Mining alarm clusters to improve alarm handling efficiency

Cited by: 60
Author: Julisch, K [1]
Affiliation: [1] IBM Res, Zurich Res Lab, Zurich, Switzerland
Source: 17TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, PROCEEDINGS | 2001
DOI: 10.1109/ACSAC.2001.991517
Chinese Library Classification: TP [Automation technology, computer technology];
Subject classification code: 0812;
Abstract
It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. As a matter of fact, we have been asked by one of our service divisions to help them deal with this problem. This paper presents the results of our research, validated thanks to a large set of operational data. We show that alarms should be managed by identifying and resolving their root causes. Alarm clustering is introduced as a method that supports the discovery of root causes. The general alarm clustering problem is proved to be NP-complete, an approximation algorithm is proposed, and experiments are presented.
Pages: 12-21
Page count: 10