Intelligent Alert Clustering Model for Network Intrusion Analysis

Keywords: alert clustering, alert correlation, Expectation Maximization, Principal Component Analysis, unsupervised learning.

Abstract: As security threats change and advance drastically, most organizations deploy multiple Network Intrusion Detection Systems (NIDSs) to optimize detection and to provide a comprehensive view of intrusion activity. But NIDSs trigger a massive number of alerts even in a single day and overwhelm security experts. Thus, automated and intelligent clustering is important to reveal the structural correlation among alerts by grouping those with common attributes. We propose a new hybrid clustering model based on Improved Unit Range (IUR), Principal Component Analysis (PCA) and an unsupervised learning algorithm (Expectation Maximization) to aggregate similar alerts and to reduce the number of alerts. We tested it against other unsupervised learning algorithms to validate the performance of the proposed model. Our empirical results on the DARPA 2000 dataset show that the proposed model gives better results in terms of clustering accuracy and processing time.
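As an added illustration, not code from the paper, the IUR-to-PCA-to-EM pipeline the abstract describes, run over a few constructed alert records. The IUR formula 0.8*(x-min)/(max-min)+0.1, projecting onto the first principal component only, and a one-dimensional Gaussian mixture for the EM step are assumptions, since the abstract does not state the paper's parameters.

```python
import math

# Constructed sample alerts (not from the paper): [src_port, dst_port, proto, priority]
ALERTS = [
    [40000, 22, 6, 1], [40100, 23, 6, 1], [40200, 21, 6, 1],     # SSH/telnet probes
    [50000, 80, 6, 3], [50100, 443, 6, 3], [50200, 8080, 6, 3],  # web-server alerts
]

def iur_normalize(rows):
    """Improved Unit Range (assumed form): scale each column into [0.1, 0.9]."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[0.1 + 0.8 * (v - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.1
             for j, v in enumerate(r)] for r in rows]

def pca_scores(rows, iters=200):
    """Project centred rows onto the first principal component (power iteration on the covariance)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    x = [[r[j] - mean[j] for j in range(d)] for r in rows]
    cov = [[sum(r[i] * r[j] for r in x) / (n - 1) for j in range(d)] for i in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(c * c for c in w)) or 1.0
        v = [c / norm for c in w]
    return [sum(r[j] * v[j] for j in range(d)) for r in x]

def em_cluster(scores, k=2, iters=100):
    """1-D Gaussian-mixture Expectation Maximization; returns one cluster label per score."""
    lo, hi = min(scores), max(scores)
    mu = [lo + (hi - lo) * i / (k - 1) for i in range(k)]          # spread initial means
    var, pi = [max(1e-6, (hi - lo) ** 2 / 4)] * k, [1.0 / k] * k
    for _ in range(iters):
        r = []                                                     # E-step: responsibilities
        for s in scores:
            p = [pi[c] / math.sqrt(2 * math.pi * var[c]) * math.exp(-(s - mu[c]) ** 2 / (2 * var[c]))
                 for c in range(k)]
            z = sum(p) or 1.0
            r.append([q / z for q in p])
        for c in range(k):                                         # M-step: refit each component
            nc = sum(r[i][c] for i in range(len(scores))) or 1e-9
            mu[c] = sum(r[i][c] * scores[i] for i in range(len(scores))) / nc
            var[c] = max(1e-6, sum(r[i][c] * (scores[i] - mu[c]) ** 2 for i in range(len(scores))) / nc)
            pi[c] = nc / len(scores)
    return [max(range(k), key=lambda c: row[c]) for row in r]

def cluster_alerts(rows, k=2):
    """IUR -> PCA -> EM pipeline; returns one cluster label per alert."""
    return em_cluster(pca_scores(iur_normalize(rows)), k)

if __name__ == "__main__":
    print(cluster_alerts(ALERTS))
```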