An incremental intrusion detection model using alarms correlation

Document Type : Research Paper


1 Department of Management and Economics, Science and Research Branch, Islamic Azad University, Tehran, Iran

2 School of Mathematics, Iran University of Science and Technology, Tehran, Iran

3 School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran

4 Department of Management and Accounting, Karaj Branch, Islamic Azad University, Karaj, Iran


Today, intrusion detection systems are extremely important in securing computers and computer networks. Correlated systems are next to intrusion detection systems by analyzing and combining the alarms received from them, appropriate reports for review and producing security measures. One of the problems face by intrusion detection systems is generating a large volume of false alarms, so one of the most important issues in correlated systems is to check the alerts received by the intrusion detection system to distinguish true-positive alarms from false-positive alarms. The main focus of this research is on the applied optimization of classification methods to reduce the cost of organizations and security expert time in alert checking. The proposed intrusion detection model using correlation(IIDMC) is tested on a valid test dataset and the results show the efficiency of the proposed model and consequently its high accuracy.


[1] A. A. Aburomman, M. B. IbneReaz, A survey of intrusion detection systems based on ensemble and hybrid
classifiers, Computers & security, 65 (2017) 135-152.
[2] J. Akhtar-Khan and N. Jain, A survey on intrusion detection systems and classification techniques, International
journal of scientific research in science, Engineering and technology, 2 (2016) 202-208.
[3] S.O. Al-Mamory and H.L. Zhang, Building scenario graph using clustering, Proceedings of the 2007 international
conference on convergence information technology, IEEE computer society, (2007) 799-804.
[4] S.O. Al-Mamory and H.L. Zhang, Scenario discovery using abstracted correlation graph, International conference
on computational intelligence and security, IEEE computer society, (2007) 702-706.
[5] J. P. Anderson, Computer security threat monitoring and surveillance, Technical report, James P. Anderson
company, Fort Washington, 1980.
[6] R. A. R. Ashfaqand et al, Fuzziness based semi-supervised learning approach for intrusion detection system,
Information sciences 0 0 0 (2016) 1-14.
[7] A. Chmielewskiand S. T. Wierzchon, Hybrid negative selection approach for anomaly detection, In computer
information systems and industrial management, Springer Berlin Heidelberg, (2012) 242-253.
[8] S. Duque and et al, Using data mining algorithms for developing a model for intrusion detection system (IDS),
Procedia computer science, 61 (2015) 46-51.
[9] C. Guo, Y. Zhou, Y. Ping, S. Luo, Y. P. Lai and Z. Zhang, Efficient intrusion detection using representative
instances, Computers and security, 39 (B) (2013) 255-267.
[10] K. K. Gupta, B. Nath and R. Kotagiri, Layered approach using conditional random fields for intrusion detection,
IEEE trans., Dependable secur. comput. , 7 (1)(2010) 35-49.
[11] K. Gupta, S. Singhal, S. Malik and A. Singh, Network intrusion detection system using various data mining
techniques, International conference on research advances in integrated navigation systems (RAINS), (May 2016)
[12] T. Hastie, R. Tibshirani and J. Friedman, The elements of statistical learning: Data mining, inference and
prediction, Springer, 2001.
[13] K. Julisch, Clustering intrusion detection alarms to support rootcause analysis, ACM transactions on information
and system security (TISSEC), 6 (4) (2003) 443e71.
[14] N. K. Kanakarajan and K. Muniasamy, Improving the accuracy of intrusion detection using GAR-Forest with
feature selection, Proceedings of the 4
th international conference on frontiers in intelligent computing: theory and
applications (FICTA) 2015 Springer, (2016) 539-547.
[15] KDD cup 1999 data,(1999), Available:
[16] B. Khosravifar, M. Gomrokchi and J .Bentahar, A multi-agent based approach to improve intrusion detection
