Abstract:
A Network Intrusion Detection System (NIDS) is an alarm system for networks. NIDS
monitors all inbound and outbound network actions and generates alarms when it detects
suspicious or malicious attempts. A false positive alarm is generated when the NIDS
misclassifies a normal action in the network as an attack. We present a data mining
technique that assists network administrators in analyzing and reducing the false positive
alarms produced by a NIDS. Our data mining technique is based on a Growing Hierarchical
Self-Organizing Map (GHSOM) that adjusts its architecture during an unsupervised
training process according to the characteristics of the input alarm data, where no prior
information is available about these alarms. GHSOM clusters these alarms in a way that
supports network administrators in making decisions about true and false alarms. We
compare the effectiveness of our GHSOM-based technique with a recent technique
(SOM) using real-world intrusion detection data. The results show that our technique
performs better than SOM in terms of reducing false positives from 15% to 4.7% and
false negatives from 16% to 4%.
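To make the clustering idea concrete, the following added example (not code from the paper, and not a full GHSOM) implements a single flat self-organizing map over constructed alarm feature vectors that grows by inserting a row or column beside the unit with the highest quantization error, which is the first of GHSOM's two growth mechanisms (the hierarchical expansion into child maps is omitted). The alarm records, the three features (connections per minute, distinct destination ports, bytes per connection, all scaled to [0, 1]) and the analyst labels are constructed for illustration; the labels are only used after training to inspect which units collected which alarms, never during it, mirroring the unsupervised setting described above.

```python
"""Toy growing self-organizing map over constructed NIDS alarm feature vectors.

Simplified illustration, not the paper's GHSOM: one flat map that grows by
inserting a row or column next to the unit with the largest quantization error.
"""
import math
import random

# Constructed alarm records: (feature vector, analyst label). Features are
# scaled to [0, 1]: [connections per minute, distinct destination ports,
# bytes per connection]. Labels are never used during (unsupervised) training.
ALARMS = [
    ([0.05, 0.10, 0.90], "benign"),   # one long session, few connections (constructed)
    ([0.08, 0.05, 0.85], "benign"),
    ([0.10, 0.12, 0.95], "benign"),
    ([0.06, 0.08, 0.80], "benign"),
    ([0.95, 0.90, 0.05], "attack"),   # many tiny connections to many ports (constructed)
    ([0.90, 0.95, 0.08], "attack"),
    ([0.85, 0.88, 0.10], "attack"),
    ([0.92, 0.85, 0.04], "attack"),
]


def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class GrowingSOM:
    def __init__(self, rows, cols, dim, seed=0):
        self.rng = random.Random(seed)          # fixed seed: deterministic map
        self.rows, self.cols, self.dim = rows, cols, dim
        self.weights = {(r, c): [self.rng.random() for _ in range(dim)]
                        for r in range(rows) for c in range(cols)}

    def bmu(self, x):
        """Best matching unit: the grid position whose weight vector is nearest x."""
        return min(self.weights, key=lambda u: dist(self.weights[u], x))

    def train(self, data, epochs=200, lr0=0.5, radius0=None):
        """Classic SOM training with linearly decaying rate and neighbourhood."""
        radius0 = radius0 or max(self.rows, self.cols) / 2.0
        for epoch in range(epochs):
            frac = epoch / epochs
            lr = lr0 * (1 - frac)
            radius = max(radius0 * (1 - frac), 0.05)   # never collapse to zero
            for x in data:
                b = self.bmu(x)
                for u, w in self.weights.items():
                    grid_d2 = (u[0] - b[0]) ** 2 + (u[1] - b[1]) ** 2
                    h = math.exp(-grid_d2 / (2 * radius * radius))  # Gaussian neighbourhood
                    for i in range(self.dim):
                        w[i] += lr * h * (x[i] - w[i])

    def unit_errors(self, data):
        """Mean quantization error of each unit over the alarms it wins."""
        errs = {u: [] for u in self.weights}
        for x in data:
            b = self.bmu(x)
            errs[b].append(dist(self.weights[b], x))
        return {u: (sum(e) / len(e) if e else 0.0) for u, e in errs.items()}

    def mean_quantization_error(self, data):
        return sum(dist(self.weights[self.bmu(x)], x) for x in data) / len(data)

    def grow(self, data, tau):
        """Insert a row/column between the worst unit and its most dissimilar
        grid neighbour when that unit's error exceeds tau. Returns True if grown."""
        errs = self.unit_errors(data)
        worst = max(errs, key=errs.get)
        if errs[worst] <= tau:
            return False
        neigh = [(worst[0] + dr, worst[1] + dc) for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1))]
        neigh = [n for n in neigh if n in self.weights]
        far = max(neigh, key=lambda n: dist(self.weights[n], self.weights[worst]))
        new = {}
        if far[0] != worst[0]:                      # new row between the two rows
            at = max(worst[0], far[0])
            for (r, c), w in self.weights.items():
                new[(r + 1 if r >= at else r, c)] = w
            for c in range(self.cols):              # initialise new units as midpoints
                new[(at, c)] = [(a + b) / 2 for a, b in
                                zip(self.weights[(worst[0], c)], self.weights[(far[0], c)])]
            self.rows += 1
        else:                                       # new column between the two columns
            at = max(worst[1], far[1])
            for (r, c), w in self.weights.items():
                new[(r, c + 1 if c >= at else c)] = w
            for r in range(self.rows):
                new[(r, at)] = [(a + b) / 2 for a, b in
                                zip(self.weights[(r, worst[1])], self.weights[(r, far[1])])]
            self.cols += 1
        self.weights = new
        return True


def cluster_alarms(alarms, tau=0.15, max_growth=3, seed=0):
    """Train, grow while any unit's error exceeds tau, then group alarms by unit."""
    data = [x for x, _ in alarms]
    som = GrowingSOM(2, 2, len(data[0]), seed=seed)
    som.train(data)
    for _ in range(max_growth):
        if not som.grow(data, tau):
            break
        som.train(data, epochs=100)                 # retrain after each growth step
    clusters = {}
    for x, label in alarms:
        clusters.setdefault(som.bmu(x), []).append(label)
    return som, clusters


if __name__ == "__main__":
    som, clusters = cluster_alarms(ALARMS)
    for unit, labels in sorted(clusters.items()):
        print(f"unit {unit}: {labels}")
```

An administrator would review each unit's alarms together: a unit whose members are all normal traffic can be dismissed as a false positive cluster in one decision rather than alarm by alarm. The growth threshold `tau` plays the role of GHSOM's first growth parameter; lowering it yields more units and finer clusters.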