Call for Paper - January 2023 Edition
IJCA solicits original research papers for the January 2023 Edition. Last date of manuscript submission is December 20, 2022. Read More

An Operational Framework for Alert Correlation using a Novel Clustering Approach

International Journal of Computer Applications
© 2012 by IJCA Journal
Volume 54 - Number 12
Year of Publication: 2012
Ashara Banu Mohamed
Norbik Bashah Idris
Bharanidharan Shanmugum

Ashara Banu Mohamed, Norbik Bashah Idris and Bharanidharan Shanmugum. Article: An Operational Framework for Alert Correlation using a Novel Clustering Approach. International Journal of Computer Applications 54(12):23-28, September 2012. Full text available. BibTeX

	author = {Ashara Banu Mohamed and Norbik Bashah Idris and Bharanidharan Shanmugum},
	title = {Article: An Operational Framework for Alert Correlation using a Novel Clustering Approach},
	journal = {International Journal of Computer Applications},
	year = {2012},
	volume = {54},
	number = {12},
	pages = {23-28},
	month = {September},
	note = {Full text available}


Intrusion Detection System (IDS) is a well known security feature and widely implemented among practitioners. However, since the creation of IDS the enormous number of alerts generated by the detection sensors has always been a setback in the implementation environment. Moreover due to this obtrusive predicament, two other problems have emerged which are the difficulty in processing the alerts accurately and also the decrease in performance rate in terms of time and memory capacity while processing these alerts. Thus, based on the specified problems, the purpose of our overall research is to construct a holistic solution that is able to reduce the number of alerts to be processed and at the same time to produce a high quality attack scenarios that are meaningful to the administrators in a timely manner. In this paper we will present our proposed framework together with the result of our novel clustering method, architectured solely with the intention of reducing the amount of alerts generated by IDS. The clustering method was tested against two dataset; a globally used dataset, DARPA and a live dataset from a cyber attack monitoring unit that uses SNORT engine to capture the alerts. The result obtained from the experiment is very promising; the clustering algorithm was able to reduce about 86. 9% of the alerts used in the experiment. From the result we are able to highlight the contribution to practitioners in an actual working environment.


