Title :
A subjective distance for clustering security events
Author :
Wang, Jianxin ; Zhao, Geng ; Zhang, Weidong
Author_Institution :
Sch. of Inf., Beijing Forestry Univ., China
Abstract :
Intrusion detection systems overload their human operators by triggering thousands of alarms per day, most of which are false positives. A clustering method put forward by Klaus Julisch is very effective in eliminating false positives and finding their root causes. However, because operators' knowledge and experience vary, a gap may exist between the nature of the event clusters and what the operators obtain from the resulting clusters. A subjective distance, different from the objective distance defined by Julisch, is proposed to fill this gap by controlling the clustering process with the subjective distance.
Keywords :
data mining; knowledge based systems; security of data; trees (mathematics); alarm false positives; association rules; clustering process; episode mining; event clustering; event clusters; intrusion detection systems; objective distance; security event clustering; subjective distance; taxonomy trees; Association rules; Clustering methods; Forestry; Humans; Information security; Intrusion detection; Laboratories; Process control; Protection; Taxonomy;
Conference_Titel :
Communications, Circuits and Systems, 2005. Proceedings. 2005 International Conference on
Print_ISBN :
0-7803-9015-6
DOI :
10.1109/ICCCAS.2005.1493365