Experimental studies using median polish procedure to reduce alarm rates in data cubes of intrusion data

Abstract

The overwhelming number of alarms generated by rule-based network intrusion detection systems makes the task of network security operators ineffective. Preliminary results on an approach called EXOLAP show that false positive alarms can be avoided by detecting changes in the stream of alarms using a data cube and the median polish procedure. A data cube aggregates alarms by hierarchical time frames, rule number, target port number and other feature attributes. The median polish procedure is used on materialized relational views of the data cube to detect changes in the stream of alarms. EXOLAP shows promising results on labeled and unlabeled test sets by focusing on exceptions to the normal stream of alarms, diverting attention away from false positives. © Springer-Verlag Berlin Heidelberg 2004.
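To illustrate the idea in the abstract, the following added example (not code from the paper or from EXOLAP) applies Tukey's median polish to one two-dimensional view, alarm counts by rule and hour, and reports cells whose residual stands out. The rule names, hours, counts, the multiplier `k` and the scale floor are constructed assumptions.

```python
from statistics import median

def median_polish(table, max_iter=10):
    """Tukey's median polish: alternately sweep row and column medians
    out of the table. Returns (row_effects, col_effects, residuals)."""
    resid = [list(row) for row in table]
    row_eff = [0] * len(resid)
    col_eff = [0] * len(resid[0])
    for _ in range(max_iter):
        changed = False
        for i, row in enumerate(resid):            # row sweep
            m = median(row)
            row_eff[i] += m
            resid[i] = [v - m for v in row]
            changed |= m != 0
        for j in range(len(col_eff)):              # column sweep
            m = median(r[j] for r in resid)
            col_eff[j] += m
            for r in resid:
                r[j] -= m
            changed |= m != 0
        if not changed:                            # all medians are zero
            break
    return row_eff, col_eff, resid

def exceptions(table, rules, hours, k=5.0, floor=1.0):
    """Cells whose residual exceeds k times the median absolute residual.
    The floor (an assumption) keeps the scale usable when most residuals are 0."""
    _, _, resid = median_polish(table)
    scale = max(median(abs(v) for r in resid for v in r), floor)
    return [(rules[i], hours[j], v)
            for i, r in enumerate(resid)
            for j, v in enumerate(r)
            if abs(v) > k * scale]

# Constructed view of a data cube: alarm counts per rule (rows) and hour (columns).
RULES = ["rule-A", "rule-B", "rule-C"]
HOURS = ["10:00", "11:00", "12:00", "13:00", "14:00"]
COUNTS = [
    [101, 105, 102, 107, 103],   # chronically noisy rule: high but steady
    [10,  16,  12,  78,  13],    # quiet rule with a burst at 13:00
    [40,  45,  43,  48,  42],
]

if __name__ == "__main__":
    for rule, hour, residual in exceptions(COUNTS, RULES, HOURS):
        print(f"exception: {rule} at {hour}, residual {residual}")
```

The burst on the quiet rule is reported even though its raw count stays below the noisy rule's normal level, while the noisy rule's steady volume is absorbed into its row effect and produces no exception.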

Cite

Levera, J., Barán, B., & Grossman, R. (2004). Experimental studies using median polish procedure to reduce alarm rates in data cubes of intrusion data. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 3073, 457–466. https://doi.org/10.1007/978-3-540-25952-7_36