  • Broderick, J. 1998, IBM outsourced solution. Available: http://www. infoworld. com/cgi-bin/displayTC. pl?/980504sb3-ibm. htm.
  • Manganaris, S. , Christensen, M. , Zerkle, D. , and Hermiz, K. , 2000. "A Data Mining Analysis of RTID Alarms. ," Computer Networks, vol. 34 (4), pp. 571-577
  • Julisch, K. , 2001 ". Mining Alarm Clusters to Improve Alarm Handling Eficiency. ," in In 17th Annual Computer Security Applications Conference (ACSAC). , pp. 12-21.
  • Kumar, M. and Hanumanthappa, M. , 2011. "Intrusion Detection System-False Positive Alert Reduction Technique " Proc. of Int. Conf. on Advances in Computer Engineering 2011,
  • Vignesh, R. , Ganesh, B. , Aarthi, G. , and Iyswarya, N. , 2010. "A Cache Oblivious based GA Solution for Clustering Problem in IDS. ," International Journal of Computer Applications (0975 - 8887). , vol. Volume 1- No. 11,
  • Dain, O. and Cunningham, R. K. , 2001. "Fusing a heterogeneous alert stream into scenarios. ," In: Proceedings of the 2001 ACM Workshop on Data Mining for Security Applications, Philadelphia,PA, ACM Press pp. 1-13.
  • Ahrabi, A. A. A. , Feyzi, K. , Orang, Z. A. , Bahrbegi, H. , and Safarzadeh, E. , 2012. "Using Learning Vector Quantization in Alert Management of Intrusion Detection System," International Journal of Computer Science and Security, (IJCSS) vol. 6,
  • Debar, H. and Wespi, A. , 2001. "Aggregation and Correlation of Intrusion-Detection Alerts . Lecture Notes in Computer Science. In: Lee WLM, Wespi A, editors. Proceedings of recent advances in intrusion detection, 4th international symposium, (RAID 2001)," Springer-Verlag Heidelberg, vol. Volume 2212/2001, pp. 85-103.
  • Mohamed, A. B. , Idris, N. B. , and Shanmugum, B. , 2012 ". Alert correlation using a novel clustering approach," Rajkot, Gujrat, pp. 720-725.
  • Valdes, A. and Skinner, K. , 2001. "Probabilistic alert correlation. In: Lee WLM, Wespi A, editors. Proceedings of recent advances inintrusion detection, 4th international symposium, (RAID 2001). " Springer-Verlag Heidelberg, vol. vol. 3089, pp. 54–68.
  • Porras, P. A. , Fong, M. W. , and Valdes, A. , 2002. "A mission-impact-based approach to INFOSEC alarm correlation," Recent Advances in Intrusion Detection, Proceedings, vol. 2516, pp. 95-114.
  • Morin, B. , Me, L. , Debar, H. , and Ducasse, M. , 2009. "A logic-based model to support alert correlation in intrusion detection," Information Fusion, vol. 10, pp. 285-299.
  • Morin, B. , Me, L. , Debar, H. , and Ducasse, M. , 2002. "M2D2: A formal data model for IDS alert correlation," Recent Advances in Intrusion Detection, Proceedings, vol. 2516, pp. 115-137.
  • Frank, J. , 1994. "Artificial Intelligence and Intrusion Detection: Current and Future Direction " Proc. 17th National Computer Security Conference (Baltimore, MD),
  • Valdes, A. and Skinner, K. , 2000. "An approach to sensor correlation. ," In Recent Advances in Intrusion Detection (RAID 2000), Toulouse, France. ,
  • Al-Mamory, S. O. and Zhang, H. , 2009. "Intrusion detection alarms reduction using root cause analysis and clustering. ," Computer Communications,Elsevier. , vol. 32, pp. 419-430.
  • Xu, R. and Wunsch, D. , 2005. "Survey of clustering algorithms," Ieee Transactions on Neural Networks, vol. 16, pp. 645-678.
  • Cuppens, F. and Miege, A. , 2002. " Alert Correlation in a Cooperative Intrusion Detection Framework " Proc. IEEE Symp. Security and Privacy,
  • Valeur, F. , Vigna, G. , Kruegel, C. , and Kemmerer, R. A. , 2004. "A comprehensive approach to intrusion detection alert correlation," Ieee Transactions on Dependable and Secure Computing, vol. 1, pp. 146-169.
  • Jain, A. K. , Murty, M. N. , and Flynn, P. J. , 1999. "Data clustering: A review," Acm Computing Surveys, vol. 31, pp. 264-323.
  • Lovis, C. and Baud, R. H. , 2000. "Fast exact string pattern-matching algorithms adapted to the characteristics of the medical language," Journal of the American Medical Informatics Association, vol. 7, pp. 378-391.
  • Pedretti, K. , Scheetz, T. , Braun, T. , Roberts, C. , Robinson, N. , and Casavant, T. , 2001. "A parallel Expressed Sequence Tag (EST) clustering program," Parallel Computing Technologies, vol. 2127, pp. 490-497.
  • Trivedi, N. , Pedretti, K. T. , Braun, T. A. , Scheetz, T. E. , and Casavant, T. L. , 2003. "Alternative parallelization strategies in EST clustering," Parallel Computing Technologies, Proceedings, vol. 2763, pp. 384-393.
  • Kendall, K. , "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems," Bachelor of Science in Computer Science and Engineering and Master of Engineering in Electrical Engineering and Computer Science, Department of Electrical Engineering and Computer Science, MASSACHUSETTS INSTITUTE OF TECHNOLOGY, MASSACHUSETTS, 1999.
  • Perdisci, R. , Giacinto, G. , and Roll, F. , 2006. "Alarm clustering for intrusion detection systems in computer networks," Engineering Applications of Artificial Intelligence, vol. 19, pp. 429-438.