Cyberattack triage using incremental clustering for intrusion detection systems
International Journal of Information Security (IF 3.2), Pub Date: 2019-11-16, DOI: 10.1007/s10207-019-00478-3
Sona Taheri, Adil M. Bagirov, Iqbal Gondal, Simon Brown

Intrusion detection systems (IDSs) are devices or software applications that monitor networks or systems for malicious activity and signal alerts/alarms when such activity is discovered. However, an IDS may generate many false alerts, which affects its accuracy. In this paper, we develop a cyberattack triage algorithm to detect these alerts (so-called outliers). The proposed algorithm is designed using clustering, optimization and distance-based approaches. An optimization-based incremental clustering algorithm is proposed to find clusters of different types of cyberattacks. Using a special procedure, the set of clusters is divided into two subsets: normal and stable clusters. Then, outliers are found among the stable clusters using the average distance between the centroids of the normal clusters. The proposed algorithm is evaluated using the well-known IDS data sets, the Knowledge Discovery and Data Mining Cup 1999 and UNSW-NB15, and compared with some other existing algorithms. Results show that the proposed algorithm has high detection accuracy and a very low false negative rate.

Updated: 2019-11-16