Title: Anomaly-based network IDS false alarm filter using cluster-based alarm classification approach

Authors: Qais Saif Qassim; Abdullah Mohd Zin; Mohd Juzaiddin Ab Aziz

Addresses: Faculty of Information Science and Technology, School of Computer Science, Universiti Kebangsaan Malaysia, Bangi, Selangor Darul Ehsan, 43600, Malaysia (all three authors)

Abstract: Anomaly-based network intrusion detection systems (A-NIDS) are an important and essential defence mechanism against network attacks. However, they generate a high volume of alarms in which genuine alerts are mixed with false-positive alarms, which poses a major challenge for these systems. Large numbers of false alarms hinder correct detection and make an immediate response by the intrusion detection system (IDS) impossible. To mitigate this issue, this paper presents a strategy for filtering these alarms in order to reduce the false-positive alarm rate of A-NIDS. The paper presents a new semi-supervised alarm classification method that requires neither predefined knowledge of attack signatures nor feedback from security personnel.

Keywords: intrusion detection systems; anomaly-based IDS; false positive alarms; alarm management; joint entropy; network security; false alarm filters; clustering; alarm classification.

DOI: 10.1504/IJSN.2017.081056

International Journal of Security and Networks, 2017, Vol. 12, No. 1, pp. 13-26

Received: 04 Sep 2015
Accepted: 27 Jun 2016

Published online: 08 Dec 2016
