Title :
Mining alarm clusters to improve alarm handling efficiency
Author_Institution :
Zurich Res. Lab., IBM Res. Div., Zurich, Switzerland
Abstract :
It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. As a matter of fact, IBM Research's Zurich Research Laboratory has been asked by one of our service divisions to help them deal with this problem. This paper presents the results of our research, validated on a large set of operational data. We show that alarms should be managed by identifying and resolving their root causes. Alarm clustering is introduced as a method that supports the discovery of root causes. The general alarm clustering problem is proved to be NP-complete, an approximation algorithm is proposed, and experiments are presented.
Keywords :
authorisation; computational complexity; computer network management; data mining; IBM Research; NP-complete problem; Zurich Research Laboratory; alarm clustering; approximation algorithm; enterprise networks; intrusion detection systems; root cause discovery; Approximation algorithms; Clustering algorithms; Humans; Intrusion detection; Laboratories; Monitoring; Network address translation; Pattern matching; TCPIP; Telecommunication traffic;
Conference_Titel :
Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual
Print_ISBN :
0-7695-1405-7
DOI :
10.1109/ACSAC.2001.991517