False positive elimination in intrusion detection based on clustering

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN > Conference contribution/Paper > peer-review

Published

Standard

False positive elimination in intrusion detection based on clustering. / Hu, Liang; Li, Taihui; Xie, Nannan et al.
2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). IEEE, 2015. p. 519-523.

Harvard

Hu, L, Li, T, Xie, N & Hu, J 2015, False positive elimination in intrusion detection based on clustering. in 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). IEEE, pp. 519-523. https://doi.org/10.1109/FSKD.2015.7381996

APA

Hu, L., Li, T., Xie, N., & Hu, J. (2015). False positive elimination in intrusion detection based on clustering. In 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD) (pp. 519-523). IEEE. https://doi.org/10.1109/FSKD.2015.7381996

Vancouver

Hu L, Li T, Xie N, Hu J. False positive elimination in intrusion detection based on clustering. In 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). IEEE. 2015. p. 519-523 doi: 10.1109/FSKD.2015.7381996

Author

Hu, Liang ; Li, Taihui ; Xie, Nannan et al. / False positive elimination in intrusion detection based on clustering. 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD). IEEE, 2015. pp. 519-523

Bibtex

@inproceedings{29eb4055e9c94ecf850d350d39be396f,
title = "False positive elimination in intrusion detection based on clustering",
abstract = "In order to solve the problem of high false positive rates in network intrusion detection systems, we adopted clustering algorithms, the K-means algorithm and the Fuzzy C-Means (FCM) algorithm, to identify false alerts, to reduce invalid alerts and to purify alerts for a better analysis. In this paper, we first introduced typical clustering algorithms, including partition clustering, hierarchical clustering, density and grid clustering, and fuzzy clustering, and then analyzed their feasibility in security data processing. Furthermore, we introduced an intrusion detection framework, and tested the validity and feasibility of false positive elimination in intrusion detection. The process steps of false positive elimination were clearly described, and additionally, two typical clustering algorithms, the K-means algorithm and the FCM algorithm, were implemented for false alert identification and filtration. Also, we defined three evaluation indexes: the elimination rate, the false elimination rate and the miss elimination rate. Accordingly, we used the DARPA 2000 LLDOS1.0 dataset for our experiments, and adopted Snort as our intrusion detection system. Eventually, the results showed that the method proposed by us has satisfactory validity and feasibility in false positive elimination, and the clustering algorithms we adopted can achieve a high elimination rate.",
author = "Liang Hu and Taihui Li and Nannan Xie and Jiejun Hu",
year = "2015",
doi = "10.1109/FSKD.2015.7381996",
language = "English",
pages = "519--523",
booktitle = "2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD)",
publisher = "IEEE",
}

RIS

TY - GEN

T1 - False positive elimination in intrusion detection based on clustering

AU - Hu, Liang

AU - Li, Taihui

AU - Xie, Nannan

AU - Hu, Jiejun

PY - 2015

Y1 - 2015

N2 - In order to solve the problem of high false positive rates in network intrusion detection systems, we adopted clustering algorithms, the K-means algorithm and the Fuzzy C-Means (FCM) algorithm, to identify false alerts, to reduce invalid alerts and to purify alerts for a better analysis. In this paper, we first introduced typical clustering algorithms, including partition clustering, hierarchical clustering, density and grid clustering, and fuzzy clustering, and then analyzed their feasibility in security data processing. Furthermore, we introduced an intrusion detection framework, and tested the validity and feasibility of false positive elimination in intrusion detection. The process steps of false positive elimination were clearly described, and additionally, two typical clustering algorithms, the K-means algorithm and the FCM algorithm, were implemented for false alert identification and filtration. Also, we defined three evaluation indexes: the elimination rate, the false elimination rate and the miss elimination rate. Accordingly, we used the DARPA 2000 LLDOS1.0 dataset for our experiments, and adopted Snort as our intrusion detection system. Eventually, the results showed that the method proposed by us has satisfactory validity and feasibility in false positive elimination, and the clustering algorithms we adopted can achieve a high elimination rate.

AB - In order to solve the problem of high false positive rates in network intrusion detection systems, we adopted clustering algorithms, the K-means algorithm and the Fuzzy C-Means (FCM) algorithm, to identify false alerts, to reduce invalid alerts and to purify alerts for a better analysis. In this paper, we first introduced typical clustering algorithms, including partition clustering, hierarchical clustering, density and grid clustering, and fuzzy clustering, and then analyzed their feasibility in security data processing. Furthermore, we introduced an intrusion detection framework, and tested the validity and feasibility of false positive elimination in intrusion detection. The process steps of false positive elimination were clearly described, and additionally, two typical clustering algorithms, the K-means algorithm and the FCM algorithm, were implemented for false alert identification and filtration. Also, we defined three evaluation indexes: the elimination rate, the false elimination rate and the miss elimination rate. Accordingly, we used the DARPA 2000 LLDOS1.0 dataset for our experiments, and adopted Snort as our intrusion detection system. Eventually, the results showed that the method proposed by us has satisfactory validity and feasibility in false positive elimination, and the clustering algorithms we adopted can achieve a high elimination rate.

U2 - 10.1109/FSKD.2015.7381996

DO - 10.1109/FSKD.2015.7381996

M3 - Conference contribution/Paper

SP - 519

EP - 523

BT - 2015 12th International Conference on Fuzzy Systems and Knowledge Discovery (FSKD)

PB - IEEE

ER -