Abstract
The paper presents an alert aggregation algorithm based on feature similarity and genetic clustering. The number of clusters is predefined as the number of attack classes. Feature similarity is used to represent the similarity distance between two alerts. The genetic method uses this distance to choose the best cluster centers and to cluster all similar alerts. In the alert aggregation phase, it computes the distance between two alerts in the same cluster, using more features, to decide whether they need to be aggregated. Experiments on the DARPA99 data set demonstrate that the algorithm efficiently reduces the number of duplicated alerts.
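The following is an added illustration of the pipeline the abstract describes; it is not code from the paper. It uses a weighted feature-mismatch distance as the similarity measure, a small genetic algorithm that selects k alerts as cluster centers (k set to the number of attack classes), and a second pass that aggregates alerts inside each cluster using more features plus a time window. The feature weights, thresholds, window and the sample alerts are all constructed assumptions, not values from the paper or from DARPA99.

```python
"""Alert aggregation by feature similarity and genetic clustering (added example)."""
import random

# Constructed sample alerts (not DARPA99 data): three attack classes.
ALERTS = [
    {"sig": "portscan", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22, "ts": 100},
    {"sig": "portscan", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 23, "ts": 101},
    {"sig": "portscan", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 25, "ts": 102},
    {"sig": "portscan", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 80, "ts": 103},
    {"sig": "sql_injection", "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 80, "ts": 200},
    {"sig": "sql_injection", "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 80, "ts": 201},
    {"sig": "sql_injection", "src": "10.0.0.7", "dst": "192.168.1.20", "dport": 80, "ts": 202},
    {"sig": "ssh_bruteforce", "src": "10.0.0.9", "dst": "192.168.1.10", "dport": 22, "ts": 300},
    {"sig": "ssh_bruteforce", "src": "10.0.0.9", "dst": "192.168.1.10", "dport": 22, "ts": 301},
    {"sig": "ssh_bruteforce", "src": "10.0.0.9", "dst": "192.168.1.10", "dport": 22, "ts": 900},
]
NUM_ATTACK_CLASSES = 3  # the number of clusters is fixed in advance

# Assumed weights: a few coarse features for clustering, more features for aggregation.
CLUSTER_WEIGHTS = {"sig": 0.6, "dst": 0.4}
AGG_WEIGHTS = {"sig": 0.5, "src": 0.2, "dst": 0.2, "dport": 0.1}
AGG_THRESHOLD = 0.1   # assumed: only the destination port may differ inside a group
AGG_WINDOW = 60       # assumed: seconds between an alert and its group's first alert


def alert_distance(a, b, weights):
    """Weighted mismatch distance: 0.0 for identical features, sum of weights of differing ones."""
    return sum(w for f, w in weights.items() if a[f] != b[f])


def fitness(centers, alerts):
    """Total distance of every alert to its nearest center (lower is better)."""
    return sum(min(alert_distance(a, alerts[c], CLUSTER_WEIGHTS) for c in centers)
               for a in alerts)


def _distinct_index(rng, n, taken):
    """Random alert index not already used as a center."""
    c = rng.randrange(n)
    while c in taken:
        c = rng.randrange(n)
    return c


def genetic_centers(alerts, k, rng, pop_size=30, generations=60, mutation_rate=0.2):
    """Evolve sets of k distinct alert indices; the fittest set becomes the cluster centers."""
    n = len(alerts)
    population = [rng.sample(range(n), k) for _ in range(pop_size)]
    best = min(population, key=lambda ind: fitness(ind, alerts))
    for _ in range(generations):
        population.sort(key=lambda ind: fitness(ind, alerts))
        elite = population[:max(2, pop_size // 5)]
        children = [list(ind) for ind in elite]            # elitism: keep the best sets
        while len(children) < pop_size:
            p1, p2 = rng.sample(elite, 2)
            cut = rng.randint(1, k - 1) if k > 1 else 1     # one-point crossover
            child = p1[:cut] + p2[cut:]
            for i in range(len(child)):                     # repair duplicate centers
                if child[i] in child[:i]:
                    child[i] = _distinct_index(rng, n, set(child[:i]))
            if rng.random() < mutation_rate:                # mutate one center
                i = rng.randrange(k)
                child[i] = _distinct_index(rng, n, set(child) - {child[i]})
            children.append(child)
        population = children
        cand = min(population, key=lambda ind: fitness(ind, alerts))
        if fitness(cand, alerts) < fitness(best, alerts):
            best = cand
    return best


def assign_clusters(alerts, centers):
    """Put each alert into the cluster of its nearest center."""
    clusters = {c: [] for c in centers}
    for a in alerts:
        nearest = min(centers, key=lambda c: alert_distance(a, alerts[c], CLUSTER_WEIGHTS))
        clusters[nearest].append(a)
    return list(clusters.values())


def aggregate_cluster(cluster):
    """Within one cluster, an alert joins the first group whose first alert is within
    AGG_THRESHOLD on the aggregation features and within AGG_WINDOW in time."""
    groups = []
    for a in sorted(cluster, key=lambda x: x["ts"]):
        for g in groups:
            head = g[0]
            if (alert_distance(a, head, AGG_WEIGHTS) <= AGG_THRESHOLD
                    and a["ts"] - head["ts"] <= AGG_WINDOW):
                g.append(a)
                break
        else:
            groups.append([a])
    return groups


def aggregate_alerts(alerts, k, seed=7):
    """Full pipeline: genetic center selection, clustering, then per-cluster aggregation."""
    rng = random.Random(seed)
    centers = genetic_centers(alerts, k, rng)
    groups = []
    for cluster in assign_clusters(alerts, centers):
        groups.extend(aggregate_cluster(cluster))
    return groups


if __name__ == "__main__":
    for g in aggregate_alerts(ALERTS, NUM_ATTACK_CLASSES):
        print(f"{len(g):2d} x {g[0]['sig']:<15} {g[0]['src']} -> {g[0]['dst']} ts={g[0]['ts']}")
```

Because the signature carries a weight above the aggregation threshold, alerts with different signatures are never merged even if the genetic search places them in the same cluster; the time window keeps the late ssh_bruteforce alert as a separate group, which is the kind of edge case a practitioner checks before trusting the reduced alert count.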
- Publication date: 2008
- Affiliation: Jiangxi Normal University (江西师范大学)