Publication | Closed Access
IDS alarms reduction using data mining
Citations: 15
References: 13
Year: 2008
Venue: Unknown
Keywords: Anomaly Detection, Engineering, Warning System, Information Security, Generalized Alarm, Detection Technique, Intrusion Detection Systems, Generalization Concepts, Optimization-based Data Mining, Hardware Security, Data Science, Data Mining, Pattern Recognition, Management, IDS Alarms Reduction, Intrusion Detection System, Threat Detection, Predictive Analytics, Intrusion Tolerance, Knowledge Discovery, Computer Science, Signal Processing, Intrusion Detection, Industrial Informatics
Intrusion Detection Systems (IDSs) are robust systems that can effectively detect penetrations and attacks. However, they generate a large number of alarms, most of which are false positives. Fortunately, alarms are triggered for identifiable reasons, and most of those reasons are not attacks. In this paper, a new approximation algorithm is developed to group alarms into clusters. Each cluster is then abstracted as a generalized alarm, and most of the generalized alarms correspond to root causes. The proposed algorithm makes use of nearest-neighbour and generalization concepts. As a clustering algorithm, it uses a new measure to compute distances between the values of alarm features. The algorithm was verified on many datasets, and its reduction ratio was about 93% of the total alarms. The resulting generalized alarms help the security analyst in writing filters.
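The clustering-and-generalization idea described in the abstract, as an added illustrative implementation that is not the paper's code: the paper's distance measure, attribute hierarchies, threshold and datasets are not given on this page, so the per-octet IP distance, the attribute weights, the single-pass nearest-neighbour assignment, the threshold and the sample alarms below are all assumptions chosen to show how raw alarms collapse into generalized alarms that can be turned into filters.

```python
"""Nearest-neighbour alarm clustering with attribute generalization.

Illustrative example, not the paper's implementation. The distance
function, weights, threshold and sample alarms are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Alarm:
    """One raw IDS alarm (field names are an assumption for the example)."""
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class GeneralizedAlarm:
    """Cluster abstraction: same fields, but IPs may end in '*' octets
    and dst_port may be the wildcard '*'."""
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: str


def ip_distance(a: str, b: str) -> float:
    """0.0 for identical addresses, +0.25 for every leading octet not shared.
    A '*' octet never counts as shared, so generalized IPs are 'further'."""
    shared = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y or x == "*":
            break
        shared += 1
    return (4 - shared) / 4


def alarm_distance(a: Alarm, g: GeneralizedAlarm) -> float:
    """Weighted distance from a raw alarm to a cluster's generalized alarm.
    A signature mismatch is infinite, so clusters never mix signatures."""
    if a.signature != g.signature:
        return float("inf")
    d_src = ip_distance(a.src_ip, g.src_ip)
    d_dst = ip_distance(a.dst_ip, g.dst_ip)
    d_port = 0.0 if g.dst_port in ("*", str(a.dst_port)) else 1.0
    return 0.4 * d_src + 0.4 * d_dst + 0.2 * d_port


def generalize_ip(ips: List[str]) -> str:
    """Most specific dotted prefix covering all IPs; remaining octets become '*'."""
    octets = [ip.split(".") for ip in ips]
    out: List[str] = []
    for i in range(4):
        column = {o[i] for o in octets}
        if len(column) == 1 and "*" not in column:
            out.append(column.pop())
        else:
            out.extend(["*"] * (4 - i))
            break
    return ".".join(out)


def generalize(members: List[Alarm]) -> GeneralizedAlarm:
    """Abstract a cluster into one generalized alarm (its candidate root cause)."""
    ports = {a.dst_port for a in members}
    return GeneralizedAlarm(
        signature=members[0].signature,
        src_ip=generalize_ip([a.src_ip for a in members]),
        dst_ip=generalize_ip([a.dst_ip for a in members]),
        dst_port=str(ports.pop()) if len(ports) == 1 else "*",
    )


def cluster_alarms(alarms: List[Alarm], threshold: float = 0.25
                   ) -> List[Tuple[GeneralizedAlarm, List[Alarm]]]:
    """Single-pass nearest-neighbour clustering: each alarm joins the nearest
    cluster whose generalized alarm is within `threshold`, else starts a new one.
    The cluster's generalized alarm is recomputed whenever a member is added."""
    clusters: List[Tuple[GeneralizedAlarm, List[Alarm]]] = []
    for a in alarms:
        best, best_d = None, threshold
        for idx, (g, _) in enumerate(clusters):
            d = alarm_distance(a, g)
            if d <= best_d:
                best, best_d = idx, d
        if best is None:
            clusters.append((generalize([a]), [a]))
        else:
            members = clusters[best][1] + [a]
            clusters[best] = (generalize(members), members)
    return clusters


def reduction_ratio(alarms: List[Alarm],
                    clusters: List[Tuple[GeneralizedAlarm, List[Alarm]]]) -> float:
    """Fraction of raw alarms the analyst no longer has to read individually."""
    return 1 - len(clusters) / len(alarms)


def to_filter(g: GeneralizedAlarm) -> str:
    """Render a generalized alarm as a filter rule the analyst can review."""
    return f"sig={g.signature} src={g.src_ip} dst={g.dst_ip} dport={g.dst_port}"


# Constructed sample alarms: a scanner sweeping from one /24, a chatty backup
# host tripping an ICMP rule, one scan from another subnet, one real injection.
SAMPLE_ALARMS = (
    [Alarm("HTTP_SCAN", f"10.0.1.{i}", "192.168.5.20", 80) for i in range(10, 16)]
    + [Alarm("ICMP_LARGE", "10.0.2.7", "10.0.0.5", 0)] * 4
    + [Alarm("HTTP_SCAN", "10.7.3.3", "192.168.5.20", 80)]
    + [Alarm("SQLI", "203.0.113.9", "192.168.5.20", 80)]
)

if __name__ == "__main__":
    found = cluster_alarms(SAMPLE_ALARMS)
    for g, members in found:
        print(f"{len(members):2d} alarms -> {to_filter(g)}")
    print(f"reduction ratio: {reduction_ratio(SAMPLE_ALARMS, found):.2f}")
```

The 12 constructed alarms collapse into 4 generalized alarms (a 0.67 reduction ratio on this toy input); the scanner's six alarms become a single `src=10.0.1.*` filter candidate, while the genuine SQLI alarm stays isolated because signature mismatches are given infinite distance. The threshold controls how aggressively IPs are wildcarded, which is the knob an analyst would tune before trusting a generated filter.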