Mining alarm clusters to improve alarm handling efficiency

  • Julisch K
  • 42


    Mendeley users who have this article in their library.
  • 105


    Citations of this article.


It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. As a matter of fact, IBM Research's Zurich Research Laboratory has been asked by one of our service divisions to help them deal with this problem. This paper presents the results of our research, validated thanks to a large set of operational data. We show that alarms should be managed by identifying and resolving their root causes. Alarm clustering is introduced as a method that supports the discovery of root causes. The general alarm clustering problem is proved to be NP-complete, an approximation algorithm is proposed, and experiments are presented.

Author-supplied keywords

  • Approximation algorithms
  • Clustering algorithms
  • Humans
  • Intrusion detection
  • Laboratories
  • Monitoring
  • Network address translation
  • Pattern matching
  • Telecommunication traffic

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • Klaus Julisch

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free