Article code: 6883802
Journal code: 1444207
Publication year: 2018
English article: 10-page PDF
Full-text version: Free download
English title of the ISI article
Triple-Similarity Mechanism for alarm management in the cloud
Persian translation of the title
Triple similar mechanism for alarm management in the cloud
Keywords
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract
Its distributed nature and ubiquitous service make the cloud subject to several vulnerabilities. One of the main tools used for reporting suspicious activity in the network's traffic is the Intrusion Detection System. However, two significant problems arise: the huge volume of control messages between the virtual machines and the servers; and the associated transfer costs. In this work, we propose a Triple-Similarity Mechanism (T-SyM) for grouping similar alarms that may correspond to the same attack (or attempt) in order to reduce the number of messages and, consequently, the total amount of information. In addition, we propose an algorithm for calculating the severity level of the alarms. T-SyM works on the basis of 3 steps: individual similarity (Euclidean distance), clustering relevant features (k-means algorithm) and generating the output (the Tanimoto coefficient). An evaluation of the most common attacks is performed using real traces from an IDS. Our mechanism was able to decrease the number of alarms by up to 90% and reduce the total amount of data by more than 80%.
Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 78, September 2018, Pages 33-42
Authors
, , ,