Enhancing False Alarm Reduction Using Voted Ensemble Selection in Intrusion Detection


Bibliographic Details
Main Authors: Yuxin Meng, Lam-For Kwok
Format: Article
Language: English
Published: Springer, 2013-08-01
Series: International Journal of Computational Intelligence Systems (ISSN 1875-6883)
DOI: 10.1080/18756891.2013.802114
Subjects: Network Intrusion Detection; Intelligent False Alarm Reduction; Ensemble Selection
Online Access: https://www.atlantis-press.com/article/25868410.pdf
Abstract

Network intrusion detection systems (NIDSs) have become an indispensable component of current network security infrastructure. However, the large number of alarms, especially false alarms, is a serious problem for these systems: it greatly lowers the effectiveness of NIDSs and increases the analysis workload. To address this problem, many intelligent methods (e.g., machine learning algorithms) have been proposed to reduce the number of false alarms, but it is hard to determine which one is the best. We argue that the performance of different machine learning algorithms fluctuates considerably across distinct contexts (e.g., training data). In this paper, we propose an architecture for an intelligent false alarm filter that employs a method of voted ensemble selection, aiming to maintain the accuracy of false alarm reduction. In particular, the architecture has four components: data standardization, data storage, voted ensemble selection and alarm filtration. In the experiment, we conduct a study involving three machine learning algorithms, namely support vector machine, decision tree and k-nearest neighbor, and use Snort, an open source signature-based NIDS, to explore the effectiveness of our proposed architecture. The experimental results show that our intelligent false alarm filter is effective and encouraging in maintaining the performance of false alarm reduction at a high and stable level.