systems false alarm ratio by using honeypot, International conference on advanced information networking and
applications workshops, (2009) 97-102.
[17] Laboratory ML, Darpa2000 intrusion detection scenario specific data sets,
[18] H. H. Lin, C. H. Mao and H. M. Lee, False alarm reduction by weighted score-based rule adaptation through expert
feedback, At the second international workshop on multimedia, Information privacy and intelligent computing
systems (MPIS), Jeju island, Korea, 2009.
[19] H. S. Lin, H. K. Pao, C. H. Mao, H. M. Lee, T. Chen and Y. J.Lee, Adaptive alarm filtering by causal correlation
consideration in intrusion detection, First KES international symposium on intelligent decision technologies (IDT),
[20] Y. Liu and L. Zhu, A new intrusion detection and alarm correlation technology based on neural network, EURASIP
Journal on Wireless communications and networking 2019, (2019) 109.
[21] P. Ning, Y. Cui and S. Reeves, Constructing attack scenarios through correlation of intrusion alerts, In proceedings
of the 9
th ACM conference on computer and communications security, ACM, (2002) 245-254.
[22] P. Ning, Y. Cui, D. S. Reeves, Techniques and tools for analyzing intrusion alerts, ACM transactions on information and system security, 7 (2) (2004) 274-318.
[23] H. H. Pajouh, G. Dastghaibyfard and S. Hashemi, Two-tier network anomaly detection model: a machine learning
approach, J Intell Inf Syst, (2015) 1-14.
[24] M. Panda, A. Abraham and M. R. Patra, A hybrid intelligent approach for network intrusion detection, Procedia
engineering, 30 (2012) 1-9.
[25] T. Pietraszek, Using adaptive alert classification to reduce false positives in intrusion detection, Proceedings of
the 7
th symposium on recent advances in intrusion detection (RAID), Springer-Verlag, 3224 (2004) 102-124.
[26] K. Polat, S. Gunes, Principles component analysis, fuzzy weighting pre-processing and artificial immune recogni-tion system based diagnostic system for diagnosis of lung cancer, Expert systems with applications, 34 (1) (2008)
[27] R. Sadoddin, A. A. Ghorbani, An incremental frequent structure mining framework for real-time alert correlation,
Computers and security, 28 (3-4) (2009) 153-173.
[28] ST. Sarasamma, QA. Zhu, Min-max hyper ellipsoidal clustering for anomaly detection in network security, IEEE
transactions on systems, Man and cybernetics, 36(4) (2006) 887-901.
[29] F. Shen, O. Hasegawa, A fast nearest neighbor classifier based on self-organizing incremental neural network,
Neural networks, 21 (2008) 1537-1547.
[30] R. Shittu, A. Healing, R. Ghanea-Hercock, R. E. Bloomfield and M.Rajarajan, Intrusion alert prioritisation and
attack detection using post-correlation analysis, Computers & security, 50 (2015) 1-15.
[31] G. Spathoulas and S. Katsikas, Reducing false positives in intrusion detection systems, Computers & security, 29
(1) (2010) 35-44.
[32] P. Srinivasu and P. S. Avadhani, Genetic algorithm based weight extraction algorithm for rtificial neural network
classifier in intrusion detection, Procedia engineering, 38 (2012) 144-153.
[33] R. Vaarandi, K. Podins, Network IDS alert classification with frequent itemset mining and data clustering, CNSM
2010, (2010) 451-456.
[34] A. Valdes and K. Skinner, Probabilistic alert correlation, In proceedings of the 4
th international symposium on
recent advances in intrusion detection, (2001) 54-68.
[35] F. Valeur, G. Vigna, C. Kruegel and R. Kemmerer, Acomprehensive approach to intrusion detection alert correlation, IEEE transactions on dependable and secure computing, 1(3) (2004) 146-169.
[36] Y. Yi, J. Wu, W. Xu, Incremental SVM based on reserved set for network intrusion detection, Expert systems
with applications, 38(6) (2011) 7698-7707.
[37] J. Zhang, X. Chen, Research on intrusion detection of database based on Rough set, Physics procedia, 25 (2012)
[38] B. Zhu, A. Ghorbani, Alert correlation for extracting attack strategies, International journal of network security,
3 (3) (2006) 244-258.
Volume 12, Special Issue
December 2021
Pages 541-562
  • Receive Date: 11 January 2020
  • Revise Date: 09 November 2020
  • Accept Date: 17 January 2021