A two-stage technique to improve intrusion detection systems based on data mining algorithms

An intrusion detection system (IDS) is a fundamental part of the security infrastructure, since it ensures the detection of any suspicious action. Although detecting intrusions and attacks is the ultimate goal, the huge volume of generated alerts cannot be managed properly by the administrator. To improve the accuracy of sensors, we adopt a two-stage technique: the first stage generates meta-alerts through clustering, and the second stage reduces the rate of false alarms through a binary classification of the generated meta-alerts. For the first stage we use two alternatives, a self-organizing map (SOM) with the k-means algorithm and neural gas with the fuzzy c-means algorithm. For the second stage we use three approaches: SOM with k-means, support vector machines, and decision trees. We evaluate the proposed procedures on a public data set using several evaluation criteria. The results show that our procedures outperform competing methods by reducing the rate of false positives.
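The two-stage pipeline described above, as an added illustration that is not the paper's own code or data: stage 1 clusters raw sensor alerts into meta-alerts, stage 2 classifies each meta-alert as a real attack or a false positive. To stay self-contained it substitutes plain k-means (farthest-first seeded) for the SOM/k-means and neural gas/fuzzy c-means combinations, and a small greedy decision tree for the second-stage classifier; the alert fields, the per-alert and per-meta-alert feature vectors, and the hand-labelled training set are all constructed assumptions.

```python
"""Two-stage IDS alert reduction (added example, not the paper's code):
stage 1 clusters raw alerts into meta-alerts with k-means,
stage 2 labels each meta-alert real/false with a decision tree."""
from collections import defaultdict

# Constructed raw sensor alerts: (src_ip, dst_port, signature_id, severity 1..3)
RAW_ALERTS = [
    ("10.0.0.5", 80, 1001, 1), ("10.0.0.5", 80, 1001, 1),
    ("10.0.0.6", 80, 1001, 1), ("10.0.0.7", 80, 1001, 1),
    ("10.0.0.8", 80, 1001, 1),                                 # noisy web signature
    ("10.0.0.9", 22, 2002, 3), ("10.0.0.9", 22, 2002, 3),
    ("10.0.0.9", 22, 2002, 3), ("10.0.0.9", 22, 2002, 3),      # one host hammering SSH
    ("10.0.0.20", 445, 3003, 3), ("10.0.0.21", 445, 3003, 3),  # two SMB attempts
]

# Constructed, hand-labelled meta-alerts used to train stage 2:
# ((alert_count, distinct_sources, mean_severity), label) with 1 = real attack
TRAIN = [
    ((6, 6, 1), 0), ((12, 10, 1), 0), ((3, 3, 1), 0), ((8, 8, 2), 0),
    ((5, 1, 3), 1), ((9, 1, 2), 1), ((2, 2, 3), 1), ((4, 3, 3), 1),
]


def alert_features(alert):
    """Numeric view of one raw alert for clustering (assumed, crude scaling)."""
    _, port, sig, sev = alert
    return (port / 1000.0, sig / 1000.0, float(sev))


def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points, k, iters=50):
    """Lloyd's k-means with deterministic farthest-first seeding; returns a cluster id per point."""
    centroids = [points[0]]
    while len(centroids) < k:   # seed with the point farthest from every existing centroid
        centroids.append(max(points, key=lambda p: min(sq_dist(p, c) for c in centroids)))
    assign = None
    for _ in range(iters):
        new_assign = [min(range(k), key=lambda j: sq_dist(p, centroids[j])) for p in points]
        if new_assign == assign:          # converged: no point changed cluster
            break
        assign = new_assign
        for j in range(k):                # move each centroid to the mean of its members
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return assign


def build_meta_alerts(alerts, k):
    """Stage 1: cluster alerts and summarise each cluster as one meta-alert."""
    groups = defaultdict(list)
    for alert, cid in zip(alerts, kmeans([alert_features(a) for a in alerts], k)):
        groups[cid].append(alert)
    return [{"count": len(ms),
             "distinct_src": len({m[0] for m in ms}),
             "mean_severity": sum(m[3] for m in ms) / len(ms),
             "signatures": sorted({m[2] for m in ms})} for ms in groups.values()]


def meta_vector(m):
    return (m["count"], m["distinct_src"], m["mean_severity"])


def gini(labels):
    n = len(labels)
    return 1.0 - sum((labels.count(v) / n) ** 2 for v in set(labels))


def build_tree(rows, depth=0, max_depth=3):
    """Greedy Gini-based binary decision tree over (vector, label) rows."""
    labels = [lab for _, lab in rows]
    majority = max(set(labels), key=labels.count)
    if depth >= max_depth or gini(labels) == 0.0:
        return ("leaf", majority)
    best = None
    for f in range(len(rows[0][0])):
        for thr in sorted({vec[f] for vec, _ in rows})[:-1]:   # "<= thr" candidate splits
            left = [lab for vec, lab in rows if vec[f] <= thr]
            right = [lab for vec, lab in rows if vec[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    if best is None:
        return ("leaf", majority)
    _, f, thr = best
    return ("split", f, thr,
            build_tree([r for r in rows if r[0][f] <= thr], depth + 1, max_depth),
            build_tree([r for r in rows if r[0][f] > thr], depth + 1, max_depth))


def predict(tree, vec):
    while tree[0] == "split":
        _, f, thr, left, right = tree
        tree = left if vec[f] <= thr else right
    return tree[1]


def run_pipeline(alerts=RAW_ALERTS, k=3):
    """Both stages: cluster, then attach a verdict (1 = real attack, 0 = false positive)."""
    tree = build_tree(TRAIN)
    metas = build_meta_alerts(alerts, k)
    for m in metas:
        m["verdict"] = predict(tree, meta_vector(m))
    return metas


if __name__ == "__main__":
    for m in run_pipeline():
        print(m)
```

On the constructed input the five low-severity web alerts collapse into one meta-alert that the tree marks as a false positive, while the SSH and SMB clusters are kept; the administrator reviews three meta-alerts with verdicts instead of eleven raw alerts. Swapping `kmeans` for an SOM or neural gas stage, or `build_tree` for an SVM, leaves the surrounding pipeline unchanged.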