Integration of PSO and K-means clustering algorithm for structural-based alert correlation model

Network-based Intrusion Detection Systems (NIDS) will trigger alerts as notifications of abnormal activities detected in computing and networking resources. As Distributed Denial-of-Service (DDOS) attacks are getting more sophisticated, each attack consists of a series of events which in turn trigger a series of alerts. However, the alerts are produced in a huge amount, of low quality and consist of repeated and false positive alerts. This requires clustering algorithm to effectively correlate the alerts for identifying each unique attack. Soft computing including bio-inspired algorithms are explored to optimally cluster the alerts. Therefore, this study investigates the effects of bio-inspired algorithm in alert correlation (AC) model. Particle Swarming Optimization (PSO) is integrated with K-Means clustering algorithm to conduct structural-based AC. It was tested on the benchmarked DARPA 2000 dataset. The efficiency of the AC model was evaluated using clustering accuracy, error rate and processing time measurements. Surprisingly, the experimental results show that K-Means algorithm works better than the integration of PSO and K-Means. K-Means gives 99.67% clustering accuracy while PSO and K-Means gives 92.71% clustering accuracy. This indicates that a single clustering algorithm is sufficient for optimal structural-based AC instead of integrated PSO and K-Means