Correlating intrusion alerts to obtain attack instances through improved evolving self-organizing maps

An attack instance database is fundamental to the whole network security key knowledge system that is significant and useful to solve some problems occurred in network security. But traditional intrusion detection systems (IDSs) focus on low-level attacks and anomalies, and raise alerts independently. So it is difficult to obtain interesting attack instances from these alerts directly. In this paper, an approach of correlating intrusion alerts to obtain attack instances through the improved evolving self-organizing map (IESOM) was proposed. IESOM is an evolving extension of the self-organizing map (SOM) model, which allows for an evolvable network structure and very fast incremental learning. The system of correlating intrusion alerts to obtain attack instances through IESOM has seven components: normalization, restraining, pre-processing, fusion,, clustering, combination and filtering, and the attack instances are given as the output of the system at last. The results obtained with LLS DDOS1.0 and real-word dataset B prove that the approach is useful and effective.