Abstract
Intrusion detection systems typically create a large volume of alarms and most of them are false alarms that can be seen as background noises caused by normal system behaviors. Manual analysis of a large number of alarms is both time consuming and labor intensive. This study focuses on the statistical analysis of the alarm flow. Using the Singular Spectrum Analysis (SSA) approach, we found that the alarm flow has a small intrinsic dimension, and the structure of alarm flow can be composed by leading components (normal components) and residual components (abnormal components). Only changes in abnormal components are worth of further study to confirm whether they are true or false alarm. To achieve this goal, an SSA-based anomalies detection algorithm was implemented and applied to catch anomalous changes in residua components, and thus interesting alarms were highlighted and noises were filtered out. Compared with detection approaches using stationary models, our SSA-based method can well deal with the non-stationary natures inherent in the alarm flow. Evaluation results from real network data show a significant increase in model accuracy, and more efficient filtering of alarm noise.
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
