Application of Singular Spectrum Analysis to the Noise Reduction of Intrusion Detection Alarms

Abstract

Intrusion detection systems typically create a large volume of alarms and most of them are false alarms that can be seen as background noises caused by normal system behaviors. Manual analysis of a large number of alarms is both time consuming and labor intensive. This study focuses on the statistical analysis of the alarm flow. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the structure of alarm flow can be composed by leading components (normal components) and residual components (abnormal components). Only changes in abnormal components are worth of further study to confirm whether they are true or false alarm. To achieve this goal, an SSA-based anomalies detection algorithm was implemented and applied to catch anomalous changes in residua components, and thus interesting alarms were highlighted and noises were filtered out. Compared with detection approaches using stationary models, our SSA-based method can well deal with the non-stationary natures inherent in the alarm flow. Evaluation results from real network data show a significant increase in model accuracy, and more efficient filtering of alarm noise.