Fig 1.
Two-Tier Feature Selection Procedure.
Fig 2.
IDMEF alert format in an XML document.
Table 1.
Attributes of an alert extracted from the XML document.
Table 2.
All features of the DARPA 2000 datasets.
Fig 3.
Information Gain algorithm.
Table 3.
Feature ranking using IG on DMZ 1 DARPA 2000 dataset.
Table 4.
Feature ranking using IG on Inside 1 DARPA 2000 dataset.
Table 5.
Feature ranking using IG on DMZ 2 DARPA 2000 dataset.
Table 6.
Feature ranking using IG on Inside 2 DARPA 2000 dataset.
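The information-gain ranking behind Tables 3 to 6, as an added example that is not part of the original paper: each alert is a set of categorical attributes (as extracted from the IDMEF XML) plus a ground-truth label, and a feature's IG is the drop in label entropy obtained by splitting on that feature. The alert records, attribute names ("sig", "proto", "dport") and labels below are constructed for illustration and are not DARPA 2000 data.

```python
import math
from collections import Counter

# Constructed sample alerts (not from DARPA 2000): (attributes, label).
# The label says whether the alert belongs to a true attack step.
ALERTS = [
    ({"sig": "RPC_Probe",  "proto": "udp", "dport": 111}, "attack"),
    ({"sig": "RPC_Probe",  "proto": "udp", "dport": 111}, "attack"),
    ({"sig": "Rsh_Login",  "proto": "tcp", "dport": 514}, "attack"),
    ({"sig": "Rsh_Login",  "proto": "tcp", "dport": 514}, "attack"),
    ({"sig": "DNS_Lookup", "proto": "udp", "dport": 111}, "normal"),
    ({"sig": "DNS_Lookup", "proto": "udp", "dport": 111}, "normal"),
    ({"sig": "HTTP_Get",   "proto": "tcp", "dport": 80},  "normal"),
    ({"sig": "SMTP_Mail",  "proto": "tcp", "dport": 25},  "normal"),
]


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    total = len(labels)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(labels).values())


def information_gain(records, feature):
    """IG(feature) = H(label) - sum_v P(v) * H(label | feature = v)."""
    all_labels = [label for _, label in records]
    base = entropy(all_labels)
    # Partition the labels by the value this feature takes in each alert.
    groups = {}
    for attrs, label in records:
        groups.setdefault(attrs[feature], []).append(label)
    total = len(records)
    conditional = sum(len(g) / total * entropy(g) for g in groups.values())
    return base - conditional


def rank_features(records):
    """Return [(feature, IG), ...] sorted from most to least informative."""
    features = records[0][0].keys()
    scores = [(f, information_gain(records, f)) for f in features]
    return sorted(scores, key=lambda fs: fs[1], reverse=True)


def select_top(records, k):
    """Keep the k highest-ranked features (the second tier of the selection)."""
    return [f for f, _ in rank_features(records)[:k]]


if __name__ == "__main__":
    for feature, gain in rank_features(ALERTS):
        print(f"{feature:6s} IG = {gain:.3f}")
    print("selected:", select_top(ALERTS, 2))
```

In the constructed set the signature name separates attack from normal alerts completely (IG 1.0 bit), the destination port does so only partially because port 111 appears in both classes (IG 0.5), and the transport protocol is evenly mixed in every value (IG 0), so a ranking cut-off drops "proto" first. A feature whose IG is zero on every dataset is the natural candidate for removal; one that ranks high on only one of the four DARPA 2000 subsets is the case the two-tier procedure has to adjudicate.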
Fig 4.
Results of K-means with varying number of clusters.
Fig 5.
Results of EM with varying number of clusters.
Fig 6.
Results of Hierarchical with varying number of clusters.
Table 7.
Summary of AR using the K-means, EM and Hierarchical algorithms on all datasets before feature selection.
Fig 7.
Results of K-means after feature ranking.
Fig 8.
Results of the EM algorithm after feature ranking.
Fig 9.
Results of Hierarchical after feature ranking.
Table 8.
Summary of clustering accuracy using the K-means, EM and Hierarchical algorithms on all datasets after feature ranking.
Table 9.
The description of significant features of DARPA 2000 dataset.
Fig 10.
Results of K-means based on the seven selected features.
Fig 11.
Results of EM based on the seven selected features.
Fig 12.
Results of Hierarchical based on seven selected features.
Table 10.
Summary of AR using the K-means, FCM and EM algorithms on all datasets.
Table 11.
List of attack steps (clusters) discovered on all datasets.
Table 12.
Description of attack steps based on the RealSecure Signatures Reference Guide Version 6.0 (Internet Security Systems).
Fig 13.
Comparison of the accuracy performance of K-means on all datasets.
Fig 14.
Comparison of the accuracy performance of EM on all datasets.
Table 13.
Performance comparison with other feature subsets.