Growing hierarchical self-organizing map for alarm filtering in network intrusion detection systems

It is a well-known problem that intrusion detection systems overload their human operators by triggering thousands of alarms per day. This paper presents a new approach for handling intrusion detection alarms more efficiently. Self-Organizing Map (SOM) and Growing Hierarchical Self-Organizing Map (GHSOM) are used to discover interest patterns, signs of potential real attack scenarios aiming each machine in the network. GHSOM addresses two main limits of SOM which are caused, on the one hand, by the static architecture of this model, as well as, on the other hand, by the limited capabilities for the representation of hierarchical relations of the data. The experiments conducted on several logs extracted from the SNORT NIDS, confirm that the GHSOM can form an adaptive architecture, which grows in size and depth during its training process, thus to unfold the hierarchical structure of the analyzed logs of alerts