An Intrusion Detection System Using Correlation, Prioritization and Clustering Techniques to Mitigate False Alerts

  • Andrew J.
  • G. Jaspher W. Kathrine
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 645)


Intrusion detection system (IDS) is one of the network security tools which monitors the network traffic for suspicious activity and alerts the network administrator. In large networks, huge volumes of false alerts are generated by IDS which reduces the effectiveness of the system and increases the work of the network administrator. The false incoming alerts raised by IDS lower the defence of network. In this paper, post-correlation methods such as prioritization and clustering are used to analyse intrusion alerts. The proposed framework uses prioritization to classify important and unimportant alerts and clustering approaches by correlating the alerts. Scalable distance-based clustering (SDC) is applied to further reduce the false alerts efficiently.


Intrusion IDS Correlation Prioritization Clustering SDC 


  1. 1.
    Debar, H., Dacier, M., Wespi, A.: Towards a taxonomy of intrusion detection systems. Comput. Netw. 31(8), 805–822 (1999)CrossRefGoogle Scholar
  2. 2.
    Sandhu, U.A., Haider, S., Naseer, S., Ateeb, O.U.: A survey of intrusion detection & prevention techniques. In: 2011 International Conference on Information Communication and Management IPCSIT, vol. 16 (2011)Google Scholar
  3. 3.
    Alsubhi, K., Al-Shaer, E., Boutaba, R.: Alert Prioritization in Intrusion Detection SystemsGoogle Scholar
  4. 4.
    Lagzian, S.: Frequent item set mining-based alert correlation for extracting multi-stage attack scenarios. In: IEEE Telecommunications (IST), 2012 Sixth International Symposium, pp. 1010–1014 (2012)Google Scholar
  5. 5.
    Yang, C.C., Ng, T.D.: Analyzing and visualizing web opinion development and social interactions with density-based clustering. In: Proceedings of the International WWW Conference, pp. 1144–1155 (2011)Google Scholar
  6. 6.
    Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.A.: A comprehensive approach to intrusion detection alert correlation. IEEE Trans. Depend. Secur. Comput. 1, 146–169 (2004)CrossRefGoogle Scholar
  7. 7.
    Yu, J., Ramana Reddy, Y.V., Selliah, S., Reddy, S., Vijayan, Bharadwaj, Kankanahalli, S.: TRINETR: an architecture for collaborative intrusion detection and knowledge based alert evaluation. Adv.Eng. Inform. (Elsevier) 19, 93–101 (2005)Google Scholar
  8. 8.
    Lee, S., Chung, B., Kim, H., Lee, Y., Park, C., Yoon, H.: Real-time analysis of intrusion detection alerts via correlation. Comput. Secur. (Elsevier) 25, 169–183 (2006)CrossRefGoogle Scholar
  9. 9.
    Noel, S., Jajodia, S.: Optimal IDS sensor placement and alert prioritizing using attack graphs. J. Netw. Syst. Manag. 16, 259–275 (2008)CrossRefGoogle Scholar
  10. 10.
    Alsubhi, K., Al-Shaer, E., Boutaba, R.: Alert prioritization in intrusion detection systems. In: NOMS 2008–2008 IEEE Network Operations and Management Symposium, pp. 33–40 (2008)Google Scholar
  11. 11.
    Pietraszek, T., Tanner, A.: Data mining and machine learning—towards reducing false positives in intrusion detection. Inf. Secur. Tech. Rep. (Elsevier) 10, 169–183 (2005)CrossRefGoogle Scholar
  12. 12.
    Nikulin, V.: Threshold-based clustering with merging and regularization in application to network intrusion detection. Comput. Statist. Data Anal. (Elsevier) 51, 1184–1196 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Patel, H.: Intrusion Alerts Analysis Using Attack Graphs and Clustering. Masters’, San Jose State University (2009)Google Scholar
  14. 14.
    Al-Mamory, S.O., Zhang, H.: Intrusion detection alarms reduction using root cause analysis and clustering. Comput. Commun. (Elseiver) 32, 419–430 (2009)CrossRefGoogle Scholar
  15. 15.
    Njogu, H.W., Wei, L.J.: Using alert cluster to reduce IDS alerts. In: Proceedings of the Third IEEE International Conference on Computer Science and Information Technology, pp. 467–471 (2011)Google Scholar
  16. 16.
    Shittu, R., Healing, A., Ghanea-Hercock, R., Bloomfield, R., Rajarajan, M.: Intrusion alert prioritisation and attack detection using post-correlation analysis. Comput. Secur. (Elsevier) 50, 1–15 (2015)CrossRefGoogle Scholar
  17. 17.
    Breunig, M.M., Kriegel, H., Ng, R.T., Sander, J.: LOF: identifying density-based local outliers. In: Proceedings of the 2000 ACM Sigmod International Conference on Management of Data, pp. 1–12 (2000)Google Scholar
  18. 18.
    Shah, G.H., Bhensdadia, C.K., Ganatra, A.P.: An empirical evaluation of density-based clustering techniques. Int. J. Soft Comput. Eng. (IJSCE). 2(1) (2012). ISSN: 2231-2307Google Scholar
  19. 19.
    Ren, H., Stakhanova, N., Ghorbani, A.A.: An online adaptive approach to alert correlation. In: Proceedings of the 7th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pp. 153–172 (2010)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2018

Authors and Affiliations

  1. 1.Department of Computer Sciences TechnologyKarunya UniversityCoimbatoreIndia

Personalised recommendations