DocumentCode :
129973
Title :
An SR-ISODATA algorithm for IDS alerts aggregation
Author :
Chun Long ; Hanji Shen ; Jun Li ; Jingguo Ge
Author_Institution :
Comput. Network Inf. Center, Beijing, China
fYear :
2014
fDate :
28-30 July 2014
Firstpage :
92
Lastpage :
97
Abstract :
Intrusion detection systems (IDS) can produce large amounts of alert data, which usually has the characteristics of high redundancy and high repetition. Such data makes event processing for network security significantly more difficult. Current clustering algorithms use the cluster center to calculate the distance, which leads to fairly large calculation errors. In order to aggregate the massive alert data effectively and identify important security events accurately, we propose an improved Iterative Self-Organizing Data Analysis Techniques Algorithm based on Similarity Radius (SR-ISODATA). In the presented algorithm, the optimal sequence comparison method is used to calculate the attribute weights of alert data, and different similarity calculation methods are chosen according to the different properties of alert attributes; the merging and splitting criteria are revised, the cluster center in the original ISODATA algorithm is replaced by the average similarity radius, and the distance calculation in the original algorithm is replaced by the similarity. Extensive experiments using the alert experimental data on KDDCUP99 show that the SR-ISODATA algorithm achieves a high alert compression rate and a higher purity for each cluster.
Keywords :
computer network security; data analysis; merging; IDS alert aggregation; SR-ISODATA algorithm; alert data; average similarity radius; cluster algorithms; clustering center; distance calculation; intrusion detection systems; iterative self-organizing data analysis technique algorithm based on similarity radius; massive alert data aggregation; merging criteria; network security; optimal sequence comparison method; security events; splitting criteria; Algorithm design and analysis; Clustering algorithms; Correlation; IP networks; Merging; Protocols; Security; IDS alerts aggregation; SR-ISODATA; similarity radius;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information and Automation (ICIA), 2014 IEEE International Conference on
Conference_Location :
Hailar
Type :
conf
DOI :
10.1109/ICInfA.2014.6932632
Filename :
6932632