Hierarchically Clustering IDS Alarms Using a GA with Vary-lengthed Chromosomes

Intrusion detection systems (IDS) usually trigger a great number of alarm messages that frequently overwhelm their human operators. Hierarchically clustering technique is able to help IDS operators to get meaningful overviews from the great number of alarms. A dilemma is encountered when the clusters are generated. If the clusters are obtained one by one, they cannot be prevented from overlapping each other, which makes it quite likely to mislead the operator, if they are obtained in a batch, the total number of clusters must be guessed before clustering, which indicates possibly imprecise cluster number or repeated running. In this paper, we propose a GA (genetic algorithm)-based approach in which vary-lengthed chromosomes are adopted instead of fixed-lengthed chromosomes. The encoding scheme is that different numbers of clusters are encoded into different lengths of chromosomes. In addition, the other genetic operations such as selection, crossover and mutation, are discussed in detail. Results from several experiments are quite encouraging, including that the newly proposed approach is able to efficiently generate fitful number of clusters of high quality in a batch.