Design of intelligent KNN-based alarm filter using knowledge-based alert verification in intrusion detection

Weizhi Meng, Wenjuan Li, Lam For Kwok

Research output: Journal article publicationJournal articleAcademic researchpeer-review

64 Citations (Scopus)


Network intrusion detection systems (NIDSs) have been widely deployed in various network environments to defend against different kinds of network attacks. However, a large number of alarms especially unwanted alarms such as false alarms and non-critical alarms could be generated during the detection, which can greatly decrease the efficiency of the detection and increase the burden of analysis. To address this issue, we advocate that constructing an alarm filter in terms of expert knowledge is a promising solution. In this paper, we develop a method of knowledge-based alert verification and design an intelligent alarm filter based on a multi-class k-nearest-neighbor classifier to filter out unwanted alarms. In particular, the alarm filter employs a rating mechanism by means of expert knowledge to classify incoming alarms to proper clusters for labeling. We further analyze the effect of different classifier settings on classification accuracy with two alarm datasets. In the evaluation, we investigate the performance of the alarm filter with a real dataset and in a network environment, respectively. Experimental results indicate that our alarm filter can effectively filter out a number of NIDS alarms and can achieve a better outcome under the advanced mode.

Original languageEnglish
Pages (from-to)3883-3895
Number of pages13
JournalSecurity and Communication Networks
Issue number18
Publication statusPublished - 1 Dec 2015
Externally publishedYes


  • Alarm filtration
  • Alert verification
  • Intelligent system
  • Network intrusion detection

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications


Dive into the research topics of 'Design of intelligent KNN-based alarm filter using knowledge-based alert verification in intrusion detection'. Together they form a unique fingerprint.

Cite this