Intelligent alert clustering model for network intrusion analysis

  • Siraj M
  • Maarof M
  • Hashim S
  • 9


    Mendeley users who have this article in their library.
  • 9


    Citations of this article.


As security threats change and advance in a drastic way, most of the organizations implement multiple Network Intrusion Detection Systems (NIDSs) to optimize detection and to provide comprehensive view of intrusion activities. But NIDSs trigger a massive amount of alerts even for a day and overwhelmed security experts. Thus, automated and intelligent clustering is important to reveal their structural correlation by grouping alerts with common attributes. We propose a new hybrid clustering model based on Improved Unit Range (IUR), Principal Component Analysis (PCA) and unsupervised learning algorithm (Expectation Maximization) to aggregate similar alerts and to reduce the number of alerts. We tested against other unsupervised learning algorithms to validate the performance of the proposed model. Our empirical results show using DARPA 2000 dataset the proposed model gives better results in terms of the clustering accuracy and processing time.

Author-supplied keywords

  • Alert clustering
  • Alert correlation
  • Expectation maximization
  • Principal component analysis
  • Unsupervised learning

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document

  • SCOPUS: 2-s2.0-77958541754
  • ISSN: 20748523
  • SGR: 77958541754
  • PUI: 364697920


  • Maheyzah Md Siraj

  • Mohd Aizaini Maarof

  • Siti Zaiton Mohd Hashim

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free