrabi, A. A. A., Feyzi, K., Orang, Z. A., Bahrbegi, H., Safarzadeh, E., Azimi, A., & Ahrabi, A. (2012). Using Learning Vector Quantization in Alert Management of Intrusion Detection System. International Journal of Computer Science and Security, 6(2), 128.
5 Bhatti, D. G., Virparia, P. V., & Patel, B. (2012). Conceptual Framework for Soft Computing based Intrusion Detection to Reduce False Positive Rate. International Journal of Computer Applications, 44(13), 1-3.
6 Orang, Z. A., Moradpour, E., Navin, A. H., Ahrabim, A. A. A., & Mirnia, M. K. (2012). Using Adaptive Neuro-Fuzzy Inference System in Alert Management of Intrusion Detection Systems. International Journal of Computer Network and Information Security (IJCNIS), 4(11), 32.
Authors:
Mr. Amir Azimi Alasti Ahrabi, Industrial Management Institute, Iran
Dr. Ahmad Habibizad Navin, Iran
Dr. Hadi Bahrbegi, Iran
Dr. Mir Kamal Mirnia, Iran
Dr. Mehdi Bahrbegi, Iran
Dr. Elnaz Safarzadeh, Iran
Dr. Ali Ebrahimi, Iran