
Research On Intrusion Detection And Alarm Correlation

Posted on: 2012-06-26
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Zhang
GTID: 2178330338995466
Subject: Communication and Information System

Abstract/Summary:
Intrusion detection has become an important part of network and information security, and alarm correlation has become an essential component of the intrusion detection system (IDS). As network size and transmission speed increase, the vast amount of network traffic challenges the capability of the intrusion detection system. Usually, abnormal data is only a small part of the massive data to be processed. The abnormal data is overwhelmed by the normal data, which affects the performance of the intrusion detection system. A large amount of normal data occupies most of the resources of the IDS and leads to many false alarms. All of this causes trouble for administrators. Repetitive and inadequate alarms increase significantly as intrusions become more complex. The large number of false and repetitive alarms not only places a considerable burden on the administrator, but also fails to reflect the real state of the system.

We propose two methods to reduce part of the normal data and the false and redundant alarms.

First, for the situation in which normal data dominates the vast amount of data to be processed, we propose a method based on semi-supervised learning to process the massive data in the network and remove some of the normal data, so that normal and abnormal data become relatively balanced. This method can improve the system's real-time performance and reduce false alarms.

Next, we propose a method to reduce redundant alarms based on the maximum density of alarms. The results show that the proposed methods can effectively reduce repetitive alarms and so improve the system's real-time performance and availability.

Keywords/Search Tags: intrusion detection, alarm correlation, semi-supervised learning, attribute similarity, maximum density