• DocumentCode
    2359293
  • Title
    Mining alarm clusters to improve alarm handling efficiency
  • Author
    Julisch, Klaus
  • Author_Institution
    Zurich Res. Lab., IBM Res. Div., Zurich, Switzerland
  • fYear
    2001
  • fDate
    10-14 Dec. 2001
  • Firstpage
    12
  • Lastpage
    21
  • Abstract
    It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. As a matter of fact, IBM Research's Zurich Research Laboratory has been asked by one of our service divisions to help them deal with this problem. This paper presents the results of our research, validated against a large set of operational data. We show that alarms should be managed by identifying and resolving their root causes. Alarm clustering is introduced as a method that supports the discovery of root causes. The general alarm clustering problem is proved to be NP-complete, an approximation algorithm is proposed, and experiments are presented.
  • Keywords
    authorisation; computational complexity; computer network management; data mining; IBM Research; NP-complete problem; Zurich Research Laboratory; alarm clustering; approximation algorithm; enterprise networks; intrusion detection systems; root cause discovery; Approximation algorithms; Clustering algorithms; Humans; Intrusion detection; Laboratories; Monitoring; Network address translation; Pattern matching; TCP/IP; Telecommunication traffic
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual
  • Print_ISBN
    0-7695-1405-7
  • Type
    conf
  • DOI
    10.1109/ACSAC.2001.991517
  • Filename
    991517