Application of Singular Spectrum Analysis to the Noise Reduction of Intrusion Detection Alarms
Intrusion detection systems typically create a large volume of alarms, most of which are false alarms that can be seen as background noise caused by normal system behavior. Manual analysis of a large number of alarms is both time-consuming and labor-intensive. This paper focuses on the statistical analysis of the alarm flow. Using the Singular Spectrum Analysis (SSA) approach, the authors found that the alarm flow has a small intrinsic dimension, and that the structure of the alarm flow is composed of leading components (normal components) and residual components (abnormal components).
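The split into leading and residual components can be sketched in a few lines of basic SSA; this is an added example, not the paper's code. The window length, rank, threshold rule, function names and the hourly alarm counts are all assumptions constructed for illustration, and power iteration stands in for a full SVD.

```python
import math

def lag_covariance(series, window):
    """Lagged windows (trajectory-matrix rows) and their window x window Gram matrix."""
    rows = [series[i:i + window] for i in range(len(series) - window + 1)]
    cov = [[sum(r[a] * r[b] for r in rows) for b in range(window)] for a in range(window)]
    return rows, cov

def leading_eigenvectors(cov, rank, iters=300):
    """Top `rank` eigenvectors by power iteration with deflation (stands in for an SVD)."""
    n, cov, vectors = len(cov), [row[:] for row in cov], []
    for k in range(rank):
        v = [1.0 / (1 + i + k) for i in range(n)]  # deterministic, generic start vector
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(n)) for i in range(n)]
            norm = math.sqrt(sum(x * x for x in w))
            v = [x / norm for x in w]
        lam = sum(v[i] * cov[i][j] * v[j] for i in range(n) for j in range(n))
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
        vectors.append(v)
    return vectors

def ssa_split(series, window, rank):
    """Split a series into (leading, residual) using a rank-`rank` SSA reconstruction."""
    rows, cov = lag_covariance(series, window)
    vecs = leading_eigenvectors(cov, rank)
    total, count = [0.0] * len(series), [0] * len(series)
    for i, r in enumerate(rows):
        for v in vecs:  # project each lagged window onto the leading eigenvectors
            c = sum(x * y for x, y in zip(r, v))
            for j in range(window):
                total[i + j] += c * v[j]
        for j in range(window):  # diagonal averaging back to one value per time step
            count[i + j] += 1
    leading = [t / c for t, c in zip(total, count)]
    return leading, [s - l for s, l in zip(series, leading)]

def flag_abnormal(series, window=24, rank=3, k=4.0):
    """Indices whose residual lies more than k standard deviations from the residual mean."""
    _, resid = ssa_split(series, window, rank)
    mean = sum(resid) / len(resid)
    std = math.sqrt(sum((r - mean) ** 2 for r in resid) / len(resid))
    return [i for i, r in enumerate(resid) if abs(r - mean) > k * std]

# Constructed hourly alarm counts: baseline + daily cycle + small jitter, one burst at t=130.
ALARMS = [100 + 40 * math.sin(2 * math.pi * t / 24) + (t * 37) % 11 - 5 for t in range(240)]
ALARMS[130] += 150

if __name__ == "__main__":
    print(flag_abnormal(ALARMS))
```

Three leading components absorb the baseline and the daily cycle of routine alarms, so only the burst remains prominent in the residual series.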