Computer Science ›› 2010, Vol. 37 ›› Issue (4): 67-70.
WANG Xiu-li,HAI Mo,ZHU Jian-ming,ZHANG Ning
Abstract: Intrusion detection systems typically generate a very large number of alarms, and investigating them is a problem in itself. To address it, a clustering analysis method based on alert cause is presented. Correlated alarms that share the same attributes are grouped into a cluster according to their cause, and generalized attributes are derived to describe the common characteristics of the alarms in each cluster. The method reduces the number of alarms remarkably, simplifies alert analysis, and allows the security risk in the network and application environment to be analyzed accurately, so that corresponding countermeasures can be taken in time.
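As an added illustration of the idea in the abstract (example code written for this page, not the authors' algorithm), the snippet below groups alerts by an already-assigned cause label and builds one generalized record per cluster: an attribute shared by every alert in the cluster keeps its value, a varying one becomes the wildcard "*". The alert records and cause labels are constructed sample data; the attribute names (sig, src, dst, dport, cause) are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not from the paper). "cause" is assumed to have
# been assigned by an earlier correlation step.
ALERTS = [
    {"sig": "SQLi attempt", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 80, "cause": "unfiltered login form"},
    {"sig": "SQLi attempt", "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 80, "cause": "unfiltered login form"},
    {"sig": "SQLi attempt", "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 443, "cause": "unfiltered login form"},
    {"sig": "port scan", "src": "198.51.100.4", "dst": "192.0.2.11", "dport": 22, "cause": "exposed SSH"},
    {"sig": "port scan", "src": "198.51.100.4", "dst": "192.0.2.12", "dport": 22, "cause": "exposed SSH"},
    {"sig": "brute force", "src": "198.51.100.4", "dst": "192.0.2.11", "dport": 22, "cause": "exposed SSH"},
    {"sig": "outdated TLS", "src": "203.0.113.7", "dst": "192.0.2.13", "dport": 443, "cause": "legacy cipher suite"},
]

ATTRS = ("sig", "src", "dst", "dport")


def cluster_by_cause(alerts):
    """Group alerts whose cause label is identical."""
    clusters = defaultdict(list)
    for alert in alerts:
        clusters[alert["cause"]].append(alert)
    return dict(clusters)


def generalize(cluster, attrs=ATTRS):
    """One record per cluster: keep an attribute's value only if every
    alert in the cluster agrees on it, otherwise generalize it to '*'."""
    record = {}
    for key in attrs:
        values = {alert[key] for alert in cluster}
        record[key] = values.pop() if len(values) == 1 else "*"
    record["count"] = len(cluster)
    return record


def summarize(alerts):
    """Map each cause to its generalized record."""
    return {cause: generalize(members) for cause, members in cluster_by_cause(alerts).items()}


def reduction(alerts):
    """(raw alarm count, number of clustered records) an analyst must review."""
    return len(alerts), len(summarize(alerts))


if __name__ == "__main__":
    for cause, rec in summarize(ALERTS).items():
        print(cause, rec)
    print("alarms -> clusters:", reduction(ALERTS))
```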
Key words: Intrusion detection, Alert analysis, Alert clustering, Alert cause, Heuristic algorithm
WANG Xiu-li,HAI Mo,ZHU Jian-ming,ZHANG Ning. Clustering Analysis Method Based on Alert Cause[J].Computer Science, 2010, 37(4): 67-70.
URL: https://www.jsjkx.com/EN/Y2010/V37/I4/67