FILTERING FALSE ALARMS: AN APPROACH BASED ON EPISODE MINING

Abstract

The security of computer networks is a prime concern today. Various devices and methods have been developed to offer different kinds of protection (firewalls, IDS´s, antiviruses, etc.). By centrally storing and processing the signals of these devices, it is possible to detect more cheats and attacks than simply by analysing the logs independently. The most difficult and still unsolved problem in centralized systems is that vast numbers of false alarms. If a harmless pattern, which caused by a safe operation is identified as an alarm, then it is a nuisance and requires human invention to be handled properly. In this paper we show how we can use data mining to discover the patterns that frequently causes false alarms. Due to the new requirements (events with many attributes, invertible parametric predicates) none of the previously published algorithms can be applied to our problem directly. We present the algorithm ABAMSEP, which discovers frequent alert-ended episodes. We prove that the algorithm is correct in the sense that it finds all episodes that meet the requirements of the specification.